vundo.h, hiloti, hijack.shell, sasfix, delf [Solved] - Geeks to Go Forums


vundo.h, hiloti, hijack.shell, sasfix, delf [Solved] post clean up 2nd look

#1 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 27 January 2010 - 03:31 PM

User of mine got infected.

First run of MBAM found:
Broken.securityProviders
Trojan.Vundo.H
Backdoor.Bot
Trojan.SASFix
Hijack.Shell

Said it successfully removed all. After reboot, did second MBAM scan and all above items were gone, but 4 new ones appeared:

Trojan.Hiloti x 2
Trojan.Delf x 2

Said it successfully removed them. Did 2 more reboots with scans after each, finding nothing.

So, I think it is all gone, but attaching the OTL and extras logs to get a second set of eyes to help me make sure. Thank you.

Only problem I have experienced during clean up is that the machine rebooted during the middle of the GMER scan. So, I don't have that to attach.

OTL logfile created on: 1/27/2010 3:06:17 PM - Run 1

OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\administrator.CONCORDE\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



503.00 Mb Total Physical Memory | 165.00 Mb Available Physical Memory | 33.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free

Paging file location(s): C:\pagefile.sys 756 1512 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 47.30 Gb Free Space | 63.47% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded



Computer Name: CFC-SMACKEY

Current User Name: Administrator

Logged in as Administrator.



Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan



========== Processes (SafeList) ==========



PRC - [2010/01/27 15:04:20 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.CONCORDE\Desktop\OTL.exe

PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe

PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe

PRC - [2009/07/25 04:23:22 | 00,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe

PRC - [2009/07/25 04:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe

PRC - [2009/06/01 12:43:46 | 01,501,064 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe

PRC - [2009/06/01 12:43:46 | 00,448,400 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

PRC - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2009/01/20 00:57:24 | 01,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe

PRC - [2009/01/20 00:57:24 | 01,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe

PRC - [2009/01/20 00:57:22 | 02,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe

PRC - [2009/01/14 16:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

PRC - [2008/11/19 11:22:48 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

PRC - [2008/11/19 11:22:46 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe

PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/01/10 10:13:44 | 00,053,248 | ---- | M] (HP) -- C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe

PRC - [2007/06/22 09:34:37 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2007/05/08 15:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

PRC - [2007/01/12 16:45:32 | 00,897,584 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe

PRC - [2007/01/12 16:45:32 | 00,249,904 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe

PRC - [2007/01/12 16:45:28 | 00,251,440 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe

PRC - [2007/01/12 16:45:24 | 00,590,384 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe

PRC - [2005/12/04 18:39:19 | 00,461,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe

PRC - [2005/05/04 00:04:28 | 09,150,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe

PRC - [2005/05/03 22:07:32 | 00,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

PRC - [2005/03/01 11:57:44 | 00,339,968 | ---- | M] (Southwest Airlines) -- C:\Program Files\Southwest Airlines\Ding\Ding.exe

PRC - [2004/09/10 15:32:48 | 00,053,248 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\BrmfBAgS.exe

PRC - [2004/04/14 14:46:50 | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

PRC - [2003/09/04 03:55:54 | 00,524,288 | ---- | M] () -- C:\Program Files\Symmetricom\SymmTime\SymmTime.exe

PRC - [2003/05/08 06:34:32 | 00,069,632 | ---- | M] (adi) -- C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe

PRC - [2003/05/05 10:57:30 | 00,143,360 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

PRC - [2003/03/11 04:24:08 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe

PRC - [2003/03/11 04:11:56 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe

PRC - [2002/09/20 18:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe





========== Modules (SafeList) ==========



MOD - [2010/01/27 15:04:20 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.CONCORDE\Desktop\OTL.exe





========== Win32 Services (SafeList) ==========



SRV - File not found [On_Demand | Stopped] -- -- (Smcinst)

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/04/27 10:43:38 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)

SRV - [2009/01/20 00:57:24 | 01,795,400 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)

SRV - [2009/01/20 00:57:24 | 00,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)

SRV - [2009/01/20 00:57:22 | 02,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2009/01/14 16:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)

SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/11/19 11:22:48 | 00,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)

SRV - [2008/11/19 11:22:48 | 00,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)

SRV - [2008/07/18 12:13:20 | 00,053,760 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)

SRV - [2008/07/18 12:13:20 | 00,044,032 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)

SRV - [2008/06/30 16:36:35 | 03,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)

SRV - [2008/01/29 10:32:44 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)

SRV - [2007/03/11 21:02:52 | 00,131,072 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)

SRV - [2007/01/12 16:45:32 | 00,249,904 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)

SRV - [2005/11/14 00:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2005/05/04 00:04:28 | 09,150,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe -- (MSSQL$FACW)

SRV - [2005/05/03 21:42:56 | 00,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE -- (SQLAgent$FACW)

SRV - [2004/09/10 15:32:48 | 00,053,248 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\BrmfBAgS.exe -- (brmfbags)

SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

SRV - [2002/09/20 18:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))





========== Standard Registry (SafeList) ==========





========== Internet Explorer ==========



IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie





IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3054568116-606813964-587920001-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp

IE - HKU\S-1-5-21-3054568116-606813964-587920001-500\S-1-5-21-3054568116-606813964-587920001-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



FF - HKLM\software\mozilla\Firefox\extensions\\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2}: C:\Documents and Settings\administrator.CONCORDE\Local Settings\Application Data\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2} [2010/01/27 10:12:24 | 00,000,000 | ---D | M]





O1 HOSTS File: ([2008/02/19 08:23:07 | 00,000,807 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 7.0.0.1 localhost

O1 - Hosts: 192.168.10.129 cfc-dc-1.concorde.local

O1 - Hosts: 192.168.9.2 ihc-dc-1.intlhosp.com

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)

O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)

O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-3054568116-606813964-587920001-500\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [CardScanAgent] C:\Program Files\CardScan\CardScan\CardScanAgent.exe (CardScan, Inc.)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)

O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)

O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [itype] c:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)

O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [srmclean] C:\cpqs\scom\srmclean.exe ()

O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)

O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)

O4 - HKU\S-1-5-21-3054568116-606813964-587920001-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\schedupd.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SymmTime.lnk = C:\Program Files\Symmetricom\SymmTime\SymmTime.exe ()

O4 - Startup: C:\Documents and Settings\smackey\Start Menu\Programs\Startup\Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe (InforBit)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-3054568116-606813964-587920001-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB (Hewlett-Packard Printer Diagnostics)

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} http://www.xblock.co...clean_micro.exe (Reg Error: Key error.)

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://friag.webex....ent/ieatgpc.cab (GpcContainer Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = concorde.local

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\GoToMyPC: DllName - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\HPQ1280h.BMP

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*



NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/03/17 06:38:12 | 00,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found



CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16891891626803200)



========== Files/Folders - Created Within 14 Days ==========



[2010/01/27 15:05:27 | 00,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\administrator.CONCORDE\Desktop\OTL.exe

[2010/01/27 13:52:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/01/27 13:52:16 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2010/01/27 10:49:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE\Local Settings\Application Data\Adobe

[2010/01/27 10:34:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE\Application Data\Apple Computer

[2010/01/27 10:12:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE\Local Settings\Application Data\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2}

[2009/07/07 13:05:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\HP

[2008/08/12 16:37:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

[2007/12/03 18:00:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2006/02/28 09:36:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2004/07/20 14:53:19 | 01,905,297 | ---- | C] (Symmetricom - Timing Test & Measurement Division ) -- C:\Program Files\SymmTime2004.exe

[2004/03/17 06:38:09 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2004/03/17 06:38:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2003/09/04 10:57:42 | 00,102,400 | ---- | C] (Symmetricom, Inc.) -- C:\Program Files\ZoneLib.dll

[1998/08/24 08:31:44 | 00,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]



========== Files - Modified Within 14 Days ==========



[2010/01/27 15:04:20 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.CONCORDE\Desktop\OTL.exe

[2010/01/27 14:52:42 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/01/27 14:47:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/01/27 14:47:22 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/01/27 14:47:18 | 52,801,1264 | -HS- | M] () -- C:\hiberfil.sys

[2010/01/27 14:27:13 | 00,068,272 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/01/27 14:14:01 | 01,835,008 | -H-- | M] () -- C:\Documents and Settings\administrator.CONCORDE\NTUSER.DAT

[2010/01/27 14:14:01 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\administrator.CONCORDE\ntuser.ini

[2010/01/27 14:13:48 | 00,002,267 | ---- | M] () -- C:\WINDOWS\SymmTime.ini

[2010/01/27 13:50:50 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Vneqac.dat

[2010/01/27 10:41:27 | 00,000,104 | ---- | M] () -- C:\Documents and Settings\administrator.CONCORDE\Desktop\Recycle Bin.lnk

[2010/01/27 10:34:52 | 00,000,072 | ---- | M] () -- C:\WINDOWS\ZoneLib-DisplayNames.ini

[2010/01/27 10:32:51 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk

[2010/01/27 10:12:37 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Iyonazukohomal.bin

[2010/01/24 18:00:02 | 00,000,412 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for smackey.job

[2010/01/22 17:34:09 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/01/20 09:19:10 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/01/19 18:05:08 | 00,000,048 | ---- | M] () -- C:\WINDOWS\wpd99.drv

[2010/01/19 17:30:38 | 00,001,725 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk

[2010/01/19 17:30:32 | 00,001,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Principia.lnk

[2010/01/14 03:05:08 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]



========== Files Created - No Company Name ==========



[2010/01/27 10:41:26 | 00,000,104 | ---- | C] () -- C:\Documents and Settings\administrator.CONCORDE\Desktop\Recycle Bin.lnk

[2010/01/27 10:12:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Iyonazukohomal.bin

[2010/01/27 10:12:34 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Vneqac.dat

[2010/01/20 09:19:09 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2009/07/07 11:50:41 | 00,000,384 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini

[2009/01/20 12:02:57 | 00,000,608 | -HS- | C] () -- C:\WINDOWS\System32\winzvprt5.sys

[2008/03/28 10:31:57 | 00,000,144 | ---- | C] () -- C:\WINDOWS\Readiris.ini

[2008/03/28 09:41:06 | 00,007,328 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2008/02/11 12:43:19 | 00,000,269 | ---- | C] () -- C:\WINDOWS\DESI.INI

[2008/01/14 15:54:04 | 00,099,712 | ---- | C] () -- C:\WINDOWS\HPBroker.dll

[2008/01/09 13:47:28 | 00,000,050 | ---- | C] () -- C:\WINDOWS\brmx2001.ini

[2008/01/09 13:38:14 | 00,000,386 | ---- | C] () -- C:\WINDOWS\BrmfBidi.ini

[2008/01/09 10:05:18 | 00,000,209 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini

[2008/01/09 10:05:18 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini

[2008/01/09 10:05:17 | 00,000,426 | ---- | C] () -- C:\WINDOWS\brwmark.ini

[2008/01/09 10:05:17 | 00,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI

[2008/01/09 10:04:42 | 00,000,052 | ---- | C] () -- C:\WINDOWS\System32\BrmfBAgP.ini

[2008/01/09 10:04:42 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\BrmfBAgS.ini

[2008/01/09 10:04:35 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL

[2008/01/09 10:02:10 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2007/05/29 13:59:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI

[2007/04/25 12:03:27 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys

[2007/03/16 17:00:00 | 00,003,403 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

[2006/07/28 08:54:58 | 00,000,092 | ---- | C] () -- C:\WINDOWS\dxchange.ini

[2006/07/27 08:46:01 | 00,000,197 | ---- | C] () -- C:\WINDOWS\datapo32.INI

[2006/03/28 11:48:33 | 00,000,048 | ---- | C] () -- C:\WINDOWS\wpd99.drv

[2006/03/28 11:48:19 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini

[2006/03/28 11:46:58 | 00,147,506 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll

[2006/03/28 11:46:58 | 00,050,364 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll

[2006/03/22 15:48:31 | 00,000,459 | ---- | C] () -- C:\WINDOWS\Tcd_D51FB824.ini

[2004/11/09 18:05:04 | 00,000,004 | ---- | C] () -- C:\WINDOWS\uccspecb.sys

[2004/07/20 14:54:34 | 00,002,267 | ---- | C] () -- C:\WINDOWS\SymmTime.ini

[2004/07/20 14:54:34 | 00,000,072 | ---- | C] () -- C:\WINDOWS\ZoneLib-DisplayNames.ini

[2004/07/20 14:54:31 | 00,002,320 | ---- | C] () -- C:\WINDOWS\Default_SymmTime.ini

[2004/04/27 13:04:58 | 00,001,190 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/03/17 06:57:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/03/17 06:51:50 | 00,001,058 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2004/03/17 06:50:22 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll

[2004/03/17 06:49:44 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2004/03/17 06:39:37 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2002/03/04 10:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

[2000/10/23 17:12:34 | 00,012,800 | ---- | C] () -- C:\WINDOWS\System32\std-2.1-vc5.0-mt.dll

[1999/09/22 13:03:54 | 00,100,352 | ---- | C] () -- C:\WINDOWS\System32\PG32CONV.DLL

[1999/03/11 20:07:22 | 00,299,008 | ---- | C] () -- C:\WINDOWS\System32\CRUTL14.DLL



========== LOP Check ==========



[2008/05/08 11:13:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications

[2007/05/14 12:48:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CardScan

[2008/01/09 10:01:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2005/05/09 09:10:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Southwest Airlines

[2009/09/11 17:01:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/04/13 08:25:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

[2007/05/14 12:34:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\CardScan

[2007/01/29 11:41:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\Centra

[2007/05/14 12:43:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\Corex

[2007/01/22 09:30:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\Fidelity Advisor Channel TrainerTool

[2007/01/22 09:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\Fidelity Investments

[2007/04/27 08:56:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\Morningstar

[2006/03/28 11:48:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\pdf995

[2007/04/25 12:04:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\smackey\Application Data\WebEx

[2007/07/19 09:18:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\CardScan

[2008/08/28 09:52:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\Corex

[2009/05/21 16:18:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\Fidelity Advisor CHANNEL

[2008/04/25 09:13:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\Fidelity Advisor Channel TrainerTool

[2007/06/25 04:40:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\Fidelity Investments

[2007/10/19 13:04:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\Morningstar

[2007/06/25 10:08:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\pdf995

[2008/01/09 13:47:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\ScanSoft

[2007/12/12 11:12:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\Walgreens

[2009/11/18 14:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE\Application Data\WebEx

[2007/06/13 14:36:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE6-24\Application Data\Fidelity Advisor Channel TrainerTool

[2007/06/12 08:28:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\SMackey.CONCORDE6-24\Application Data\Fidelity Investments



========== Purity Check ==========







========== Custom Scans ==========





< %SYSTEMDRIVE%\*.exe >

[2008/05/08 11:13:13 | 16,958,464 | ---- | M] (Microsoft Corporation) -- C:\LMSetup.exe





< MD5 for: AGP440.SYS >

[2006/02/28 09:07:19 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2008/12/18 18:12:02 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2006/02/28 09:07:19 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys

[2008/12/18 18:12:02 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

[2004/08/04 00:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys



< MD5 for: ATAPI.SYS >

[2003/03/31 01:00:00 | 10,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys

[2003/03/30 20:00:00 | 10,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys

[2006/02/28 09:07:19 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2008/12/18 18:12:02 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2006/02/28 09:07:19 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys

[2008/12/18 18:12:02 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2002/08/29 03:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ817472$\atapi.sys

[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2004/08/03 23:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2003/04/23 03:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys



< MD5 for: EVENTLOG.DLL >

[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll



< MD5 for: NETLOGON.DLL >

[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2004/08/04 01:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll



< MD5 for: SCECLI.DLL >

[2004/08/04 01:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll



< MD5 for: SYMMPI.SYS >

[2002/04/04 00:32:06 | 00,028,416 | R--- | M] (LSI Logic) MD5=F2B7E8416F508368AC6730E2AE1C614F -- C:\WINDOWS\system32\drivers\symmpi.sys



< %systemroot%\*. /mp /s >



< %systemroot%\system32\*.dll /lockedfiles >

[2009/01/20 00:57:34 | 00,049,480 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\FwsVpn.dll

[2009/01/20 00:57:36 | 00,107,848 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\SymVPN.dll

[2009/01/20 00:57:36 | 00,357,704 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\sysfer.dll

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]



< %systemroot%\Tasks\*.job /lockedfiles >

< End of report >

Attached File(s)

  • Attached File  OTL.Txt (74.24K)
  • Attached File  Extras.Txt (45.01K)


#2 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 30 January 2010 - 01:16 PM

Please only start one topic in this forum.

#3 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 01 February 2010 - 10:05 AM

Hi, I will assist you on this topic as well.

Please download ComboFix and save it to your Desktop.
NOTE: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post C:\Combo-Fix.txt in your next post.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#4 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 02 February 2010 - 10:36 AM

ComboFix 10-02-01.05 - SMackey 02/02/2010 10:06:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.167 [GMT -6:00]
Running from: c:\documents and settings\SMackey.CONCORDE\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\administrator.CONCORDE\Local Settings\Application Data\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2}
c:\documents and settings\administrator.CONCORDE\Local Settings\Application Data\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2}\chrome.manifest
c:\documents and settings\administrator.CONCORDE\Local Settings\Application Data\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2}\chrome\content\_cfg.js
c:\documents and settings\administrator.CONCORDE\Local Settings\Application Data\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2}\chrome\content\overlay.xul
c:\documents and settings\administrator.CONCORDE\Local Settings\Application Data\{A16BDCBB-0051-45E1-83E0-0AE4145C75A2}\install.rdf
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-28 16:52 . 2006-08-02 18:30 45056 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll
2010-01-28 16:52 . 2006-08-02 18:30 102400 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.Practices.EnterpriseLibrary.Configuration.dll
2010-01-28 16:52 . 2006-08-02 18:30 57344 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.Practices.EnterpriseLibrary.Common.dll
2010-01-28 16:52 . 2006-08-02 18:30 36864 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.ApplicationBlocks.Updater.Downloaders.dll
2010-01-28 16:52 . 2006-08-02 18:30 49152 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll
2010-01-28 16:52 . 2009-04-27 18:44 122880 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\fmr.RiaWorkstation.AppStart.exe
2010-01-28 16:52 . 2009-03-03 00:52 49152 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\AxInterop.SHDocVw.dll
2010-01-28 16:52 . 2006-08-02 18:30 118784 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.ApplicationBlocks.Updater.dll
2010-01-28 16:52 . 2006-08-02 18:30 36864 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Interop.WindowsInstaller.dll
2010-01-27 19:52 . 2010-01-27 19:52 -------- d-----w- c:\program files\ERUNT
2010-01-27 16:49 . 2010-01-27 16:49 -------- d-----w- c:\documents and settings\administrator.CONCORDE\Local Settings\Application Data\Adobe
2010-01-27 16:34 . 2010-01-27 16:34 -------- d-----w- c:\documents and settings\administrator.CONCORDE\Application Data\Apple Computer
2010-01-27 16:12 . 2010-01-27 16:12 0 ----a-w- c:\windows\Iyonazukohomal.bin
2010-01-27 16:12 . 2010-01-27 19:50 120 ----a-w- c:\windows\Vneqac.dat
2010-01-13 10:47 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-01 00:00 . 2009-01-16 18:21 -------- d-----w- c:\program files\Norton Security Scan
2010-01-30 04:00 . 2006-02-26 02:21 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-27 20:27 . 2009-07-10 15:11 68272 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-27 19:55 . 2008-08-20 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 16:27 . 2008-12-18 22:21 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-20 15:19 . 2004-04-27 19:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 00:05 . 2006-03-28 17:48 48 ----a-w- c:\windows\wpd99.drv
2010-01-07 22:07 . 2008-08-20 16:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-08-20 16:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2005-10-21 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 14:33 . 2009-12-19 14:33 79488 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-03 18:38 . 2009-01-20 06:57 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-11-21 15:51 . 2003-03-31 02:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 15:31 . 2009-11-16 15:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-16 15:14 . 2009-11-16 15:14 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2004-07-20 20:53 . 2004-07-20 20:53 1905297 ----a-w- c:\program files\SymmTime2004.exe
2003-09-04 16:57 . 2003-09-04 16:57 102400 ----a-w- c:\program files\ZoneLib.dll
2009-01-20 18:02 . 2009-01-20 18:02 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"CardScanAgent"="c:\program files\CardScan\CardScan\CardScanAgent.exe" [2006-10-20 176128]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-11-19 115560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-06-01 1501064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\smackey\Start Menu\Programs\Startup\
Infotriever.lnk - c:\program files\Infotriever\Agent\infoclient.exe [2006-3-21 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-3-1 339968]
Principia Online Update.lnk - c:\program files\Morningstar\Principia\schedupd.exe [2006-2-24 20543]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
SymmTime.lnk - c:\program files\Symmetricom\SymmTime\SymmTime.exe [2004-7-20 524288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 22:45 10800 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

R2 MSSQL$FACW;MSSQL$FACW;c:\program files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/1/2009 8:42 AM 102448]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [1/9/2008 1:37 PM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [1/9/2008 1:38 PM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [1/9/2008 1:37 PM 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [1/9/2008 1:37 PM 61440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe [?]
S3 SQLAgent$FACW;SQLAgent$FACW;c:\program files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-06-01 18:43]

2010-02-01 c:\windows\Tasks\Norton Security Scan for smackey.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 10:18]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: advisorchannel.com\www2
TCP: {288D8F2E-94BF-42D1-AC28-5211E017BC7D} = 192.168.10.129,192.168.9.2
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 10:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(1008)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-02 10:33:58
ComboFix-quarantined-files.txt 2010-02-02 16:33

Pre-Run: 50,568,626,176 bytes free
Post-Run: 51,098,771,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 5E7614FF655C1959F975053390634324

#5 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 02 February 2010 - 11:05 AM

Close any open browsers, and close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\Iyonazukohomal.bin

  • Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#6 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 02 February 2010 - 11:10 AM

Also, run this.
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\winzvprt5.sys


  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#7 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 02 February 2010 - 12:15 PM

Here is the Combo-fix result of the second one (before running that free scan).

Also, is there any reason why it seems that Combo-Fix removed Google Chrome from the machine?

ComboFix 10-02-01.05 - SMackey 02/02/2010 11:47:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.270 [GMT -6:00]
Running from: c:\documents and settings\SMackey.CONCORDE\My Documents\downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\SMackey.CONCORDE\My Documents\downloads\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\windows\Iyonazukohomal.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Iyonazukohomal.bin

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-28 16:52 . 2006-08-02 18:30 45056 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll
2010-01-28 16:52 . 2006-08-02 18:30 102400 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.Practices.EnterpriseLibrary.Configuration.dll
2010-01-28 16:52 . 2006-08-02 18:30 57344 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.Practices.EnterpriseLibrary.Common.dll
2010-01-28 16:52 . 2006-08-02 18:30 36864 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.ApplicationBlocks.Updater.Downloaders.dll
2010-01-28 16:52 . 2006-08-02 18:30 49152 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll
2010-01-28 16:52 . 2009-04-27 18:44 122880 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\fmr.RiaWorkstation.AppStart.exe
2010-01-28 16:52 . 2009-03-03 00:52 49152 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\AxInterop.SHDocVw.dll
2010-01-28 16:52 . 2006-08-02 18:30 118784 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Microsoft.ApplicationBlocks.Updater.dll
2010-01-28 16:52 . 2006-08-02 18:30 36864 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Fidelity Investments\{8e6ed95b-740c-479f-9de6-c1160b3a03a2}\phase2\Interop.WindowsInstaller.dll
2010-01-27 19:52 . 2010-01-27 19:52 -------- d-----w- c:\program files\ERUNT
2010-01-27 16:49 . 2010-01-27 16:49 -------- d-----w- c:\documents and settings\administrator.CONCORDE\Local Settings\Application Data\Adobe
2010-01-27 16:34 . 2010-01-27 16:34 -------- d-----w- c:\documents and settings\administrator.CONCORDE\Application Data\Apple Computer
2010-01-27 16:12 . 2010-01-27 19:50 120 ----a-w- c:\windows\Vneqac.dat
2010-01-13 10:47 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-01 00:00 . 2009-01-16 18:21 -------- d-----w- c:\program files\Norton Security Scan
2010-01-30 04:00 . 2006-02-26 02:21 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-27 20:27 . 2009-07-10 15:11 68272 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-27 19:55 . 2008-08-20 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 16:27 . 2008-12-18 22:21 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-20 15:19 . 2004-04-27 19:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 00:05 . 2006-03-28 17:48 48 ----a-w- c:\windows\wpd99.drv
2010-01-07 22:07 . 2008-08-20 16:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-08-20 16:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2005-10-21 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 14:33 . 2009-12-19 14:33 79488 ----a-w- c:\documents and settings\SMackey.CONCORDE\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-03 18:38 . 2009-01-20 06:57 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-11-21 15:51 . 2003-03-31 02:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 15:31 . 2009-11-16 15:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-16 15:14 . 2009-11-16 15:14 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2004-07-20 20:53 . 2004-07-20 20:53 1905297 ----a-w- c:\program files\SymmTime2004.exe
2003-09-04 16:57 . 2003-09-04 16:57 102400 ----a-w- c:\program files\ZoneLib.dll
2009-01-20 18:02 . 2009-01-20 18:02 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"CardScanAgent"="c:\program files\CardScan\CardScan\CardScanAgent.exe" [2006-10-20 176128]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-11-19 115560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-06-01 1501064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\smackey\Start Menu\Programs\Startup\
Infotriever.lnk - c:\program files\Infotriever\Agent\infoclient.exe [2006-3-21 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-3-1 339968]
Principia Online Update.lnk - c:\program files\Morningstar\Principia\schedupd.exe [2006-2-24 20543]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
SymmTime.lnk - c:\program files\Symmetricom\SymmTime\SymmTime.exe [2004-7-20 524288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 22:45 10800 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

R2 MSSQL$FACW;MSSQL$FACW;c:\program files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/1/2009 8:42 AM 102448]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [1/9/2008 1:37 PM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [1/9/2008 1:38 PM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [1/9/2008 1:37 PM 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [1/9/2008 1:37 PM 61440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe [?]
S3 SQLAgent$FACW;SQLAgent$FACW;c:\program files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-06-01 18:43]

2010-02-01 c:\windows\Tasks\Norton Security Scan for smackey.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 10:18]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: advisorchannel.com\www2
TCP: {288D8F2E-94BF-42D1-AC28-5211E017BC7D} = 192.168.10.129,192.168.9.2
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 12:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1008)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-02 12:12:14
ComboFix-quarantined-files.txt 2010-02-02 18:12

Pre-Run: 51,107,196,928 bytes free
Post-Run: 51,080,851,456 bytes free

- - End Of File - - 0770B8DB36E2CA94D67B6C6C9BB82493

#8 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 02 February 2010 - 12:18 PM

I don't think it removed Google Chrome; it only removed an add-on which was installed via Google Chrome.

#9 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 02 February 2010 - 12:25 PM

File Name : winzvprt5.sys
File Size : 608 byte
File Type : data
MD5 : baf3bfb12c04f83ebb540f4b0a711d6d
SHA1 : a516645f89b72cc28a805d798eea7c24d6ece03c

Scanner results : Scanners did not find malware!
Time : 2010/02/02 12:16:37 (CST)

#10 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 02 February 2010 - 06:47 PM

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Also, run a scan with MBAM and post the results here.

#11 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 03 February 2010 - 09:29 AM

We use Symantec's business-level anti-virus. Will installing this cause problems with that?

#12 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 03 February 2010 - 09:42 AM

Maybe just run a scan with that instead and see if it comes up with anything.

#13 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 14 April 2010 - 12:44 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
