infected with frmwrk32.exe


NOOB001

Hello all. I came home yesterday and my daughter had a puzzled look on her face. The PC was popping up a window and there was a red box in the tray with a white X. I did some searching and found frmwrk32 and punnet in my msconfig. I shut them down and renamed the dll file. The desktop had black outlines around the icons and was unresponsive. Windows restore did not work. Ctrl-alt-del didn't work. I downloaded the spyware guide and all the relevant programs. I have spent all last night and all morning running the programs and following the guide.
I have logs from combofix, trojan remover, smitfraud, antimalware and hijackthis. They found rootkits and trojans. Vundofix found stuff too.
I am up to the AVG download and when I try to update, AVG popups continually tell me I am infected and lock me up. I am stuck at that point. Here is my HijackThis log. Please let me know what else I should post. Thanks in advance. Pat

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:38, on 1/15/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Pat\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} (AIRJ01FPlayer.Player) - http://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6888 bytes
 
Follow up: here is my ComboFix log.
Thanks, Pat


ComboFix 09-01-13.04 - Pat 2009-01-15 7:22:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.733 [GMT -5:00]
Running from: c:\documents and settings\Pat\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\windows\system32\atmtd.dll._
c:\windows\SYSTEM32\ccbLonmp.ini
c:\windows\system32\ccbLonmp.ini2
c:\windows\system32\ddcdeBSJ.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekatfjqnafo.sys
c:\windows\system32\intr32.dll
c:\windows\system32\pjraondx.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamixtrlwv.dll
c:\windows\system32\senekayqggyouu.dll
c:\windows\system32\tmp.reg
c:\windows\system32\uniq.tll

----- BITS: Possible infected sites -----

hxxp://childhe.com
hxxp://eservicesupport.us.dell.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-14 20:22 . 2009-01-14 20:22 45,568 --------- c:\windows\SYSTEM32\log.exe
2009-01-14 19:41 . 2009-01-14 19:41 <DIR> d-------- c:\documents and settings\Pat\Application Data\Malwarebytes
2009-01-14 19:40 . 2009-01-14 19:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 19:40 . 2009-01-14 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-14 19:40 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-14 19:40 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-14 19:32 . 2009-01-14 19:32 <DIR> d-------- C:\VundoFix Backups
2009-01-14 19:10 . 2009-01-14 19:10 <DIR> d-------- c:\program files\CCleaner
2009-01-14 18:49 . 2009-01-14 18:50 <DIR> d-------- c:\program files\CleanUp!
2009-01-14 18:45 . 2009-01-14 18:45 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-01-14 06:29 . 2009-01-14 06:29 <DIR> d-------- c:\program files\PrevxCSI
2009-01-14 06:29 . 2009-01-14 07:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-01-14 06:29 . 2009-01-15 07:28 26,808 --a------ c:\windows\SYSTEM32\DRIVERS\pxark.sys
2009-01-14 05:51 . 2009-01-14 08:42 12,807,426 -r-hs---- C:\AVG7DB_F.DAT
2009-01-14 05:10 . 2009-01-14 05:10 25,088 --a------ c:\windows\SYSTEM32\DRIVERS\cbdmsqtq.sys
2009-01-14 05:08 . 2009-01-14 05:08 11,835,889 --------- C:\AVG7QT.DAT
2009-01-14 05:06 . 2009-01-14 05:06 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2009-01-14 05:06 . 2009-01-14 05:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2009-01-14 04:34 . 2004-08-25 10:16 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Symantec
2009-01-14 04:34 . 2004-08-25 10:15 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Sonic
2009-01-14 04:34 . 2004-08-25 10:16 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Jasc Software Inc
2009-01-14 04:34 . 2004-08-25 10:10 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Creative
2009-01-14 04:34 . 2009-01-14 05:06 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51
2009-01-13 18:04 . 2009-01-15 07:26 2,022 --a------ c:\windows\ldxtdoad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-01-15 00:35 26,112 ----a-w c:\windows\Internet Logs\xDB8C.tmp
2009-01-15 00:23 51,200 ----a-w c:\documents and settings\Pat\Application Data\GDIPFONTCACHEV1.DAT
2009-01-15 00:21 2,461,184 ----a-w c:\windows\Internet Logs\xDB8B.tmp
2009-01-14 23:20 2,460,160 ----a-w c:\windows\Internet Logs\xDB89.tmp
2009-01-14 20:37 197,120 ----a-w c:\windows\Internet Logs\xDB8A.tmp
2009-01-14 13:00 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2009-01-14 10:08 --------- d-----w c:\documents and settings\Pat\Application Data\AVG7
2009-01-06 20:28 289,280 ----a-w c:\windows\Internet Logs\xDB88.tmp
2009-01-06 20:28 2,417,664 ----a-w c:\windows\Internet Logs\xDB87.tmp
2009-01-04 17:48 --------- d-----w c:\documents and settings\Pat\Application Data\AdobeUM
2008-12-15 22:46 --------- d-----w c:\program files\EA GAMES
2008-12-13 14:46 170,496 ----a-w c:\windows\Internet Logs\xDB86.tmp
2008-12-13 02:43 2,388,480 ----a-w c:\windows\Internet Logs\xDB85.tmp
2008-12-08 21:45 212,992 ----a-w c:\windows\SYSTEM32\DSPlayer.dll
2008-12-01 03:35 250,880 ----a-w c:\windows\Internet Logs\xDB84.tmp
2008-12-01 03:33 2,406,912 ----a-w c:\windows\Internet Logs\xDB83.tmp
2008-11-09 21:10 309,760 ----a-w c:\windows\Internet Logs\xDB82.tmp
2008-11-09 21:04 2,310,656 ----a-w c:\windows\Internet Logs\xDB81.tmp
2008-08-19 18:16 8,289,720 ----a-w c:\program files\FLV PlayerRCATSetup.exe
2008-08-19 18:12 411,248 ----a-w c:\program files\FLV PlayerRCSetup.exe
2008-12-19 01:24 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 01:24 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 01:24 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 01:24 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 01:24 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-26 705808]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-01-14 338432]
"AVG7_EMC"="c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe" [2009-01-14 263680]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2009-01-14 147968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-08-25 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SonicWALL VPN Client.lnk - c:\program files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe [2004-09-14 49204]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 12:10 18744 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xhutwh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\SYSTEM32\DRIVERS\vap.sys [2004-08-31 36188]
R4 Crypto;Crypto;c:\windows\SYSTEM32\DRIVERS\Crypto.sys [2004-09-14 217088]
R4 CSIScanner;CSIScanner;c:\program files\PrevxCSI\prevxcsi.exe [2009-01-14 927288]
R4 IPSECDRV;SafeNet IPSec Plugin;c:\windows\SYSTEM32\DRIVERS\IpSecDrv.sys [2004-09-14 112696]
S0 agjlekcg;agjlekcg;c:\windows\SYSTEM32\DRIVERS\cbdmsqtq.sys [2009-01-14 25088]
S0 ldxtdoad;ldxtdoad;c:\windows\SYSTEM32\DRIVERS\wwoebzhm.sys []
S0 pxark;pxark;c:\windows\SYSTEM32\DRIVERS\pxark.sys [2009-01-14 26808]
S3 SMALUSB;Digital Camera Driver;c:\windows\SYSTEM32\DRIVERS\smalidt.sys [2004-09-06 9216]
S4 NCMMCIAJ;NCMMCIAJ;\??\c:\windows\System32\ncmmciaj.krg --> c:\windows\System32\ncmmciaj.krg [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-15 c:\windows\Tasks\vjyvzljs.job
- c:\windows\System32\RUNDLL32.EXE [2002-08-29 05:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F613CD00-14DC-47FD-817A-D4D35053ADE5} - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Trusted Zone: www.pcu.clearviewfcu.org

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\System32\OLEAUT32.DLL - c:\windows\System32\OLEPRO32.DLL
c:\windows\System32\ASYCFILT.DLL
c:\windows\System32\STDOLE2.TLB
c:\windows\System32\COMCAT.DLL
c:\windows\System32\MSVBVM60.DLL
c:\windows\Downloaded Program Files\AIRJ01FPlayer.ocx
O16 -: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD}
hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
c:\windows\Downloaded Program Files\AIRJ01FPlayer.INF
FF - ProfilePath - c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\pe5jfrn6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 07:28:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\wwoebzhm.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NCMMCIAJ]
"ImagePath"="\??\c:\windows\System32\ncmmciaj.krg"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\ODBC32.dll
c:\windows\system32\PCANotify.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\program files\Symantec\pcAnywhere\awhost32.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2009-01-15 7:30:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 12:30:48

Pre-Run: 53,346,836,480 bytes free
Post-Run: 53,254,688,768 bytes free

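As an added example (not from this thread and not part of ComboFix), a small Python triage script that scans ComboFix "Reg Loading Points" output for the kinds of entries that stand out in the log above: a boot-start driver with a random eight-letter name and no file record, a non-empty AppInit_DLLs value, and the firewall policy set to 0. The sample lines are copied from the posted log; the heuristics are mine and produce hints for a human reviewer, not a verdict.

```python
"""Heuristic triage of ComboFix 'Reg Loading Points' lines.

Added example for this thread; not ComboFix code. Every rule below is a
hint for a human reviewer, not proof that an entry is malicious.
"""
import re
from typing import List, Tuple

# Sample input constructed from entries shown in the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xhutwh.dll

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\SYSTEM32\DRIVERS\vap.sys [2004-08-31 36188]
S0 agjlekcg;agjlekcg;c:\windows\SYSTEM32\DRIVERS\cbdmsqtq.sys [2009-01-14 25088]
S0 ldxtdoad;ldxtdoad;c:\windows\SYSTEM32\DRIVERS\wwoebzhm.sys []
S3 SMALUSB;Digital Camera Driver;c:\windows\SYSTEM32\DRIVERS\smalidt.sys [2004-09-06 9216]
S4 NCMMCIAJ;NCMMCIAJ;\??\c:\windows\System32\ncmmciaj.krg --> c:\windows\System32\ncmmciaj.krg [?]
"""

# "<R|S><start type> <service name>;<display name>;<image path> [<date size>]"
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
# Eight letters and nothing else is the shape of the generated names above.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")
# '"ValueName"= data' as ComboFix prints registry values.
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def _split_path(rest: str) -> Tuple[str, str]:
    """Split 'image path [meta]' into (path, meta); meta is '' when absent."""
    head, sep, tail = rest.rpartition(" [")
    if not sep:
        return rest.strip(), ""
    return head.strip(), tail.rstrip("]").strip()


def check_service(line: str) -> List[str]:
    """Return the reasons a driver/service line deserves a closer look."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _state, start, name, display, rest = m.groups()
    path, meta = _split_path(rest)
    reasons = []
    if display == name and RANDOM_NAME_RE.match(name):
        reasons.append("random-looking 8-letter name reused as display name")
    if meta in ("", "?"):
        reasons.append("no file date/size recorded (file missing or hidden)")
    if not path.lower().endswith((".sys", ".exe")):
        reasons.append("driver image does not have a .sys/.exe extension")
    if start == "0" and reasons:
        reasons.append("boot-start driver, loads before anti-malware tools")
    return reasons


def check_value(line: str) -> List[str]:
    """Flag registry values that weaken the system or inject code."""
    m = VALUE_RE.match(line)
    if not m:
        return []
    key, value = m.group(1).lower(), m.group(2).strip()
    if key == "appinit_dlls" and value not in ("", '""'):
        return ["AppInit_DLLs=%s is loaded into every process using user32.dll" % value]
    if key == "enablefirewall" and value.startswith("0"):
        return ["Windows Firewall disabled for the standard profile"]
    return []


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line at least one rule fires on."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons = check_service(line) or check_value(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```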
 
Osiris, I deleted the files in HijackThis as requested, but I could not find the odd .sys file in my drivers folder. Here is the newest log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:25:07, on 1/15/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Pat\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6425 bytes
 
CCleaner and CleanUp! done. ComboFix run, log as follows.
One question, though: when ComboFix ran, ZoneAlarm popped up with 3 programs trying to access the internet: Ping, IP Utility, and psexec.cfexe. Are these normally associated with ComboFix? Thanks, Pat



ComboFix 09-01-13.04 - Pat 2009-01-15 20:19:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.657 [GMT -5:00]
Running from: c:\documents and settings\Pat\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-15 13:06 . 2008-10-16 14:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2009-01-15 13:06 . 2008-10-16 14:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui
2009-01-15 11:38 . 2009-01-15 11:38 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-15 11:38 . 2009-01-15 11:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-01-15 11:20 . 2009-01-15 11:38 <DIR> d-------- c:\program files\Trojan Remover
2009-01-15 11:15 . 2009-01-15 11:20 <DIR> d-------- c:\documents and settings\Pat\Application Data\Simply Super Software
2009-01-15 11:15 . 2006-05-25 14:52 162,304 --a------ c:\windows\SYSTEM32\ztvunrar36.dll
2009-01-15 11:15 . 2003-02-02 19:06 153,088 --a------ c:\windows\SYSTEM32\unrar3.dll
2009-01-15 11:15 . 2005-08-26 00:50 77,312 --a------ c:\windows\SYSTEM32\ztvunace26.dll
2009-01-15 11:15 . 2002-03-06 00:00 75,264 --a------ c:\windows\SYSTEM32\unacev2.dll
2009-01-15 11:15 . 2006-06-19 12:01 69,632 --a------ c:\windows\SYSTEM32\ztvcabinet.dll
2009-01-14 20:22 . 2009-01-14 20:22 45,568 --------- c:\windows\SYSTEM32\log.exe
2009-01-14 19:41 . 2009-01-14 19:41 <DIR> d-------- c:\documents and settings\Pat\Application Data\Malwarebytes
2009-01-14 19:40 . 2009-01-14 19:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 19:40 . 2009-01-14 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-14 19:40 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-14 19:40 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-14 19:32 . 2009-01-14 19:32 <DIR> d-------- C:\VundoFix Backups
2009-01-14 19:10 . 2009-01-14 19:10 <DIR> d-------- c:\program files\CCleaner
2009-01-14 18:49 . 2009-01-14 18:50 <DIR> d-------- c:\program files\CleanUp!
2009-01-14 18:45 . 2009-01-14 18:45 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-01-14 06:29 . 2009-01-15 11:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-01-14 05:51 . 2009-01-14 08:42 12,807,426 -r-hs---- C:\AVG7DB_F.DAT
2009-01-14 05:10 . 2009-01-14 05:10 25,088 --a------ c:\windows\SYSTEM32\DRIVERS\cbdmsqtq.sys.vir
2009-01-14 05:08 . 2009-01-14 05:08 11,835,889 --a------ C:\AVG7QT.DAT.vir
2009-01-14 05:06 . 2009-01-14 05:06 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2009-01-14 05:06 . 2009-01-14 05:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2009-01-14 04:34 . 2004-08-25 10:16 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Symantec
2009-01-14 04:34 . 2004-08-25 10:15 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Sonic
2009-01-14 04:34 . 2004-08-25 10:16 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Jasc Software Inc
2009-01-14 04:34 . 2004-08-25 10:10 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51\Application Data\Creative
2009-01-14 04:34 . 2009-01-14 05:06 <DIR> d-------- c:\documents and settings\Administrator.D3ZX0L51
2009-01-13 18:04 . 2009-01-15 11:27 2,022 --a------ c:\windows\ldxtdoad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 16:38 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2009-01-15 16:28 2,488,320 ----a-w c:\windows\Internet Logs\xDB8F.tmp
2009-01-15 15:58 2,495,488 ----a-w c:\windows\Internet Logs\xDB8D.tmp
2009-01-15 15:53 55,808 ----a-w c:\windows\Internet Logs\xDB8E.tmp
2009-01-15 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-01-15 00:35 26,112 ----a-w c:\windows\Internet Logs\xDB8C.tmp
2009-01-15 00:23 51,200 ----a-w c:\documents and settings\Pat\Application Data\GDIPFONTCACHEV1.DAT
2009-01-15 00:21 2,461,184 ----a-w c:\windows\Internet Logs\xDB8B.tmp
2009-01-14 23:20 2,460,160 ----a-w c:\windows\Internet Logs\xDB89.tmp
2009-01-14 20:37 197,120 ----a-w c:\windows\Internet Logs\xDB8A.tmp
2009-01-14 10:08 --------- d-----w c:\documents and settings\Pat\Application Data\AVG7
2009-01-06 20:28 289,280 ----a-w c:\windows\Internet Logs\xDB88.tmp
2009-01-06 20:28 2,417,664 ----a-w c:\windows\Internet Logs\xDB87.tmp
2009-01-04 17:48 --------- d-----w c:\documents and settings\Pat\Application Data\AdobeUM
2008-12-15 22:46 --------- d-----w c:\program files\EA GAMES
2008-12-13 14:46 170,496 ----a-w c:\windows\Internet Logs\xDB86.tmp
2008-12-13 02:43 2,388,480 ----a-w c:\windows\Internet Logs\xDB85.tmp
2008-12-08 21:45 212,992 ----a-w c:\windows\SYSTEM32\DSPlayer.dll
2008-12-01 03:35 250,880 ----a-w c:\windows\Internet Logs\xDB84.tmp
2008-12-01 03:33 2,406,912 ----a-w c:\windows\Internet Logs\xDB83.tmp
2008-11-09 21:10 309,760 ----a-w c:\windows\Internet Logs\xDB82.tmp
2008-11-09 21:04 2,310,656 ----a-w c:\windows\Internet Logs\xDB81.tmp
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-08-19 18:16 8,289,720 ----a-w c:\program files\FLV PlayerRCATSetup.exe
2008-08-19 18:12 411,248 ----a-w c:\program files\FLV PlayerRCSetup.exe
2008-12-19 01:24 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 01:24 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 01:24 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 01:24 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 01:24 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-15_ 7.30.11.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 23:05:11 454,892 ----a-w c:\windows\SYSTEM32\Restore\rstrlog.dat
+ 2009-01-15 16:38:26 268,656 ----a-w c:\windows\SYSTEM32\Restore\rstrlog.dat
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-26 705808]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-01-14 338432]
"AVG7_EMC"="c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe" [2009-01-14 263680]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-01-01 1231752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2009-01-14 147968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-08-25 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SonicWALL VPN Client.lnk - c:\program files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe [2004-09-14 49204]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 12:10 18744 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\SYSTEM32\DRIVERS\vap.sys [2004-08-31 36188]
R4 Crypto;Crypto;c:\windows\SYSTEM32\DRIVERS\Crypto.sys [2004-09-14 217088]
R4 IPSECDRV;SafeNet IPSec Plugin;c:\windows\SYSTEM32\DRIVERS\IpSecDrv.sys [2004-09-14 112696]
S0 agjlekcg;agjlekcg; [x]
S0 ldxtdoad;ldxtdoad; [x]
S3 SMALUSB;Digital Camera Driver;c:\windows\SYSTEM32\DRIVERS\smalidt.sys [2004-09-06 9216]
S4 NCMMCIAJ;NCMMCIAJ;\??\c:\windows\System32\ncmmciaj.krg --> c:\windows\System32\ncmmciaj.krg [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-15 c:\windows\Tasks\vjyvzljs.job
- c:\windows\System32\RUNDLL32.EXE [2002-08-29 05:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: www.pcu.clearviewfcu.org

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\pe5jfrn6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.techist.com/pc/f70/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 20:20:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NCMMCIAJ]
"ImagePath"="\??\c:\windows\System32\ncmmciaj.krg"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\ODBC32.dll
c:\windows\system32\PCANotify.dll

- - - - - - - > 'lsass.exe'(1004)
c:\windows\System32\dssenh.dll
.
Completion time: 2009-01-15 20:21:29
ComboFix-quarantined-files.txt 2009-01-16 01:21:24
ComboFix2.txt 2009-01-15 12:30:57

Pre-Run: 56,429,506,560 bytes free
Post-Run: 56,408,322,048 bytes free

 
I'm not sure, never ran it with ZA, but it looks clean...


So what is your system running like now?
 
The system is running smoothly now, no popups, no hangups. I have control of my desktop, but can't for the life of me figure out how to change my tray clock from military time back to 12 hr time? Thanks for all of your help, your guide was a lifesaver!!! As a final question: do you suggest I upgrade to SP2 or 3 for my XP?
 
Looks like I didn't read far enough in the guide to figure out the military time on my own :eek:

Thanks again for everything!!! Now I'm off to do some long overdue upgrades. Pat
 