Popups and slow internet

Post by themasta » May 27th, 2009, 7:57 am

Recently I've started getting annoying popups every now and then. The content seems to be random, but often involves something with the IP 82.98.231.93/? and Google saying the link appears broken. Along with this, a few sites are working very slowly or not loading at all.

I ran a Trend Micro OfficeScan scan and it only found some JOKE_RENOS thing, which it sometimes pops up and says "Successful, no action required". That was already there before the current problem (although I wouldn't mind getting rid of it).

Thanks, here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:05 PM, on 27/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mdnsresponder.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\TEMP\CN3526.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\NETGEAR\WG511\Utility\wg511wlu.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
D:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe
C:\Program Files\iTunes\ituneshelper.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\skype.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypepm.exe
\gw\sys\public\clntrust.exe
\gw\sys\public\wbalance.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://intranet.wesleycollege.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://intranet.wesleycollege.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://intranet.wesleycollege.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wesley College
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wesleycollege.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1fe3a93d-98f5-4b0f-b29f-45dc685e019f} - C:\WINDOWS\system32\kegayezu.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [TalkAndWrite] D:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OdTray.exe] C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
O4 - HKLM\..\Run: [rejamaleva] Rundll32.exe "C:\WINDOWS\system32\bulurevo.dll",s
O4 - HKLM\..\Run: [cce02f69] rundll32.exe "C:\WINDOWS\system32\hokowoya.dll",b
O4 - HKLM\..\Run: [CPMcfd31cf5] Rundll32.exe "c:\windows\system32\sivosari.dll",a
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [rejamaleva] Rundll32.exe "C:\WINDOWS\system32\bulurevo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: PASPortal.lnk = C:\Program Files\DataStudio\PASPortal.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://intranet.wesleycollege.net/
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9850260890
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://juniper.net/dana-cached/setup/J ... tupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/Juni ... Client.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F751CA9B-507D-432C-B582-5AD219BEFD20}: Domain = wesleycollege.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\janeguwo.dll c:\windows\system32\sivosari.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sivosari.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sivosari.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 13642 bytes
themasta
Active Member
 
Posts: 11
Joined: May 27th, 2009, 7:51 am
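The HijackThis log above shows the pattern a helper looks for before asking for ComboFix: hosts-file redirections (O1), a BHO with no name (O2), Run entries that launch a DLL through rundll32 (O4), and an AppInit_DLLs entry (O20), all pointing at eight-letter DLL names in system32 such as kegayezu.dll and sivosari.dll. The script below is an added example, not code from the original post or from the MalwareRemoval.com helpers; it runs those checks over lines copied from the log. The consonant-vowel naming rule is an assumption tuned to the names in this particular log, not a general malware classifier, and the sample lines are reproduced from the log rather than taken from a new scan.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the HijackThis log in this thread (sample input, not a new scan).
SAMPLE_LOG = r"""O1 - Hosts: 82.98.231.89 url.adtrgt.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1fe3a93d-98f5-4b0f-b29f-45dc685e019f} - C:\WINDOWS\system32\kegayezu.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [rejamaleva] Rundll32.exe "C:\WINDOWS\system32\bulurevo.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\janeguwo.dll c:\windows\system32\sivosari.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sivosari.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis line starts with a section tag (R0/R1, F0-F3, O1-O24) and " - ".
SECTION = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# "O1 - Hosts: <ip> <hostname>"
HOSTS_ENTRY = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
# Assumption: the DLLs in this log are all eight letters alternating consonant/vowel
# (kegayezu, bulurevo, sivosari, ...). This matches that generator, nothing more.
CV_NAME = re.compile(r"\b(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll\b", re.IGNORECASE)
RUNDLL32 = re.compile(r"rundll32\.exe", re.IGNORECASE)

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def analyze(log_text: str) -> list:
    """Return one Finding per log line that trips at least one of the checks."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if not m:
            continue  # process list, header, blank lines
        section, payload = m.group(1), m.group(2)
        reasons = []

        # O1: a hosts entry that sends a hostname anywhere but loopback is a redirect.
        h = HOSTS_ENTRY.match(line)
        if h and h.group(1) not in LOOPBACK:
            reasons.append(f"hosts file maps {h.group(2)} to {h.group(1)}")

        # Any section: the pseudo-random DLL naming seen throughout this log.
        if CV_NAME.search(payload):
            reasons.append("pseudo-random consonant-vowel DLL name")

        # O20: AppInit_DLLs is loaded into every process that links user32.dll.
        if section == "O20" and payload.startswith("AppInit_DLLs:") and payload.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated")

        # O4: a Run key that exists only to hand a DLL to rundll32.
        if section == "O4" and RUNDLL32.search(payload):
            reasons.append("autorun entry launches a DLL through rundll32")

        # O2: legitimate BHOs carry a vendor name; "(no name)" is worth a look.
        if section == "O2" and "(no name)" in payload:
            reasons.append("BHO without a name")

        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def suspect_files(log_text: str) -> list:
    """Sorted, de-duplicated list of DLL basenames that match the naming rule."""
    names = {m.group(0).lower() for m in CV_NAME.finditer(log_text)}
    return sorted(names)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:>4}  {'; '.join(f.reasons)}")
        print(f"      {f.line}")
    print("files to review:", ", ".join(suspect_files(SAMPLE_LOG)))
```

Run on the sample, the script flags the O1, the unnamed O2, the rundll32 O4, the O20 and the O21 lines and leaves the Adobe BHO, igfxpers.exe and the Bonjour service alone; the file list it prints (bulurevo, janeguwo, kegayezu, sivosari) is the same set of names ComboFix later reports removing. The naming heuristic is the weak part: a different family would need a different rule, which is why the O20 and O1 checks stand on their own regardless of file names.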

Re: Popups and slow internet

Post by Shaba » May 29th, 2009, 10:35 am

Hi themasta

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popups and slow internet

Post by themasta » May 29th, 2009, 11:56 pm

Hi Shaba,

I have downloaded ComboFix.exe and have disabled Windows Firewall, but I can't see how to disable Trend Micro OfficeScan Antivirus. There is an option when I right-click the icon on the taskbar to "Unload Office Scan" (I believe this is separate to uninstalling it), but when I click this it asks for a password that I don't know of. The Version Information says that it is OfficeScan Client version 8.0 Service Pack 1 if that helps.
themasta
Active Member
 
Posts: 11
Joined: May 27th, 2009, 7:51 am

Re: Popups and slow internet

Post by Shaba » May 30th, 2009, 2:04 am

Please enable Windows Firewall.

If you are unable to disable it, please run ComboFix in Safe Mode.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popups and slow internet

Post by themasta » May 30th, 2009, 11:13 am

Below is the ComboFix log. I ran ComboFix in Safe Mode.

ComboFix 09-05-29.01 - strettond 31/05/2009 0:59.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1014.806 [GMT 10:00]
Running from: d:\documents and settings\strettond\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {2191E165-CDCD-459D-853C-B8E9FB3D261A}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\afogibad.ini
c:\windows\system32\ajoyabiw.ini
c:\windows\system32\ayowokoh.ini
c:\windows\system32\azivigob.ini
c:\windows\system32\bibegipe.dll
c:\windows\system32\bidatemi.dll
c:\windows\system32\biruwuta.dll
c:\windows\system32\bivirulo.dll
c:\windows\system32\bogiviza.dll
c:\windows\system32\bohodebu.dll
c:\windows\system32\buguroru.dll
c:\windows\system32\bulurevo.dll.tmp
c:\windows\system32\dabigofa.dll
c:\windows\system32\dapatudi.dll.tmp
c:\windows\system32\dasakebe.dll
c:\windows\system32\depawehe.dll
c:\windows\system32\dewezuwa.dll.tmp
c:\windows\system32\duvapoji.dll
c:\windows\system32\edatudiv.ini
c:\windows\system32\edebezoh.ini
c:\windows\system32\ehewaped.ini
c:\windows\system32\ehigopev.ini
c:\windows\system32\enohagig.ini
c:\windows\system32\epimevuj.ini
c:\windows\system32\fimesoba.dll
c:\windows\system32\gigahone.dll
c:\windows\system32\giwaporu.dll
c:\windows\system32\gobagaju.dll
c:\windows\system32\hifikino.dll
c:\windows\system32\hokowoya.dll
c:\windows\system32\hozebede.dll
c:\windows\system32\hudebago.dll
c:\windows\system32\ihedamas.ini
c:\windows\system32\imetadib.ini
c:\windows\system32\Install.txt
c:\windows\system32\itehivol.ini
c:\windows\system32\janeguwo.dll.tmp
c:\windows\system32\jawobofe.dll
c:\windows\system32\jiyanoge.dll
c:\windows\system32\jopopaya.dll
c:\windows\system32\juvemipe.dll
c:\windows\system32\juyarono.dll
c:\windows\system32\kegayezu.dll.tmp
c:\windows\system32\kejimile.dll
c:\windows\system32\kupuweyo.dll
c:\windows\system32\lalohuni.dll
c:\windows\system32\lefeveli.dll
c:\windows\system32\lerosusi.dll
c:\windows\system32\lihasiko.dll
c:\windows\system32\loviheti.dll
c:\windows\system32\majubilu.exe
c:\windows\system32\mdm.exe
c:\windows\system32\megumipa.dll
c:\windows\system32\mohohimu.dll
c:\windows\system32\nahiyuku.dll.tmp
c:\windows\system32\nehirudu.dll
c:\windows\system32\nopepizo.dll
c:\windows\system32\nurusofi.dll
c:\windows\system32\olurivib.ini
c:\windows\system32\onanutas.ini
c:\windows\system32\onorayuj.ini
c:\windows\system32\pokazejo.dll
c:\windows\system32\ratanofi.dll
c:\windows\system32\ruseduja.dll
c:\windows\system32\samadehi.dll
c:\windows\system32\satunano.dll
c:\windows\system32\setorera.dll
c:\windows\system32\sijanidu.dll
c:\windows\system32\sivosari.dll
c:\windows\system32\taviretu.dll
c:\windows\system32\tmp.reg
c:\windows\system32\tomahuya.dll
c:\windows\system32\ubedohob.ini
c:\windows\system32\uheyipod.ini
c:\windows\system32\ukoritay.ini
c:\windows\system32\umihohom.ini
c:\windows\system32\uritejoz.ini
c:\windows\system32\uropawig.ini
c:\windows\system32\uterivat.ini
c:\windows\system32\uzesomuz.ini
c:\windows\system32\vepogihe.dll
c:\windows\system32\viborite.dll
c:\windows\system32\vidutade.dll
c:\windows\system32\wibayoja.dll
c:\windows\system32\yatiroku.dll
c:\windows\system32\yozamodi.dll
c:\windows\system32\yunizawa.dll
c:\windows\system32\zidekebe.dll
c:\windows\system32\zideribu.dll
c:\windows\system32\zojetiru.dll
c:\windows\system32\zumosezu.dll
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://62.4.83.201
hxxp://windowsupdate.wesleycollege.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_NOBICYT
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-27 09:27 . 2009-05-27 09:27 5490 --sh--w c:\windows\system32\gayorayu.dll
2009-05-23 13:01 . 2009-05-23 13:01 -------- d-----w c:\program files\CCleaner
2009-05-18 09:07 . 2004-02-04 00:27 49536 ----a-w c:\windows\system32\drivers\tiehdusb.sys
2009-05-18 09:07 . 2004-01-28 05:03 21456 ----a-w c:\windows\system32\drivers\SilvrLnk.sys
2009-05-18 09:05 . 2009-05-18 09:05 -------- d-----w c:\program files\Common Files\TI Shared
2009-05-18 09:05 . 2009-05-18 09:07 -------- d-----w c:\program files\TI Education
2009-05-16 06:26 . 2009-05-16 06:26 5421 --sh--w c:\windows\system32\togigazo.dll
2009-05-14 23:34 . 2009-05-14 23:34 -------- d-----w c:\program files\NJStar Chinese WP
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\windows\system32\Fonts
2009-05-12 05:35 . 2002-07-16 22:29 15488 ------w c:\windows\system32\drivers\PSSensor.sys
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\program files\DataStudio
2009-05-08 11:31 . 2003-03-18 21:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 11:31 . 2009-05-08 11:31 -------- d-----w c:\program files\Alwil Software
2009-05-06 10:39 . 2009-05-11 00:05 -------- d-----w d:\documents and settings\strettond\Application Data\ptidle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 14:51 . 2008-02-28 03:27 -------- d-----w d:\documents and settings\strettond\Application Data\skypePM
2009-05-30 14:33 . 2008-04-15 12:28 -------- d-----w d:\documents and settings\strettond\Application Data\Skype
2009-05-19 09:32 . 2007-10-18 03:13 104592 ----a-w d:\documents and settings\strettond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 04:18 . 2008-03-19 02:56 1510 ----a-w c:\windows\Sketchpad Preferences.dat
2009-05-18 09:04 . 2007-12-25 10:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-16 11:04 . 2007-10-17 23:58 -------- d-----w c:\program files\Trend Micro
2009-05-14 23:34 . 2007-10-18 10:23 -------- d-----w d:\documents and settings\strettond\Application Data\NJStar
2009-05-06 10:44 . 2009-02-06 10:43 87040 --sha-w c:\windows\system32\wuboleda.dll.vir
2009-04-21 05:33 . 2007-10-18 00:12 222504 ----a-w c:\windows\system32\odyGina.dll
2009-04-21 05:33 . 2007-10-18 00:11 611624 ----a-w c:\windows\system32\odGinaLibrary.dll
2009-04-21 05:33 . 2007-10-18 00:11 210216 ----a-w c:\windows\system32\odyEvent.dll
2009-04-21 05:32 . 2009-04-21 05:32 -------- d-----w c:\program files\Common Files\Funk Software
2009-04-21 05:32 . 2007-10-18 00:11 -------- d-----w c:\program files\Juniper Networks
2009-04-07 01:24 . 2006-10-02 23:04 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 01:10 . 2009-04-07 01:10 -------- d-----w c:\program files\Microsoft Games
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w d:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w c:\program files\iTunes
2009-04-06 05:37 . 2009-04-06 05:37 -------- d-----w c:\program files\iPod
2009-04-06 05:37 . 2007-10-18 13:40 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 05:34 . 2009-04-06 05:34 -------- d-----w c:\program files\QuickTime
2009-04-05 03:45 . 2007-08-31 15:16 76688 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-06 14:44 . 2004-08-03 13:56 283648 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"Skype"="c:\program files\Skype\Phone\skype.exe" [2007-12-12 21686568]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 81920]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 61440]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2005-06-07 69632]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-18 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-06 761946]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-05 718120]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-06-28 458752]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-05 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-05 45056]
"TalkAndWrite"="d:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2008-03-02 3042816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2009-01-19 959784]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-17 88365]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2005-1-24 35840]
PASPortal.lnk - c:\program files\DataStudio\PASPortal.exe [2009-5-12 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2005-01-25 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-10 03:36 24576 ----a-w c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2009-04-21 05:33 210216 ----a-w c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/07/2005 2:06 PM 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [23/09/2005 7:48 AM 28544]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [20/01/2009 8:18 AM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [20/01/2009 8:18 AM 282496]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [21/02/2008 12:14 PM 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/11/2008 2:10 PM 87416]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [22/11/2004 1:07 PM 163840]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [13/06/2007 5:00 AM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [13/06/2007 5:00 AM 36368]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [10/01/2005 1:36 PM 61440]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [18/10/2007 9:19 PM 16194]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [20/01/2009 8:48 AM 116008]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [3/10/2006 8:57 AM 4864]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [15/11/2006 2:49 AM 390144]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [11/01/2009 1:26 PM 29312]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [28/04/2007 6:35 AM 652552]
S2 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [12/05/2009 3:35 PM 15488]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [11/01/2009 1:26 PM 11008]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [18/10/2007 9:19 PM 390016]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INO_FLTR
*NewlyCreated* - MACROMEDIA_LICENSING_SERVICE
*Deregistered* - INO_FLTR

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 02:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1fe3a93d-98f5-4b0f-b29f-45dc685e019f} - c:\windows\system32\zideribu.dll
HKLM-Run-rejamaleva - c:\windows\system32\lihasiko.dll
HKLM-Run-cce02f69 - c:\windows\system32\dopiyehu.dll
HKLM-Run-CPMcfd31cf5 - c:\windows\system32\fimesoba.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = https://intranet.wesleycollege.net/
uInternet Settings,ProxyOverride = *.local
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/Juni ... Client.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://intranet.wesleycollege.net/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll
FF - plugin: d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 01:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
c:\windows\system32\odyGina.dll
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\odyEvent.dll
c:\program files\Common Files\Funk Software\dcfDOM.dll
c:\program files\Common Files\Funk Software\dcfLibrary.DLL
c:\program files\Juniper Networks\Odyssey Access Client\odClientControl.dll

- - - - - - - > 'Explorer.exe'(3416)
c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\o2flash.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\windows\temp\SN3FC8.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Fingerprint Sensor\ATSwpNav.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-05-30 1:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-30 15:08

Pre-Run: 22,703,263,744 bytes free
Post-Run: 21,512,310,784 bytes free

351 --- E O F --- 2009-04-23 14:41

Here is the new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:01 AM, on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mdnsresponder.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\TEMP\SN3FC8.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\NETGEAR\WG511\Utility\wg511wlu.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\iTunes\ituneshelper.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\skype.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://intranet.wesleycollege.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wesleycollege.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [TalkAndWrite] D:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OdTray.exe] C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: PASPortal.lnk = C:\Program Files\DataStudio\PASPortal.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://intranet.wesleycollege.net/
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9850260890
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://juniper.net/dana-cached/setup/J ... tupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/Juni ... Client.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F751CA9B-507D-432C-B582-5AD219BEFD20}: Domain = wesleycollege.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 12340 bytes
themasta
Active Member
Posts: 11
Joined: May 27th, 2009, 7:51 am

Re: Popups and slow internet

Unread postby Shaba » May 30th, 2009, 11:31 am

Please see my link and install recovery console manually. After that, rerun combofix and post back a fresh combofix log.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popups and slow internet

Unread postby themasta » May 31st, 2009, 2:55 am

I downloaded the Windows Recovery Console, but when I tried to run ComboFix in Safe Mode again it warned me that my antivirus program was running, as it does in normal Windows. When I ran ComboFix in Safe Mode yesterday, ComboFix ran normally.
themasta
Active Member

Re: Popups and slow internet

Unread postby Shaba » May 31st, 2009, 7:18 am

Did recovery console install properly?
Shaba
Admin/Teacher Emeritus

Re: Popups and slow internet

Unread postby themasta » May 31st, 2009, 7:31 am

The place I downloaded it from said to just drag the Windows Recovery icon (WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe) onto the ComboFix icon and this would install it and run ComboFix. When I did that, ComboFix started as normal but then the warning message came up.
themasta
Active Member

Re: Popups and slow internet

Unread postby Shaba » May 31st, 2009, 7:34 am

OK, then please rerun combofix in safe mode and post back a fresh combofix log.
Shaba
Admin/Teacher Emeritus

Re: Popups and slow internet

Unread postby themasta » May 31st, 2009, 8:20 am

Here is the ComboFix log. Windows Recovery installed successfully. Tell me if you require a new HijackThis log.

ComboFix 09-05-29.01 - strettond 31/05/2009 22:05.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1014.804 [GMT 10:00]
Running from: d:\documents and settings\strettond\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\strettond\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {2191E165-CDCD-459D-853C-B8E9FB3D261A}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-27 09:27 . 2009-05-27 09:27 5490 --sh--w c:\windows\system32\gayorayu.dll
2009-05-23 13:01 . 2009-05-23 13:01 -------- d-----w c:\program files\CCleaner
2009-05-18 09:07 . 2004-02-04 00:27 49536 ----a-w c:\windows\system32\drivers\tiehdusb.sys
2009-05-18 09:07 . 2004-01-28 05:03 21456 ----a-w c:\windows\system32\drivers\SilvrLnk.sys
2009-05-18 09:05 . 2009-05-18 09:05 -------- d-----w c:\program files\Common Files\TI Shared
2009-05-18 09:05 . 2009-05-18 09:07 -------- d-----w c:\program files\TI Education
2009-05-16 06:26 . 2009-05-16 06:26 5421 --sh--w c:\windows\system32\togigazo.dll
2009-05-14 23:34 . 2009-05-14 23:34 -------- d-----w c:\program files\NJStar Chinese WP
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\windows\system32\Fonts
2009-05-12 05:35 . 2002-07-16 22:29 15488 ------w c:\windows\system32\drivers\PSSensor.sys
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\program files\DataStudio
2009-05-08 11:31 . 2003-03-18 21:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 11:31 . 2009-05-08 11:31 -------- d-----w c:\program files\Alwil Software
2009-05-06 10:39 . 2009-05-11 00:05 -------- d-----w d:\documents and settings\strettond\Application Data\ptidle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 11:54 . 2008-04-15 12:28 -------- d-----w d:\documents and settings\strettond\Application Data\Skype
2009-05-31 03:25 . 2008-02-28 03:27 -------- d-----w d:\documents and settings\strettond\Application Data\skypePM
2009-05-19 09:32 . 2007-10-18 03:13 104592 ----a-w d:\documents and settings\strettond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 04:18 . 2008-03-19 02:56 1510 ----a-w c:\windows\Sketchpad Preferences.dat
2009-05-18 09:04 . 2007-12-25 10:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-16 11:04 . 2007-10-17 23:58 -------- d-----w c:\program files\Trend Micro
2009-05-14 23:34 . 2007-10-18 10:23 -------- d-----w d:\documents and settings\strettond\Application Data\NJStar
2009-05-06 10:44 . 2009-02-06 10:43 87040 --sha-w c:\windows\system32\wuboleda.dll.vir
2009-04-21 05:33 . 2007-10-18 00:12 222504 ----a-w c:\windows\system32\odyGina.dll
2009-04-21 05:33 . 2007-10-18 00:11 611624 ----a-w c:\windows\system32\odGinaLibrary.dll
2009-04-21 05:33 . 2007-10-18 00:11 210216 ----a-w c:\windows\system32\odyEvent.dll
2009-04-21 05:32 . 2009-04-21 05:32 -------- d-----w c:\program files\Common Files\Funk Software
2009-04-21 05:32 . 2007-10-18 00:11 -------- d-----w c:\program files\Juniper Networks
2009-04-07 01:24 . 2006-10-02 23:04 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 01:10 . 2009-04-07 01:10 -------- d-----w c:\program files\Microsoft Games
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w d:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w c:\program files\iTunes
2009-04-06 05:37 . 2009-04-06 05:37 -------- d-----w c:\program files\iPod
2009-04-06 05:37 . 2007-10-18 13:40 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 05:34 . 2009-04-06 05:34 -------- d-----w c:\program files\QuickTime
2009-04-05 03:45 . 2007-08-31 15:16 76688 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-06 14:44 . 2004-08-03 13:56 283648 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-30_15.04.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 03:52 . 2007-06-15 07:07 14244 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
- 2009-05-30 15:02 . 2007-06-15 07:07 14244 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
+ 2009-05-31 03:52 . 2007-06-15 07:07 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
- 2009-05-30 15:02 . 2007-06-15 07:07 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"Skype"="c:\program files\Skype\Phone\skype.exe" [2007-12-12 21686568]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 81920]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 61440]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2005-06-07 69632]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-18 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-06 761946]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-05 718120]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-06-28 458752]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-05 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-05 45056]
"TalkAndWrite"="d:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2008-03-02 3042816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2009-01-19 959784]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-17 88365]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2005-1-24 35840]
PASPortal.lnk - c:\program files\DataStudio\PASPortal.exe [2009-5-12 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2005-01-25 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-10 03:36 24576 ----a-w c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2009-04-21 05:33 210216 ----a-w c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/07/2005 2:06 PM 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [23/09/2005 7:48 AM 28544]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [20/01/2009 8:18 AM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [20/01/2009 8:18 AM 282496]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [3/10/2006 8:57 AM 4864]
S1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [21/02/2008 12:14 PM 34671]
S2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/11/2008 2:10 PM 87416]
S2 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [12/05/2009 3:35 PM 15488]
S2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [22/11/2004 1:07 PM 163840]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [13/06/2007 5:00 AM 225296]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [13/06/2007 5:00 AM 36368]
S2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [10/01/2005 1:36 PM 61440]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [18/10/2007 9:19 PM 16194]
S3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [20/01/2009 8:48 AM 116008]
S3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [15/11/2006 2:49 AM 390144]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [11/01/2009 1:26 PM 11008]
S3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [11/01/2009 1:26 PM 29312]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [18/10/2007 9:19 PM 390016]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [28/04/2007 6:35 AM 652552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INO_FLTR
*NewlyCreated* - MACROMEDIA_LICENSING_SERVICE
*Deregistered* - INO_FLTR

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://intranet.wesleycollege.net/
uInternet Settings,ProxyOverride = *.local
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/Juni ... Client.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://intranet.wesleycollege.net/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll
FF - plugin: d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 22:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(256)
c:\windows\system32\odyEvent.dll
.
Completion time: 2009-05-31 22:08
ComboFix-quarantined-files.txt 2009-05-31 12:08
ComboFix2.txt 2009-05-30 15:08

Pre-Run: 22,571,343,872 bytes free
Post-Run: 22,556,327,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

220 --- E O F --- 2009-04-23 14:41
themasta
Active Member
 
Posts: 11
Joined: May 27th, 2009, 7:51 am

Re: Popups and slow internet

Post by Shaba » May 31st, 2009, 8:53 am

Please do this in safe mode.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\system32\gayorayu.dll
    c:\windows\system32\togigazo.dll
    c:\windows\system32\wuboleda.dll.vir

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popups and slow internet

Post by themasta » May 31st, 2009, 9:51 am

ComboFix 09-05-29.01 - strettond 31/05/2009 23:45.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1014.806 [GMT 10:00]
Running from: d:\documents and settings\strettond\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\strettond\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {2191E165-CDCD-459D-853C-B8E9FB3D261A}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-27 09:27 . 2009-05-27 09:27 5490 --sh--w c:\windows\system32\gayorayu.dll
2009-05-23 13:01 . 2009-05-23 13:01 -------- d-----w c:\program files\CCleaner
2009-05-18 09:07 . 2004-02-04 00:27 49536 ----a-w c:\windows\system32\drivers\tiehdusb.sys
2009-05-18 09:07 . 2004-01-28 05:03 21456 ----a-w c:\windows\system32\drivers\SilvrLnk.sys
2009-05-18 09:05 . 2009-05-18 09:05 -------- d-----w c:\program files\Common Files\TI Shared
2009-05-18 09:05 . 2009-05-18 09:07 -------- d-----w c:\program files\TI Education
2009-05-16 06:26 . 2009-05-16 06:26 5421 --sh--w c:\windows\system32\togigazo.dll
2009-05-14 23:34 . 2009-05-14 23:34 -------- d-----w c:\program files\NJStar Chinese WP
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\windows\system32\Fonts
2009-05-12 05:35 . 2002-07-16 22:29 15488 ------w c:\windows\system32\drivers\PSSensor.sys
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\program files\DataStudio
2009-05-08 11:31 . 2003-03-18 21:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 11:31 . 2009-05-08 11:31 -------- d-----w c:\program files\Alwil Software
2009-05-06 10:39 . 2009-05-11 00:05 -------- d-----w d:\documents and settings\strettond\Application Data\ptidle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 13:37 . 2008-04-15 12:28 -------- d-----w d:\documents and settings\strettond\Application Data\Skype
2009-05-31 12:13 . 2008-02-28 03:27 -------- d-----w d:\documents and settings\strettond\Application Data\skypePM
2009-05-19 09:32 . 2007-10-18 03:13 104592 ----a-w d:\documents and settings\strettond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 04:18 . 2008-03-19 02:56 1510 ----a-w c:\windows\Sketchpad Preferences.dat
2009-05-18 09:04 . 2007-12-25 10:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-16 11:04 . 2007-10-17 23:58 -------- d-----w c:\program files\Trend Micro
2009-05-14 23:34 . 2007-10-18 10:23 -------- d-----w d:\documents and settings\strettond\Application Data\NJStar
2009-05-06 10:44 . 2009-02-06 10:43 87040 --sha-w c:\windows\system32\wuboleda.dll.vir
2009-04-21 05:33 . 2007-10-18 00:12 222504 ----a-w c:\windows\system32\odyGina.dll
2009-04-21 05:33 . 2007-10-18 00:11 611624 ----a-w c:\windows\system32\odGinaLibrary.dll
2009-04-21 05:33 . 2007-10-18 00:11 210216 ----a-w c:\windows\system32\odyEvent.dll
2009-04-21 05:32 . 2009-04-21 05:32 -------- d-----w c:\program files\Common Files\Funk Software
2009-04-21 05:32 . 2007-10-18 00:11 -------- d-----w c:\program files\Juniper Networks
2009-04-07 01:24 . 2006-10-02 23:04 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 01:10 . 2009-04-07 01:10 -------- d-----w c:\program files\Microsoft Games
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w d:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w c:\program files\iTunes
2009-04-06 05:37 . 2009-04-06 05:37 -------- d-----w c:\program files\iPod
2009-04-06 05:37 . 2007-10-18 13:40 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 05:34 . 2009-04-06 05:34 -------- d-----w c:\program files\QuickTime
2009-04-05 03:45 . 2007-08-31 15:16 76688 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-06 14:44 . 2004-08-03 13:56 283648 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-30_15.04.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 12:10 . 2007-06-15 07:07 14244 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
- 2009-05-30 15:02 . 2007-06-15 07:07 14244 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
+ 2009-05-31 12:10 . 2007-06-15 07:07 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
- 2009-05-30 15:02 . 2007-06-15 07:07 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"Skype"="c:\program files\Skype\Phone\skype.exe" [2007-12-12 21686568]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 81920]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 61440]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2005-06-07 69632]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-18 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-06 761946]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-05 718120]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-06-28 458752]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-05 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-05 45056]
"TalkAndWrite"="d:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2008-03-02 3042816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2009-01-19 959784]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-17 88365]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2005-1-24 35840]
PASPortal.lnk - c:\program files\DataStudio\PASPortal.exe [2009-5-12 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2005-01-25 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-10 03:36 24576 ----a-w c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2009-04-21 05:33 210216 ----a-w c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/07/2005 2:06 PM 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [23/09/2005 7:48 AM 28544]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [20/01/2009 8:18 AM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [20/01/2009 8:18 AM 282496]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [3/10/2006 8:57 AM 4864]
S1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [21/02/2008 12:14 PM 34671]
S2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/11/2008 2:10 PM 87416]
S2 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [12/05/2009 3:35 PM 15488]
S2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [22/11/2004 1:07 PM 163840]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [13/06/2007 5:00 AM 225296]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [13/06/2007 5:00 AM 36368]
S2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [10/01/2005 1:36 PM 61440]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [18/10/2007 9:19 PM 16194]
S3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [20/01/2009 8:48 AM 116008]
S3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [15/11/2006 2:49 AM 390144]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [11/01/2009 1:26 PM 11008]
S3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [11/01/2009 1:26 PM 29312]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [18/10/2007 9:19 PM 390016]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [28/04/2007 6:35 AM 652552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INO_FLTR
*NewlyCreated* - MACROMEDIA_LICENSING_SERVICE
*Deregistered* - INO_FLTR

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://intranet.wesleycollege.net/
uInternet Settings,ProxyOverride = *.local
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/Juni ... Client.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://intranet.wesleycollege.net/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll
FF - plugin: d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 23:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(256)
c:\windows\system32\odyEvent.dll

- - - - - - - > 'explorer.exe'(1796)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-05-31 23:49
ComboFix-quarantined-files.txt 2009-05-31 13:48
ComboFix2.txt 2009-05-31 12:08
ComboFix3.txt 2009-05-30 15:08

Pre-Run: 22,567,374,848 bytes free
Post-Run: 22,552,248,320 bytes free

219 --- E O F --- 2009-04-23 14:41
themasta
Active Member
 
Posts: 11
Joined: May 27th, 2009, 7:51 am

Re: Popups and slow internet

Post by Shaba » May 31st, 2009, 10:21 am

Did you copy everything to CFScript, including File:: ?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Popups and slow internet

Post by themasta » June 1st, 2009, 10:11 am

I must not have. I ran it again with the File:: in CFScript.txt. ComboFix wanted to submit stuff for further analysis but I couldn't connect to the internet in Safe Mode so it saved a submission form on my computer. Below is the new log.

ComboFix 09-05-29.01 - strettond 02/06/2009 0:04.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1014.808 [GMT 10:00]
Running from: d:\documents and settings\strettond\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\strettond\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {2191E165-CDCD-459D-853C-B8E9FB3D261A}

FILE ::
"c:\windows\system32\gayorayu.dll"
"c:\windows\system32\togigazo.dll"
"c:\windows\system32\wuboleda.dll.vir"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gayorayu.dll
c:\windows\system32\togigazo.dll
c:\windows\system32\wuboleda.dll.vir

.
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-05-23 13:01 . 2009-05-23 13:01 -------- d-----w c:\program files\CCleaner
2009-05-18 09:07 . 2004-02-04 00:27 49536 ----a-w c:\windows\system32\drivers\tiehdusb.sys
2009-05-18 09:07 . 2004-01-28 05:03 21456 ----a-w c:\windows\system32\drivers\SilvrLnk.sys
2009-05-18 09:05 . 2009-05-18 09:05 -------- d-----w c:\program files\Common Files\TI Shared
2009-05-18 09:05 . 2009-05-18 09:07 -------- d-----w c:\program files\TI Education
2009-05-14 23:34 . 2009-05-14 23:34 -------- d-----w c:\program files\NJStar Chinese WP
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\windows\system32\Fonts
2009-05-12 05:35 . 2002-07-16 22:29 15488 ------w c:\windows\system32\drivers\PSSensor.sys
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\program files\DataStudio
2009-05-08 11:31 . 2003-03-18 21:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 11:31 . 2009-05-08 11:31 -------- d-----w c:\program files\Alwil Software
2009-05-06 10:39 . 2009-05-11 00:05 -------- d-----w d:\documents and settings\strettond\Application Data\ptidle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 13:33 . 2008-04-15 12:28 -------- d-----w d:\documents and settings\strettond\Application Data\Skype
2009-06-01 09:02 . 2008-02-28 03:27 -------- d-----w d:\documents and settings\strettond\Application Data\skypePM
2009-05-19 09:32 . 2007-10-18 03:13 104592 ----a-w d:\documents and settings\strettond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 04:18 . 2008-03-19 02:56 1510 ----a-w c:\windows\Sketchpad Preferences.dat
2009-05-18 09:04 . 2007-12-25 10:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-16 11:04 . 2007-10-17 23:58 -------- d-----w c:\program files\Trend Micro
2009-05-14 23:34 . 2007-10-18 10:23 -------- d-----w d:\documents and settings\strettond\Application Data\NJStar
2009-04-21 05:33 . 2007-10-18 00:12 222504 ----a-w c:\windows\system32\odyGina.dll
2009-04-21 05:33 . 2007-10-18 00:11 611624 ----a-w c:\windows\system32\odGinaLibrary.dll
2009-04-21 05:33 . 2007-10-18 00:11 210216 ----a-w c:\windows\system32\odyEvent.dll
2009-04-21 05:32 . 2009-04-21 05:32 -------- d-----w c:\program files\Common Files\Funk Software
2009-04-21 05:32 . 2007-10-18 00:11 -------- d-----w c:\program files\Juniper Networks
2009-04-07 01:24 . 2006-10-02 23:04 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 01:10 . 2009-04-07 01:10 -------- d-----w c:\program files\Microsoft Games
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w d:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w c:\program files\iTunes
2009-04-06 05:37 . 2009-04-06 05:37 -------- d-----w c:\program files\iPod
2009-04-06 05:37 . 2007-10-18 13:40 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 05:34 . 2009-04-06 05:34 -------- d-----w c:\program files\QuickTime
2009-04-05 03:45 . 2007-08-31 15:16 76688 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-06 14:44 . 2004-08-03 13:56 283648 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-30_15.04.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-01 09:00 . 2007-06-15 07:07 14244 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
- 2009-05-30 15:02 . 2007-06-15 07:07 14244 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
+ 2009-06-01 09:00 . 2007-06-15 07:07 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
- 2009-05-30 15:02 . 2007-06-15 07:07 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"Skype"="c:\program files\Skype\Phone\skype.exe" [2007-12-12 21686568]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 81920]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 61440]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2005-06-07 69632]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-18 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-06 761946]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-05 718120]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-06-28 458752]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-05 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-05 45056]
"TalkAndWrite"="d:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2008-03-02 3042816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2009-01-19 959784]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-17 88365]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2005-1-24 35840]
PASPortal.lnk - c:\program files\DataStudio\PASPortal.exe [2009-5-12 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2005-01-25 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-10 03:36 24576 ----a-w c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2009-04-21 05:33 210216 ----a-w c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/07/2005 2:06 PM 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [23/09/2005 7:48 AM 28544]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [20/01/2009 8:18 AM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [20/01/2009 8:18 AM 282496]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [3/10/2006 8:57 AM 4864]
S1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [21/02/2008 12:14 PM 34671]
S2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/11/2008 2:10 PM 87416]
S2 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [12/05/2009 3:35 PM 15488]
S2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [22/11/2004 1:07 PM 163840]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [13/06/2007 5:00 AM 225296]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [13/06/2007 5:00 AM 36368]
S2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [10/01/2005 1:36 PM 61440]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [18/10/2007 9:19 PM 16194]
S3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [20/01/2009 8:48 AM 116008]
S3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [15/11/2006 2:49 AM 390144]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [11/01/2009 1:26 PM 11008]
S3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [11/01/2009 1:26 PM 29312]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [18/10/2007 9:19 PM 390016]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [28/04/2007 6:35 AM 652552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INO_FLTR
*NewlyCreated* - MACROMEDIA_LICENSING_SERVICE
*Deregistered* - INO_FLTR

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://intranet.wesleycollege.net/
uInternet Settings,ProxyOverride = *.local
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/Juni ... Client.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://intranet.wesleycollege.net/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll
FF - plugin: d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 00:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(256)
c:\windows\system32\odyEvent.dll
.
Completion time: 2009-06-01 0:07
ComboFix-quarantined-files.txt 2009-06-01 14:07
ComboFix2.txt 2009-05-31 13:49
ComboFix3.txt 2009-05-31 12:08
ComboFix4.txt 2009-05-30 15:08

Pre-Run: 22,563,123,200 bytes free
Post-Run: 22,547,464,192 bytes free

222 --- E O F --- 2009-04-23 14:41
themasta
Active Member
 
Posts: 11
Joined: May 27th, 2009, 7:51 am