Vundo - I think... Explorer.exe crashing
Thread Solved
Not meaning to "step on toes" here, but caperjack has informed me you have a double post going here
http://www.daniweb.com/forums/post76...tml#post769217
and since I didn't realize this and don't know if you will go back to the other thread, I wanted to post this in this one also.
You note in this thread right here that you have tried multiple anti-virus programs, including CA, AVG, and also Avira. I didn't have this information in my post to you in the other thread, but there I also noticed in the log you posted that you currently have CA running and also Norton.
You obviously are not uninstalling all of these anti-virus programs completely. You must UNINSTALL all of these except one of them. Running more than one at a time will certainly complicate your problems.
I am not certain which two HJT logs Suspishio is comparing; the two I see here are pretty much the same.
I will repeat here some of what I posted in the other thread since we don't know which one the poster is checking on:
Judy
I do have eTrust; however, I am not 'allowed' to uninstall it. Is that a show stopper? I can, however, stop all the services.
I do not have Norton anti-virus installed. Only Ghost.
Thanks,
Brian
OK then on Norton. Can I ask why you are not allowed to uninstall eTrust? Is this a work computer or something? What about those trusted sites I noted?
Judy
Regarding the trusted sites - they are all intranet sites... work related...
Thanks,
Brian
Yes, work PC. Not getting any help from work IT support. They suggest I re-image.
I hesitate to offer suggestions which may violate your work rules. Is it possible that there are other computers infected on this work network?
Have you updated all the removal programs and then disconnected the internet cord and run all of these without being connected to the network? If you can rule your computer totally clean, then I would think there is a chance of another infected computer within the network spreading this to everyone else. I don't know that this is the case, but it is something to think about.
Here is one thing you have not tried; if it doesn't violate your work rules, you could do the following:
Download ComboFix
Click on the Save button and then, when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the ComboFix icon on the desktop.
* Close all open windows, including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix.
Double-click the ComboFix icon on the desktop to run the program.
Windows will issue a prompt asking whether you wish to run the program; click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.
Now just sit back and allow the program to run.
Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
When all is complete, please post back here with that log.
I'll try your suggestion with ComboFix and post results.
Thanks again.
Brian
ComboFix 09-01-01.02 - smibr13 2009-01-02 11:56:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3318.2520 [GMT -6:00]
Running from: c:\my documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\SMIBR13\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\windows\g32.txt
c:\windows\gs32.txt
c:\windows\system32\ayagobis.ini
c:\windows\system32\ebenimit.ini
c:\windows\system32\gorumiba.dll
c:\windows\system32\gujayiwo.dll
c:\windows\system32\hapafese.dll
c:\windows\system32\imuwisuv.ini
c:\windows\system32\ivetateh.ini
c:\windows\system32\operabem.ini
c:\windows\system32\pepilose.dll
c:\windows\system32\remaduvi.dll
c:\windows\system32\uyetoril.ini
c:\windows\system32\uyijegiy.ini
c:\windows\system32\vGikTvut.ini
c:\windows\system32\vGikTvut.ini2
c:\windows\system32\wedusoha.dll
c:\windows\Tasks\rhiewagy.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASPIMGR
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.
2009-01-02 11:30 . 2007-05-10 10:23 4,952,064 --a------ c:\windows\system32\stacgui.cpl
2009-01-02 11:30 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\system32\stlang.dll
2009-01-02 11:30 . 2007-05-10 10:24 1,222,840 --a------ c:\windows\system32\drivers\sthda.sys
2009-01-02 11:30 . 2007-05-10 10:22 405,504 --a------ c:\windows\stsystra.exe
2009-01-02 11:30 . 2007-05-10 10:23 270,336 --a------ c:\windows\system32\stacapi.dll
2009-01-02 11:30 . 2007-08-21 09:58 146,944 --a------ c:\windows\system32\st325602.dll
2008-12-31 13:41 . 2009-01-01 07:51 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-31 12:20 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 12:20 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 13:48 . 2008-12-30 13:48 <DIR> d-------- C:\pre-sales
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\program files\iTunes
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\program files\iPod
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 00:39 . 2008-12-23 00:39 <DIR> d-------- c:\program files\Bonjour
2008-12-23 00:38 . 2008-12-23 00:39 <DIR> d-------- c:\program files\QuickTime
2008-12-22 22:09 . 2008-12-22 22:11 <DIR> d-------- c:\program files\Creative
2008-12-22 19:46 . 2008-12-22 19:53 <DIR> d-------- c:\program files\MockupScreens
2008-12-22 18:01 . 2009-01-02 12:03 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Dropbox
2008-12-22 18:00 . 2008-12-22 18:01 <DIR> d-------- c:\program files\Dropbox
2008-12-22 11:36 . 2001-07-13 13:56 14,976 --a------ c:\windows\system32\drivers\SBKUPNT.SYS
2008-12-22 11:36 . 1997-02-08 17:11 13,312 --a------ c:\windows\system32\DEVLOAD.EXE
2008-12-22 11:36 . 2005-11-26 19:45 2,799 --a------ c:\windows\SKLANG.INI
2008-12-19 22:44 . 2008-12-19 22:44 <DIR> d-------- c:\temp\tools
2008-12-19 13:22 . 2008-12-19 13:23 <DIR> d-------- c:\program files\MPEG Stream
2008-12-19 04:30 . 2008-12-19 04:30 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-18 23:39 . 2008-12-18 23:39 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 23:33 . 2008-12-18 23:33 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\MPEG Streamclip
2008-12-18 21:44 . 2008-12-18 23:58 <DIR> d-------- c:\program files\Elecard
2008-12-18 21:16 . 2008-12-18 21:16 <DIR> d-------- c:\program files\VideoLAN
2008-12-18 10:59 . 2008-12-18 10:59 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Research In Motion
2008-12-18 10:59 . 2008-12-18 13:32 256 --a------ c:\windows\system32\pool.bin
2008-12-18 10:03 . 2008-12-18 10:03 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\InstallShield
2008-12-18 10:02 . 2008-12-18 10:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-18 10:00 . 2008-12-18 10:01 <DIR> d-------- c:\program files\Roxio
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-18 09:59 . 2008-12-18 09:59 <DIR> d-------- c:\program files\Research In Motion
2008-12-18 09:59 . 2008-12-18 10:48 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-17 23:45 . 2008-12-17 23:45 <DIR> d-------- c:\program files\Sigmatel
2008-12-17 23:22 . 1999-10-10 19:00 41,984 --------- c:\windows\Ctregrun.exe
2008-12-17 23:20 . 2003-03-05 12:19 15,840 --------- c:\windows\system32\drivers\PFMODNT.SYS
2008-12-17 22:44 . 2008-12-17 22:44 <DIR> d-------- c:\program files\iXi Tools
2008-12-17 00:29 . 2008-12-31 12:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 00:29 . 2008-12-17 00:29 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Malwarebytes
2008-12-17 00:29 . 2008-12-17 00:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 12:59 . 2008-12-16 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-16 08:39 . 2006-06-06 14:20 241,721 --a------ c:\windows\system32\HPBMINI.DLL
2008-12-16 08:39 . 2005-06-20 14:33 163,840 --a------ c:\windows\system32\HPJCMN2U.DLL
2008-12-16 08:39 . 2005-06-20 14:33 94,208 --a------ c:\windows\system32\HPJIPX1U.DLL
2008-12-16 08:39 . 2006-05-11 18:15 52,736 --a------ c:\windows\system32\HPZIPM12.DLL
2008-12-16 08:39 . 2005-06-20 14:33 49,152 --a------ c:\windows\system32\HPBNRAC2.DLL
2008-12-16 08:39 . 2006-05-11 18:15 43,520 --a------ c:\windows\system32\HPZINW12.DLL
2008-12-16 08:39 . 2007-02-06 16:29 39,424 --a------ c:\windows\system32\HPBPRO.DLL
2008-12-16 08:39 . 2007-02-06 16:29 25,600 --a------ c:\windows\system32\HPBOID.DLL
2008-12-16 08:39 . 2007-02-06 16:29 24,576 --a------ c:\windows\system32\HPBMIAPI.DLL
2008-12-16 08:39 . 2006-11-02 19:32 18,747 --a------ c:\windows\system32\HPCEAC06.HPI
2008-12-16 08:39 . 2007-02-06 16:29 7,680 --a------ c:\windows\system32\HPBPROPS.DLL
2008-12-16 08:39 . 2007-02-06 16:29 7,680 --a------ c:\windows\system32\HPBOIDPS.DLL
2008-12-12 15:47 . 2008-12-12 15:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2008-12-02 19:02 . 2008-12-02 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software
2008-12-02 18:18 . 2008-12-02 18:18 <DIR> d-------- c:\program files\DVD Decrypter
2008-12-02 18:17 . 2008-12-02 18:17 <DIR> d-------- c:\program files\DVD Shrink
2008-12-02 18:17 . 2008-12-02 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 18:03 --------- d-----w c:\documents and settings\SMIBR13\Application Data\VMware
2009-01-02 18:03 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-01-02 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-01-02 17:49 --------- d-----w c:\program files\Notepad++
2009-01-01 13:47 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2008-12-31 18:11 --------- d-----w c:\program files\Quest Software
2008-12-23 06:38 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 05:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 04:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 06:40 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-19 05:47 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Apple Computer
2008-12-18 05:48 992 ----a-w c:\windows\system32\drivers\sthdae.log
2008-12-17 06:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 04:31 --------- d-----w c:\program files\Lavasoft
2008-12-17 04:01 --------- d-----w c:\program files\Google
2008-12-15 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-12-04 15:00 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Mikogo
2008-12-04 01:33 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Trondent Development Corp
2008-12-03 03:13 --------- d-----w c:\documents and settings\SMIBR13\Application Data\FileZilla
2008-11-27 05:49 --------- d-----w c:\program files\Sun
2008-11-24 20:11 --------- d-----w c:\program files\eviware
2008-11-22 03:10 93,776 ----a-w c:\windows\system32\drivers\VBoxDrv.sys
2008-11-22 03:10 41,744 ----a-w c:\windows\system32\drivers\VBoxUSBMon.sys
2008-11-21 14:18 --------- d-----w c:\program files\Lookout Software
2008-11-16 22:08 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Business Objects
2008-11-12 21:31 --------- d-----w c:\program files\Microsoft Office Communicator
2008-11-12 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 06:21 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-11-12 06:17 --------- d-----w c:\program files\Microsoft Works
2008-11-12 06:16 --------- d-----w c:\program files\MSBuild
2008-11-11 20:46 --------- d-----w c:\program files\CA
2008-11-11 04:41 --------- d-----w c:\program files\Active Ports
2008-11-10 21:21 --------- d-----w c:\program files\Common Files\CA
2008-11-04 01:10 --------- d-----w c:\program files\Sling Media
2008-11-04 01:10 --------- d-----w c:\documents and settings\All Users\Application Data\Sling Media
2008-04-30 17:39 131 ----a-w c:\documents and settings\All Users\Shortcut.bat
2008-04-30 17:38 1,452 ----a-w c:\documents and settings\All Users\redirect.vbs
2007-12-17 02:45 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-30 20:22 82,944 --sha-w c:\windows\system32\hidujuku.dll
2008-09-21 23:00 63,764 --sha-w c:\windows\system32\najowate.dll
2008-09-23 15:17 4,096 --sha-w c:\windows\system32\nasikunu.dll
2008-09-19 07:05 3,072 --sha-w c:\windows\system32\noturoya.dll
.
------- Sigcheck -------
2004-08-04 06:00 1422336 4b0011b8e35843966a3ce5685058420f c:\windows\explorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 c:\windows\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"Google Update"="c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"Mikogo"="c:\documents and settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe" [2008-12-04 1115456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"AccessManager"="c:\program files\AccessManager\Client\AccessMgr.exe" [2004-11-03 794624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"eFax 4.2"="c:\program files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-30 144792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2008-09-03 218504]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-08-08 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-08-08 55856]
"CAF_SystemTray"="c:\program files\CA\DSM\\bin\cfSysTray.exe" [2007-10-28 124168]
"DsmSxplog"="c:\program files\CA\DSM\Bin\sxpstub.exe" [2007-10-28 24328]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-10-10 5726032]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
c:\documents and settings\SMIBR13\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2008-09-26 24096981]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-01-08 3450608]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-07 25214]
eFax 4.2.lnk - c:\program files\eFax Messenger 4.2\J2GTray.exe [2007-02-25 612352]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-05-14 114688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-02-09 122880]
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
2007-10-28 03:45 27400 c:\program files\CA\DSM\bin\cfWlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rcHostExt]
2007-10-28 03:47 11528 c:\program files\CA\DSM\bin\rcLoginExt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2129867641-919698055-327642922-134551\Scripts\Logon\0\0]
"Script"=Uncheck_Show_Friendly.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2129867641-919698055-327642922-277235\Scripts\Logon\0\0]
"Script"=DelNortelRegKey.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 16:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-08-25 17:28 1871872 c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngserver.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Dropbox\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\CA\\DSM\\bin\\cfUsrNtf.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-11-25 93776]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-11-25 41744]
R2 AMBroker;Access Manager Configuration Service;"c:\program files\AccessManager\Client\AMBroker.exe" [2004-11-03 77824]
R2 BOBJProcessServer;List of Values Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe" -service -name smibr13a.ListOfValuesJobServer -ns smibr13a -objectType CrystalEnterprise.MetaData.MetaDataRepositoryInfo -lib procLOV -restart -jsTypeDescription "List of Values Job Server" [2007-10-31 950272]
R2 CA Unicenter NSM Systems Performance Agent for UAM;CA Unicenter NSM Systems Performance Agent for UAM;"c:\windows\AMO40\CWS\PAgent\capmuamagt.exe" [2007-01-17 53248]
R2 caf;CA DSM r11 Common Application Framework.;"c:\program files\CA\DSM\bin\caf.exe" service [2007-10-28 193800]
R2 OracleOraDb9iAgent;OracleOraDb9iAgent;c:\oracle\products\9i\bin\agntsrvc.exe [2002-04-26 28944]
R2 OracleOraDb9iTNSListenerCLARITY;OracleOraDb9iTNSListenerCLARITY;c:\oracle\products\9i\BIN\TNSLSNR []
R2 SBKUPNT;SBKUPNT;\??\c:\windows\system32\Drivers\SBKUPNT.SYS [2008-12-22 14976]
R2 SlingAgentService;SlingAgent Service;"c:\program files\Sling Media\SlingAgent\SlingAgentService.exe" [2008-09-21 93960]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-07-18 36352]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2006-05-26 11113]
R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2007-04-09 11136]
R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2007-04-09 37248]
R3 rcSmCard;rcSmCard;c:\windows\system32\DRIVERS\rcSmCard.sys [2007-01-20 26128]
S2 BOBJCentralMS;Central Management Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe" -service -name smibr13a.cms -restart [2008-02-07 2625536]
S2 msupdsvc;Microsoft Update Service Helper;c:\windows\system32\msupdsvc32.exe []
S3 __AC_PROCESS_MGMT_DAEMON7;Actuate Process Management Daemon 7;"c:\niku\Actuate7\Server\bin\pmd7.exe" []
S3 B-Service;B-Service;c:\documents and settings\SMIBR13\Application Data\Mikogo\B-Service.exe [2008-11-02 180224]
S3 BOBJCrystalReportApplicationServer;Report Application Server;"c:\bo\common\3.5\bin\crystalras.exe" -service -name smibr13a.RAS -ns smibr13a -ipport -restart [2007-10-31 456192]
S3 BOBJCrystalReportsCacheServer;Crystal Reports Cache Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe" -service -name smibr13a.cacheserver -cache -nops -deleteCache -ns smibr13a -restart [2008-02-07 3211264]
S3 BOBJCrystalReportspageserver;Crystal Reports Page Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe" -service -name smibr13a.pageserver -ns smibr13a -restart [2008-02-07 3211264]
S3 BOBJCS;Connection Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe" -service -name smibr13a.ConnectionServer -ns smibr13a -restart [2007-10-31 1421312]
S3 BOBJDesktopIntelligenceCacheServer;Desktop Intelligence Cache Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe" -service -name smibr13a.Desktop_IntelligenceCacheServer -cache -nops -deleteCache -ns smibr13a -lib cacheFC -libTypeDescription "Desktop Intelligence Cache Server" -restart []
S3 BOBJDesktopIntelligenceReportServer;Desktop Intelligence Report Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe" -service -name smibr13a.Desktop_IntelligenceReportServer -ns smibr13a -lib procFC -libTypeDescription "Desktop Intelligence Report Server" -maxDesktops 0 -restart []
S3 BOBJDestinationServer;Destination Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe" -service -name smibr13a.destinationjobserver -ns smibr13a -objectType CrystalEnterprise.Destination -lib procDest -restart -jsTypeDescription "Destination Job Server" [2007-10-31 950272]
S3 BOBJEventServer;Event Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe" -service -name smibr13a.eventserver -ns smibr13a -restart [2008-02-07 892928]
S3 BOBJInputFileServer;Input File Repository Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe" -service -name Input.smibr13a -ns smibr13a -restart [2007-10-31 626688]
S3 BOBJJobServer_DesktopIntelligence;Desktop Intelligence Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe" -service -name smibr13a.Desktop_IntelligenceJobServer -ns smibr13a -objectType CrystalEnterprise.FullClient -lib pp_procFC -jsTypeDescription "Desktop Intelligence Job Server" -maxDesktops 0 -restart []
S3 BOBJJobServer_Report;Crystal Reports Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe" -service -name smibr13a.reportjobserver -ns smibr13a -objectType CrystalEnterprise.Report -lib procReport -restart -jsTypeDescription "Crystal Reports Job Server" [2007-10-31 950272]
S3 BOBJOutputFileServer;Output File Repository Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe" -service -name Output.smibr13a -ns smibr13a -restart [2007-10-31 626688]
S3 BOBJProgramServer;Program Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe" -service -name smibr13a.programjobserver -ns smibr13a -objectType CrystalEnterprise.Program -lib procProgram -restart -jsTypeDescription "Program Job Server" [2007-10-31 950272]
S3 BOBJTomcat;Apache Tomcat 5.0.27;"c:\bo\Tomcat\bin\tomcat5.exe" //RS//BOBJTomcat [2004-06-17 94208]
S3 BOBJWebiServer;Web Intelligence Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe" -service -name smibr13a.Web_IntelligenceJobServer -ns smibr13a -objectType CrystalEnterprise.Webi -lib procwebi -restart -jsTypeDescription "Web Intelligence Job Server" [2007-10-31 950272]
S3 BOBJWIRS;Web Intelligence Report Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe" -service -name smibr13a.Web_IntelligenceReportServer -ns smibr13a -restart [2008-02-07 1011712]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\AccessManager\Client\DAPlugin.exe [2004-11-03 81920]
S3 ExtranetAccess;Contivity VPN Service;"c:\program files\Nortel Networks\Extranet_serv.exe" [2006-05-26 782336]
S3 IBMWAS61Service - smibr13aNode01;IBM WebSphere Application Server V6.1 - smibr13aNode01;"c:\program files\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS61Service - smibr13aNode01" [2008-04-15 69632]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2006-05-26 216459]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2007-01-07 29952]
S3 LKNUCMP;Linksys Network USB Composite Device;c:\windows\system32\DRIVERS\lknucmp.sys [2007-04-09 11648]
S3 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
S3 Niku Background Server - WAS;Niku Background Server - WAS;c:\nikuwas\clarity\bin\nikubgservice.exe [2008-04-17 53248]
S3 Niku Background Server;Niku Background Server;c:\niku\clarity\bin\nikubgcmd.exe -s c:\niku\clarity\bin\nikubgcmd.conf []
S3 Niku Beacon - WAS;Niku Beacon - WAS;c:\nikuwas\clarity\bin\nikubeaconservice.exe [2008-04-17 53248]
S3 Niku Beacon;Niku Beacon;c:\niku\Clarity\bin\nikubeaconservice.exe []
S3 Niku Server;Niku Server;c:\niku\clarity\bin\nikuappcmd.exe -s c:\niku\clarity\bin\nikuappcmd.conf []
S3 Niku System Admin Server;Niku System Admin Server;c:\niku\clarity\bin\nikunsacmd.exe -s c:\niku\clarity\bin\nikunsacmd.conf []
S3 OracleOraDb10g_home1TNSListenerMITRE;OracleOraDb10g_home1TNSListenerMITRE;c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR []
S3 OracleOraDb9iClientCache;OracleOraDb9iClientCache;c:\oracle\products\9i\BIN\ONRSD.EXE [2002-04-26 243352]
S3 OracleOraDb9iSNMPPeerEncapsulator;OracleOraDb9iSNMPPeerEncapsulator;c:\oracle\products\9i\BIN\ENCSVC.EXE [2002-02-13 165310]
S3 OracleOraDb9iSNMPPeerMasterAgent;OracleOraDb9iSNMPPeerMasterAgent;c:\oracle\products\9i\BIN\AGNTSVC.EXE [2002-02-13 216188]
S3 OracleServiceCLARITY;OracleServiceCLARITY;c:\oracle\products\9i\bin\ORACLE.EXE CLARITY []
S3 OracleServiceMITRE;OracleServiceMITRE;c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE MITRE []
S3 OracleServiceNIKUWAS;OracleServiceNIKUWAS;c:\oracle\products\9i\bin\ORACLE.EXE NIKUWAS []
S3 rcVidCap;rcVidCap;c:\windows\system32\DRIVERS\rcVidMpt.sys [2007-01-20 9872]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\AccessManager\SMOC\spi_da.exe [2004-10-15 81920]
S3 Sygman;SSA Integration Manager;"c:\program files\AccessManager\Client\sygman.exe" [2004-11-03 126976]
S4 CA_LIC_CLNT;CA License Client;"c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" [2005-01-14 126976]
S4 LogWatch;Event Log Watch;"c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 53248]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-10-26 2799808]
S4 OracleJobSchedulerMITRE;OracleJobSchedulerMITRE;c:\oracle\product\10.2.0\db_1\Bin\extjob.exe MITRE []
S4 OracleOraDb10g_home1TNSListenerNIKU;OracleOraDb10g_home1TNSListenerNIKU;c:\oracle\product\10.1.0\db_1\BIN\TNSLSNR []
S4 OracleOraDb9iHTTPServer;OracleOraDb9iHTTPServer;"c:\oracle\products\9i\Apache\Apache\apache.exe" --ntservice [2002-04-18 4096]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f24fa12-ab5a-11dd-b185-0016cfc2822f}]
\Shell\AutoRun\command - autoRcd.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2656c206-b72a-11dd-b19d-005056c00008}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-12-21 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 06:00]
2009-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2129867641-919698055-327642922-277235.job
- c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:32]
.
- - - - ORPHANS REMOVED - - - -
BHO-{D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)
HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: free.aol.com
Trusted Zone: accountconnect.ca.com
Trusted Zone: etrustpki.ca.com
Trusted Zone: hrreports.ca.com
Trusted Zone: hrreportsft.ca.com
Trusted Zone: insight.ca.com
Trusted Zone: insightft.ca.com
Trusted Zone: mrm.ca.com
Trusted Zone: supportreports.ca.com
Trusted Zone: usilws19.ca.com
Trusted Zone: *.insight
Trusted Zone: *.insightft
Trusted Zone: *.mrm
Trusted Zone: *.supportreports
Trusted Zone: *.usilap228
Trusted Zone: *.usilws19
Trusted Zone: accountconnect.ca.com
Trusted Zone: etrustpki.ca.com
Trusted Zone: hrreports.ca.com
Trusted Zone: hrreportsft.ca.com
Trusted Zone: insight.ca.com
Trusted Zone: insightft.ca.com
Trusted Zone: mrm.ca.com
Trusted Zone: supportreports.ca.com
Trusted Zone: usilws19.ca.com
Trusted Zone: *.insight
Trusted Zone: *.insightft
Trusted Zone: *.mrm
Trusted Zone: *.supportreports
Trusted Zone: *.usilws19
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 12:05:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NobleNet Portmapper for TCP]
"ImagePath"="c:\niku\Actuate7\Server/bin/portserv.exe tcp"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb10g_home1TNSListenerMITRE]
"ImagePath"="c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb10g_home1TNSListenerNIKU]
"ImagePath"="c:\oracle\product\10.1.0\db_1\BIN\TNSLSNR "
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb9iTNSListenerCLARITY]
"ImagePath"="c:\oracle\products\9i\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\NnGina.Dll
c:\program files\CA\DSM\Bin\cfwlogon.dll
c:\program files\CA\DSM\Bin\rcLoginExt.dll
c:\windows\system32\cscui.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\SC\CAM\bin\cam.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Symantec\Ghost\ngserver.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\oracle\products\9i\bin\TNSLSNR.EXE
c:\oracle\products\9i\bin\dbsnmp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AccessManager\PMAC\sp_SWIns.exe
c:\program files\CA\DSM\bin\cfSysTray.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\CA\DSM\bin\cfsmsmd.exe
c:\program files\CA\DSM\bin\ccnfAgent.exe
c:\program files\CA\DSM\bin\cfnotsrvd.exe
c:\program files\CA\DSM\bin\ccsmagtd.exe
c:\program files\CA\DSM\bin\rcHost.exe
c:\program files\CA\DSM\bin\amswmagt.exe
c:\program files\CA\DSM\PMAgent\capmuamagt.exe
c:\program files\CA\DSM\bin\cfFTPlugin.exe
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng9.exe
c:\program files\iPod\bin\iPodService.exe
c:\combofix\hidec.exe
c:\windows\system32\msiexec.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-01-02 12:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 18:08:18
Pre-Run: 71,233,081,344 bytes free
Post-Run: 71,099,355,136 bytes free
Thanks for the info, Brian. Let me go through this log; as you can see it will take a while, but I will get back to you asap on it.
Try running another HJT scan and post that too. Do you feel things improved any with the running of combofix?
You might also update MBA-M and run a new scan with that too. Allow it to fix anything it finds.
Post that log also.
Judy
Can't tell yet if I have a feel for whether CF made a difference... Here is the HJT log I just executed...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35, on 2009-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\My Documents\Downloads\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)
--
End of file - 22151 bytes
Here is the Malwarebytes Log:
Malwarebytes' Anti-Malware 1.31
Database version: 1585
Windows 5.1.2600 Service Pack 2
2009-01-02 12:45:46
mbam-log-2009-01-02 (12-45-46).txt
Scan type: Quick Scan
Objects scanned: 76928
Time elapsed: 3 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\RECYCLER\S-1-5-21-0982818026-0792038349-964117139-9221\service.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise323.exe (Backdoor.Bot) -> Delete on reboot.
Also attaching screenshot of Malware findings prior to me rebooting...
Brian, can you run a new HJT scan and post that here?
Judy
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35, on 2009-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\My Documents\Downloads\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)
--
End of file - 22151 bytes
Ok, the files found by MBA-M were in your Recycler folder and they are gone now.
I would like you to do the following:
Go to this website http://virusscan.jotti.org/
This is a website which will scan suspicious files using multiple antivirus programs and then report back to you what is found by their various scans.
I would like you to upload these files to the site and allow the scans to take place. Report back on the complete findings for each one.
c:\windows\system32\hidujuku.dll
c:\windows\system32\najowate.dll
c:\windows\system32\nasikunu.dll
c:\windows\system32\noturoya.dll
Judy