0

Hello Experts! I think I'm finally going to need to reach out for some urgent help...

I've been working on removing this malware/virus for a few days and thought I got it. Now I'm seeing my explorer.exe process crash quite frequently.

I'm thinking there are still some lingering problems.

Any help would be greatly appreciated! Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:28 PM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\LIVEME~1\Addins\LMCAPI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\My Documents\Downloads\HiJackThis.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Explorer.exe
C:\My Documents\Downloads\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://canet.ca.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: bcs01
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\mebarepo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\royetuki.dll",a
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll c:\windows\system32\royetuki.dll,C:\WINDOWS\system32\linivini.dll
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 23102 bytes


Thanks,
Brian
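The log above is the kind of thing a helper eyeballs for cross-referenced hooks, so here is an added example (not code from the thread or from HijackThis) that does that mechanically: it parses the O2/O4/O20/O21/O22 hook lines HJT prints, using a handful of lines copied from the two logs in this thread as constructed input, reports which DLLs are reached by several autostart hooks at once, and lists the Run entries whose value name survived between the two scans while the DLL behind it changed.

```python
"""Triage helper for HijackThis (HJT) logs. Added example for this thread,
not code from the thread or from HijackThis; sample lines are copied from the
two logs posted here and embedded as constructed input."""
import re
from collections import defaultdict

# Constructed sample: hook lines copied from the 12:12 PM log in the first post.
LOG_FIRST = r"""
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\mebarepo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\royetuki.dll",a
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll c:\windows\system32\royetuki.dll,C:\WINDOWS\system32\linivini.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\royetuki.dll
"""
# Constructed sample: the same three Run entries as they appear in the 6:49 PM log.
LOG_SECOND = r"""
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\guratayo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 loading a DLL and calling a named export:  rundll32.exe "path\x.dll",export
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.I)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9a-f-]+)\} - (?P<path>.+)$", re.I)
CLSID_RE = re.compile(r"^O2[12] - (?P<kind>SSODL|SharedTaskScheduler): .+? - \{(?P<clsid>[0-9a-f-]+)\} - (?P<path>.+)$", re.I)

def _norm(path):
    """Case-fold a Windows path so c:\\windows and C:\\WINDOWS collapse."""
    return path.strip().strip('"').lower()

def run_entries(log):
    """Map Run value name -> DLL path for every rundll32-style O4 entry."""
    out = {}
    for line in log.strip().splitlines():
        m = RUN_RE.match(line)
        r = RUNDLL_RE.match(m.group("cmd")) if m else None
        if r:
            out[m.group("name")] = _norm(r.group("dll"))
    return out

def hooked_dlls(log):
    """Return {dll_path: [reasons]} for every DLL an autostart hook references."""
    hooks = defaultdict(list)
    for line in log.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if r:  # Run key that loads a DLL via rundll32 and calls a one-letter export
                hooks[_norm(r.group("dll"))].append(
                    f"O4 {m.group('hive')} Run [{m.group('name')}] via rundll32,{r.group('export')}")
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("name") == "(no name)" and m.group("path") != "(no file)":
                hooks[_norm(m.group("path"))].append("O2 BHO with no name")
            continue
        if line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is space- or comma-delimited (hence the 8.3 names); each
            # entry is injected into every process that loads user32.dll.
            for item in re.split(r"[ ,]+", line.split(":", 1)[1].strip()):
                if item:
                    reason = "O20 AppInit_DLLs"
                    if "\\" not in item:
                        reason += " (bare name, resolved via DLL search path)"
                    hooks[_norm(item)].append(reason)
            continue
        m = CLSID_RE.match(line)
        if m:
            hooks[_norm(m.group("path"))].append(f"{m.group('kind')} {{{m.group('clsid')}}}")
    return dict(hooks)

def ranked(hooks):
    """DLL paths ordered by how many distinct hooks reach them, most first."""
    return sorted(hooks, key=lambda d: (-len(hooks[d]), d))

def regenerated_entries(before, after):
    """Run value names present in both logs whose DLL path changed in between."""
    a, b = run_entries(before), run_entries(after)
    return {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]}

if __name__ == "__main__":
    hooks = hooked_dlls(LOG_FIRST)
    for dll in ranked(hooks):
        print(f"{len(hooks[dll])} hook(s): {dll}")
        for why in hooks[dll]:
            print("    - " + why)
    for name, (old, new) in regenerated_entries(LOG_FIRST, LOG_SECOND).items():
        print(f"Run [{name}] kept its name but changed DLL: {old} -> {new}")
```

The DLL that tops the ranking is the one wired into a Run key, AppInit_DLLs, SSODL and SharedTaskScheduler at once, and the second function shows two loader entries re-seeded with fresh DLL names between the scans, which is why removing the files by hand does not hold.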


0

If nobody else replies with one of the "standard" methods you'll find in most threads, and since you've been working on this for a few days (the way I would have), you could do worse than search the forum using the term "Virtunonde" (which I deliberately misspelt so that it could be easily searched on).

This provides structure to what you're trying to accomplish. It needs a second PC with your infected disk in a USB enclosure.

Let us know what you decide to do.

0

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

0

Hey Crunchie - Thanks for the welcome. Sorry for not including this in the original post, but the first thing I tried was using CA's anti-virus software. That didn't do the trick. Next I tried AVG - that found some stuff, but didn't remove everything. Then I tried Malwarebytes'. That seemed to have done the trick, but after a reboot, I still had some pop-ups... I have since uninstalled all of the above software (this is all prior to this post).

However, since posting today, I installed Avira free anti-virus. That found it and to this point (a few hours) it seems to have done the trick. I don't know if I can be sure or not.

If you have any recommendations how to be sure, then they are appreciated.

Nonetheless - I very much thank everyone for responding.

Here is the very latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:12 PM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Documents\Downloads\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://canet.ca.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: bcs01
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\guratayo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll C:\WINDOWS\system32\linivini.dll c:\windows\system32\gorumiba.dll
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 22960 bytes


Thanks!
Brian

0

You are still highly infected judging by your hijackthis log. I would appreciate it if you simply followed my advice above :).

0

Just to add to Crunchie's advice, comparing HJT logs, your situation has worsened as evidenced by these entries (at least):

O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll

O2 - BHO: (no name) - {D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)


O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\guratayo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKUS\S-1-5-19\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll C:\WINDOWS\system32\linivini.dll c:\windows\system32\gorumiba.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll

0

Not meaning to "step on toes" here but caperjack has informed me you have a double post going here
http://www.daniweb.com/forums/post769217.html#post769217
and since I didn't realize this and don't know if you will go back to the other thread I wanted to post this in this one also.
You note in this thread right here that you have tried multiple anti-virus programs, including CA, AVG, and also Avira. I didn't have this information in my post to you in the other thread, but there also I noticed in your log posted there that you currently have CA running and also Norton.
You obviously are not uninstalling all of these anti-virus programs completely. You must UNINSTALL all of these except one of them. Running more than one at a time will certainly complicate your problems.
I am not certain which two HJT logs Suspishio is comparing; the two I see here are pretty much the same.
I will repeat here some of what I posted in the other thread since we don't know which one the poster is checking on:

The first thing I notice in your HJT log is that you are running two anti-virus programs, eTrust and Norton. This is an absolute NO-NO. The RULE is ONE anti-virus program running on a computer. One of these must be totally Uninstalled Immediately.
The second thing... did you personally add all of these Trusted Sites? I have tried them all and none of them can be found. If you personally did not add these then they should be fixed using HiJackThis.
You are running an extraordinarily large number of programs at once.
There are a large number of programs I have never seen before and ones I cannot find information about, except Google searches which come up with malware forums noting the same programs. But since I cannot find information on the majority of them I am at a loss to tell you what to stop.

Judy

0

Crunchie - Here is my malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1585
Windows 5.1.2600 Service Pack 2

12/31/2008 1:23:12 PM
mbam-log-2008-12-31 (13-23-12).txt

Scan type: Full Scan (C:\|D:\|S:\|X:\|)
Objects scanned: 527700
Time elapsed: 56 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hejitavo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jarugede.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lojaloke.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65940327-f4c6-4b9a-ad8a-3456d6272b1a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{65940327-f4c6-4b9a-ad8a-3456d6272b1a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\derazusame (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e472ab28 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpme74198b4 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hejitavo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hejitavo.dll

0
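Two things stand out when Suspishio's list of HJT entries above is set beside this Malwarebytes log: the DLL names have rotated in two days (yofolufe, dawuyoha, guratayo, gorumiba in the HijackThis log; hejitavo, jarugede, lojaloke here), yet every one of them has the same shape, eight lowercase letters alternating consonant and vowel, and the two CLSIDs {65940327-...} and {ec43e3fd-...} have not changed at all. The following script is an added example, not part of this thread and not a tool either poster used; it runs over a handful of lines copied from the two logs (constructed samples embedded in the code, with two clean HJT entries as controls), flags the autostart entries a practitioner would want to look at, and shows which indicators survived from one scan to the next. The name heuristic and the reason strings are my own assumptions, tuned to the names that appear on this page.

```python
"""Added triage helper for the HijackThis and Malwarebytes excerpts in this thread.

Not from the thread: a demonstration of (a) flagging autostart entries by the
name shape and load points these logs show and (b) pivoting on the indicator
that did not rotate between scans, the CLSID, rather than the file name.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted earlier in
# the thread, plus two clean entries (Java SSV helper, igfxtray) as controls.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {65940327-f4c6-4b9a-ad8a-3456d6272b1a} - C:\WINDOWS\system32\yofolufe.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [derazusame] Rundll32.exe "C:\WINDOWS\system32\dawuyoha.dll",s
O4 - HKLM\..\Run: [e472ab28] rundll32.exe "C:\WINDOWS\system32\guratayo.dll",b
O4 - HKLM\..\Run: [CPMe74198b4] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xfrbnu.dll hsqfpf.dll C:\WINDOWS\system32\jadelamo.dll C:\WINDOWS\system32\linivini.dll c:\windows\system32\gorumiba.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorumiba.dll
"""

# Constructed sample: lines copied from the Malwarebytes log in the post above.
MBAM_SAMPLE = r"""
C:\WINDOWS\system32\hejitavo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jarugede.dll (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65940327-f4c6-4b9a-ad8a-3456d6272b1a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hejitavo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hejitavo.dll
"""

NAME_RE = re.compile(r"([A-Za-z0-9_~]+)\.(?:dll|exe|ini)\b", re.I)  # file stem before .dll/.exe/.ini
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]*\\system32\\[^"]+\.dll",[a-z]\b', re.I)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Eight lowercase letters strictly alternating consonant/vowel, in either
    phase. Matches every rotating name in the thread's logs (gorumiba,
    dawuyoha, hejitavo, ...) and the reversed .ini names in the ComboFix log
    (ayagobis, ebenimit), but not igfxtray, stsystra or nwprovau.
    A heuristic chosen for this thread, not a signature."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z]{8}", s):
        return False
    shape = "".join("v" if ch in VOWELS else "c" for ch in s)
    return shape in ("cvcvcvcv", "vcvcvcvc")


def triage_hjt(text: str):
    """Flag HijackThis lines worth a second look.
    Returns (findings, CLSIDs registered in both SSODL and SharedTaskScheduler)."""
    findings = []
    where = defaultdict(set)  # clsid -> HijackThis sections it appears in
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]  # O2, O4, O20, ...
        reasons = []
        generated = [s for s in NAME_RE.findall(line) if looks_generated(s)]
        if generated:
            reasons.append("generated-looking name(s): " + ", ".join(generated))
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if section == "O4" and RUNDLL_RE.search(line):
            reasons.append("rundll32 loading a system32 DLL through a one-letter export")
        if line.startswith("O20 - AppInit_DLLs:"):
            # The paths in this log use 8.3 names, so whitespace separates entries.
            loaded = line.split(":", 1)[1].split()
            bare = [d for d in loaded if "\\" not in d]
            reasons.append(f"AppInit_DLLs injects {len(loaded)} DLLs into every process that "
                           f"loads user32.dll; {len(bare)} listed by bare name: {', '.join(bare)}")
        for clsid in CLSID_RE.findall(line):
            where[clsid.lower()].add(section)
        if reasons:
            findings.append((line, reasons))
    # One CLSID in both O21 (SSODL) and O22 (SharedTaskScheduler) is one
    # component wired into two explorer.exe load points.
    both = {c for c, secs in where.items() if {"O21", "O22"} <= secs}
    return findings, both


def indicators(text: str):
    """Return (generated-looking file stems, CLSIDs) from any log text, lower-cased."""
    stems = {s.lower() for s in NAME_RE.findall(text)}
    return ({s for s in stems if looks_generated(s)},
            {c.lower() for c in CLSID_RE.findall(text)})


def compare_logs(earlier: str, later: str) -> dict:
    """Which indicators survived from one scan to the next."""
    e_names, e_clsids = indicators(earlier)
    l_names, l_clsids = indicators(later)
    return {"names_common": e_names & l_names,
            "names_only_earlier": e_names - l_names,
            "names_only_later": l_names - e_names,
            "clsids_common": e_clsids & l_clsids}


if __name__ == "__main__":
    findings, both = triage_hjt(HJT_SAMPLE)
    for line, reasons in findings:
        print(line[:72] + ("..." if len(line) > 72 else ""))
        for r in reasons:
            print("   -", r)
    print("\nCLSID(s) in both SSODL and SharedTaskScheduler:", sorted(both))
    diff = compare_logs(HJT_SAMPLE, MBAM_SAMPLE)
    print("file names common to both scans:", sorted(diff["names_common"]) or "none")
    print("CLSIDs common to both scans:    ", sorted(diff["clsids_common"]))
```

Run as-is it flags seven of the nine HJT lines and leaves the Java helper and igfxtray alone; the cross-scan comparison reports no file name in common and both CLSIDs in common, which is the point: when the next HijackThis log comes back with yet another set of eight-letter names, search it for the two CLSIDs rather than the names. The SSODL and SharedTaskScheduler entries are both loaded by explorer.exe, so a DLL registered there that has been deleted or half-removed is the first place to look for the explorer.exe crashes mentioned at the top of the thread. The name rule is deliberately narrow to this family's naming and will miss anything that does not follow it.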

Thanks Suspishio. I'm definitely aware of the infection. Trying like crazy to remove.

Brian

0

Hi Judy - Yes, I couldn't find this post previously so I inadvertently started a new thread.

I do have eTrust, however I am not 'allowed' to uninstall it. Is that a show stopper? I can however stop all the services.

I do not have Norton anti-virus installed. Only ghost.

Thanks,
Brian

0

Ok then on Norton. Can I ask why you are not allowed to uninstall the etrust? Is this a work computer or something? What about those trusted sites I noted?
Judy

0

Yes - work PC. Not getting any help from work IT support. They suggest I re-image.

Regarding the trusted sites - they are all intranet sites... work related...

Thanks,
Brian

0

I hesitate to offer suggestions which may violate your work rules. Is it possible that there are other computers infected on this work network?
Have you updated all the removal programs and then disconnected the internet cord and run all these without being connected to the network? If you can rule your computer totally clean then I would think there is a chance of another infected computer within the network spreading this to everyone else. Don't know this is the case but something to think about.
Here is one thing you have not tried, if it doesn't violate your work rules you could do the following:
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open windows, including this one.
* Close or disable all running antivirus, antispyware and firewall programs, as they may interfere with the proper running of ComboFix.
Double-click the ComboFix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program; click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run.

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

When all is complete then please post back here with that log.

0

Thanks Judy - I've been operating outside of my work network (working from home). I've also been working to remove this disconnected from my home network. The 2 other PCs on my home network have not detected any of these problems when I've run similar tests.

I'll try your suggestion with Combofix and post results.

Thanks again.

Brian

0

I hesitate to offer suggestions which may violate your work rules. Is it possible that there are other computers infected on this work network?
Have you updated all the removal programs and then disconnected the internet cord and run all these without being connected to the network? If you can rule your computer totally clean then I would think there is a chance of another infected computer within the network spreading this to everyone else. Don't know this is the case but something to think about.
Here is one thing you have not tried, if it doesn't violate your work rules you could do the following:
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

*Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When all is complete, please post back here with that log.
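
The reply above asks for the ComboFix log so a helper can read it for leftovers. As an added illustration (not part of this thread, and not ComboFix's own code), the Python script below applies three checks a helper typically runs over such a log: files in system32 that carry the hidden+system attributes (the `--sha-w` entries in the Find3M report), services whose image lives under system32 but for which ComboFix recorded no date/size, and security-center, auto-update and firewall values sitting in their weak state. The sample lines are copied from the ComboFix log posted later in the thread; the line regexes are derived from that log's layout, and the function names, the `WEAK_SETTINGS` table and the reading of an empty `[]` stamp as "file not found at that path" are this example's own assumptions, not ComboFix documentation.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread
# (Find3M report, security-center/firewall values, service list), trimmed to
# what the three checks below look at. Feed triage() a whole log in practice.
SAMPLE_LOG = r"""
2008-11-22 03:10 93,776 ----a-w c:\windows\system32\drivers\VBoxDrv.sys
2008-09-30 20:22 82,944 --sha-w c:\windows\system32\hidujuku.dll
2008-09-21 23:00 63,764 --sha-w c:\windows\system32\najowate.dll
2008-09-23 15:17 4,096 --sha-w c:\windows\system32\nasikunu.dll
2008-09-19 07:05 3,072 --sha-w c:\windows\system32\noturoya.dll
"NoAutoUpdate"= 1 (0x1)
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-11-25 93776]
S2 msupdsvc;Microsoft Update Service Helper;c:\windows\system32\msupdsvc32.exe []
S3 OracleServiceCLARITY;OracleServiceCLARITY;c:\oracle\products\9i\bin\ORACLE.EXE CLARITY []
"""

# Find3M report entry: "<date> <time> <size> <attributes> <path>".
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{7,9})\s+(?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
# Service entry: "<R|S><start type> <name>;<display name>;<image> [<date> <size>]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<stamp>[^\]]*)\]$"
)
# Registry value as ComboFix prints it: "Name"= 1 (0x1)  or  "Name"=dword:00000001
REG_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-f]{8})|(?P<dec>\d+))', re.IGNORECASE
)

SYSTEM32 = "\\windows\\system32\\"
# Eight lowercase letters and nothing else: the naming style of the DLLs in this log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|ini|exe)$")
# Values that weaken the host's defences when set this way (assumed table). Any of
# them can also be legitimate enterprise policy on a work machine: leads, not verdicts.
WEAK_SETTINGS = {
    "NoAutoUpdate": 1,
    "EnableFirewall": 0,
    "AntiVirusDisableNotify": 1,
    "UpdatesDisableNotify": 1,
    "DisableMonitoring": 1,
}


def classify_file(m):
    """Flag hidden+system files anywhere under system32."""
    attrs = m["attrs"].lower()
    path = m["path"]
    low = path.lower()
    if "h" in attrs and "s" in attrs and SYSTEM32 in low:
        reason = "hidden+system file in system32"
        if RANDOM_NAME_RE.match(low.rsplit("\\", 1)[-1]):
            reason += ", eight-letter pseudo-random name"
        return ("file", path, reason)
    return None


def classify_service(m):
    """Flag a service whose system32 image got no date/size stamp (file not found there)."""
    image = m["image"].lower()
    if m["stamp"] == "" and SYSTEM32 in image:
        return ("service", m["name"], "image under system32 but no file date/size recorded")
    return None


def classify_registry(m):
    """Flag security-center, auto-update and firewall values set to their weak state."""
    value = int(m["hex"], 16) if m["hex"] is not None else int(m["dec"])
    name = m["name"]
    if WEAK_SETTINGS.get(name) == value:
        return ("registry", name, "set to %d" % value)
    return None


def triage(log_text):
    """Return (category, subject, reason) tuples, in log order, for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, classify in ((FILE_RE, classify_file),
                                  (SERVICE_RE, classify_service),
                                  (REG_RE, classify_registry)):
            m = pattern.match(line)
            if m:
                hit = classify(m)
                if hit:
                    findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for category, subject, reason in triage(SAMPLE_LOG):
        print("%-8s %-48s %s" % (category, subject, reason))
```

Run against the sample it reports the four `--sha-w` DLLs, the `msupdsvc` service and the five weakened policy values, and stays quiet on the VirtualBox driver, the Oracle service (whose image path carries an argument, which also produces an empty stamp, so the check is restricted to system32) and the unrelated firewall value. Treat each hit as something to verify, not delete: on a corporate laptop like the one in this thread, the update and firewall values may come from policy, and a flagged binary should be hash-checked before it is removed.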

ComboFix Log:

ComboFix 09-01-01.02 - smibr13 2009-01-02 11:56:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3318.2520 [GMT -6:00]
Running from: c:\my documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SMIBR13\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\windows\g32.txt
c:\windows\gs32.txt
c:\windows\system32\ayagobis.ini
c:\windows\system32\ebenimit.ini
c:\windows\system32\gorumiba.dll
c:\windows\system32\gujayiwo.dll
c:\windows\system32\hapafese.dll
c:\windows\system32\imuwisuv.ini
c:\windows\system32\ivetateh.ini
c:\windows\system32\operabem.ini
c:\windows\system32\pepilose.dll
c:\windows\system32\remaduvi.dll
c:\windows\system32\uyetoril.ini
c:\windows\system32\uyijegiy.ini
c:\windows\system32\vGikTvut.ini
c:\windows\system32\vGikTvut.ini2
c:\windows\system32\wedusoha.dll
c:\windows\Tasks\rhiewagy.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR


((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-02 11:30 . 2007-05-10 10:23 4,952,064 --a------ c:\windows\system32\stacgui.cpl
2009-01-02 11:30 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\system32\stlang.dll
2009-01-02 11:30 . 2007-05-10 10:24 1,222,840 --a------ c:\windows\system32\drivers\sthda.sys
2009-01-02 11:30 . 2007-05-10 10:22 405,504 --a------ c:\windows\stsystra.exe
2009-01-02 11:30 . 2007-05-10 10:23 270,336 --a------ c:\windows\system32\stacapi.dll
2009-01-02 11:30 . 2007-08-21 09:58 146,944 --a------ c:\windows\system32\st325602.dll
2008-12-31 13:41 . 2009-01-01 07:51 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-31 12:20 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 12:20 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 13:48 . 2008-12-30 13:48 <DIR> d-------- C:\pre-sales
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\program files\iTunes
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\program files\iPod
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 00:39 . 2008-12-23 00:39 <DIR> d-------- c:\program files\Bonjour
2008-12-23 00:38 . 2008-12-23 00:39 <DIR> d-------- c:\program files\QuickTime
2008-12-22 22:09 . 2008-12-22 22:11 <DIR> d-------- c:\program files\Creative
2008-12-22 19:46 . 2008-12-22 19:53 <DIR> d-------- c:\program files\MockupScreens
2008-12-22 18:01 . 2009-01-02 12:03 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Dropbox
2008-12-22 18:00 . 2008-12-22 18:01 <DIR> d-------- c:\program files\Dropbox
2008-12-22 11:36 . 2001-07-13 13:56 14,976 --a------ c:\windows\system32\drivers\SBKUPNT.SYS
2008-12-22 11:36 . 1997-02-08 17:11 13,312 --a------ c:\windows\system32\DEVLOAD.EXE
2008-12-22 11:36 . 2005-11-26 19:45 2,799 --a------ c:\windows\SKLANG.INI
2008-12-19 22:44 . 2008-12-19 22:44 <DIR> d-------- c:\temp\tools
2008-12-19 13:22 . 2008-12-19 13:23 <DIR> d-------- c:\program files\MPEG Stream
2008-12-19 04:30 . 2008-12-19 04:30 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-18 23:39 . 2008-12-18 23:39 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 23:33 . 2008-12-18 23:33 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\MPEG Streamclip
2008-12-18 21:44 . 2008-12-18 23:58 <DIR> d-------- c:\program files\Elecard
2008-12-18 21:16 . 2008-12-18 21:16 <DIR> d-------- c:\program files\VideoLAN
2008-12-18 10:59 . 2008-12-18 10:59 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Research In Motion
2008-12-18 10:59 . 2008-12-18 13:32 256 --a------ c:\windows\system32\pool.bin
2008-12-18 10:03 . 2008-12-18 10:03 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\InstallShield
2008-12-18 10:02 . 2008-12-18 10:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-18 10:00 . 2008-12-18 10:01 <DIR> d-------- c:\program files\Roxio
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-18 09:59 . 2008-12-18 09:59 <DIR> d-------- c:\program files\Research In Motion
2008-12-18 09:59 . 2008-12-18 10:48 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-17 23:45 . 2008-12-17 23:45 <DIR> d-------- c:\program files\Sigmatel
2008-12-17 23:22 . 1999-10-10 19:00 41,984 --------- c:\windows\Ctregrun.exe
2008-12-17 23:20 . 2003-03-05 12:19 15,840 --------- c:\windows\system32\drivers\PFMODNT.SYS
2008-12-17 22:44 . 2008-12-17 22:44 <DIR> d-------- c:\program files\iXi Tools
2008-12-17 00:29 . 2008-12-31 12:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 00:29 . 2008-12-17 00:29 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Malwarebytes
2008-12-17 00:29 . 2008-12-17 00:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 12:59 . 2008-12-16 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-16 08:39 . 2006-06-06 14:20 241,721 --a------ c:\windows\system32\HPBMINI.DLL
2008-12-16 08:39 . 2005-06-20 14:33 163,840 --a------ c:\windows\system32\HPJCMN2U.DLL
2008-12-16 08:39 . 2005-06-20 14:33 94,208 --a------ c:\windows\system32\HPJIPX1U.DLL
2008-12-16 08:39 . 2006-05-11 18:15 52,736 --a------ c:\windows\system32\HPZIPM12.DLL
2008-12-16 08:39 . 2005-06-20 14:33 49,152 --a------ c:\windows\system32\HPBNRAC2.DLL
2008-12-16 08:39 . 2006-05-11 18:15 43,520 --a------ c:\windows\system32\HPZINW12.DLL
2008-12-16 08:39 . 2007-02-06 16:29 39,424 --a------ c:\windows\system32\HPBPRO.DLL
2008-12-16 08:39 . 2007-02-06 16:29 25,600 --a------ c:\windows\system32\HPBOID.DLL
2008-12-16 08:39 . 2007-02-06 16:29 24,576 --a------ c:\windows\system32\HPBMIAPI.DLL
2008-12-16 08:39 . 2006-11-02 19:32 18,747 --a------ c:\windows\system32\HPCEAC06.HPI
2008-12-16 08:39 . 2007-02-06 16:29 7,680 --a------ c:\windows\system32\HPBPROPS.DLL
2008-12-16 08:39 . 2007-02-06 16:29 7,680 --a------ c:\windows\system32\HPBOIDPS.DLL
2008-12-12 15:47 . 2008-12-12 15:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2008-12-02 19:02 . 2008-12-02 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software
2008-12-02 18:18 . 2008-12-02 18:18 <DIR> d-------- c:\program files\DVD Decrypter
2008-12-02 18:17 . 2008-12-02 18:17 <DIR> d-------- c:\program files\DVD Shrink
2008-12-02 18:17 . 2008-12-02 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 18:03 --------- d-----w c:\documents and settings\SMIBR13\Application Data\VMware
2009-01-02 18:03 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-01-02 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-01-02 17:49 --------- d-----w c:\program files\Notepad++
2009-01-01 13:47 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2008-12-31 18:11 --------- d-----w c:\program files\Quest Software
2008-12-23 06:38 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 05:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 04:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 06:40 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-19 05:47 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Apple Computer
2008-12-18 05:48 992 ----a-w c:\windows\system32\drivers\sthdae.log
2008-12-17 06:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 04:31 --------- d-----w c:\program files\Lavasoft
2008-12-17 04:01 --------- d-----w c:\program files\Google
2008-12-15 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-12-04 15:00 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Mikogo
2008-12-04 01:33 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Trondent Development Corp
2008-12-03 03:13 --------- d-----w c:\documents and settings\SMIBR13\Application Data\FileZilla
2008-11-27 05:49 --------- d-----w c:\program files\Sun
2008-11-24 20:11 --------- d-----w c:\program files\eviware
2008-11-22 03:10 93,776 ----a-w c:\windows\system32\drivers\VBoxDrv.sys
2008-11-22 03:10 41,744 ----a-w c:\windows\system32\drivers\VBoxUSBMon.sys
2008-11-21 14:18 --------- d-----w c:\program files\Lookout Software
2008-11-16 22:08 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Business Objects
2008-11-12 21:31 --------- d-----w c:\program files\Microsoft Office Communicator
2008-11-12 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 06:21 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-11-12 06:17 --------- d-----w c:\program files\Microsoft Works
2008-11-12 06:16 --------- d-----w c:\program files\MSBuild
2008-11-11 20:46 --------- d-----w c:\program files\CA
2008-11-11 04:41 --------- d-----w c:\program files\Active Ports
2008-11-10 21:21 --------- d-----w c:\program files\Common Files\CA
2008-11-04 01:10 --------- d-----w c:\program files\Sling Media
2008-11-04 01:10 --------- d-----w c:\documents and settings\All Users\Application Data\Sling Media
2008-04-30 17:39 131 ----a-w c:\documents and settings\All Users\Shortcut.bat
2008-04-30 17:38 1,452 ----a-w c:\documents and settings\All Users\redirect.vbs
2007-12-17 02:45 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-30 20:22 82,944 --sha-w c:\windows\system32\hidujuku.dll
2008-09-21 23:00 63,764 --sha-w c:\windows\system32\najowate.dll
2008-09-23 15:17 4,096 --sha-w c:\windows\system32\nasikunu.dll
2008-09-19 07:05 3,072 --sha-w c:\windows\system32\noturoya.dll
.

------- Sigcheck -------

2004-08-04 06:00 1422336 4b0011b8e35843966a3ce5685058420f c:\windows\explorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 c:\windows\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"Google Update"="c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"Mikogo"="c:\documents and settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe" [2008-12-04 1115456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"AccessManager"="c:\program files\AccessManager\Client\AccessMgr.exe" [2004-11-03 794624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"eFax 4.2"="c:\program files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-30 144792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2008-09-03 218504]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-08-08 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-08-08 55856]
"CAF_SystemTray"="c:\program files\CA\DSM\\bin\cfSysTray.exe" [2007-10-28 124168]
"DsmSxplog"="c:\program files\CA\DSM\Bin\sxpstub.exe" [2007-10-28 24328]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-10-10 5726032]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

c:\documents and settings\SMIBR13\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2008-09-26 24096981]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-01-08 3450608]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-07 25214]
eFax 4.2.lnk - c:\program files\eFax Messenger 4.2\J2GTray.exe [2007-02-25 612352]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-05-14 114688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-02-09 122880]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
2007-10-28 03:45 27400 c:\program files\CA\DSM\bin\cfWlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rcHostExt]
2007-10-28 03:47 11528 c:\program files\CA\DSM\bin\rcLoginExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2129867641-919698055-327642922-134551\Scripts\Logon\0\0]
"Script"=Uncheck_Show_Friendly.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2129867641-919698055-327642922-277235\Scripts\Logon\0\0]
"Script"=DelNortelRegKey.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 16:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-08-25 17:28 1871872 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngserver.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Dropbox\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\CA\\DSM\\bin\\cfUsrNtf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-11-25 93776]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-11-25 41744]
R2 AMBroker;Access Manager Configuration Service;"c:\program files\AccessManager\Client\AMBroker.exe" [2004-11-03 77824]
R2 BOBJProcessServer;List of Values Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe" -service -name smibr13a.ListOfValuesJobServer -ns smibr13a -objectType CrystalEnterprise.MetaData.MetaDataRepositoryInfo -lib procLOV -restart -jsTypeDescription "List of Values Job Server" [2007-10-31 950272]
R2 CA Unicenter NSM Systems Performance Agent for UAM;CA Unicenter NSM Systems Performance Agent for UAM;"c:\windows\AMO40\CWS\PAgent\capmuamagt.exe" [2007-01-17 53248]
R2 caf;CA DSM r11 Common Application Framework.;"c:\program files\CA\DSM\bin\caf.exe" service [2007-10-28 193800]
R2 OracleOraDb9iAgent;OracleOraDb9iAgent;c:\oracle\products\9i\bin\agntsrvc.exe [2002-04-26 28944]
R2 OracleOraDb9iTNSListenerCLARITY;OracleOraDb9iTNSListenerCLARITY;c:\oracle\products\9i\BIN\TNSLSNR []
R2 SBKUPNT;SBKUPNT;\??\c:\windows\system32\Drivers\SBKUPNT.SYS [2008-12-22 14976]
R2 SlingAgentService;SlingAgent Service;"c:\program files\Sling Media\SlingAgent\SlingAgentService.exe" [2008-09-21 93960]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-07-18 36352]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2006-05-26 11113]
R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2007-04-09 11136]
R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2007-04-09 37248]
R3 rcSmCard;rcSmCard;c:\windows\system32\DRIVERS\rcSmCard.sys [2007-01-20 26128]
S2 BOBJCentralMS;Central Management Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe" -service -name smibr13a.cms -restart [2008-02-07 2625536]
S2 msupdsvc;Microsoft Update Service Helper;c:\windows\system32\msupdsvc32.exe []
S3 __AC_PROCESS_MGMT_DAEMON7;Actuate Process Management Daemon 7;"c:\niku\Actuate7\Server\bin\pmd7.exe" []
S3 B-Service;B-Service;c:\documents and settings\SMIBR13\Application Data\Mikogo\B-Service.exe [2008-11-02 180224]
S3 BOBJCrystalReportApplicationServer;Report Application Server;"c:\bo\common\3.5\bin\crystalras.exe" -service -name smibr13a.RAS -ns smibr13a -ipport -restart [2007-10-31 456192]
S3 BOBJCrystalReportsCacheServer;Crystal Reports Cache Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe" -service -name smibr13a.cacheserver -cache -nops -deleteCache -ns smibr13a -restart [2008-02-07 3211264]
S3 BOBJCrystalReportspageserver;Crystal Reports Page Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe" -service -name smibr13a.pageserver -ns smibr13a -restart [2008-02-07 3211264]
S3 BOBJCS;Connection Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe" -service -name smibr13a.ConnectionServer -ns smibr13a -restart [2007-10-31 1421312]
S3 BOBJDesktopIntelligenceCacheServer;Desktop Intelligence Cache Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe" -service -name smibr13a.Desktop_IntelligenceCacheServer -cache -nops -deleteCache -ns smibr13a -lib cacheFC -libTypeDescription "Desktop Intelligence Cache Server" -restart []
S3 BOBJDesktopIntelligenceReportServer;Desktop Intelligence Report Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe" -service -name smibr13a.Desktop_IntelligenceReportServer -ns smibr13a -lib procFC -libTypeDescription "Desktop Intelligence Report Server" -maxDesktops 0 -restart []
S3 BOBJDestinationServer;Destination Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe" -service -name smibr13a.destinationjobserver -ns smibr13a -objectType CrystalEnterprise.Destination -lib procDest -restart -jsTypeDescription "Destination Job Server" [2007-10-31 950272]
S3 BOBJEventServer;Event Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe" -service -name smibr13a.eventserver -ns smibr13a -restart [2008-02-07 892928]
S3 BOBJInputFileServer;Input File Repository Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe" -service -name Input.smibr13a -ns smibr13a -restart [2007-10-31 626688]
S3 BOBJJobServer_DesktopIntelligence;Desktop Intelligence Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe" -service -name smibr13a.Desktop_IntelligenceJobServer -ns smibr13a -objectType CrystalEnterprise.FullClient -lib pp_procFC -jsTypeDescription "Desktop Intelligence Job Server" -maxDesktops 0 -restart []
S3 BOBJJobServer_Report;Crystal Reports Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe" -service -name smibr13a.reportjobserver -ns smibr13a -objectType CrystalEnterprise.Report -lib procReport -restart -jsTypeDescription "Crystal Reports Job Server" [2007-10-31 950272]
S3 BOBJOutputFileServer;Output File Repository Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe" -service -name Output.smibr13a -ns smibr13a -restart [2007-10-31 626688]
S3 BOBJProgramServer;Program Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe" -service -name smibr13a.programjobserver -ns smibr13a -objectType CrystalEnterprise.Program -lib procProgram -restart -jsTypeDescription "Program Job Server" [2007-10-31 950272]
S3 BOBJTomcat;Apache Tomcat 5.0.27;"c:\bo\Tomcat\bin\tomcat5.exe" //RS//BOBJTomcat [2004-06-17 94208]
S3 BOBJWebiServer;Web Intelligence Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe" -service -name smibr13a.Web_IntelligenceJobServer -ns smibr13a -objectType CrystalEnterprise.Webi -lib procwebi -restart -jsTypeDescription "Web Intelligence Job Server" [2007-10-31 950272]
S3 BOBJWIRS;Web Intelligence Report Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe" -service -name smibr13a.Web_IntelligenceReportServer -ns smibr13a -restart [2008-02-07 1011712]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\AccessManager\Client\DAPlugin.exe [2004-11-03 81920]
S3 ExtranetAccess;Contivity VPN Service;"c:\program files\Nortel Networks\Extranet_serv.exe" [2006-05-26 782336]
S3 IBMWAS61Service - smibr13aNode01;IBM WebSphere Application Server V6.1 - smibr13aNode01;"c:\program files\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS61Service - smibr13aNode01" [2008-04-15 69632]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2006-05-26 216459]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2007-01-07 29952]
S3 LKNUCMP;Linksys Network USB Composite Device;c:\windows\system32\DRIVERS\lknucmp.sys [2007-04-09 11648]
S3 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
S3 Niku Background Server - WAS;Niku Background Server - WAS;c:\nikuwas\clarity\bin\nikubgservice.exe [2008-04-17 53248]
S3 Niku Background Server;Niku Background Server;c:\niku\clarity\bin\nikubgcmd.exe -s c:\niku\clarity\bin\nikubgcmd.conf []
S3 Niku Beacon - WAS;Niku Beacon - WAS;c:\nikuwas\clarity\bin\nikubeaconservice.exe [2008-04-17 53248]
S3 Niku Beacon;Niku Beacon;c:\niku\Clarity\bin\nikubeaconservice.exe []
S3 Niku Server;Niku Server;c:\niku\clarity\bin\nikuappcmd.exe -s c:\niku\clarity\bin\nikuappcmd.conf []
S3 Niku System Admin Server;Niku System Admin Server;c:\niku\clarity\bin\nikunsacmd.exe -s c:\niku\clarity\bin\nikunsacmd.conf []
S3 OracleOraDb10g_home1TNSListenerMITRE;OracleOraDb10g_home1TNSListenerMITRE;c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR []
S3 OracleOraDb9iClientCache;OracleOraDb9iClientCache;c:\oracle\products\9i\BIN\ONRSD.EXE [2002-04-26 243352]
S3 OracleOraDb9iSNMPPeerEncapsulator;OracleOraDb9iSNMPPeerEncapsulator;c:\oracle\products\9i\BIN\ENCSVC.EXE [2002-02-13 165310]
S3 OracleOraDb9iSNMPPeerMasterAgent;OracleOraDb9iSNMPPeerMasterAgent;c:\oracle\products\9i\BIN\AGNTSVC.EXE [2002-02-13 216188]
S3 OracleServiceCLARITY;OracleServiceCLARITY;c:\oracle\products\9i\bin\ORACLE.EXE CLARITY []
S3 OracleServiceMITRE;OracleServiceMITRE;c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE MITRE []
S3 OracleServiceNIKUWAS;OracleServiceNIKUWAS;c:\oracle\products\9i\bin\ORACLE.EXE NIKUWAS []
S3 rcVidCap;rcVidCap;c:\windows\system32\DRIVERS\rcVidMpt.sys [2007-01-20 9872]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\AccessManager\SMOC\spi_da.exe [2004-10-15 81920]
S3 Sygman;SSA Integration Manager;"c:\program files\AccessManager\Client\sygman.exe" [2004-11-03 126976]
S4 CA_LIC_CLNT;CA License Client;"c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" [2005-01-14 126976]
S4 LogWatch;Event Log Watch;"c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 53248]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-10-26 2799808]
S4 OracleJobSchedulerMITRE;OracleJobSchedulerMITRE;c:\oracle\product\10.2.0\db_1\Bin\extjob.exe MITRE []
S4 OracleOraDb10g_home1TNSListenerNIKU;OracleOraDb10g_home1TNSListenerNIKU;c:\oracle\product\10.1.0\db_1\BIN\TNSLSNR []
S4 OracleOraDb9iHTTPServer;OracleOraDb9iHTTPServer;"c:\oracle\products\9i\Apache\Apache\apache.exe" --ntservice [2002-04-18 4096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f24fa12-ab5a-11dd-b185-0016cfc2822f}]
\Shell\AutoRun\command - autoRcd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2656c206-b72a-11dd-b19d-005056c00008}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-21 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 06:00]

2009-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2129867641-919698055-327642922-277235.job
- c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D48DA098-42EA-41E0-A32A-EAC3AA52A210} - (no file)
HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: free.aol.com
Trusted Zone: accountconnect.ca.com
Trusted Zone: etrustpki.ca.com
Trusted Zone: hrreports.ca.com
Trusted Zone: hrreportsft.ca.com
Trusted Zone: insight.ca.com
Trusted Zone: insightft.ca.com
Trusted Zone: mrm.ca.com
Trusted Zone: supportreports.ca.com
Trusted Zone: usilws19.ca.com
Trusted Zone: *.insight
Trusted Zone: *.insightft
Trusted Zone: *.mrm
Trusted Zone: *.supportreports
Trusted Zone: *.usilap228
Trusted Zone: *.usilws19
Trusted Zone: accountconnect.ca.com
Trusted Zone: etrustpki.ca.com
Trusted Zone: hrreports.ca.com
Trusted Zone: hrreportsft.ca.com
Trusted Zone: insight.ca.com
Trusted Zone: insightft.ca.com
Trusted Zone: mrm.ca.com
Trusted Zone: supportreports.ca.com
Trusted Zone: usilws19.ca.com
Trusted Zone: *.insight
Trusted Zone: *.insightft
Trusted Zone: *.mrm
Trusted Zone: *.supportreports
Trusted Zone: *.usilws19

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 12:05:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NobleNet Portmapper for TCP]
"ImagePath"="c:\niku\Actuate7\Server/bin/portserv.exe tcp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb10g_home1TNSListenerMITRE]
"ImagePath"="c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb10g_home1TNSListenerNIKU]
"ImagePath"="c:\oracle\product\10.1.0\db_1\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb9iTNSListenerCLARITY]
"ImagePath"="c:\oracle\products\9i\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\NnGina.Dll
c:\program files\CA\DSM\Bin\cfwlogon.dll
c:\program files\CA\DSM\Bin\rcLoginExt.dll
c:\windows\system32\cscui.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\SC\CAM\bin\cam.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Symantec\Ghost\ngserver.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\oracle\products\9i\bin\TNSLSNR.EXE
c:\oracle\products\9i\bin\dbsnmp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AccessManager\PMAC\sp_SWIns.exe
c:\program files\CA\DSM\bin\cfSysTray.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\CA\DSM\bin\cfsmsmd.exe
c:\program files\CA\DSM\bin\ccnfAgent.exe
c:\program files\CA\DSM\bin\cfnotsrvd.exe
c:\program files\CA\DSM\bin\ccsmagtd.exe
c:\program files\CA\DSM\bin\rcHost.exe
c:\program files\CA\DSM\bin\amswmagt.exe
c:\program files\CA\DSM\PMAgent\capmuamagt.exe
c:\program files\CA\DSM\bin\cfFTPlugin.exe
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng9.exe
c:\program files\iPod\bin\iPodService.exe
c:\combofix\hidec.exe
c:\windows\system32\msiexec.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-01-02 12:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 18:08:18

Pre-Run: 71,233,081,344 bytes free
Post-Run: 71,099,355,136 bytes free


Thanks for the info, Brian. Let me go through this log; as you can see, it will take a while, but I will get back to you ASAP on it.
Try running another HJT scan and post that too. Do you feel things improved any with the running of combofix?
You might also update MBA-M and run a new scan with that too. Allow it to fix anything it finds.
Post that log also.
Judy


Thanks Judy!

Can't tell yet whether CF made a difference... Here is the HJT log I just executed...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35, on 2009-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\My Documents\Downloads\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 22151 bytes

Here is the Malwarebytes Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1585
Windows 5.1.2600 Service Pack 2

2009-01-02 12:45:46
mbam-log-2009-01-02 (12-45-46).txt

Scan type: Quick Scan
Objects scanned: 76928
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-0982818026-0792038349-964117139-9221\service.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe (Backdoor.Bot) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise323.exe (Backdoor.Bot) -> Delete on reboot.

Also attaching a screenshot of the malware findings prior to my rebooting...

Attachments 2009-01-02_124540.jpg 118.86 KB

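Two things in the post above are worth a mechanical second look rather than an eyeball scan: the HJT O23 / "Running processes" entries, and the Malwarebytes hits under C:\RECYCLER. Recycle-bin folders on an NTFS XP box are named after the owning user's SID, so a folder name that is not a well-formed S-1-5-21 account SID, or a file in one that is named like a system binary, is something an analyst wants surfaced. The script below is an added example written for this thread, not output or code from HijackThis, ComboFix or Malwarebytes; the sample lines are copied from the logs posted above, and the heuristics (user-writable directories, SID formatting checks, system-binary name mimicry, unknown-owner services claiming to be Microsoft) are my own triage rules. It only ranks entries for review; it does not decide that anything is malicious.

```python
# Triage heuristics for HijackThis and Malwarebytes log lines (added example; see lead-in).
import re

# Constructed sample input: 'Running processes' and O23 lines copied from the HijackThis log above.
HJT_LINES = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\My Documents\Downloads\imabunny.exe
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
""".strip().splitlines()

# Constructed sample input: 'Files Infected' lines copied from the Malwarebytes log above.
MBAM_LINES = r"""
C:\RECYCLER\S-1-5-21-0982818026-0792038349-964117139-9221\service.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe (Backdoor.Bot) -> Delete on reboot.
""".strip().splitlines()

# Service name and owner may themselves contain ' - ', so the path is anchored on a drive letter.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - "
                    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<verdict>[^)]+)\) -> (?P<action>.+)$")
SID_RE = re.compile(r"\\RECYCLER\\(?P<sid>S-1-\d+(?:-\d+)+)\\", re.IGNORECASE)

# Directories an ordinary user can write to; services and autostarts rarely belong there.
USER_WRITABLE = ("\\documents and settings\\", "\\recycler\\", "\\temp\\", "\\downloads\\")
# Binaries that live only in %SystemRoot%\system32 (explorer.exe legitimately lives in %SystemRoot%).
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def check_sid(sid):
    """Return the ways a RECYCLER folder name fails to look like a real user account SID."""
    parts = sid.split("-")            # ['S', '1', authority, sub-authorities..., RID]
    problems = []
    if parts[2] != "5":
        problems.append("identifier authority %s is not SECURITY_NT_AUTHORITY (5)" % parts[2])
    if parts[3] != "21":
        problems.append("first sub-authority is not 21 (not a domain/local account SID)")
    if len(parts) != 8:               # S-1-5-21-a-b-c-RID
        problems.append("expected three sub-authorities plus a RID after 21")
    if any(len(p) > 1 and p.startswith("0") for p in parts[2:]):
        problems.append("leading zero in a sub-authority (SIDs are plain decimal)")
    return problems


def triage_hjt_line(line):
    """Return reasons to review a 'Running processes' or O23 line (empty list = nothing notable)."""
    reasons = []
    m = O23_RE.match(line)
    if m:
        name, owner, path, missing = m.group("name", "owner", "path", "missing")
        if owner == "Unknown owner" and "microsoft" in name.lower():
            reasons.append("claims to be Microsoft but the binary carries no vendor information")
        if owner == "Unknown owner" and missing:
            reasons.append("orphaned service entry with unknown owner (binary missing)")
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("service binary lives under a user-writable directory")
    elif re.match(r"^[A-Za-z]:\\", line):
        lower = line.lower()
        if any(d in lower for d in USER_WRITABLE):
            reasons.append("process running from a user-writable directory")
        if basename(lower) in SYSTEM_NAMES and not dirname(lower).endswith("\\system32"):
            reasons.append("system binary name outside system32")
    return reasons


def triage_mbam_line(line):
    """Return reasons to review a Malwarebytes 'Files Infected' line."""
    m = MBAM_RE.match(line)
    if not m:
        return []
    path = m.group("path")
    reasons = []
    sid = SID_RE.search(path)
    if sid:
        reasons.append("executable dropped in a recycle-bin SID folder")
        reasons.extend(check_sid(sid.group("sid")))
    if basename(path).lower() in SYSTEM_NAMES:
        reasons.append("file name mimics a Windows system binary")
    return reasons


def triage(hjt_lines, mbam_lines):
    """Map each notable log line to its reasons; lines with nothing notable are dropped."""
    findings = {line: triage_hjt_line(line) for line in hjt_lines}
    findings.update({line: triage_mbam_line(line) for line in mbam_lines})
    return {line: reasons for line, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for line, reasons in triage(HJT_LINES, MBAM_LINES).items():
        print(line, "->", "; ".join(reasons))
```

Run it against a full HJT log by feeding every line to triage_hjt_line; anything it returns is a reason to check the file's digital signature, hash and on-disk timestamps, not a verdict. The SID checks are the useful part for the RECYCLER hits: a real account SID is S-1-5-21-a-b-c-RID in plain decimal, so an authority of 6 or a sub-authority with a leading zero cannot have been created by Windows for a user's recycle bin.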
Brian, can you run a new HJT scan and post that here?
Judy

Here's the HJT log I just executed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35, on 2009-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\My Documents\Downloads\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 22151 bytes

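A first triage pass over a log in the format posted above, as an added example (not the thread's tooling and not part of HijackThis): it picks out the entry types a helper reads first, services whose binary is missing or that list no publisher, an unknown Winsock LSP, wildcard trusted-zone hosts, Winlogon Notify DLLs, and anything launched from Downloads, Temp or a user profile. The sample log, the all-zero CLSID and the consonant-vowel DLL-name heuristic are constructed for illustration and flag entries for review, not as verdicts.

```python
"""Triage heuristics for a HijackThis v2 log (added example, not the thread's tooling)."""
import re
from typing import List, Tuple

# Every HijackThis entry starts with a section code ("R0", "O4", "O23") and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Directories that are user-writable or transient; a persistent binary there is
# worth a second look (the thread's imabunny.exe ran from Downloads), not proof.
SUSPICIOUS_DIRS = (
    "\\local settings\\temp\\",
    "\\downloads\\",
    "\\recycler\\",
    "\\windows\\temp\\",
    "\\application data\\",
)

# The DLLs singled out in the thread (najowate, nasikunu, noturoya, hidujuku) are
# eight letters alternating consonant/vowel; flag that shape inside system32.
CV_DLL_RE = re.compile(r"(?i:\\system32\\)(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll\b")


def _path_flags(text: str) -> List[str]:
    """Heuristics that apply to any entry carrying a file path."""
    low = text.lower()
    flags = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        flags.append("runs from user-writable/temp location")
    if CV_DLL_RE.search(text):
        flags.append("random-looking system32 DLL name")
    return flags


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries a helper should review first."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            findings += [("process: " + f, line) for f in _path_flags(line)]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header lines such as "Platform:"
        kind, body = m.groups()
        low = body.lower()
        if kind == "O23":                 # services
            if "(file missing)" in low:
                findings.append(("service registered but binary missing", line))
            if "unknown owner" in low:
                findings.append(("service with no publisher", line))
        elif kind == "O10" and "unknown" in low:
            findings.append(("unknown Winsock LSP provider", line))
        elif kind == "O15":               # IE trusted zone entries
            tokens = [t for t in body.split() if not t.startswith("(")]
            host = tokens[-1].split("://", 1)[-1] if tokens else ""
            if host.startswith("*.") or "." not in host.strip("*."):
                findings.append(("trusted zone wildcard or bare host", line))
        elif kind == "O20":               # Winlogon Notify DLLs load at every logon
            findings.append(("Winlogon Notify DLL (persistence point)", line))
        findings += [(kind + ": " + f, line) for f in _path_flags(body)]
    return findings


# Constructed sample modelled on the entry types in the thread; the all-zero
# CLSID is a placeholder, not a real identifier.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\explorer.exe
C:\\My Documents\\Downloads\\imabunny.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - c:\\windows\\system32\\najowate.dll
O4 - HKLM\\..\\Run: [igfxtray] C:\\WINDOWS\\system32\\igfxtray.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://*.insight
O20 - Winlogon Notify: CAF - C:\\Program Files\\CA\\DSM\\Bin\\cfwlogon.dll
O23 - Service: B-Service - Unknown owner - C:\\Documents and Settings\\SMIBR13\\Application Data\\Mikogo\\B-Service.exe
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\\WINDOWS\\system32\\msupdsvc32.exe (file missing)
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```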
Ok, the files found by MBA-M were in your Recycler folder and they are gone now.
I would like you to do the following:
Go to this website http://virusscan.jotti.org/
This is a website which will scan suspicious files using multiple antivirus programs and then report back to you what is found by their various scans.
I would like you to upload these files to the site and allow the scans to take place. Report back on the complete findings for each one.
c:\windows\system32\hidujuku.dll
c:\windows\system32\najowate.dll
c:\windows\system32\nasikunu.dll
c:\windows\system32\noturoya.dll

Judy

OK -
c:\windows\system32\hidujuku.dll -> Could not get through the scanning process... would always hang at the G Data scanner... The previous scanners found nothing. I will keep trying and update this thread should it find something...
c:\windows\system32\najowate.dll -> INFECTED (SEE SCREENSHOT)
c:\windows\system32\nasikunu.dll -> INFECTED (SEE SCREENSHOT)
c:\windows\system32\noturoya.dll -> OK (SEE SCREENSHOT)

Thanks,
Brian

Attachments najowate.jpg 162.04 KB nasikunu.jpg 157.46 KB noturoya.jpg 162.36 KB

I would like you to do the following:
Open Notepad (NOT WordPad) and copy/paste the text in the below quote box into it

KillAll::

File::
c:\windows\system32\hidujuku.dll
c:\windows\system32\najowate.dll
c:\windows\system32\nasikunu.dll

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
Post back here with that new log.
Judy

Thanks Judy - Here's the log:

ComboFix 09-01-01.02 - smibr13 2009-01-02 19:44:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3318.2576 [GMT -6:00]
Running from: c:\my documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\SMIBR13\Desktop\CFscript.txt
AV: eTrust ITM *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\hidujuku.dll
c:\windows\system32\najowate.dll
c:\windows\system32\nasikunu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hidujuku.dll
c:\windows\system32\najowate.dll
c:\windows\system32\nasikunu.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 11:30 . 2007-05-10 10:23 4,952,064 --a------ c:\windows\system32\stacgui.cpl
2009-01-02 11:30 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\system32\stlang.dll
2009-01-02 11:30 . 2007-05-10 10:24 1,222,840 --a------ c:\windows\system32\drivers\sthda.sys
2009-01-02 11:30 . 2007-05-10 10:22 405,504 --a------ c:\windows\stsystra.exe
2009-01-02 11:30 . 2007-05-10 10:23 270,336 --a------ c:\windows\system32\stacapi.dll
2009-01-02 11:30 . 2007-08-21 09:58 146,944 --a------ c:\windows\system32\st325602.dll
2008-12-31 13:41 . 2009-01-01 07:51 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-31 12:20 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 12:20 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 13:48 . 2008-12-30 13:48 <DIR> d-------- C:\pre-sales
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\program files\iTunes
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\program files\iPod
2008-12-23 00:40 . 2008-12-23 00:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 00:39 . 2008-12-23 00:39 <DIR> d-------- c:\program files\Bonjour
2008-12-23 00:38 . 2008-12-23 00:39 <DIR> d-------- c:\program files\QuickTime
2008-12-22 22:09 . 2008-12-22 22:11 <DIR> d-------- c:\program files\Creative
2008-12-22 19:46 . 2008-12-22 19:53 <DIR> d-------- c:\program files\MockupScreens
2008-12-22 18:01 . 2009-01-02 19:50 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Dropbox
2008-12-22 18:00 . 2008-12-22 18:01 <DIR> d-------- c:\program files\Dropbox
2008-12-22 11:36 . 2001-07-13 13:56 14,976 --a------ c:\windows\system32\drivers\SBKUPNT.SYS
2008-12-22 11:36 . 1997-02-08 17:11 13,312 --a------ c:\windows\system32\DEVLOAD.EXE
2008-12-22 11:36 . 2005-11-26 19:45 2,799 --a------ c:\windows\SKLANG.INI
2008-12-19 22:44 . 2008-12-19 22:44 <DIR> d-------- c:\temp\tools
2008-12-19 13:22 . 2008-12-19 13:23 <DIR> d-------- c:\program files\MPEG Stream
2008-12-19 04:30 . 2008-12-19 04:30 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-18 23:39 . 2008-12-18 23:39 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 23:33 . 2008-12-18 23:33 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\MPEG Streamclip
2008-12-18 21:44 . 2008-12-18 23:58 <DIR> d-------- c:\program files\Elecard
2008-12-18 21:16 . 2008-12-18 21:16 <DIR> d-------- c:\program files\VideoLAN
2008-12-18 10:59 . 2008-12-18 10:59 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Research In Motion
2008-12-18 10:59 . 2008-12-18 13:32 256 --a------ c:\windows\system32\pool.bin
2008-12-18 10:03 . 2008-12-18 10:03 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\InstallShield
2008-12-18 10:02 . 2008-12-18 10:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-18 10:00 . 2008-12-18 10:01 <DIR> d-------- c:\program files\Roxio
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-18 10:00 . 2008-12-18 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-18 09:59 . 2008-12-18 09:59 <DIR> d-------- c:\program files\Research In Motion
2008-12-18 09:59 . 2008-12-18 10:48 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-17 23:45 . 2008-12-17 23:45 <DIR> d-------- c:\program files\Sigmatel
2008-12-17 23:22 . 1999-10-10 19:00 41,984 --------- c:\windows\Ctregrun.exe
2008-12-17 23:20 . 2003-03-05 12:19 15,840 --------- c:\windows\system32\drivers\PFMODNT.SYS
2008-12-17 22:44 . 2008-12-17 22:44 <DIR> d-------- c:\program files\iXi Tools
2008-12-17 00:29 . 2008-12-31 12:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 00:29 . 2008-12-17 00:29 <DIR> d-------- c:\documents and settings\SMIBR13\Application Data\Malwarebytes
2008-12-17 00:29 . 2008-12-17 00:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 12:59 . 2008-12-16 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-16 08:39 . 2006-06-06 14:20 241,721 --a------ c:\windows\system32\HPBMINI.DLL
2008-12-16 08:39 . 2005-06-20 14:33 163,840 --a------ c:\windows\system32\HPJCMN2U.DLL
2008-12-16 08:39 . 2005-06-20 14:33 94,208 --a------ c:\windows\system32\HPJIPX1U.DLL
2008-12-16 08:39 . 2006-05-11 18:15 52,736 --a------ c:\windows\system32\HPZIPM12.DLL
2008-12-16 08:39 . 2005-06-20 14:33 49,152 --a------ c:\windows\system32\HPBNRAC2.DLL
2008-12-16 08:39 . 2006-05-11 18:15 43,520 --a------ c:\windows\system32\HPZINW12.DLL
2008-12-16 08:39 . 2007-02-06 16:29 39,424 --a------ c:\windows\system32\HPBPRO.DLL
2008-12-16 08:39 . 2007-02-06 16:29 25,600 --a------ c:\windows\system32\HPBOID.DLL
2008-12-16 08:39 . 2007-02-06 16:29 24,576 --a------ c:\windows\system32\HPBMIAPI.DLL
2008-12-16 08:39 . 2006-11-02 19:32 18,747 --a------ c:\windows\system32\HPCEAC06.HPI
2008-12-16 08:39 . 2007-02-06 16:29 7,680 --a------ c:\windows\system32\HPBPROPS.DLL
2008-12-16 08:39 . 2007-02-06 16:29 7,680 --a------ c:\windows\system32\HPBOIDPS.DLL
2008-12-12 15:47 . 2008-12-12 15:47 3,751,995 --a------ c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 01:50 --------- d-----w c:\documents and settings\SMIBR13\Application Data\VMware
2009-01-03 01:50 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-01-03 01:50 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-01-02 17:49 --------- d-----w c:\program files\Notepad++
2009-01-01 13:47 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2008-12-31 18:11 --------- d-----w c:\program files\Quest Software
2008-12-23 06:38 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 05:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 04:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 06:40 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-19 05:47 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Apple Computer
2008-12-18 05:48 992 ----a-w c:\windows\system32\drivers\sthdae.log
2008-12-17 06:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 04:31 --------- d-----w c:\program files\Lavasoft
2008-12-17 04:01 --------- d-----w c:\program files\Google
2008-12-15 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-12-04 15:00 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Mikogo
2008-12-04 01:33 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Trondent Development Corp
2008-12-03 03:13 --------- d-----w c:\documents and settings\SMIBR13\Application Data\FileZilla
2008-12-03 01:02 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2008-12-03 00:18 --------- d-----w c:\program files\DVD Decrypter
2008-12-03 00:17 --------- d-----w c:\program files\DVD Shrink
2008-12-03 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-27 05:49 --------- d-----w c:\program files\Sun
2008-11-24 20:11 --------- d-----w c:\program files\eviware
2008-11-22 03:10 93,776 ----a-w c:\windows\system32\drivers\VBoxDrv.sys
2008-11-22 03:10 41,744 ----a-w c:\windows\system32\drivers\VBoxUSBMon.sys
2008-11-21 14:18 --------- d-----w c:\program files\Lookout Software
2008-11-16 22:08 --------- d-----w c:\documents and settings\SMIBR13\Application Data\Business Objects
2008-11-12 21:31 --------- d-----w c:\program files\Microsoft Office Communicator
2008-11-12 06:26 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 06:21 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-11-12 06:17 --------- d-----w c:\program files\Microsoft Works
2008-11-12 06:16 --------- d-----w c:\program files\MSBuild
2008-11-11 20:46 --------- d-----w c:\program files\CA
2008-11-11 04:41 --------- d-----w c:\program files\Active Ports
2008-11-10 21:21 --------- d-----w c:\program files\Common Files\CA
2008-11-04 01:10 --------- d-----w c:\program files\Sling Media
2008-11-04 01:10 --------- d-----w c:\documents and settings\All Users\Application Data\Sling Media
2008-04-30 17:39 131 ----a-w c:\documents and settings\All Users\Shortcut.bat
2008-04-30 17:38 1,452 ----a-w c:\documents and settings\All Users\redirect.vbs
2007-12-17 02:45 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-19 07:05 3,072 --sha-w c:\windows\system32\noturoya.dll
.

------- Sigcheck -------

2004-08-04 06:00 1422336 4b0011b8e35843966a3ce5685058420f c:\windows\explorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 c:\windows\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-02_12.07.16.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-02 14:30:10 205,528 ----a-w c:\windows\AMO40\CWS\PAgent\agents\data\hpa\tmp\ntdata.dat
+ 2009-01-03 01:40:13 217,472 ----a-w c:\windows\AMO40\CWS\PAgent\agents\data\hpa\tmp\ntdata.dat
- 2009-01-02 14:29:21 104,656 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-03 01:40:49 104,656 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-02 14:29:21 515,362 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-03 01:40:49 515,362 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-03 01:49:25 16,384 ----atw c:\windows\temp\Perflib_Perfdata_21c.dat
+ 2009-01-03 01:50:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_d98.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"Google Update"="c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"Mikogo"="c:\documents and settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe" [2008-12-04 1115456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"AccessManager"="c:\program files\AccessManager\Client\AccessMgr.exe" [2004-11-03 794624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"eFax 4.2"="c:\program files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-30 144792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2008-09-03 218504]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-08-08 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-08-08 55856]
"CAF_SystemTray"="c:\program files\CA\DSM\\bin\cfSysTray.exe" [2007-10-28 124168]
"DsmSxplog"="c:\program files\CA\DSM\Bin\sxpstub.exe" [2007-10-28 24328]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-10-10 5726032]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

c:\documents and settings\SMIBR13\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2008-09-26 24096981]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-01-08 3450608]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-07 25214]
eFax 4.2.lnk - c:\program files\eFax Messenger 4.2\J2GTray.exe [2007-02-25 612352]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-05-14 114688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-02-09 122880]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
2007-10-28 03:45 27400 c:\program files\CA\DSM\bin\cfWlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rcHostExt]
2007-10-28 03:47 11528 c:\program files\CA\DSM\bin\rcLoginExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2129867641-919698055-327642922-134551\Scripts\Logon\0\0]
"Script"=Uncheck_Show_Friendly.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2129867641-919698055-327642922-277235\Scripts\Logon\0\0]
"Script"=DelNortelRegKey.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 16:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-08-25 17:28 1871872 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngserver.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Dropbox\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\CA\\DSM\\bin\\cfUsrNtf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-11-25 93776]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-11-25 41744]
R2 AMBroker;Access Manager Configuration Service;"c:\program files\AccessManager\Client\AMBroker.exe" [2004-11-03 77824]
R2 BOBJProcessServer;List of Values Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe" -service -name smibr13a.ListOfValuesJobServer -ns smibr13a -objectType CrystalEnterprise.MetaData.MetaDataRepositoryInfo -lib procLOV -restart -jsTypeDescription "List of Values Job Server" [2007-10-31 950272]
R2 CA Unicenter NSM Systems Performance Agent for UAM;CA Unicenter NSM Systems Performance Agent for UAM;"c:\windows\AMO40\CWS\PAgent\capmuamagt.exe" [2007-01-17 53248]
R2 caf;CA DSM r11 Common Application Framework.;"c:\program files\CA\DSM\bin\caf.exe" service [2007-10-28 193800]
R2 OracleOraDb9iAgent;OracleOraDb9iAgent;c:\oracle\products\9i\bin\agntsrvc.exe [2002-04-26 28944]
R2 OracleOraDb9iTNSListenerCLARITY;OracleOraDb9iTNSListenerCLARITY;c:\oracle\products\9i\BIN\TNSLSNR []
R2 SBKUPNT;SBKUPNT;\??\c:\windows\system32\Drivers\SBKUPNT.SYS [2008-12-22 14976]
R2 SlingAgentService;SlingAgent Service;"c:\program files\Sling Media\SlingAgent\SlingAgentService.exe" [2008-09-21 93960]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-07-18 36352]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2006-05-26 11113]
R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2007-04-09 11136]
R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2007-04-09 37248]
R3 rcSmCard;rcSmCard;c:\windows\system32\DRIVERS\rcSmCard.sys [2007-01-20 26128]
S2 BOBJCentralMS;Central Management Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe" -service -name smibr13a.cms -restart [2008-02-07 2625536]
S2 msupdsvc;Microsoft Update Service Helper;c:\windows\system32\msupdsvc32.exe []
S3 __AC_PROCESS_MGMT_DAEMON7;Actuate Process Management Daemon 7;"c:\niku\Actuate7\Server\bin\pmd7.exe" []
S3 B-Service;B-Service;c:\documents and settings\SMIBR13\Application Data\Mikogo\B-Service.exe [2008-11-02 180224]
S3 BOBJCrystalReportApplicationServer;Report Application Server;"c:\bo\common\3.5\bin\crystalras.exe" -service -name smibr13a.RAS -ns smibr13a -ipport -restart [2007-10-31 456192]
S3 BOBJCrystalReportsCacheServer;Crystal Reports Cache Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe" -service -name smibr13a.cacheserver -cache -nops -deleteCache -ns smibr13a -restart [2008-02-07 3211264]
S3 BOBJCrystalReportspageserver;Crystal Reports Page Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe" -service -name smibr13a.pageserver -ns smibr13a -restart [2008-02-07 3211264]
S3 BOBJCS;Connection Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe" -service -name smibr13a.ConnectionServer -ns smibr13a -restart [2007-10-31 1421312]
S3 BOBJDesktopIntelligenceCacheServer;Desktop Intelligence Cache Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe" -service -name smibr13a.Desktop_IntelligenceCacheServer -cache -nops -deleteCache -ns smibr13a -lib cacheFC -libTypeDescription "Desktop Intelligence Cache Server" -restart []
S3 BOBJDesktopIntelligenceReportServer;Desktop Intelligence Report Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe" -service -name smibr13a.Desktop_IntelligenceReportServer -ns smibr13a -lib procFC -libTypeDescription "Desktop Intelligence Report Server" -maxDesktops 0 -restart []
S3 BOBJDestinationServer;Destination Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe" -service -name smibr13a.destinationjobserver -ns smibr13a -objectType CrystalEnterprise.Destination -lib procDest -restart -jsTypeDescription "Destination Job Server" [2007-10-31 950272]
S3 BOBJEventServer;Event Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe" -service -name smibr13a.eventserver -ns smibr13a -restart [2008-02-07 892928]
S3 BOBJInputFileServer;Input File Repository Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe" -service -name Input.smibr13a -ns smibr13a -restart [2007-10-31 626688]
S3 BOBJJobServer_DesktopIntelligence;Desktop Intelligence Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe" -service -name smibr13a.Desktop_IntelligenceJobServer -ns smibr13a -objectType CrystalEnterprise.FullClient -lib pp_procFC -jsTypeDescription "Desktop Intelligence Job Server" -maxDesktops 0 -restart []
S3 BOBJJobServer_Report;Crystal Reports Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe" -service -name smibr13a.reportjobserver -ns smibr13a -objectType CrystalEnterprise.Report -lib procReport -restart -jsTypeDescription "Crystal Reports Job Server" [2007-10-31 950272]
S3 BOBJOutputFileServer;Output File Repository Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe" -service -name Output.smibr13a -ns smibr13a -restart [2007-10-31 626688]
S3 BOBJProgramServer;Program Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe" -service -name smibr13a.programjobserver -ns smibr13a -objectType CrystalEnterprise.Program -lib procProgram -restart -jsTypeDescription "Program Job Server" [2007-10-31 950272]
S3 BOBJTomcat;Apache Tomcat 5.0.27;"c:\bo\Tomcat\bin\tomcat5.exe" //RS//BOBJTomcat [2004-06-17 94208]
S3 BOBJWebiServer;Web Intelligence Job Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe" -service -name smibr13a.Web_IntelligenceJobServer -ns smibr13a -objectType CrystalEnterprise.Webi -lib procwebi -restart -jsTypeDescription "Web Intelligence Job Server" [2007-10-31 950272]
S3 BOBJWIRS;Web Intelligence Report Server;"c:\bo\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe" -service -name smibr13a.Web_IntelligenceReportServer -ns smibr13a -restart [2008-02-07 1011712]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\AccessManager\Client\DAPlugin.exe [2004-11-03 81920]
S3 ExtranetAccess;Contivity VPN Service;"c:\program files\Nortel Networks\Extranet_serv.exe" [2006-05-26 782336]
S3 IBMWAS61Service - smibr13aNode01;IBM WebSphere Application Server V6.1 - smibr13aNode01;"c:\program files\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS61Service - smibr13aNode01" [2008-04-15 69632]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2006-05-26 216459]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2007-01-07 29952]
S3 LKNUCMP;Linksys Network USB Composite Device;c:\windows\system32\DRIVERS\lknucmp.sys [2007-04-09 11648]
S3 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
S3 Niku Background Server - WAS;Niku Background Server - WAS;c:\nikuwas\clarity\bin\nikubgservice.exe [2008-04-17 53248]
S3 Niku Background Server;Niku Background Server;c:\niku\clarity\bin\nikubgcmd.exe -s c:\niku\clarity\bin\nikubgcmd.conf []
S3 Niku Beacon - WAS;Niku Beacon - WAS;c:\nikuwas\clarity\bin\nikubeaconservice.exe [2008-04-17 53248]
S3 Niku Beacon;Niku Beacon;c:\niku\Clarity\bin\nikubeaconservice.exe []
S3 Niku Server;Niku Server;c:\niku\clarity\bin\nikuappcmd.exe -s c:\niku\clarity\bin\nikuappcmd.conf []
S3 Niku System Admin Server;Niku System Admin Server;c:\niku\clarity\bin\nikunsacmd.exe -s c:\niku\clarity\bin\nikunsacmd.conf []
S3 OracleOraDb10g_home1TNSListenerMITRE;OracleOraDb10g_home1TNSListenerMITRE;c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR []
S3 OracleOraDb9iClientCache;OracleOraDb9iClientCache;c:\oracle\products\9i\BIN\ONRSD.EXE [2002-04-26 243352]
S3 OracleOraDb9iSNMPPeerEncapsulator;OracleOraDb9iSNMPPeerEncapsulator;c:\oracle\products\9i\BIN\ENCSVC.EXE [2002-02-13 165310]
S3 OracleOraDb9iSNMPPeerMasterAgent;OracleOraDb9iSNMPPeerMasterAgent;c:\oracle\products\9i\BIN\AGNTSVC.EXE [2002-02-13 216188]
S3 OracleServiceCLARITY;OracleServiceCLARITY;c:\oracle\products\9i\bin\ORACLE.EXE CLARITY []
S3 OracleServiceMITRE;OracleServiceMITRE;c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE MITRE []
S3 OracleServiceNIKUWAS;OracleServiceNIKUWAS;c:\oracle\products\9i\bin\ORACLE.EXE NIKUWAS []
S3 rcVidCap;rcVidCap;c:\windows\system32\DRIVERS\rcVidMpt.sys [2007-01-20 9872]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\AccessManager\SMOC\spi_da.exe [2004-10-15 81920]
S3 Sygman;SSA Integration Manager;"c:\program files\AccessManager\Client\sygman.exe" [2004-11-03 126976]
S4 CA_LIC_CLNT;CA License Client;"c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" [2005-01-14 126976]
S4 LogWatch;Event Log Watch;"c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 53248]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-10-26 2799808]
S4 OracleJobSchedulerMITRE;OracleJobSchedulerMITRE;c:\oracle\product\10.2.0\db_1\Bin\extjob.exe MITRE []
S4 OracleOraDb10g_home1TNSListenerNIKU;OracleOraDb10g_home1TNSListenerNIKU;c:\oracle\product\10.1.0\db_1\BIN\TNSLSNR []
S4 OracleOraDb9iHTTPServer;OracleOraDb9iHTTPServer;"c:\oracle\products\9i\Apache\Apache\apache.exe" --ntservice [2002-04-18 4096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f24fa12-ab5a-11dd-b185-0016cfc2822f}]
\Shell\AutoRun\command - autoRcd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2656c206-b72a-11dd-b19d-005056c00008}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-21 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 06:00]

2009-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2129867641-919698055-327642922-277235.job
- c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: free.aol.com
Trusted Zone: accountconnect.ca.com
Trusted Zone: etrustpki.ca.com
Trusted Zone: hrreports.ca.com
Trusted Zone: hrreportsft.ca.com
Trusted Zone: insight.ca.com
Trusted Zone: insightft.ca.com
Trusted Zone: mrm.ca.com
Trusted Zone: supportreports.ca.com
Trusted Zone: usilws19.ca.com
Trusted Zone: *.insight
Trusted Zone: *.insightft
Trusted Zone: *.mrm
Trusted Zone: *.supportreports
Trusted Zone: *.usilap228
Trusted Zone: *.usilws19
Trusted Zone: accountconnect.ca.com
Trusted Zone: etrustpki.ca.com
Trusted Zone: hrreports.ca.com
Trusted Zone: hrreportsft.ca.com
Trusted Zone: insight.ca.com
Trusted Zone: insightft.ca.com
Trusted Zone: mrm.ca.com
Trusted Zone: supportreports.ca.com
Trusted Zone: usilws19.ca.com
Trusted Zone: *.insight
Trusted Zone: *.insightft
Trusted Zone: *.mrm
Trusted Zone: *.supportreports
Trusted Zone: *.usilws19

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\SMIBR13\Application Data\Mozilla\Firefox\Profiles\iwiid49z.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\SMIBR13\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 19:52:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NobleNet Portmapper for TCP]
"ImagePath"="c:\niku\Actuate7\Server/bin/portserv.exe tcp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb10g_home1TNSListenerMITRE]
"ImagePath"="c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb10g_home1TNSListenerNIKU]
"ImagePath"="c:\oracle\product\10.1.0\db_1\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraDb9iTNSListenerCLARITY]
"ImagePath"="c:\oracle\products\9i\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1912)
c:\windows\system32\NnGina.Dll
c:\program files\CA\DSM\Bin\cfwlogon.dll
c:\program files\CA\DSM\Bin\rcLoginExt.dll
c:\windows\system32\cscui.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\SC\CAM\bin\cam.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Symantec\Ghost\ngserver.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\oracle\products\9i\bin\TNSLSNR.EXE
c:\oracle\products\9i\bin\dbsnmp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\CA\DSM\bin\cfSysTray.exe
c:\program files\AccessManager\PMAC\sp_SWIns.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\CA\DSM\bin\cfsmsmd.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\CA\DSM\bin\ccnfAgent.exe
c:\program files\CA\DSM\bin\cfnotsrvd.exe
c:\program files\CA\DSM\bin\ccsmagtd.exe
c:\program files\CA\DSM\bin\rcHost.exe
c:\program files\CA\DSM\bin\amswmagt.exe
c:\program files\CA\DSM\PMAgent\capmuamagt.exe
c:\program files\CA\DSM\bin\cfFTPlugin.exe
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng9.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-01-02 19:56:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 01:56:25
ComboFix2.txt 2009-01-02 18:09:37

Pre-Run: 70,746,722,304 bytes free
Post-Run: 70,721,732,608 bytes free


Reboot and run update MBA-M, then run a full system scan with it; reboot and run a new HJT full system scan and save the log, then post back here with both.
Judy

Ok - I think we may be making some progress!

Here's the MBA-M log:
Malwarebytes' Anti-Malware 1.31
Database version: 1599
Windows 5.1.2600 Service Pack 2

2009-01-02 22:17:00
mbam-log-2009-01-02 (22-17-00).txt

Scan type: Full Scan (C:\|D:\|S:\|X:\|)
Objects scanned: 527588
Time elapsed: 56 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:22, on 2009-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\WINDOWS\AMO40\CWS\PAgent\agents\bin\buildreslist.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\PMAgent\agents\bin\buildreslist.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\My Documents\Downloads\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 22161 bytes

Let me know what you think.

And thanks _very_ much for your help!

Brian

This is some nasty stuff!

0

Run HJT again. Place check marks next to the following entries if still present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Niku Beacon - Unknown owner - C:\niku\Clarity\bin\nikubeaconservice.exe (file missing)
O23 - Service: Niku System Admin Server - Unknown owner - C:\niku\clarity\bin\nikunsacmd.exe (file missing)
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\niku\Actuate7\Server/bin/portserv.exe (file missing)
O23 - Service: OracleOraDb10g_home1TNSListenerMITRE - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceMITRE - Unknown owner - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer. Run HJT once more and post the new log here.
Judy
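
The reply above applies a handful of triage rules to the log: O23 services whose binary is "(file missing)" are orphaned registrations and can be fixed, and the R0 start page reset to about:blank is cleared. As an added example (not code from this thread, from HijackThis or from Trend Micro), the Python script below encodes those rules, plus one generalization beyond what the reply asks for: it also flags running processes, autoruns and services whose binary lives under a user-writable profile location, since those deserve a publisher and hash check before they are trusted. The log text embedded in it is a constructed sample assembled from entries that appear in the thread, not the full log; the kind labels and the list of "user-writable" path markers are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 log format. The entries are
# modelled on lines that appear in the thread; this is not a full log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18, on 2009-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\My Documents\Downloads\imabunny.exe
C:\Program Files\Java\jre6\bin\jqs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed markers for locations an ordinary user can write to on XP.
USER_WRITABLE = ("\\my documents\\", "\\downloads\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # example's own label for the rule that fired
    line: str    # the log line, verbatim
    reason: str  # what a reviewer would say about it


def parse_running_processes(text):
    """Return the image paths listed under 'Running processes:'."""
    procs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:          # blank line ends the section
                break
            procs.append(line)
    return procs


def parse_entries(text):
    """Yield (section, body, full_line) for every R*/F*/O* entry."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(text):
    """Apply the reply's rules (plus the user-writable check) to a log."""
    findings = []
    for proc in parse_running_processes(text):
        if in_user_writable(proc):
            findings.append(Finding("user_writable_process", proc,
                "running from a user-writable folder; verify publisher and hash"))
    for section, body, line in parse_entries(text):
        if section == "O23":
            if "(file missing)" in body:
                findings.append(Finding("orphan_service", line,
                    "service binary is missing; orphaned registration, fix it"))
            elif "Unknown owner" in body:
                where = "user profile" if in_user_writable(body) else "system"
                findings.append(Finding("unknown_owner_service", line,
                    f"service with no publisher, binary under {where} path; verify"))
        elif section in ("R0", "R1") and body.lower().rstrip().endswith("= about:blank"):
            findings.append(Finding("start_page_reset", line,
                "start page reset to about:blank; fix and set a known page"))
        elif section == "O4" and in_user_writable(body):
            findings.append(Finding("user_writable_autorun", line,
                "autorun from a user-writable folder; verify publisher and hash"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    -> {f.reason}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents; entries it does not flag (Bonjour, igfxtray in the sample) are left for the reviewer, since a clean rule set is not a substitute for looking at the whole log.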

Ok - Ran HJT - Checked those you specified above, ran the fix. Rebooted. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18, on 2009-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\oracle\products\9i\bin\agntsrvc.exe
c:\oracle\products\9i\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
c:\oracle\products\9i\bin\dbsnmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dropbox\Dropbox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Xobni\XobniService.exe
C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\My Documents\Downloads\imabunny.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] C:\Program Files\CA\DSM\\bin\cfSysTray.exe
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SMIBR13\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\SMIBR13\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: SalesForce - {2A427663-00F1-4EE4-A3B6-7F84A024CBB3} - http://salesforce.ca.com (file missing) (HKCU)
O9 - Extra button: Helpdesk - {D4F74464-9448-4D88-B72E-07EA6EC1E14A} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {D9F8785B-2C42-41B4-98FE-75E11B7460C6} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: Leader - {DA2EB6A6-5DA2-4C9A-BC25-2D4799669C1A} - HTTP://leaderboard.ca.com (file missing) (HKCU)
O9 - Extra button: CKM - {E367B557-5D51-425D-B0EA-DC40E26990BB} - http://km.ca.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\SMIBR13\Application Data\Mikogo\B-Service.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Business Objects - C:\BO\common\3.5\bin\crystalras.exe
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe
O23 - Service: Connection Server (BOBJCS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe
O23 - Service: Destination Job Server (BOBJDestinationServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe
O23 - Service: Event Server (BOBJEventServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe
O23 - Service: List of Values Job Server (BOBJProcessServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe
O23 - Service: Program Job Server (BOBJProgramServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Apache Software Foundation - C:\BO\Tomcat\bin\tomcat5.exe
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Business Objects - C:\BO\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - smibr13aNode01 (IBMWAS61Service - smibr13aNode01) - Unknown owner - C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\PowerToys\ImapiHelper.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Niku Background Server - Unknown owner - C:\niku\clarity\bin\nikubgcmd.exe
O23 - Service: Niku Background Server - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubgservice.exe
O23 - Service: Niku Beacon - WAS - Alexandria Software Consulting - C:\nikuwas\clarity\bin\nikubeaconservice.exe
O23 - Service: Niku Server - Unknown owner - C:\niku\clarity\bin\nikuappcmd.exe
O23 - Service: OracleOraDb9iAgent - Oracle Corporation - c:\oracle\products\9i\bin\agntsrvc.exe
O23 - Service: OracleOraDb9iClientCache - Unknown owner - c:\oracle\products\9i\BIN\ONRSD.EXE
O23 - Service: OracleOraDb9iSNMPPeerEncapsulator - Unknown owner - c:\oracle\products\9i\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb9iSNMPPeerMasterAgent - Unknown owner - c:\oracle\products\9i\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb9iTNSListenerCLARITY - Unknown owner - c:\oracle\products\9i\BIN\TNSLSNR.exe
O23 - Service: OracleServiceCLARITY - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: OracleServiceNIKUWAS - Oracle Corporation - c:\oracle\products\9i\bin\ORACLE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe
O23 - Service: Actuate Process Management Daemon 7 (__AC_PROCESS_MGMT_DAEMON7) - Unknown owner - C:\niku\Actuate7\Server\bin\pmd7.exe (file missing)

--
End of file - 21183 bytes

Thanks

PLEASE HELP!!! POP_UPS on IE

I'm having problems with my IE popping up blank windows continually. I have McAfee, says no threats, Windows Defender says no updates available, Ran a couple other malware scans and nothing. I have the info from HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:15 PM, on 11/25/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SpiralFrog\Spiralfrog.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\oDesk\oDeskCommonPrefs.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\oDesk\oDeskTeam.exe
C:\Program Files\oDesk\oDeskShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Stephanie\AppData\Local\Yahoo!\BrowserPlus\2.4.21\BrowserPlusCore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher]

sb147780, this thread is nearly 1 year old. Though problems seem similar they may be caused by totally different things. It is never recommended that people post their own problems in somebody else's thread, for one reason because that is called "thread hijacking" but the key reason is that it is totally impossible to work with two people and two different computers on the same thread. Please create your own thread, restating all your information and adding logs from any program you have run thus far, even if they show clean, and somebody will be very happy to help you get things fixed.
Also please note, the HJT log you posted here is incomplete. You will need to post the entire log when you create your own post.
Judy