10.4K Posts

September 4th, 2007 14:00

queue_ball

Please download Combofix and save to your desktop:
  • Note: It is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of the C:\ComboFix.txt into your next reply.
  • Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

CastleCops Instructor

MRU Graduate


"The world is what you make of it"

10.4K Posts

September 4th, 2007 17:00

queue_ball

You are most welcome.

Your Combofix log is unreadable as posted.

When you compose and submit your reply, please make sure the box under your text which shows "Automatically convert carriage returns to HTML line breaks" is checked or your reply may not format correctly.

Then repost the Combofix log please.

5 Posts

September 4th, 2007 17:00

bamajim: Thank you for taking the time to lend a hand.

Below is my ComboFix log: _____


5 Posts

September 4th, 2007 17:00

Reposted with HTML line breaks checked. Thanks much. qb
----------

ComboFix 07-09-04.4 - "BAUVERMA" 2007-09-04 11:16:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2488 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
L:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 11:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-03 10:16 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-03 10:16 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-03 10:04 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-08-17 14:53 d-------- C:\Program Files\Lavasoft
2007-08-17 14:53 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-06 15:44 d-------- C:\Program Files\iTunes
2007-08-06 15:44 d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 11:19 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-16 16:29 --------- d-------- C:\DOCUME~1\BRENTA~1\APPLIC~1\U3
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-27 16:30 --------- d-------- C:\Program Files\webbusterz
2007-07-27 16:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\demo
2007-07-19 01:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-16 05:22 --------- d-------- C:\Program Files\QuickTime
2007-07-16 05:20 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-16 05:20 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-16 05:12 --------- d-------- C:\Program Files\Apple Software Update
2007-07-12 18:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 09:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 09:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-01-23 15:59:14 88 --sh--r C:\WINDOWS\system32\57602A4C5C.sys
2007-01-23 16:00:02 4,076 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 09:39]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 11:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-15 11:54]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 15:20]
"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-08-31 10:23]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2003-10-10 12:23]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2005-11-09 16:32]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 C:\WINDOWS\system32\nwtray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-19 10:18]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 13:41]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-12-15 11:49:59]
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-02-06 20:06:30]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-15 11:47:57]
Notify.lnk - C:\Novell\GroupWise\notify.exe [2007-05-24 01:45:24]

C:\DOCUME~1\BRENTA~1\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-03-19 19:08:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0
R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R0 portenum;Intek21 PCI IO Driver;C:\WINDOWS\system32\DRIVERS\portenum.sys
R2 MobilePreInstallerService;MobilePre Installer;C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
R3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\system32\drivers\MA763004.sys
S3 MADFU804;MADFU804;C:\WINDOWS\system32\DRIVERS\MADFU804.sys
S3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys


Contents of the 'Scheduled Tasks' folder
"2007-09-02 18:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 11:20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 11:22:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 11:22

--- E O F ---
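Reading a ComboFix log like the one above by hand means walking three sections: what ComboFix deleted, the Find3M file list with its attribute flags, and the Reg Loading Points autostarts. The script below is an added example (not ComboFix's own code and not part of this thread) that parses those sections and pulls out the entries a helper would look at first: an Autorun.inf removed from a non-system drive, Find3M entries carrying both the hidden and system attributes, Run values given as a bare filename rather than a full path (ComboFix prints the resolved location in the trailing brackets), and a non-empty AppInit_DLLs value, which Windows loads into every process that links user32.dll. The section-marker format, the Find3M field order and the attribute-string decoding are my reading of the log text on this page; the flagged items are things to verify, not verdicts. The embedded sample is an excerpt of the posted log.

```python
"""Triage the sections of a ComboFix log (added example; not ComboFix code).

Section markers, the Find3M field order and the attribute string are my
reading of the log posted on this page; flagged items need manual review.
"""
import re
from dataclasses import dataclass

# Excerpt of the posted ComboFix log, embedded as sample input.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\_000006_.tmp.dll
L:\Autorun.inf

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 11:19 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-01-23 15:59:14 88 --sh--r C:\WINDOWS\system32\57602A4C5C.sys
2007-01-23 16:00:02 4,076 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 09:39]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 11:20 C:\WINDOWS\stsystra.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 C:\WINDOWS\system32\nwtray.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

# "(((( Title ))))" banner lines separate the sections of the log.
SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
# Find3M rows: timestamp, size (or dashes for a directory), attribute string, path.
FIND3M_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?)\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
# "name"="value" [timestamp resolved-path]   or   "name"=value
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<qval>[^"]*)"|(?P<val>\S+))'
    r"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$"
)
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Finding:
    kind: str
    item: str
    note: str


def parse_sections(text):
    """Split the log into {section title: [non-empty lines]}."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["title"]
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return the entries worth a second look, each with the reason."""
    sections = parse_sections(text)
    findings = []
    for path in sections.get("Other Deletions", []):
        low = path.lower()
        if low.endswith("\\autorun.inf") and not low.startswith("c:\\"):
            findings.append(Finding("autorun", path,
                "autorun.inf removed from a non-system drive; check the removable media that was attached"))
    for line in sections.get("Find3M Report", []):
        m = FIND3M_RE.match(line)
        if m and "s" in m["attrs"] and "h" in m["attrs"]:
            findings.append(Finding("hidden-system-file", m["path"],
                f"attributes {m['attrs']}: hidden+system file; verify its publisher"))
    key = None
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km["key"].lower()
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name, meta = vm["name"], vm["meta"] or ""
        value = vm["qval"] if vm["qval"] is not None else vm["val"]
        if name.lower() == "appinit_dlls" and value:
            findings.append(Finding("appinit-dll", value,
                "AppInit_DLLs is non-empty: loaded into every process that loads user32.dll; confirm it belongs to installed software"))
        elif key.endswith("\\run") and not FULL_PATH_RE.match(value):
            resolved = next((t for t in meta.split() if FULL_PATH_RE.match(t)), "(unresolved)")
            findings.append(Finding("bare-filename-run", f"{name}={value}",
                f"Run value is a bare filename found via the search path; ComboFix resolved it to {resolved}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.item}\n    {f.note}")
```

Run against the full posted log the same heuristics surface the same four categories; everything else in the autostart list is printed with its full path and timestamp, which is what the helper compares against known-good software.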

10.4K Posts

September 4th, 2007 19:00

queue_ball

You are most welcome

1. You indicated in your first post that you were running a Kaspersky Online scan. If you did so, please post the scan results. If you did not run it yet then follow the instructions provided and run it now.

Run an online virus scan called Kaspersky from HERE.
  1. Click on "Kaspersky Online Scanner".
  2. A new smaller window will pop up. Press "Accept" after reading the contents.
  3. Now Kaspersky will update the anti-virus database. Let it run.
  4. Click on "Next" -> "Scan Settings", and make sure the database is set to "extended". Check both the scan options, then click OK.
  5. Then click on "My Computer" and the scan will start.
  6. Once finished, save a log as ".txt" to the desktop.
Copy and post the results of the Kaspersky Online scan.


5 Posts

September 4th, 2007 19:00

Kaspersky online scan log, as requested. qb
--------


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 03, 2007 2:29:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/09/2007
Kaspersky Anti-Virus database records: 403086
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
B:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
P:\
S:\
U:\
V:\
W:\
X:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 175211
Number of viruses found: 5
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 03:07:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09780000\4FFE6552.VBN Infected: Backdoor.IRC.Zapchast skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\AUPNP.log Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\cert8.db Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\history.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\key3.db Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\parent.lock Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr2if2zd.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\History\History.IE5\MSHist012007090320070904\index.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temp\wt3A.tmp Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temp\wt3B.tmp Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temp\wt3C.tmp Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temp\wt3D.tmp Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temp\~DF130D.tmp Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temp\~DF5F64.tmp Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temp\~DFDF9.tmp Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brent Auvermann\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Brent Auvermann\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0441NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0655NAV~.TMP Object is locked skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr/data.rar/mirc.ini Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr/data.rar/script.ini Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr/data.rar/svchost.exe Infected: Virus.Win32.Parite.b skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr/data.rar/sup.reg Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr/data.rar Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr RarSFX: infected - 5 skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc285.scr/data.rar/mirc.ini Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc285.scr/data.rar/script.ini Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc285.scr/data.rar/svchost.exe Infected: Virus.Win32.Parite.b skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc285.scr/data.rar/sup.reg Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc285.scr/data.rar Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc285.scr RarSFX: infected - 5 skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc286.scr/data.rar/mirc.ini Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc286.scr/data.rar/script.ini Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc286.scr/data.rar/svchost.exe Infected: Virus.Win32.Parite.b skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc286.scr/data.rar/sup.reg Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc286.scr/data.rar Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc286.scr RarSFX: infected - 5 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\svchost.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\change.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\change.log Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\change.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\change.log Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\change.log Object is locked skipped
S:\BEAN\Bob 2007\Forage Sorghum Silage and\2007 Bushland Hay Trial Data.xls Object is locked skipped
S:\JT\SOFTWARE\UBCD Winxp Password Tools\I386\SYSTEM32\WM_HOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
S:\JT\SOFTWARE\UBCD Winxp Password Tools\PROGRAMS\ultravnc\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
S:\JT\SOFTWARE\UBCD Winxp Password Tools\PROGRAMS\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
S:\JT\SOFTWARE\UBCD Winxp Password Tools\PROGRAMS\vncserver\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
S:\JT\SOFTWARE\UBCD Winxp Password Tools\PROGRAMS\vncserver\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

Scan process completed.
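An added example, not part of the thread: a small Python triage helper for the Kaspersky-style report format posted above. It parses the three record shapes the log contains (locked objects, infected files, and infected archive containers such as the RarSFX `.scr` files), collapses archive members to the file that actually sits on disk, and separates `not-a-virus:` riskware verdicts from malware ones; the sample lines are constructed from the posted log and the masquerading check is an assumption of this example, not something the scanner reports.

```python
import re

# Constructed sample in the format of the Kaspersky scan report posted above
# (verdicts and SID copied from the log, list shortened); not the thread's own code.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr/data.rar/script.ini Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr/data.rar/svchost.exe Infected: Virus.Win32.Parite.b skipped
C:\RECYCLER\S-1-5-21-1180751835-2267464735-3326868351-1006\Dc284.scr RarSFX: infected - 5 skipped
C:\WINDOWS\system\svchost.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
S:\JT\SOFTWARE\UBCD Winxp Password Tools\PROGRAMS\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
Scan process completed.
"""

# One record: <path> then one of three outcomes, always ending in "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<verdict>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+)) skipped$"
)

def parse_report(text):
    """One dict per object record: path, status (locked/infected/container), verdict."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner and summary lines are not object records
        status = "locked" if m["locked"] else "infected" if m["verdict"] else "container"
        verdict = m["verdict"] or (m["container"] and f"{m['container']}:{m['count']}")
        rows.append({"path": m["path"], "status": status, "verdict": verdict})
    return rows

def triage(rows):
    """Split detections into malware vs. 'not-a-virus' riskware, keyed by the on-disk file."""
    malware, riskware = set(), set()
    for r in rows:
        if r["status"] != "infected":
            continue  # locked objects are not findings; containers repeat their members
        on_disk = r["path"].split("/", 1)[0]  # archive member "file/inner" -> "file"
        (riskware if r["verdict"].startswith("not-a-virus:") else malware).add((on_disk, r["verdict"]))
    return sorted(malware), sorted(riskware)

def masquerading(rows):
    """Assumed extra check: a file named svchost.exe that lives outside system32 deserves a look."""
    hits = []
    for r in rows:
        on_disk = r["path"].split("/", 1)[0].lower()
        if on_disk.endswith("\\svchost.exe") and "\\windows\\system32\\" not in on_disk:
            hits.append(r["path"])
    return hits
```

Run against the full pasted report, the malware list reduces the six RECYCLER member lines to the three `.scr` droppers that actually need removing, while the VNC and mIRC hits stay in the riskware list for a human to judge.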

10.4K Posts

September 4th, 2007 20:00

queue_ball

1.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.

  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced." Deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

2. Now let's check some settings on your system.

(2000/XP) Only

  • In the Windows Control Panel:
    If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
    Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties.
    Click the Networking tab.
    Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
    Press OK twice to get out of the Properties screen and reboot if it asks.
    That option might not be available on some systems.

Next, go to Start, Run, type cmd and hit OK.
Type
ipconfig /flushdns (the space between g and / is needed)
then hit Enter, type exit, and hit Enter.

3. Reboot your PC, then rerun HijackThis and post a fresh HijackThis log. And give me an update on how your PC is running now.

CastleCops Instructor

MRU Graduate


"The world is what you make of it"
