Below is the ComboFix log. I ran ComboFix in Safe Mode.
ComboFix 09-05-29.01 - strettond 31/05/2009 0:59.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1014.806 [GMT 10:00]
Running from: d:\documents and settings\strettond\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {2191E165-CDCD-459D-853C-B8E9FB3D261A}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Install.txt
c:\windows\system32\afogibad.ini
c:\windows\system32\ajoyabiw.ini
c:\windows\system32\ayowokoh.ini
c:\windows\system32\azivigob.ini
c:\windows\system32\bibegipe.dll
c:\windows\system32\bidatemi.dll
c:\windows\system32\biruwuta.dll
c:\windows\system32\bivirulo.dll
c:\windows\system32\bogiviza.dll
c:\windows\system32\bohodebu.dll
c:\windows\system32\buguroru.dll
c:\windows\system32\bulurevo.dll.tmp
c:\windows\system32\dabigofa.dll
c:\windows\system32\dapatudi.dll.tmp
c:\windows\system32\dasakebe.dll
c:\windows\system32\depawehe.dll
c:\windows\system32\dewezuwa.dll.tmp
c:\windows\system32\duvapoji.dll
c:\windows\system32\edatudiv.ini
c:\windows\system32\edebezoh.ini
c:\windows\system32\ehewaped.ini
c:\windows\system32\ehigopev.ini
c:\windows\system32\enohagig.ini
c:\windows\system32\epimevuj.ini
c:\windows\system32\fimesoba.dll
c:\windows\system32\gigahone.dll
c:\windows\system32\giwaporu.dll
c:\windows\system32\gobagaju.dll
c:\windows\system32\hifikino.dll
c:\windows\system32\hokowoya.dll
c:\windows\system32\hozebede.dll
c:\windows\system32\hudebago.dll
c:\windows\system32\ihedamas.ini
c:\windows\system32\imetadib.ini
c:\windows\system32\Install.txt
c:\windows\system32\itehivol.ini
c:\windows\system32\janeguwo.dll.tmp
c:\windows\system32\jawobofe.dll
c:\windows\system32\jiyanoge.dll
c:\windows\system32\jopopaya.dll
c:\windows\system32\juvemipe.dll
c:\windows\system32\juyarono.dll
c:\windows\system32\kegayezu.dll.tmp
c:\windows\system32\kejimile.dll
c:\windows\system32\kupuweyo.dll
c:\windows\system32\lalohuni.dll
c:\windows\system32\lefeveli.dll
c:\windows\system32\lerosusi.dll
c:\windows\system32\lihasiko.dll
c:\windows\system32\loviheti.dll
c:\windows\system32\majubilu.exe
c:\windows\system32\mdm.exe
c:\windows\system32\megumipa.dll
c:\windows\system32\mohohimu.dll
c:\windows\system32\nahiyuku.dll.tmp
c:\windows\system32\nehirudu.dll
c:\windows\system32\nopepizo.dll
c:\windows\system32\nurusofi.dll
c:\windows\system32\olurivib.ini
c:\windows\system32\onanutas.ini
c:\windows\system32\onorayuj.ini
c:\windows\system32\pokazejo.dll
c:\windows\system32\ratanofi.dll
c:\windows\system32\ruseduja.dll
c:\windows\system32\samadehi.dll
c:\windows\system32\satunano.dll
c:\windows\system32\setorera.dll
c:\windows\system32\sijanidu.dll
c:\windows\system32\sivosari.dll
c:\windows\system32\taviretu.dll
c:\windows\system32\tmp.reg
c:\windows\system32\tomahuya.dll
c:\windows\system32\ubedohob.ini
c:\windows\system32\uheyipod.ini
c:\windows\system32\ukoritay.ini
c:\windows\system32\umihohom.ini
c:\windows\system32\uritejoz.ini
c:\windows\system32\uropawig.ini
c:\windows\system32\uterivat.ini
c:\windows\system32\uzesomuz.ini
c:\windows\system32\vepogihe.dll
c:\windows\system32\viborite.dll
c:\windows\system32\vidutade.dll
c:\windows\system32\wibayoja.dll
c:\windows\system32\yatiroku.dll
c:\windows\system32\yozamodi.dll
c:\windows\system32\yunizawa.dll
c:\windows\system32\zidekebe.dll
c:\windows\system32\zideribu.dll
c:\windows\system32\zojetiru.dll
c:\windows\system32\zumosezu.dll
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://62.4.83.201
hxxp://windowsupdate.wesleycollege.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_NOBICYT
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.
2009-05-27 09:27 . 2009-05-27 09:27 5490 --sh--w c:\windows\system32\gayorayu.dll
2009-05-23 13:01 . 2009-05-23 13:01 -------- d-----w c:\program files\CCleaner
2009-05-18 09:07 . 2004-02-04 00:27 49536 ----a-w c:\windows\system32\drivers\tiehdusb.sys
2009-05-18 09:07 . 2004-01-28 05:03 21456 ----a-w c:\windows\system32\drivers\SilvrLnk.sys
2009-05-18 09:05 . 2009-05-18 09:05 -------- d-----w c:\program files\Common Files\TI Shared
2009-05-18 09:05 . 2009-05-18 09:07 -------- d-----w c:\program files\TI Education
2009-05-16 06:26 . 2009-05-16 06:26 5421 --sh--w c:\windows\system32\togigazo.dll
2009-05-14 23:34 . 2009-05-14 23:34 -------- d-----w c:\program files\NJStar Chinese WP
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\windows\system32\Fonts
2009-05-12 05:35 . 2002-07-16 22:29 15488 ------w c:\windows\system32\drivers\PSSensor.sys
2009-05-12 05:35 . 2009-05-12 05:35 -------- d-----w c:\program files\DataStudio
2009-05-08 11:31 . 2003-03-18 21:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 11:31 . 2009-05-08 11:31 -------- d-----w c:\program files\Alwil Software
2009-05-06 10:39 . 2009-05-11 00:05 -------- d-----w d:\documents and settings\strettond\Application Data\ptidle
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 14:51 . 2008-02-28 03:27 -------- d-----w d:\documents and settings\strettond\Application Data\skypePM
2009-05-30 14:33 . 2008-04-15 12:28 -------- d-----w d:\documents and settings\strettond\Application Data\Skype
2009-05-19 09:32 . 2007-10-18 03:13 104592 ----a-w d:\documents and settings\strettond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 04:18 . 2008-03-19 02:56 1510 ----a-w c:\windows\Sketchpad Preferences.dat
2009-05-18 09:04 . 2007-12-25 10:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-16 11:04 . 2007-10-17 23:58 -------- d-----w c:\program files\Trend Micro
2009-05-14 23:34 . 2007-10-18 10:23 -------- d-----w d:\documents and settings\strettond\Application Data\NJStar
2009-05-06 10:44 . 2009-02-06 10:43 87040 --sha-w c:\windows\system32\wuboleda.dll.vir
2009-04-21 05:33 . 2007-10-18 00:12 222504 ----a-w c:\windows\system32\odyGina.dll
2009-04-21 05:33 . 2007-10-18 00:11 611624 ----a-w c:\windows\system32\odGinaLibrary.dll
2009-04-21 05:33 . 2007-10-18 00:11 210216 ----a-w c:\windows\system32\odyEvent.dll
2009-04-21 05:32 . 2009-04-21 05:32 -------- d-----w c:\program files\Common Files\Funk Software
2009-04-21 05:32 . 2007-10-18 00:11 -------- d-----w c:\program files\Juniper Networks
2009-04-07 01:24 . 2006-10-02 23:04 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 01:10 . 2009-04-07 01:10 -------- d-----w c:\program files\Microsoft Games
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w d:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-06 05:37 . 2009-04-06 05:36 -------- d-----w c:\program files\iTunes
2009-04-06 05:37 . 2009-04-06 05:37 -------- d-----w c:\program files\iPod
2009-04-06 05:37 . 2007-10-18 13:40 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 05:34 . 2009-04-06 05:34 -------- d-----w c:\program files\QuickTime
2009-04-05 03:45 . 2007-08-31 15:16 76688 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-06 14:44 . 2004-08-03 13:56 283648 ----a-w c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"Skype"="c:\program files\Skype\Phone\skype.exe" [2007-12-12 21686568]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 81920]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-07-21 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-07-21 61440]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2005-06-07 69632]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-18 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-06 761946]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-05 718120]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-06-28 458752]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-05 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-05 45056]
"TalkAndWrite"="d:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2008-03-02 3042816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2009-01-19 959784]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-17 88365]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2005-1-24 35840]
PASPortal.lnk - c:\program files\DataStudio\PASPortal.exe [2009-5-12 208896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2005-01-25 417792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-10 03:36 24576 ----a-w c:\windows\system32\novell\xtnotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2009-04-21 05:33 210216 ----a-w c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/07/2005 2:06 PM 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [23/09/2005 7:48 AM 28544]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [20/01/2009 8:18 AM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [20/01/2009 8:18 AM 282496]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [21/02/2008 12:14 PM 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/11/2008 2:10 PM 87416]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [22/11/2004 1:07 PM 163840]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [13/06/2007 5:00 AM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [13/06/2007 5:00 AM 36368]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [10/01/2005 1:36 PM 61440]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [18/10/2007 9:19 PM 16194]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [20/01/2009 8:48 AM 116008]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [3/10/2006 8:57 AM 4864]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [15/11/2006 2:49 AM 390144]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [11/01/2009 1:26 PM 29312]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [28/04/2007 6:35 AM 652552]
S2 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [12/05/2009 3:35 PM 15488]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [11/01/2009 1:26 PM 11008]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys [18/10/2007 9:19 PM 390016]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - INO_FLTR
*NewlyCreated* - MACROMEDIA_LICENSING_SERVICE
*Deregistered* - INO_FLTR
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 02:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{1fe3a93d-98f5-4b0f-b29f-45dc685e019f} - c:\windows\system32\zideribu.dll
HKLM-Run-rejamaleva - c:\windows\system32\lihasiko.dll
HKLM-Run-cce02f69 - c:\windows\system32\dopiyehu.dll
HKLM-Run-CPMcfd31cf5 - c:\windows\system32\fimesoba.dll
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = https://intranet.wesleycollege.net/
uInternet Settings,ProxyOverride = *.local
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/Juni ... Client.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://intranet.wesleycollege.net/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll
FF - plugin: d:\documents and settings\strettond\Application Data\Mozilla\Firefox\Profiles\onkiiaok.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 01:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1336)
c:\windows\system32\odyGina.dll
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\odyEvent.dll
c:\program files\Common Files\Funk Software\dcfDOM.dll
c:\program files\Common Files\Funk Software\dcfLibrary.DLL
c:\program files\Juniper Networks\Odyssey Access Client\odClientControl.dll
- - - - - - - > 'Explorer.exe'(3416)
c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\o2flash.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\windows\temp\SN3FC8.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Fingerprint Sensor\ATSwpNav.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-05-30 1:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-30 15:08
Pre-Run: 22,703,263,744 bytes free
Post-Run: 21,512,310,784 bytes free
351 --- E O F --- 2009-04-23 14:41
Here is the new HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:01 AM, on 31/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mdnsresponder.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\TEMP\SN3FC8.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\NETGEAR\WG511\Utility\wg511wlu.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\iTunes\ituneshelper.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\skype.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://intranet.wesleycollege.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wesleycollege.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [TalkAndWrite] D:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OdTray.exe] C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: PASPortal.lnk = C:\Program Files\DataStudio\PASPortal.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://intranet.wesleycollege.net/
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9850260890
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://juniper.net/dana-cached/setup/J ... tupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/Juni ... Client.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F751CA9B-507D-432C-B582-5AD219BEFD20}: Domain = wesleycollege.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
--
End of file - 12340 bytes