Below is my ComboFix log. I noticed a couple of odd things along the way. The first was that when I ran it, it said it had detected a rootkit and needed to reboot the computer. No problem, I allowed it to do this and ComboFix ran at startup. There was one problem, though, since it said VirusScan was running. I couldn't do anything about it since nothing else had booted up and all I had on my screen was the ComboFix window. So, I killed ComboFix, let everything else start up, disabled VirusScan and SpyBot S&D and ran ComboFix again. It still told me VirusScan was running even though I had disabled it, so I let it run anyway. Below are the results:
ComboFix 09-01-11.03 - epb3 2009-01-12 8:34:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1579 [GMT -5:00]
Running from: c:\documents and settings\epb3\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\struct~.ini
c:\windows\system32\0527F69C39.dll
c:\windows\system32\Cache
c:\windows\system32\cfx32.ocx
c:\windows\system32\D7856F98E5.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekapqjnkdad.sys
c:\windows\system32\F3D8B8A343.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaebwiyrwl.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekauhhbowba.dll
----- BITS: Possible infected sites -----
hxxp://childhe.com.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-07 13:11 . 2009-01-07 13:11 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-06 09:55 . 2009-01-06 11:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 09:55 . 2009-01-06 11:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 08:54 . 2009-01-06 08:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 08:51 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-01-06 08:51 . 2008-01-24 20:50 171,400 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-06 08:51 . 2008-01-24 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2009-01-06 08:51 . 2008-01-24 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-06 08:51 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\McAfee
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-05 14:41 . 2009-01-05 14:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:53 . 2006-10-04 09:06 1,197,294 --------- c:\windows\system32\dllcache\sysmain.sdb
2009-01-05 12:53 . 2006-10-04 09:06 764,868 --------- c:\windows\system32\dllcache\apph_sp.sdb
2009-01-05 12:53 . 2006-10-04 09:06 217,118 --------- c:\windows\system32\dllcache\apphelp.sdb
2009-01-05 12:52 . 2009-01-05 12:52 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\epb3\Application Data\Malwarebytes
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 11:49 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 11:49 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 11:39 . 2009-01-05 11:38 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-05 11:37 . 2009-01-05 11:39 <DIR> d-------- c:\documents and settings\epb3\.housecall6.6
2009-01-05 11:28 . 2009-01-05 11:28 <DIR> d-------- c:\documents and settings\epb3\Application Data\HouseCall 6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-01-06 13:55 --------- d-----w c:\program files\Network Associates
2009-01-06 13:50 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-05 19:02 --------- d-----w c:\program files\Lavasoft
2009-01-05 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 19:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 20:55 --------- d-----w c:\program files\Sonic
2008-12-05 20:55 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-05 20:44 --------- d-----w c:\program files\Common Files\Intuit
2008-12-05 20:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 20:40 --------- d-----w c:\program files\Nortel Networks
2008-12-05 20:36 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-05 20:30 --------- d-----w c:\program files\Juniper Networks
2008-12-05 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-05 20:26 --------- d-----w c:\program files\Ethereal
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 9.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.5
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.12
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.0
2008-12-05 14:53 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-12-05 14:52 --------- d-----w c:\documents and settings\epb3\Application Data\TuneUp Software
2008-12-05 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-24 14:28 --------- d-----w c:\program files\ClearSight
2008-11-20 20:19 --------- d-----w c:\program files\GnuWin32
2008-11-17 13:23 --------- d-----w c:\documents and settings\epb3\Application Data\SSH
2008-11-14 20:14 --------- d-----w c:\documents and settings\epb3\Application Data\Elluminate
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-05-16 19:34 23,510,720 ----a-w c:\documents and settings\epb3\Application Data\dotnetfx.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.CODAU"= codian_video_decoder.dll
"VIDC.CODV"= codian_video_decoder.dll
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"msacm.PLCMg729A"= PLCMg729A.acm
"msacm.PLCMsiren"= PLCMsiren.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-1107\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21444\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21667\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 c:\program files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-20 12:06 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-11 07:01 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-12-05 18:38 707360 c:\windows\vVX3000.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Google Update"="c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\iperf.exe"=
"c:\\Program Files\\Solarwinds\\Free Tools\\TFTP-Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Polycom\\PVX\\vvsys.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [2008-02-19 2432]
R3 SolarWinds Discovery Service;SolarWinds Discovery Service;c:\program files\Solarwinds\ipMonitor\SWDiscoveryEngine12.exe [2007-10-02 122880]
R4 ipMonitorRpt;ipMonitorRpt;c:\program files\Solarwinds\ipMonitor\ipmrptsrv9.exe [2007-10-19 475136]
R4 ipMonitorSrv;ipMonitorSrv;c:\program files\Solarwinds\ipMonitor\ipmservice9.exe [2008-01-04 990720]
R4 Sniffer;SNIFFER Protocol Driver;c:\windows\system32\drivers\sniffer.sys [2005-10-27 607216]
R4 zyross_dc;ZyrOSS Data Collector for Polycom Products;c:\program files\zyross\zyross_ec_an\bin\wrapper.exe [2007-03-09 204800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]
S3 PGNPF;PG Netgroup Packet Filter;c:\windows\system32\PGdrivers\npf.sys --> c:\windows\system32\PGdrivers\npf.sys [?]
S4 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\documents and settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe [2008-02-19 135680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2008-12-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]
2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:30]
2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-12 20:48]
2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2006-12-05 18:38]
2009-01-12 c:\windows\Tasks\smvqsfzk.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
2009-01-12 c:\windows\Tasks\User_Feed_Synchronization-{E39D2DB4-ADFF-4A46-A393-BF76567CDA61}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL =
hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext =
hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) =
hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
c:\windows\Downloaded Program Files\EMA.ClassLoader.dll - O16 -: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040}
hxxp://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
FF - ProfilePath - c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\
FF - prefs.js: browser.startup.homepage -
hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkapanga.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-12 08:36:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 8:38:06
ComboFix-quarantined-files.txt 2009-01-12 13:38:04
Pre-Run: 76,927,639,552 bytes free
Post-Run: 76,988,973,056 bytes free
253 --- E O F --- 2008-12-22 21:30:50
Immediately after running this, SpyBot S&D popped up telling me that some changes had been made to my registry and asked me if I should allow the changes. I assumed I had forgotten to disable Spybot and that all these changes were from ComboFix, so I allowed them. I disabled Spybot again and decided to run ComboFix again with it disabled. It still thought VirusScan was running, but I ran it once again. The new log didn't say it had deleted anything else, but here it is anyway:
ComboFix 09-01-11.03 - epb3 2009-01-12 8:42:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1500 [GMT -5:00]
Running from: c:\documents and settings\epb3\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-07 13:11 . 2009-01-07 13:11 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-06 09:55 . 2009-01-06 11:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 09:55 . 2009-01-06 11:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 08:54 . 2009-01-06 08:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 08:51 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-01-06 08:51 . 2008-01-24 20:50 171,400 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-06 08:51 . 2008-01-24 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2009-01-06 08:51 . 2008-01-24 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2009-01-06 08:51 . 2008-01-24 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-06 08:51 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\McAfee
2009-01-06 08:48 . 2009-01-06 08:48 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-05 14:41 . 2009-01-05 14:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:53 . 2006-10-04 09:06 1,197,294 --------- c:\windows\system32\dllcache\sysmain.sdb
2009-01-05 12:53 . 2006-10-04 09:06 764,868 --------- c:\windows\system32\dllcache\apph_sp.sdb
2009-01-05 12:53 . 2006-10-04 09:06 217,118 --------- c:\windows\system32\dllcache\apphelp.sdb
2009-01-05 12:52 . 2009-01-05 12:52 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\epb3\Application Data\Malwarebytes
2009-01-05 11:49 . 2009-01-05 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 11:49 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 11:49 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 11:39 . 2009-01-05 11:38 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-05 11:37 . 2009-01-05 11:39 <DIR> d-------- c:\documents and settings\epb3\.housecall6.6
2009-01-05 11:28 . 2009-01-05 11:28 <DIR> d-------- c:\documents and settings\epb3\Application Data\HouseCall 6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-06 16:02 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-01-06 13:55 --------- d-----w c:\program files\Network Associates
2009-01-06 13:50 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-05 19:02 --------- d-----w c:\program files\Lavasoft
2009-01-05 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 19:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 20:55 --------- d-----w c:\program files\Sonic
2008-12-05 20:55 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-05 20:44 --------- d-----w c:\program files\Common Files\Intuit
2008-12-05 20:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 20:40 --------- d-----w c:\program files\Nortel Networks
2008-12-05 20:36 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-05 20:30 --------- d-----w c:\program files\Juniper Networks
2008-12-05 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-05 20:26 --------- d-----w c:\program files\Ethereal
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 9.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.5
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 7.0
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.12
2008-12-05 15:16 --------- d-----w c:\program files\MGC Manager ver 6.0
2008-12-05 14:53 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-12-05 14:52 --------- d-----w c:\documents and settings\epb3\Application Data\TuneUp Software
2008-12-05 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-24 14:28 --------- d-----w c:\program files\ClearSight
2008-11-20 20:19 --------- d-----w c:\program files\GnuWin32
2008-11-17 13:23 --------- d-----w c:\documents and settings\epb3\Application Data\SSH
2008-11-14 20:14 --------- d-----w c:\documents and settings\epb3\Application Data\Elluminate
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-05-16 19:34 23,510,720 ----a-w c:\documents and settings\epb3\Application Data\dotnetfx.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-11 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.CODAU"= codian_video_decoder.dll
"VIDC.CODV"= codian_video_decoder.dll
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"msacm.PLCMg729A"= PLCMg729A.acm
"msacm.PLCMsiren"= PLCMsiren.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-1107\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21444\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-287218729-682003330-21667\Scripts\Logon\0\0]
"Script"=\\ad.unh.edu\SysVol\ad.unh.edu\scripts\telecomNOC.bat
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 c:\program files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-12 20:48 275800 c:\program files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-20 12:06 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-11 07:01 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-12-05 18:38 707360 c:\windows\vVX3000.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Google Update"="c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\iperf.exe"=
"c:\\Program Files\\Solarwinds\\Free Tools\\TFTP-Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Polycom\\PVX\\vvsys.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\epb3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [2008-02-19 2432]
R3 SolarWinds Discovery Service;SolarWinds Discovery Service;c:\program files\Solarwinds\ipMonitor\SWDiscoveryEngine12.exe [2007-10-02 122880]
R4 ipMonitorRpt;ipMonitorRpt;c:\program files\Solarwinds\ipMonitor\ipmrptsrv9.exe [2007-10-19 475136]
R4 ipMonitorSrv;ipMonitorSrv;c:\program files\Solarwinds\ipMonitor\ipmservice9.exe [2008-01-04 990720]
R4 Sniffer;SNIFFER Protocol Driver;c:\windows\system32\drivers\sniffer.sys [2005-10-27 607216]
R4 zyross_dc;ZyrOSS Data Collector for Polycom Products;c:\program files\zyross\zyross_ec_an\bin\wrapper.exe [2007-03-09 204800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]
S3 PGNPF;PG Netgroup Packet Filter;c:\windows\system32\PGdrivers\npf.sys --> c:\windows\system32\PGdrivers\npf.sys [?]
S4 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\documents and settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe [2008-02-19 135680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2008-12-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]
2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\epb3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:30]
2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-01-12 20:48]
2008-12-05 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
- c:\windows\vVX3000.exe [2006-12-05 18:38]
2009-01-12 c:\windows\Tasks\smvqsfzk.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
2009-01-12 c:\windows\Tasks\User_Feed_Synchronization-{E39D2DB4-ADFF-4A46-A393-BF76567CDA61}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
c:\windows\Downloaded Program Files\EMA.ClassLoader.dll - O16 -: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040}
hxxp://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
FF - ProfilePath - c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\Firefox\Profiles\jluf5fbo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\epb3\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkapanga.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-12 08:43:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 8:44:33
ComboFix-quarantined-files.txt 2009-01-12 13:44:31
ComboFix2.txt 2009-01-12 13:38:07
Pre-Run: 77,007,757,312 bytes free
Post-Run: 76,989,079,552 bytes free
234 --- E O F --- 2008-12-22 21:30:50
After this ran again, I noticed that Spybot had restarted once again, but I didn't see VirusScan in my system tray any longer. Also, I noticed Firefox was no longer my default browser. Anyway, I decided to reboot to see if VirusScan would come back. As I was doing this, I noticed an M in my system tray. Ordinarily, my VirusScan console is represented by a V, but I remember reading about how to disable VirusScan before running ComboFix and it said the icon was an M. Anyway, my computer restarted and VirusScan was back, this time with the familiar V in the system tray.
All that aside, here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:39, on 2009-01-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\SolarWinds\ipMonitor\ipm9watchdog.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe
C:\Program Files\Java\jre1.5.0_11\bin\java.exe
C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B0073133-2D9B-4AC6-8AAC-6EB8E9343040} (CEMAClassLoaderCtl Object) - http://132.177.196.114/EMA.Utils/EMA.Cl ... Loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.unh.edu/dana-cached/setup/J ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = unh.edu,unh.edu,unh.edu,ad.unh.edu
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: ipMonitorRpt - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
O23 - Service: ipMonitorSrv - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\ipmservice9.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Documents and Settings\epb3\Application Data\TANDBERG\See&Share\monitorservice.exe
O23 - Service: SolarWinds Discovery Service - SolarWinds - C:\Program Files\SolarWinds\ipMonitor\SWDiscoveryEngine12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: ZyrOSS Data Collector for Polycom Products (zyross_dc) - Unknown owner - C:\Program Files\zyross\zyross_ec_an\bin\wrapper.exe
--
End of file - 8983 bytes
Thanks for your help.