MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: Hijack This log, help is appreciated  (Read 3497 times)
wolfe
« on: November 09, 2009, 05:49:10 PM »

Ok, I'm running XP with SP2

I've run my Symantec Virus software, Spybot S&D, Adaware, TrendMicro Housecall, Smitfraud Fix and one other that I don't remember the name of.

Here is my Hijack This log now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:36, on 2009/11/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program files\Cisco Systems\VPN client\cvpnd.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\lotus\notes\nsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Wonderware\Avantis\Common\wwlogsvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Apps\HiJack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psc.uss.com/USS/index.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.psc.uss.com/USS/index.asp
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [P2kAutostart] D:\Documents and Settings\pst246e\Desktop\Razr\P2kCommander-V5.1.0-MR\P2kAutostart.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\engsupp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN client\vpngui.exe
O4 - Global Startup: Printkey2000.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.psc.uss.com/USS/index.asp
O15 - Trusted Zone: http://*.thrust (HKLM)
O15 - Trusted Zone: http://*.timber (HKLM)
O15 - Trusted Zone: http://*.toffee (HKLM)
O15 - Trusted Zone: http://*.toggle (HKLM)
O15 - Trusted Zone: http://*.tootle (HKLM)
O15 - Trusted Zone: http://*.topple (HKLM)
O15 - Trusted Zone: http://*.torque (HKLM)
O15 - Trusted Zone: http://*.torrid (HKLM)
O15 - Trusted Zone: http://*.touchy (HKLM)
O15 - Trusted Zone: http://*.tousle (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stelcorp.stelco.ca
O17 - HKLM\Software\..\Telephony: DomainName = stelcorp.stelco.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stelcorp.stelco.ca
O20 - Winlogon Notify: !SASWinLogon - C:\Apps\Super Anti Spyware\SASWINLO.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program files\Cisco Systems\VPN client\cvpnd.exe
O23 - Service: fastnetsrv  Service (fastnetsrv) - Unknown owner - C:\WINDOWS\system32\FastNetSrv.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9a3d0e831d5f8) (gupdate1c9a3d0e831d5f8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Diagnostics - IBM - C:\lotus\notes\nsd.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Wonderware Logger (WWLOGSVC) - Wonderware Corporation - C:\Program Files\Wonderware\Avantis\Common\wwlogsvc.exe

--
End of file - 10268 bytes
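As an added example (not part of this thread, and not a HijackThis feature), the script below applies the usual HijackThis review heuristics to the entry types seen in the log above: the F2 UserInit list, O4 Run entries that load a DLL through rundll32, O15 wildcard Trusted Zone entries, and O23 services with no vendor or a missing binary. The sample lines are taken from the log; the checks only flag entries for manual review, they do not decide that an entry is malicious.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: six entries lifted from the HijackThis log in this thread,
# chosen so that each heuristic fires at least once and two benign vendor
# entries (ccApp, LiveUpdate) pass through untouched.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O15 - Trusted Zone: http://*.thrust (HKLM)
O23 - Service: fastnetsrv  Service (fastnetsrv) - Unknown owner - C:\WINDOWS\system32\FastNetSrv.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis entry starts with a section tag (R0, F2, O4, O23, ...),
# a separator " - ", then the section-specific body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# On Windows XP the only program Winlogon should launch through UserInit.
EXPECTED_USERINIT = "\\system32\\userinit.exe"


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def check_f2(body: str) -> Optional[str]:
    """F2: anything besides userinit.exe in the UserInit list runs at every logon."""
    m = re.match(r"REG:system\.ini: UserInit=(?P<val>.*)$", body, re.I)
    if not m:
        return None
    entries = [e.strip() for e in m.group("val").split(",") if e.strip()]
    odd = [e for e in entries if not e.lower().endswith(EXPECTED_USERINIT)]
    if not odd:
        return None
    return "extra UserInit program(s) run at logon: " + "; ".join(odd)


def check_o4(body: str) -> Optional[str]:
    """O4: a Run entry that loads a DLL via rundll32 needs the DLL's origin checked."""
    m = re.search(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+\.dll)", body, re.I)
    if m:
        return "rundll32 loads a DLL at startup, verify its publisher: " + m.group("dll")
    return None


def check_o15(body: str) -> Optional[str]:
    """O15: a wildcard pattern relaxes IE security settings for every matching host."""
    m = re.match(r"Trusted Zone: (?P<pat>\S+)", body)
    if m and "*" in m.group("pat"):
        return "wildcard host in the IE Trusted zone: " + m.group("pat")
    return None


def check_o23(body: str) -> Optional[str]:
    """O23: services with no vendor string or a missing binary deserve a look."""
    reasons = []
    if "Unknown owner" in body:
        reasons.append("service has no identified vendor")
    if "(file missing)" in body:
        reasons.append("service binary is missing from disk")
    return "; ".join(reasons) if reasons else None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "F2": check_f2, "O4": check_o4, "O15": check_o15, "O23": check_o23,
}


def triage(log_text: str) -> List[Finding]:
    """Run every section check over a HijackThis log and collect what to review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers and blank lines carry no tag
        check = CHECKS.get(m.group("section"))
        if check is None:
            continue
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and confirm each flagged path against the vendor's documentation or a file hash lookup before acting on it.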
Pancake
Global Moderator
« Reply #1 on: November 09, 2009, 09:25:34 PM »

You will need to download ComboFix.exe. Download ComboFix from any of the links below. You must rename it before saving it. Name it ComFx, and save it to your desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

IMPORTANT!!! Save ComboFix.exe to your Desktop. It is important that it is saved and renamed following this process directly to your desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. More help on your specific AV here: http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComFx.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the ComboFix.txt in your reply.

Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer.

wolfe
« Reply #2 on: November 09, 2009, 11:10:42 PM »

ComboFix Log

ComboFix 09-11-08.03 - engsupp 2009/11/09 17:13.1.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.2.1033.18.1015.518 [GMT -5:00]
Running from: d:\documents and settings\engsupp\Desktop\ComFx.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\msi.exe
c:\windows\system32\3538477.exe
c:\windows\system32\41.exe
c:\windows\system32\6518824.exe
c:\windows\system32\9.tmp
c:\windows\system32\959905.exe
c:\windows\system32\9968988.exe
c:\windows\system32\certstore.dat
c:\windows\system32\clrviddc.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\tmp.reg
d:\documents and settings\engsupp\Start Menu\Programs\Security Tool.lnk

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Service_npf


(((((((((((((((((((((((((   Files Created from 2009-10-09 to 2009-11-09  )))))))))))))))))))))))))))))))
.

2009-11-09 19:56 . 2009-11-09 19:56   --------   d-----w-   d:\documents and settings\engsupp\Application Data\DivX
2009-11-03 16:09 . 2009-11-03 16:09   --------   d-----w-   d:\documents and settings\pst246e\Application Data\DivX
2009-11-03 16:06 . 2009-11-03 16:06   --------   d-----w-   c:\program files\Common Files\DivX Shared
2009-11-03 16:06 . 2009-11-03 16:08   --------   d-----w-   c:\program files\DivX
2009-11-03 15:49 . 1998-04-30 19:56   129024   ----a-w-   c:\windows\UNWISE.EXE
2009-11-03 13:09 . 2004-08-04 00:56   25600   ----a-w-   d:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-03 02:17 . 2009-11-03 02:17   --------   d-----w-   c:\program files\Windows Media Connect 2
2009-11-03 02:12 . 2009-11-03 02:14   --------   d-----w-   c:\windows\system32\drivers\UMDF
2009-11-03 02:01 . 2009-11-03 02:01   --------   d-----w-   d:\documents and settings\pst246e\Application Data\Apple Computer
2009-11-02 18:37 . 2009-11-02 18:40   117760   ----a-w-   d:\documents and settings\pst246e\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-28 13:07 . 2009-10-28 13:07   --------   d-----w-   d:\documents and settings\engsupp\Application Data\AVG8
2009-10-27 05:34 . 2009-10-28 12:23   --------   d-sh--w-   d:\documents and settings\pst246e\Application Data\lowsec
2009-10-26 01:47 . 2009-10-26 01:47   134   ----a-w-   C:\wy33c108.bat
2009-10-25 20:44 . 2009-10-25 20:44   --------   d-----w-   d:\documents and settings\pst246e\Application Data\SUPERAntiSpyware.com
2009-10-25 19:16 . 2009-10-31 19:57   950272   ----a-w-   d:\documents and settings\pst246e\Application Data\DealAssistant\dealassistant.exe
2009-10-25 19:16 . 2009-11-01 05:25   269312   ----a-w-   d:\documents and settings\pst246e\Application Data\DealAssistant\DAUninstall.exe
2009-10-25 19:16 . 2009-11-08 16:50   --------   d-----w-   d:\documents and settings\pst246e\Application Data\DealAssistant
2009-10-25 19:12 . 2009-10-25 19:18   --------   d-sh--w-   d:\documents and settings\pst246e\Application Data\Windows System Defender
2009-10-25 19:12 . 2009-10-25 19:12   --------   d-sh--w-   d:\documents and settings\All Users\Application Data\WSDDSys
2009-10-11 20:29 . 2009-07-23 16:04   38056   ----a-w-   c:\windows\system32\drivers\WGX.SYS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 16:21 . 2009-03-13 11:38   --------   d-----w-   d:\documents and settings\All Users\Application Data\Google Updater
2009-11-08 01:28 . 2009-01-15 15:58   --------   d-----w-   d:\documents and settings\All Users\Application Data\vulScan
2009-11-06 14:31 . 2009-01-19 14:37   --------   d-----w-   c:\program files\pdf995
2009-11-02 17:21 . 1980-01-01 00:00   12800   ----a-w-   c:\windows\system32\winver.exe
2009-11-01 05:20 . 2009-07-23 16:09   196608   -c--a-w-   d:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\program files\Symantec\SEP\XDelta\xdelta3.exe
2009-11-01 05:15 . 2008-08-25 16:53   44032   ----a-w-   c:\windows\system32\wbem\scrcons.exe
2009-11-01 05:15 . 2008-08-25 16:53   24064   ----a-w-   c:\windows\system32\wbem\unsecapp.exe
2009-11-01 05:14 . 2008-08-25 16:53   23552   ----a-w-   c:\windows\system32\wbem\mofcomp.exe
2009-11-01 05:13 . 2008-08-25 16:53   366080   ----a-w-   c:\windows\system32\wbem\wmic.exe
2009-11-01 05:12 . 2008-08-25 16:53   203776   ----a-w-   c:\windows\system32\wbem\wmiadap.exe
2009-11-01 05:12 . 2008-08-25 16:53   20480   ----a-w-   c:\windows\system32\wbem\winmgmt.exe
2009-11-01 05:12 . 2008-08-25 16:53   123392   ----a-w-   c:\windows\system32\wbem\wbemtest.exe
2009-11-01 04:51 . 2008-08-25 16:55   157696   ----a-w-   c:\windows\pchealth\UploadLB\Binaries\UploadM.exe
2009-11-01 04:49 . 2008-08-25 16:55   42496   ----a-w-   c:\windows\pchealth\helpctr\binaries\notiflag.exe
2009-11-01 04:47 . 2008-08-25 16:55   26112   ----a-w-   c:\windows\pchealth\helpctr\binaries\HscUpd.exe
2009-11-01 04:47 . 2008-08-25 16:55   751104   ----a-w-   c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2009-11-01 04:46 . 2008-08-25 16:55   107008   ----a-w-   c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2009-10-31 20:33 . 1980-01-01 00:00   37888   ----a-w-   c:\windows\system32\xcopy.exe
2009-10-31 20:33 . 1980-01-01 00:00   39424   ----a-w-   c:\windows\system32\wupdmgr.exe
2009-10-31 20:33 . 1980-01-01 00:00   20992   ----a-w-   c:\windows\system32\wscntfy.exe
2009-10-31 20:33 . 2008-08-25 16:54   12800   ----a-w-   c:\windows\system32\write.exe
2009-10-31 20:33 . 1980-01-01 00:00   39424   ----a-w-   c:\windows\system32\wpnpinst.exe
2009-10-31 20:33 . 1980-01-01 00:00   39424   ----a-w-   c:\windows\system32\wpabaln.exe
2009-10-31 20:32 . 2006-10-26 18:45   300544   ----a-w-   c:\windows\system32\WISPTIS.EXE
2009-10-31 20:32 . 1980-01-01 00:00   18944   ----a-w-   c:\windows\system32\winmsd.exe
2009-10-31 20:32 . 1980-01-01 00:00   15360   ----a-w-   c:\windows\system32\winhlp32.exe
2009-10-31 20:32 . 1980-01-01 00:00   72704   ----a-w-   c:\windows\system32\wextract.exe
2009-10-31 20:32 . 1980-01-01 00:00   56832   ----a-w-   c:\windows\system32\w32tm.exe
2009-10-31 20:32 . 1980-01-01 00:00   40960   ----a-w-   c:\windows\system32\vssadmin.exe
2009-10-31 20:32 . 1980-01-01 00:00   105472   ----a-w-   c:\windows\system32\verifier.exe
2009-10-31 20:30 . 1980-01-01 00:00   19456   ----a-w-   c:\windows\system32\tcmsetup.exe
2009-10-31 20:29 . 1980-01-01 00:00   27136   ----a-w-   c:\windows\system32\ssbezier.scr
2009-10-31 20:28 . 2008-08-25 16:53   23040   ----a-w-   c:\windows\system32\rwinsta.exe
2009-10-31 20:27 . 1980-01-01 00:00   18432   ----a-w-   c:\windows\system32\rasdial.exe
2009-10-31 20:26 . 2002-08-29 13:00   93696   ----a-w-   c:\windows\system32\opeia.exe
2009-10-31 20:26 . 1980-01-01 00:00   74752   ----a-w-   c:\windows\system32\openfiles.exe
2009-10-31 20:26 . 1980-01-01 00:00   73728   ----a-w-   c:\windows\system32\odbcconf.exe
2009-10-31 20:26 . 1980-01-01 00:00   133632   ----a-w-   c:\windows\system32\nwscript.exe
2009-10-31 20:26 . 1980-01-01 00:00   83968   ----a-w-   c:\windows\system32\nslookup.exe
2009-10-31 20:26 . 1980-01-01 00:00   44032   ----a-w-   c:\windows\system32\netstat.exe
2009-10-31 20:26 . 1980-01-01 00:00   93184   ----a-w-   c:\windows\system32\netsh.exe
2009-10-31 20:26 . 1980-01-01 00:00   338944   ----a-w-   c:\windows\system32\netsetup.exe
2009-10-31 20:25 . 1980-01-01 00:00   118272   ----a-w-   c:\windows\system32\netdde.exe
2009-10-31 20:25 . 1980-01-01 00:00   11264   ----a-w-   c:\windows\system32\nddeapir.exe
2009-10-31 20:25 . 1980-01-01 00:00   27648   ----a-w-   c:\windows\system32\nbtstat.exe
2009-10-31 20:25 . 2008-08-25 16:55   19456   ----a-w-   c:\windows\system32\mstinit.exe
2009-10-31 20:25 . 1980-01-01 00:00   13824   ----a-w-   c:\windows\system32\msswchx.exe
2009-10-31 20:24 . 2008-08-25 16:53   28160   ----a-w-   c:\windows\system32\msg.exe
2009-10-31 20:24 . 1980-01-01 00:00   19968   ----a-w-   c:\windows\system32\mrinfo.exe
2009-10-31 20:24 . 1980-01-01 00:00   124416   ----a-w-   c:\windows\system32\mqtgsvc.exe
2009-10-31 20:24 . 1980-01-01 00:00   11776   ----a-w-   c:\windows\system32\mqsvc.exe
2009-10-31 20:24 . 1980-01-01 00:00   27136   ----a-w-   c:\windows\system32\mqbkup.exe
2009-10-31 20:24 . 2008-08-25 16:53   130560   ----a-w-   c:\windows\system32\mplay32.exe
2009-10-31 20:24 . 1980-01-01 00:00   15360   ----a-w-   c:\windows\system32\mountvol.exe
2009-10-31 20:24 . 1980-01-01 00:00   822272   ----a-w-   c:\windows\system32\mmc.exe
2009-10-31 20:23 . 1980-01-01 00:00   58880   ----a-w-   c:\windows\system32\migpwd.exe
2009-10-31 20:23 . 1980-01-01 00:00   92672   ----a-w-   c:\windows\system32\makecab.exe
2009-10-31 20:23 . 1980-01-01 00:00   15360   ----a-w-   c:\windows\system32\lpr.exe
2009-10-31 20:23 . 1980-01-01 00:00   13312   ----a-w-   c:\windows\system32\lpq.exe
2009-10-31 20:23 . 2008-08-25 16:53   22528   ----a-w-   c:\windows\system32\logoff.exe
2009-10-31 20:23 . 1980-01-01 00:00   66560   ----a-w-   c:\windows\system32\logman.exe
2009-10-31 20:23 . 1980-01-01 00:00   12288   ----a-w-   c:\windows\system32\lodctr.exe
2009-10-31 20:23 . 1980-01-01 00:00   32256   ----a-w-   c:\windows\system32\lnkstub.exe
2009-10-31 20:23 . 1980-01-01 00:00   36864   ----a-w-   c:\windows\system32\lights.exe
2009-10-31 20:23 . 1980-01-01 00:00   16896   ----a-w-   c:\windows\system32\label.exe
2009-10-31 20:23 . 2008-08-25 17:50   42496   ----a-w-   c:\windows\system32\kill.exe
2009-10-31 20:21 . 1980-01-01 00:00   62464   ----a-w-   c:\windows\system32\getmac.exe
2009-10-31 20:20 . 1980-01-01 00:00   84992   ----a-w-   c:\windows\system32\eventtriggers.exe
2009-10-31 20:20 . 1980-01-01 00:00   57344   ----a-w-   c:\windows\system32\eventcreate.exe
2009-10-31 20:20 . 1980-01-01 00:00   200192   ----a-w-   c:\windows\system32\eudcedit.exe
2009-10-31 20:20 . 1980-01-01 00:00   46592   ----a-w-   c:\windows\system32\esentutl.exe
2009-10-31 20:20 . 1980-01-01 00:00   1302528   ----a-w-   c:\windows\system32\dxdiag.exe
2009-10-31 20:20 . 1980-01-01 00:00   25088   ----a-w-   c:\windows\system32\dvdupgrd.exe
2009-10-31 20:20 . 1980-01-01 00:00   65536   ----a-w-   c:\windows\system32\driverquery.exe
2009-10-31 20:18 . 1980-01-01 00:00   102400   ----a-w-   c:\windows\system32\cscript.exe
2009-10-31 20:17 . 2008-08-25 16:53   121856   ----a-w-   c:\windows\system32\calc.exe
2009-10-31 20:16 . 1998-10-29 21:45   313856   ----a-w-   c:\windows\IsUninst.exe
2009-10-31 20:16 . 2009-10-11 15:57   753664   ----a-w-   c:\windows\diskperfm.exe
2009-10-31 20:15 . 1980-01-01 00:00   521728   ----a-w-   c:\windows\system32\logonui.exe
2009-10-31 20:13 . 2008-08-25 16:53   69632   ----a-w-   c:\windows\system32\rdpclip.exe
2009-10-31 20:11 . 1980-01-01 00:00   15360   ----a-w-   c:\windows\system32\control.exe
2009-10-31 20:09 . 1980-01-01 00:00   25600   ----a-w-   c:\windows\system32\secedit.exe
2009-10-31 20:05 . 1980-01-01 00:00   290816   ----a-w-   c:\windows\winhlp32.exe
2009-10-31 20:03 . 2009-01-15 15:57   32768   ----a-w-   c:\windows\system32\msgsys.exe
2009-10-31 20:02 . 2009-01-15 15:57   65536   ----a-w-   c:\windows\system32\LDCmd32.EXE
2009-10-31 20:02 . 1980-01-01 00:00   52736   ----a-w-   c:\windows\system32\drwtsn32.exe
2009-10-31 20:02 . 1980-01-01 00:00   227840   ----a-w-   c:\windows\system32\logon.scr
2009-10-31 20:02 . 2009-01-15 15:57   31744   ----a-w-   c:\windows\system32\poweroff.exe
2009-10-31 20:01 . 2008-08-25 16:55   165376   ----a-w-   c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-10-31 19:58 . 2008-08-25 16:55   775680   ----a-w-   c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
2009-10-31 19:57 . 1980-01-01 00:00   184320   ----a-w-   c:\windows\system32\dwwin.exe
2009-10-31 19:55 . 1980-01-01 00:00   102400   ----a-w-   c:\windows\system32\igfxext.exe
2009-10-31 19:55 . 1980-01-01 00:00   139776   ----a-w-   c:\windows\system32\rsvp.exe
2009-10-31 19:55 . 2008-08-25 16:53   133632   ----a-w-   c:\windows\system32\wbem\wmiapsrv.exe
2009-10-31 19:55 . 1980-01-01 00:00   296960   ----a-w-   c:\windows\system32\vssvc.exe
2009-10-31 19:55 . 1980-01-01 00:00   17920   ----a-w-   c:\windows\hh.exe
2009-10-31 19:55 . 2008-08-25 16:53   13312   ----a-w-   c:\windows\system32\msdtc.exe
2009-10-31 19:54 . 1980-01-01 00:00   17920   ----a-w-   c:\windows\system32\dumprep.exe
2009-10-31 19:54 . 1980-01-01 00:00   36864   ----a-w-   c:\windows\system32\odbcad32.exe
2009-10-31 19:54 . 1980-01-01 00:00   71168   ----a-w-   c:\windows\system32\cleanmgr.exe
.

------- Sigcheck -------

[-] 2009-11-02 . 3626739051265D92503FDD04B3A230E7 . 65024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2009-11-02 . 65D667C3F6EE8528BBC37984AAFB00BC . 65024 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2009-10-31 . E0AB6C4E80EF88609D88EA46015EB466 . 65024 . . [5.1.2600.2696] . . c:\windows\system32\dllcache\spoolsv.exe
[-] 2009-10-31 . E8A393B0029D7AD37B70E63BF7EDDB14 . 65024 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe

[-] 2009-10-31 . 5543887AB1607D3E31C963B770C793FC . 31744 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe
[-] 2009-10-31 . E555879FD99273B69B74C4845E67CF4F . 31744 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2009-10-31 . A5AB4E0D92B640F14C232F11379AD5E5 . 1039360 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe
[-] 2009-10-31 . AA1041E4E7895CAD0A4E4B4523D51A7C . 1039360 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2009-10-31 . 44644A9C13A0D16A7E41E6C8D3DC58C6 . 20992 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\wscntfy.exe
[-] 2009-10-31 . BE5562DF6EEE39F141235F9244B5E9B6 . 20992 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe

[-] 2009-10-31 . 49586A524D109DA25B25528949645EEF . 22528 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
[-] 2009-10-31 . 8EAA66157258FC92E6DFC19DABA436E3 . 22528 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documents and settings\engsupp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2009-10-31 159744]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2009-10-31 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-10-31 81920]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2009-10-31 118784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2009-10-31 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-27 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-03 115560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-31 421888]
"Logitech Utility"="LOGI_MWX.EXE" - c:\windows\LOGI_MWX.EXE [2009-10-31 28160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-10-31 22528]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD LT Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN client\vpngui.exe [2009-1-15 1421328]
Printkey2000.lnk - c:\windows\Installer\{7E6CB159-AE11-4B11-960C-4DC6D48ACEE2}\Icon7E6CB159.exe [2008-8-25 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\apps\Super Anti Spyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05   356352   ----a-w-   c:\apps\Super Anti Spyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\WINDOWS\\system32\\msgsys.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"= c:\\PROGRA~1\\MI3AA1~1\\wcescomm.exe
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"= c:\\PROGRA~1\\MI3AA1~1\\WCESMgr.exe
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R1 SASDIFSV;SASDIFSV;c:\apps\Super Anti Spyware\sasdifsv.sys [2009/01/15 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\apps\Super Anti Spyware\SASKUTIL.SYS [2009/01/15 4:17 PM 55024]
R2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [2009/03/23 9:03 AM 159744]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [2009/01/15 10:57 AM 143360]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\lotus\notes\nsd.exe -svcinvoke -ini "c:\lotus\notes\notes.ini" --> c:\lotus\notes\nsd.exe -svcinvoke -ini c:\lotus\notes\notes.ini [?]
R2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [2009/01/15 10:57 AM 339968]
R2 WWLOGSVC;Wonderware Logger;c:\program files\Wonderware\Avantis\Common\wwlogsvc.exe [2009/06/05 2:31 PM 40960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009/09/10 9:39 AM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009/01/15 2:45 PM 80384]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2009/01/15 10:57 AM 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2009/01/15 10:57 AM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2009/01/15 10:57 AM 3712]
S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [1979/12/31 7:00 PM 14336]
S2 fastnetsrv;fastnetsrv  Service;c:\windows\system32\FastNetSrv.exe --> c:\windows\system32\FastNetSrv.exe [?]
S2 gupdate1c9a3d0e831d5f8;Google Update Service (gupdate1c9a3d0e831d5f8);c:\program files\Google\Update\GoogleUpdate.exe [2009/03/13 6:43 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008/12/03 9:28 AM 23888]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009/01/25 8:56 PM 40832]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\Ora81\bin\ONRSD.EXE [2008/08/25 1:05 PM 242328]
S3 SASENUM;SASENUM;c:\apps\Super Anti Spyware\SASENUM.SYS [2009/01/15 4:17 PM 7408]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
BtwSrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{XP_UserTweak}]
c:\windows\system32\XP_Current_User_RunOnce.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\QuickLaunch]
Regedit.exe /S c:\windows\System32\QuickLaunch.reg

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\RealPlayer Enterprise]
regedit.exe /s "c:\program files\Real\RealPlayer Enterprise\RealPlayerConfig\MimeType.reg"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2800A44D-B9CA-4359-9CD5-45BA9469065B}]
c:\windows\msagent\agentdpv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3282CE82-00B9-4E3A-9BFC-749CCF539395}]
msiexec /fup {3282CE82-00B9-4E3A-9BFC-749CCF539395} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6815FCDD-401D-481E-BA88-31B4754C2B46}]
msiexec /fup {6815FCDD-401D-481E-BA88-31B4754C2B46} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E8EA10C6-3C01-4411-B6BF-B1FC294D9EF8}]
msiexec /fup {E8EA10C6-3C01-4411-B6BF-B1FC294D9EF8} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-13 23:31]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-13 11:42]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-13 11:42]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-345979002-2643468011-2963444719-1009Core.job
- d:\documents and settings\engsupp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 00:43]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-345979002-2643468011-2963444719-1009UA.job
- d:\documents and settings\engsupp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 00:43]

2009-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-445146387-157309287-390072313-13104Core.job
- d:\documents and settings\pst246e\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 00:43]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-445146387-157309287-390072313-13104UA.job
- d:\documents and settings\pst246e\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.psc.uss.com/USS/index.asp
uInternet Connection Wizard,ShellNext = hxxp://www.psc.uss.com/USS/index.asp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: thrust
Trusted Zone: timber
Trusted Zone: toffee
Trusted Zone: toggle
Trusted Zone: tootle
Trusted Zone: topple
Trusted Zone: torque
Trusted Zone: torrid
Trusted Zone: touchy
Trusted Zone: tousle
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-P2kAutostart - d:\documents and settings\pst246e\Desktop\Razr\P2kCommander-V5.1.0-MR\P2kAutostart.exe
SafeBoot-Symantec Antvirus
AddRemove-Recovery Toolbox for Outlook_is1 - d:\documents and settings\pst246e\Desktop\Recovery Toolbox for Outlook\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 17:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1256)
c:\apps\Super Anti Spyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN client\cvpnd.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\progra~1\LANDesk\LDClient\collector.exe
c:\windows\system32\CBA\pds.exe
c:\progra~1\LANDesk\LDClient\LDregwatch.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\lotus\notes\nsd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\Apntex.exe
c:\program files\PrintKey2000\Printkey2000.exe
c:\program files\Symantec\Symantec Endpoint Protection\SescLU.exe
c:\program files\Symantec\LiveUpdate\luall.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-11-09 18:01 - machine was rebooted
ComboFix-quarantined-files.txt  2009-11-09 23:01

Pre-Run: 10,412,916,736 bytes free
Post-Run: 10,280,230,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 543AFE9B16A61166B1EED8B174B77795

Pancake
Global Moderator
Hero Member
« Reply #3 on: November 09, 2009, 11:33:24 PM »

That's fixed the problem. You should be fine now. Just delete this file if it's still there: C:\WINDOWS\system32\drivers\smss.exe

This will clear away any of the files and folders that were created by ComboFix.

Go to:
Start > Run, then copy and paste the following highlighted (blue) text below into the box and click OK.

ComboFix /u

Please read these for future reference; it may save you future problems with malware:


http://www.pchelpforum.com/fixed-hijackthis-logs/59327-now-you-all-clean-afterwork.html

http://www.pchelpforum.com/fixed-hijackthis-logs/64964-so-you-want-prevent-happening.html

http://www.pchelpforum.com/fixed-hijackthis-logs/57400-how-did-i-get-infected.html

« Last Edit: November 09, 2009, 11:38:53 PM by Pancake »

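A defender-side check tied to the file flagged in the reply above (a copy of smss.exe under \drivers\ rather than System32): it scans a ComboFix/HijackThis-style log for core system process names running from the wrong directory. This is an added example, not code from the thread or from ComboFix/HijackThis; the expected-location table and the sample log lines are constructed assumptions.

```python
"""Flag well-known Windows system binary names that appear outside their
expected directory in a ComboFix/HijackThis-style log.
Added example: not part of the thread and not ComboFix or HijackThis code.
The location table and sample log lines are constructed for this example."""
import re

# Core XP processes that legitimately run only from %windir%\System32.
# Constructed allow-list for this example; not exhaustive.
EXPECTED_DIR = {name: r"c:\windows\system32" for name in (
    "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
)}

# A drive-letter path ending in .exe, anywhere on a line (process lists,
# R2/S3 service lines, firewall AuthorizedApplications entries).
PATH_RE = re.compile(r'[a-z]:\\[^\r\n"]+?\.exe', re.IGNORECASE)

def _normalize_dir(directory):
    # Firewall entries escape backslashes ("c:\\WINDOWS\\..."); collapse them
    # and drop a trailing separator so the comparison is exact.
    return directory.lower().replace("\\\\", "\\").rstrip("\\")

def suspicious_paths(log_text):
    """Return (path_as_logged, expected_dir) for every system binary name
    found in a directory other than the one it should run from."""
    hits = []
    for path in PATH_RE.findall(log_text):
        directory, _, name = path.rpartition("\\")
        expected = EXPECTED_DIR.get(name.lower())
        if expected is not None and _normalize_dir(directory) != expected:
            hits.append((path, expected))
    return hits

# Constructed sample lines in the log's format (not the thread's real lines);
# the drivers\smss.exe entry is the case the reply above points at.
SAMPLE_LOG = "\n".join([
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\drivers\smss.exe",
    r"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe",
    r"S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [1979/12/31 7:00 PM 14336]",
    r'"c:\\Documents and Settings\\user\\svchost.exe"=',
])

if __name__ == "__main__":
    for path, expected in suspicious_paths(SAMPLE_LOG):
        print("SUSPICIOUS: %s (expected under %s)" % (path, expected))
```

A name in the table that shows up under \drivers\, a user profile, or any other directory is worth a closer look; a match in System32 with the same name says nothing about the file's integrity, so it is a triage filter, not a verdict.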
wolfe
Full Member
« Reply #4 on: November 09, 2009, 11:50:37 PM »

Thank you very much, you are always a lifesaver, Pancake.

Pancake
Global Moderator
Hero Member
« Reply #5 on: November 10, 2009, 12:34:30 AM »

Ok. Not a problem.