Virus affecting Trend Micro and search engines

Question

jonknisely 0 Newbie Poster

15 Years Ago

I have a virus that is not allowing me to "connect to the internet" to download updates on Trend Micro or Norton Anti virus. It is also won't allow me to open up helpful web pages from a search engine. If I copy and paste the web address it seems to work okay most of the time.

I have tried to run hijack this, sd fix, as well as Malwarebytes' Anti-Malware 1.40, but all to no avail.

Any help would be appreciated.

windows-virus

2 Contributors
21 Replies
259 Views
6 Days Discussion Span
Latest Post 15 Years Ago Latest Post by PhilliePhan

PhilliePhan 171 Central Scrutinizer

15 Years Ago

I have tried to run hijack this, sd fix, as well as Malwarebytes' Anti-Malware 1.40, but all to no avail.

What happens when you try to run the tools?

PP :)

jonknisely commented: great help; would highly recommend +1

PhilliePhan 171 Central Scrutinizer

15 Years Ago

O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll

Do you know if there is a commercial Key-logger or spyware on this machine?

PhilliePhan 171 Central Scrutinizer

15 Years Ago

not sure what those files are.
should they be removed?

Lots of times parents like to spy on their kids . . . .

Please Download LSPFix and extract it from the ZIP.

-Please run LSPFix.

-Check the Box labeled "I know what I'm doing" and then click on the nmnsp.dll file (in the “Keep” section) to select it.

-Then, Select the >> button to move nmnsp.dll into the Remove section.

-Please do the same for cespy.dll.

-Now, click the Finish Button. When the Repair Summary box appears, click OK.

-Now, just click the Finish Button. When the Repair Summary box appears, click OK.

Do a fresh scan with HJT and post the log.

PP:)

PhilliePhan 171 Central Scrutinizer

15 Years Ago

A little light humor is always nice when dealing with malware... ;)

-- I've had literally hundreds of people use that tool over the years.

PhilliePhan 171 Central Scrutinizer

15 Years Ago

now that i think about it I think maybe that cespy might be the covenant eyes filter i use. i just viewed it as an internet filter and not "a commercial Key-logger or spyware" anyway, it showed up again.

That's what it is . . . . And that's why it's back. I saw the CE entry in HJT, but it didn't register. But, it's definitely in the Spyware family.
Didn't think nmnsp.dll was a component, though.

Nothing else really jumps out at me from your HJT log - you might try running ComboFix as per the linky below and posting the log for us.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I'll try to check back on Tuesday, as time permits.

PP :)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

jonknisely 0 Newbie Poster · Answer 1 · 2009-09-01T11:05:52+00:00

Food for thought based on PhilliePhan's post titled
Read me before posting a request for assistance

#6. run the Microsoft® Windows® Malicious Software Removal Tool

when trying to access Microsoft® Windows® Malicious Software Removal Tool, I get an error message

Bad Request

HTTP Error 400. The request is badly formed.

#8 download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

I was able to download Malwarebytes' Anti-Malware but was not able to successfully download any database updates

I ran it and here are the results

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/31/2009 11:17:58 PM
mbam-log-2009-08-31 (23-17-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200862
Time elapsed: 42 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6cb-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{014da6cb-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0055B75C (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0055BBC1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0055BDE3.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0055BFA9.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy58.exe (Worm.KoobFace) -> Quarantined and deleted successfully.

9 – Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

I was unable to access any of these programs. When clicking on the link it always came up as "Firefox can't find the server at ..."

jonknisely 0 Newbie Poster · Answer 2 · 2009-09-01T11:09:53+00:00

What happens when you try to run the tools?
PP :)

I wasn't sure what to remove when running hijack this.

the sdfix and malware programs seemed to run okay but not solve the problem.

here is the hijack log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:22 AM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\CE\nmFlt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jonathan W. Knisely\Desktop\Analysethis.exe

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\coIEPlg.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5537 bytes

jonknisely 0 Newbie Poster · Answer 3 · 2009-09-01T11:22:17+00:00

not sure what those files are.

should they be removed?

jonknisely 0 Newbie Poster · Answer 4 · 2009-09-01T11:39:54+00:00

Lots of times parents like to spy on their kids . . . .

Please Download LSPFix and extract it from the ZIP.
-Please run LSPFix.
-Check the Box labeled I know what I'm doing

I laughed at their comment (or enjoy re-installing my operating system.)
As a PhilliePhan I hope I can trust you. I don't want to reinstall my operating system! ;o)

jonknisely 0 Newbie Poster · Answer 5 · 2009-09-01T11:49:42+00:00

now that i think about it I think maybe that cespy might be the covenant eyes filter i use. i just viewed it as an internet filter and not "a commercial Key-logger or spyware" anyway, it showed up again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:39 AM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe
C:\Program Files\CE\nmFlt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jonathan W. Knisely\Desktop\Analysethis.exe

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\coIEPlg.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5609 bytes

jonknisely 0 Newbie Poster · Answer 6 · 2009-09-02T06:09:52+00:00

here is the combfix log

ComboFix 09-09-01.04 - Jonathan W. Knisely 09/01/2009 17:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1523 [GMT -5:00]
Running from: c:\documents and settings\Jonathan W. Knisely\My Documents\Jonathan Knisely\My Downloads\ComboFixER.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DDnsFilter
c:\program files\DDnsFilter\DDnsFilter.dll
c:\windows\010112010146101105.xe
c:\windows\0101120101464857.xe
c:\windows\0101120101465653.xe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\3832e.msi
c:\windows\prxid93ps.dat
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\drivers\DnsFilter.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SfX
-------\Legacy_ddnsfilter
-------\Legacy_DnsFilter
-------\Service_ddnsfilter
-------\Service_DnsFilter

((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 22:55 . 2009-07-01 01:01 163192 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\IPSFFPlgn\components\IPSFFPl.dll
2009-09-01 03:23 . 2009-09-01 03:23 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\Malwarebytes
2009-09-01 03:23 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 03:23 . 2009-09-01 03:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 03:23 . 2009-09-01 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 03:23 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 02:28 . 2009-09-01 02:28 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-09-01 02:24 . 2009-09-01 02:24 -------- d-----w- c:\windows\ERUNT
2009-09-01 01:31 . 2009-09-01 01:44 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Local Settings\Application Data\Tific
2009-09-01 01:28 . 2009-09-01 01:28 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\Tific
2009-09-01 01:28 . 2009-09-01 01:28 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Local Settings\Application Data\Symantec
2009-09-01 01:26 . 2009-09-01 01:26 -------- d-----w- c:\windows\system32\drivers\NIS
2009-09-01 01:26 . 2009-09-01 01:26 -------- d-----w- c:\program files\Norton Internet Security
2009-09-01 01:26 . 2009-09-01 01:26 -------- d-----w- c:\program files\Windows Sidebar
2009-09-01 01:26 . 2009-09-01 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-01 01:18 . 2009-09-01 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-01 01:18 . 2009-09-01 01:18 -------- d-----w- c:\program files\NortonInstaller
2009-08-21 01:22 . 2009-08-21 01:22 1 ----a-w- c:\windows\ectbbyn.dat
2009-08-21 01:20 . 2009-08-21 01:20 1 ---h--w- c:\windows\ex23567.dat
2009-08-15 02:01 . 2009-08-15 02:02 -------- d-----w- C:\6170ef654afc2a7ed6c4
2009-08-15 02:01 . 2009-08-15 02:01 -------- d-----w- C:\f9f8dcb5fff3540d62f5
2009-08-13 22:08 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 01:37 . 2009-08-10 01:38 -------- d-----w- c:\program files\QuickTime
2009-08-08 04:31 . 2009-08-08 04:31 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-08 04:30 . 2009-08-08 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-08 04:30 . 2009-08-08 21:14 -------- d-----w- c:\program files\NOS
2009-08-04 22:11 . 2009-08-04 22:11 152576 ----a-w- c:\documents and settings\Jonathan W. Knisely\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 23:56 . 2009-09-01 01:27 900464 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\OCS\hsplayer.dll
2009-09-01 23:55 . 2007-05-22 09:53 -------- d--h--w- c:\documents and settings\Jonathan W. Knisely\Application Data\CE
2009-09-01 01:27 . 2009-09-01 01:27 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-01 01:27 . 2009-09-01 01:27 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-01 01:27 . 2009-09-01 01:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-01 01:27 . 2009-09-01 01:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-01 01:27 . 2009-09-01 01:27 -------- d-----w- c:\program files\Symantec
2009-09-01 01:27 . 2007-05-17 04:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-29 18:33 . 2008-12-24 02:11 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\Skype
2009-08-29 14:33 . 2008-12-24 02:13 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\skypePM
2009-08-18 02:25 . 2008-12-23 02:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-08-18 02:25 . 2008-12-23 02:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-08-17 02:42 . 2007-05-23 00:24 5174 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-17 02:42 . 2007-05-23 00:24 -------- d--h--w- c:\documents and settings\Jonathan W. Knisely\Application Data\Corel
2009-08-17 02:42 . 2007-05-23 00:24 168 --sh--r- c:\windows\system32\A994E15A7B.sys
2009-08-15 02:03 . 2008-01-20 23:57 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-06 22:33 . 2007-05-17 04:55 -------- d-----w- c:\program files\Microsoft Works
2009-08-06 22:32 . 2007-05-17 04:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 22:31 . 2007-05-23 14:51 -------- d-----w- c:\program files\OpenOffice.org 2.0
2009-08-06 22:29 . 2007-05-17 04:57 -------- d-----w- c:\program files\CyberLink
2009-08-06 22:28 . 2007-05-17 04:42 -------- d-----w- c:\program files\Dell
2009-08-06 22:23 . 2009-01-29 03:09 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\NCH Swift Sound
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:12 . 2007-05-17 04:39 -------- d-----w- c:\program files\Java
2009-07-31 14:25 . 2009-03-20 03:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 10:23 . 2009-07-11 20:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 02:09 . 2009-07-11 20:41 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\LimeWire
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 02:47 . 2007-05-22 09:41 -------- d-----w- c:\program files\e-Sword
2009-07-11 20:34 . 2009-07-11 20:34 152576 ----a-w- c:\documents and settings\Jonathan W. Knisely\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-11 01:02 . 2009-07-11 01:01 -------- d-----w- c:\program files\Common Files\EzTools
2009-07-02 08:17 . 2009-09-01 01:27 861552 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\CLT\cltLMSx.dll
2009-07-02 02:09 . 2009-09-01 01:27 202640 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\BASHDefs\20090701.001\BHEngx86.dll
2009-07-02 02:09 . 2009-09-01 01:27 200592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\BASHDefs\20090701.001\BHRules.dll
2009-07-02 02:09 . 2009-09-01 01:27 1204624 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\BASHDefs\20090701.001\BHEngine.dll
2009-07-02 02:09 . 2009-09-01 01:27 579984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\BASHDefs\20090701.001\bbRGen.dll
2009-07-02 02:09 . 2009-09-01 01:27 620592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\BASHDefs\20090701.001\BHDrvx64.sys
2009-07-02 02:08 . 2009-09-01 01:27 493616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\BASHDefs\20090701.001\BHDrvx86.sys
2009-07-01 01:01 . 2009-09-01 01:27 451120 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-07-01 01:01 . 2009-09-01 01:27 451120 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\20090630.001\IDSVia64.sys
2009-07-01 01:01 . 2009-09-01 01:27 333360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-01 01:01 . 2009-09-01 01:27 333360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\20090630.001\IDSVix86.sys
2009-07-01 01:01 . 2009-09-01 01:27 317816 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-07-01 01:01 . 2009-09-01 01:27 317816 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\20090630.001\IDSxpx86.sys
2009-07-01 01:01 . 2009-09-01 01:27 735096 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\BinHub\scxpx86.dll
2009-07-01 01:01 . 2009-09-01 01:27 735096 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\20090630.001\Scxpx86.dll
2009-07-01 01:01 . 2009-09-01 01:27 481656 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-07-01 01:01 . 2009-09-01 01:27 481656 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\20090630.001\IDSxpx86.dll
2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-06-26 14:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 23:09 . 2009-09-01 01:27 763248 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\coFFPlgn\components\coFFPlgn.dll
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 01:36 . 2009-03-06 02:43 66076 ---ha-w- c:\windows\system32\mlfcache.dat
2008-01-05 19:46 . 2007-05-22 00:07 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-01-05 19:46 . 2007-05-22 00:07 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-01-05 19:46 . 2007-05-22 00:07 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-01-05 19:46 . 2007-05-22 00:07 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-01-05 19:46 . 2007-05-22 00:07 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-23 20:25 . 2009-01-23 20:25 88 --sh--r- c:\windows\system32\5AB87027A8.sys
2009-02-05 20:42 . 2009-02-05 20:42 88 --sh--r- c:\windows\system32\A84052C833.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"NMSVC"="c:\program files\CE\nmSvc.exe" [2008-11-08 1192088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-13 00:37 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonathan W. Knisely^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Jonathan W. Knisely\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:ddnsfilter

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1100000.02D\SymDS.sys [8/31/2009 8:27 PM 328240]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1100000.02D\SymEFA.sys [8/31/2009 8:27 PM 168496]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\BASHDefs\20090701.001\BHDrvx86.sys [8/31/2009 8:27 PM 493616]
R1 BHHlpx86;Symantec Heuristics Helper Driver;c:\windows\system32\drivers\NIS\1100000.02D\BHHlpx86.sys [8/31/2009 8:27 PM 88624]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1100000.02D\ccHPx86.sys [8/31/2009 8:27 PM 492592]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1100000.02D\Ironx86.sys [8/31/2009 8:27 PM 109616]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe [8/31/2009 8:27 PM 122216]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.45\Definitions\IPSDefs\20090630.001\IDSxpx86.sys [8/31/2009 8:27 PM 317816]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\Drivers\IcRecUsb.sys --> c:\windows\system32\Drivers\IcRecUsb.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ddnsfilter REG_MULTI_SZ ddnsfilter
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070516
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: CESpy.dll
FF - ProfilePath - c:\documents and settings\Jonathan W. Knisely\Application Data\Mozilla\Firefox\Profiles\pdxd5nmm.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.0.0.45\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\17.0.0.45\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\CESpy.dll

- - - - - - - > 'explorer.exe'(1240)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\CE\nmFlt.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-01 19:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 00:01

Pre-Run: 75,129,372,672 bytes free
Post-Run: 75,244,650,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

298 --- E O F --- 2009-08-16 22:38

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 7 · 2009-09-02T07:03:09+00:00

Hi Jon,

Download the attached CFScript.txt to your Desktop.
-- Drag the CFScript.txt into ComboFix.exe to start ComboFix again.

Post me that log and tell me how things are working....

PP :)

jonknisely 0 Newbie Poster · Answer 8 · 2009-09-02T08:22:14+00:00

Hi Jon,
Download the attached CFScript.txt to your Desktop.
-- Drag the CFScript.txt into ComboFix.exe to start ComboFix again.
Post me that log and tell me how things are working....
PP :)

not sure I know exactly what you meant but here is the new log

ComboFix 09-09-01.04 - Jonathan W. Knisely 09/01/2009 21:02.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1478 [GMT -5:00]
Running from: c:\documents and settings\Jonathan W. Knisely\My Documents\Jonathan Knisely\My Downloads\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 01:17 . 2009-09-02 01:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-09-02 01:16 . 2009-09-02 01:13 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-09-02 01:16 . 2009-09-02 01:13 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-02 01:16 . 2009-09-02 01:13 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-09-02 01:15 . 2009-09-02 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-09-02 01:14 . 2009-09-02 01:17 -------- d-----w- c:\program files\Trend Micro
2009-09-02 01:13 . 2009-09-02 01:13 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-09-02 01:13 . 2009-09-02 01:13 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-09-02 01:13 . 2009-09-02 01:13 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-09-02 01:13 . 2009-09-02 01:13 339984 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2009-09-02 01:13 . 2009-09-02 01:13 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-09-01 03:23 . 2009-09-01 03:23 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\Malwarebytes
2009-09-01 03:23 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 03:23 . 2009-09-01 03:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 03:23 . 2009-09-01 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 03:23 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 02:28 . 2009-09-01 02:28 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-09-01 02:24 . 2009-09-01 02:24 -------- d-----w- c:\windows\ERUNT
2009-09-01 01:31 . 2009-09-01 01:44 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Local Settings\Application Data\Tific
2009-09-01 01:28 . 2009-09-01 01:28 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\Tific
2009-09-01 01:28 . 2009-09-01 01:28 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Local Settings\Application Data\Symantec
2009-09-01 01:26 . 2009-09-01 01:26 -------- d-----w- c:\windows\system32\drivers\NIS
2009-09-01 01:26 . 2009-09-02 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-01 01:18 . 2009-09-01 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-21 01:22 . 2009-08-21 01:22 1 ----a-w- c:\windows\ectbbyn.dat
2009-08-21 01:20 . 2009-08-21 01:20 1 ---h--w- c:\windows\ex23567.dat
2009-08-15 02:01 . 2009-08-15 02:02 -------- d-----w- C:\6170ef654afc2a7ed6c4
2009-08-15 02:01 . 2009-08-15 02:01 -------- d-----w- C:\f9f8dcb5fff3540d62f5
2009-08-13 22:08 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 01:37 . 2009-08-10 01:38 -------- d-----w- c:\program files\QuickTime
2009-08-08 04:31 . 2009-08-08 04:31 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-08 04:30 . 2009-08-08 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-08 04:30 . 2009-08-08 21:14 -------- d-----w- c:\program files\NOS
2009-08-04 22:11 . 2009-08-04 22:11 152576 ----a-w- c:\documents and settings\Jonathan W. Knisely\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 01:34 . 2007-05-22 09:53 -------- d--h--w- c:\documents and settings\Jonathan W. Knisely\Application Data\CE
2009-09-02 01:07 . 2007-05-17 04:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-02 00:44 . 2007-05-17 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-02 00:21 . 2007-09-30 18:35 -------- d-----w- c:\program files\Motorola
2009-08-29 18:33 . 2008-12-24 02:11 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\Skype
2009-08-29 14:33 . 2008-12-24 02:13 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\skypePM
2009-08-18 02:25 . 2008-12-23 02:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-08-18 02:25 . 2008-12-23 02:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-08-17 02:42 . 2007-05-23 00:24 5174 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-17 02:42 . 2007-05-23 00:24 -------- d--h--w- c:\documents and settings\Jonathan W. Knisely\Application Data\Corel
2009-08-17 02:42 . 2007-05-23 00:24 168 --sh--r- c:\windows\system32\A994E15A7B.sys
2009-08-15 02:03 . 2008-01-20 23:57 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-06 22:33 . 2007-05-17 04:55 -------- d-----w- c:\program files\Microsoft Works
2009-08-06 22:32 . 2007-05-17 04:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 22:31 . 2007-05-23 14:51 -------- d-----w- c:\program files\OpenOffice.org 2.0
2009-08-06 22:29 . 2007-05-17 04:57 -------- d-----w- c:\program files\CyberLink
2009-08-06 22:28 . 2007-05-17 04:42 -------- d-----w- c:\program files\Dell
2009-08-06 22:23 . 2009-01-29 03:09 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\NCH Swift Sound
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:12 . 2007-05-17 04:39 -------- d-----w- c:\program files\Java
2009-07-31 14:25 . 2009-03-20 03:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 10:23 . 2009-07-11 20:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 02:09 . 2009-07-11 20:41 -------- d-----w- c:\documents and settings\Jonathan W. Knisely\Application Data\LimeWire
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 02:47 . 2007-05-22 09:41 -------- d-----w- c:\program files\e-Sword
2009-07-11 20:34 . 2009-07-11 20:34 152576 ----a-w- c:\documents and settings\Jonathan W. Knisely\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-11 01:02 . 2009-07-11 01:01 -------- d-----w- c:\program files\Common Files\EzTools
2009-06-29 16:12 . 2004-08-10 17:51 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-06-26 14:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 01:36 . 2009-03-06 02:43 66076 ---ha-w- c:\windows\system32\mlfcache.dat
2008-01-05 19:46 . 2007-05-22 00:07 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-01-05 19:46 . 2007-05-22 00:07 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-01-05 19:46 . 2007-05-22 00:07 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-01-05 19:46 . 2007-05-22 00:07 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-01-05 19:46 . 2007-05-22 00:07 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-23 20:25 . 2009-01-23 20:25 88 --sh--r- c:\windows\system32\5AB87027A8.sys
2009-02-05 20:42 . 2009-02-05 20:42 88 --sh--r- c:\windows\system32\A84052C833.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-01_23.54.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 02:03 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2009-09-02 00:22 . 2008-04-13 18:45 26112 c:\windows\system32\ReinstallBackups\0030\DriverFiles\i386\usbser.sys
+ 2007-09-30 18:41 . 2008-04-13 18:45 26112 c:\windows\system32\dllcache\usbser.sys
+ 2009-02-13 23:55 . 2009-09-02 01:12 24576 c:\windows\Installer\nlsdl.dll
- 2009-02-13 23:55 . 2008-08-14 14:46 24576 c:\windows\Installer\nlsdl.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 57856 c:\windows\Installer\mfcm80u.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 57856 c:\windows\Installer\mfcm80u.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 69632 c:\windows\Installer\mfcm80.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 69632 c:\windows\Installer\mfcm80.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 96256 c:\windows\Installer\atl80.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 96256 c:\windows\Installer\atl80.dll
+ 2004-08-10 18:12 . 1998-10-29 20:45 306688 c:\windows\IsUninst.exe
- 2004-08-10 18:12 . 1998-10-29 22:45 306688 c:\windows\IsUninst.exe
- 2008-01-05 16:16 . 2008-08-14 14:18 126208 c:\windows\Installer\TmDbg32.dll
+ 2008-01-05 16:16 . 2009-09-02 01:13 126208 c:\windows\Installer\TmDbg32.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 626688 c:\windows\Installer\msvcr80.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 626688 c:\windows\Installer\msvcr80.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 548864 c:\windows\Installer\msvcp80.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 548864 c:\windows\Installer\msvcp80.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 479232 c:\windows\Installer\msvcm80.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 479232 c:\windows\Installer\msvcm80.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 159168 c:\windows\Installer\libexpat.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 159168 c:\windows\Installer\libexpat.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 1093120 c:\windows\Installer\mfc80u.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 1093120 c:\windows\Installer\mfc80u.dll
- 2008-01-05 16:16 . 2008-08-14 14:19 1101824 c:\windows\Installer\mfc80.dll
+ 2008-01-05 16:16 . 2009-09-02 01:12 1101824 c:\windows\Installer\mfc80.dll
+ 2009-09-02 01:15 . 2009-09-02 01:15 3204096 c:\windows\Installer\45d72.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"NMSVC"="c:\program files\CE\nmSvc.exe" [2008-11-08 1192088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-09-02 1020248]