  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3554

wdmaud.sys

I have a hijacker that changes the URL in Google searches. The search result may turn up Wikipedia but I'll be redirected to an entirely different website. I have figured out that if I remove wdmaud.sys from the System32 directory of Windows the problem goes away, but the file returns in a few hours. I have tried a number of programs including Ad-Aware, Malwarebytes, NOD32, and CounterSpy. I booted into safe mode and cleaned out everything in my browsers. I emptied the recycle bin. I am running the latest versions of Internet Explorer and Firefox in Windows XP Pro. I have a lot of processes running and would like to eliminate some of them, but I have difficulty associating many of the processes with programs and I am stuck on what things I can get rid of. I am including a HijackThis log.

How do I keep the malware from coming back? How can I reduce unnecessary processes?

Logfile of HijackThis v1.99.1
Scan saved at 3:41:31 PM, on 2/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Andrea Electronics\Andrea USB USBD2-A Audio Adapter\AudioCommander.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Downloads\!Main Downloads\HackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emedschool.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LiveState Recovery 3.0] "C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AudioCommander] C:\Program Files\Andrea Electronics\Andrea USB USBD2-A Audio Adapter\AudioCommander.exe /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\RunOnce: [FsVdInstReboot] 
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Davey Hotsync.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra 'Tools' menuitem: Passcards Editor - {45DB34C3-955C-11D3-ABEF-444553540001} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://ra.intuit.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187928486984
O16 - DPF: {6BE807BB-A5F6-4B0E-B611-E7F59C83CC82} (VSee Box Control) - http://vseelab.com/vstart.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187928474953
O16 - DPF: {A44C30C8-7837-410D-84C3-807D2867AEC6} - http://www.formsrus.com/viewer/setup.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: Symantec LiveState Recovery - Symantec Corporation - C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProSvc.exe

Asked by JoshOdom
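One check that follows directly from the symptom in the question (the file is deleted and is back within hours), added here as an example that is not code from the thread: hash the file before removing it, then re-check later whether it has returned and whether the returned copy is byte-identical. A file that keeps coming back is being re-dropped by something still on the system, so the thing to hunt is the re-dropper (autostart entries, services, drivers), not the dropped file; the hash comparison also tells you whether the dropper writes the same bytes each time. The directory, file name and contents used by `demo()` are constructed stand-ins, not the real System32 file.

```python
"""Record-and-recheck for a file you are about to remove.

Added example, not from the thread: hashing the file before removal and
re-checking later shows (a) that something still on the system re-drops it and
(b) whether the dropped bytes are identical each time.  The directory and file
contents used by demo() are constructed stand-ins; the real file lives in System32."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_removal(path: Path, record_file: Path) -> str:
    """Hash `path`, store the digest under its name in the JSON record, then delete it."""
    records = json.loads(record_file.read_text()) if record_file.exists() else {}
    digest = sha256_of(path)
    records[str(path)] = digest
    record_file.write_text(json.dumps(records, indent=2))
    path.unlink()
    return digest


def check_recurrence(record_file: Path) -> Dict[str, str]:
    """For each recorded removal: 'absent', 'reappeared_identical' or 'reappeared_modified'."""
    records = json.loads(record_file.read_text()) if record_file.exists() else {}
    status: Dict[str, str] = {}
    for name, old_digest in records.items():
        p = Path(name)
        if not p.exists():
            status[name] = "absent"
        elif sha256_of(p) == old_digest:
            status[name] = "reappeared_identical"
        else:
            status[name] = "reappeared_modified"
    return status


def demo(workdir: Optional[Path] = None) -> List[str]:
    """Replay the question's scenario on constructed data and return the three verdicts."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="recurrence-"))
    target = workdir / "wdmaud.sys"            # constructed stand-in, not the System32 file
    record = workdir / "removal-record.json"
    payload = b"constructed sample bytes standing in for the suspicious driver"
    target.write_bytes(payload)
    record_removal(target, record)
    verdicts = [check_recurrence(record)[str(target)]]       # 'absent'
    target.write_bytes(payload)                              # dropper writes the same bytes
    verdicts.append(check_recurrence(record)[str(target)])   # 'reappeared_identical'
    target.write_bytes(payload + b" variant")                # dropper writes a new variant
    verdicts.append(check_recurrence(record)[str(target)])   # 'reappeared_modified'
    return verdicts


if __name__ == "__main__":
    print(demo())
```

On the real machine you would point `record_removal` at the suspicious file and run `check_recurrence` on a schedule; the JSON record doubles as a timeline of what was removed and when it returned, which is exactly the evidence an expert reviewing the logs asks for.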
7 Solutions
 
IndiGenus commented:
Hi,

This can be a stubborn one. There might be a rootkit present. I would hit it with ComboFix and go from there.

Download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process, ComboFix will now install the Recovery Console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: ComboFix will typically fix most and sometimes all malware entries, but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.


 
David-Howard commented:
From your log file:
These are marked as unknown and can be removed if you are unsure of the origin. They are not the source of your problem, but they are not required to run either.
C:\Program Files\Andrea Electronics\Andrea USB USBD2-A Audio Adapter\AudioCommander.exe
O4 - HKLM\..\Run: [AudioCommander] C:\Program Files\Andrea Electronics\Andrea USB USBD2-A Audio Adapter\AudioCommander.exe /tray
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\RunOnce: [FsVdInstReboot] 
O16 - DPF: {6BE807BB-A5F6-4B0E-B611-E7F59C83CC82} (VSee Box Control) - http://vseelab.com/vstart.ocx
O16 - DPF: {A44C30C8-7837-410D-84C3-807D2867AEC6} - http://www.formsrus.com/viewer/setup.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
Your log file is clean beyond those entries.

Now, prior to running any anti-virus/malware suites, disable System Restore. Directions can be found here:
http://support.microsoft.com/kb/310405
If you are unable to view the above link follow these steps.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
When you have finished running your scans and the threats have been removed enable System Restore.
Steps to turn on System Restore:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
After a few moments, the System Properties dialog box closes.
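A helper for the kind of review David-Howard did by hand above, written as an added example (it is not code from the thread or from the HijackThis project): it parses the O4, O16, O20 and O23 lines of a HijackThis log and flags the properties he singled out, a referenced file that is missing, a service with no recorded owner, an empty or unresolvable autostart entry, an ActiveX control with no friendly name, plus two checks of its own, a command that relies on the search path rather than an absolute path, and the same executable autostarted from more than one location. The section regexes, rule names and the `Finding` type are this example's own; the sample lines are copied from the log posted in the question.

```python
"""Triage a HijackThis log the way a reviewer does by eye.

Added example, not code from this thread or from HijackThis: the section regexes,
rule names and the Finding type are this example's own; the sample lines below
are copied from the log posted in the question."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section: O4, O16, O20 or O23
    name: str     # entry name exactly as HijackThis printed it
    reason: str   # why a reviewer should look at this entry


# "O4 - HKLM\..\Run: [name] command"  (registry autostart)
O4_REG = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "O4 - Global Startup: name.lnk = target"  (startup-folder shortcut)
O4_LNK = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# "O16 - DPF: {CLSID} (friendly name) - url"  (downloaded ActiveX control)
O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# "O20 - Winlogon Notify: name - dll"
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# "O23 - Service: display name - owner - binary"
O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Command anchored to a drive letter or %ENVVAR% (optionally quoted), not the search path.
ABS_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%)')
# Unquoted command: everything up to the first program-image extension.
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|,|$)", re.IGNORECASE)
# Host processes whose image says nothing about what is really started.
HOST_IMAGES = {"rundll32.exe", "regsvr32.exe"}

# Constructed sample: a subset of the O4/O16/O20/O23 lines from the log in the question.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\RunOnce: [FsVdInstReboot]
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O16 - DPF: {6BE807BB-A5F6-4B0E-B611-E7F59C83CC82} (VSee Box Control) - http://vseelab.com/vstart.ocx
O16 - DPF: {A44C30C8-7837-410D-84C3-807D2867AEC6} - http://www.formsrus.com/viewer/setup.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
"""


def _executable(cmd: str) -> str:
    """Program image named by an autostart command, lower-cased, quotes stripped."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    m = EXE_PREFIX.match(cmd)
    return (m.group(1) if m else cmd).lower()


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the entries a reviewer should look at."""
    findings: List[Finding] = []
    seen: Dict[str, str] = {}  # executable -> where it was first seen autostarted
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = O4_REG.match(line) or O4_LNK.match(line)
        if m:
            hive, name, cmd = m["hive"], m["name"], m["cmd"].strip()
            if not cmd:
                findings.append(Finding("O4", name, "autostart entry with an empty command"))
                continue
            if cmd == "?":
                findings.append(Finding("O4", name, "startup shortcut whose target could not be resolved"))
                continue
            if not ABS_PATH.match(cmd):
                findings.append(Finding("O4", name, "command is resolved via the search path, not an absolute path"))
            exe = _executable(cmd)
            if exe.rsplit("\\", 1)[-1] in HOST_IMAGES:
                continue
            if exe in seen:
                findings.append(Finding("O4", name, f"same executable is also autostarted from {seen[exe]}"))
            else:
                seen[exe] = hive
            continue
        m = O16.match(line)
        if m:
            if not m["name"]:
                findings.append(Finding("O16", m["clsid"], "ActiveX control with no friendly name, only a download URL"))
            continue
        m = O20.match(line)
        if m:
            if "(file missing)" in m["path"]:
                findings.append(Finding("O20", m["name"], "Winlogon Notify DLL is referenced but missing on disk"))
            continue
        m = O23.match(line)
        if m:
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding("O23", m["name"], "service binary has no recorded owner"))
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", m["name"], "service binary reported missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name}: {f.reason}")
```

The findings are review pointers, not verdicts: on the sample above the Adobe service is flagged for "Unknown owner" just as in the expert's list, and it is legitimate but unnecessary software, which is exactly the distinction he drew. The duplicate-autostart rule is why GBMPro8Agent is worth a look: the same program is started from both the HKLM and HKCU Run keys, so removing one entry leaves the other behind.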
 
JoshOdom (Author) commented:
I did run ComboFix earlier and that is how I found wdmaud.sys. I downloaded the version that you recommended and ran it again. It did not show the bad file because I know to delete it when it appears. I am attaching the log file. I use Dragon Dictate and Andrea is necessary for that. I don't know about the other processes. How do I keep them from running? I know how to stop them but I don't know how to keep them from loading when I restart my computer.

ComboFix 09-02-17.02 - Administrator 2009-02-18 12:25:59.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3318.2162 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
 * Created a new restore point
.
 
(((((((((((((((((((((((((   Files Created from 2009-01-18 to 2009-02-18  )))))))))))))))))))))))))))))))
.
 
2009-02-17 22:20 . 2009-02-17 22:20	<DIR>	d--------	c:\program files\Virtual Dimension
2009-02-17 16:57 . 2009-02-17 16:57	<DIR>	d--------	c:\program files\MAPILab Ltd
2009-02-17 16:57 . 2009-02-17 16:57	<DIR>	d--------	c:\program files\Common Files\MAPILab Ltd
2009-02-17 11:23 . 2009-02-17 11:23	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-17 11:23 . 2009-02-17 11:23	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 11:23 . 2009-02-17 11:23	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-17 11:23 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 11:23 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-17 03:39 . 2009-02-17 03:39	<DIR>	d--------	c:\documents and settings\QBDataServiceUser17\Application Data\Nuance
2009-02-16 15:45 . 2009-02-16 15:45	<DIR>	d--hs----	c:\documents and settings\Administrator\IECompatCache
2009-02-15 20:10 . 2009-02-15 20:10	<DIR>	d--------	c:\program files\Diskeeper Corporation
2009-02-15 20:00 . 2009-02-15 20:00	<DIR>	d--------	c:\program files\Microsoft
2009-02-15 15:19 . 2009-02-15 15:19	<DIR>	d--------	c:\program files\Sunbelt Software
2009-02-15 15:19 . 2009-02-15 15:19	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Sunbelt
2009-02-15 15:19 . 2009-02-15 15:19	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Sunbelt
2009-02-14 12:25 . 2009-02-15 09:20	26	--a------	c:\windows\Zone.Identifier
2009-02-14 01:26 . 2009-02-14 01:26	<DIR>	d--------	c:\program files\TechHit.com
2009-02-14 00:01 . 2009-02-14 00:01	27,648	--a------	C:\b641.tmp
2009-02-14 00:01 . 2009-02-14 00:01	26,112	--a------	C:\b642.tmp
2009-02-14 00:00 . 2009-02-14 00:00	41,472	--a------	C:\b643.tmp
2009-02-13 23:54 . 2009-02-13 23:54	104,341	--a------	C:\b644.tmp
2009-02-13 23:54 . 2009-02-13 23:54	102,978	--a------	C:\b645.tmp
2009-02-13 23:49 . 2009-02-13 23:49	25,088	--a------	C:\b648.tmp
2009-02-13 23:49 . 2009-02-13 23:49	7,520	--a------	C:\b646.tmp
2009-02-13 23:49 . 2009-02-13 23:49	5,472	--a------	C:\b647.tmp
2009-02-13 23:48 . 2009-02-13 23:48	1,320	--a------	C:\b649.tmp
2009-02-13 23:07 . 2009-02-13 23:07	6,142	--a------	C:\b6423.tmp
2009-02-13 23:06 . 2009-02-13 23:06	9,415	--a------	C:\b6426.tmp
2009-02-13 23:06 . 2009-02-13 23:06	8,870	--a------	C:\b6429.tmp
2009-02-13 23:06 . 2009-02-13 23:06	57	--a------	C:\b6428.tmp
2009-02-13 23:06 . 2009-02-13 23:06	57	--a------	C:\b6425.tmp
2009-02-13 23:06 . 2009-02-13 23:06	2	--a------	C:\b6427.tmp
2009-02-13 23:06 . 2009-02-13 23:06	2	--a------	C:\b6424.tmp
2009-02-13 12:11 . 2009-02-13 12:11	<DIR>	d--------	C:\My_Outlook_Files
2009-02-13 12:11 . 2009-02-13 12:11	70	--a------	c:\windows\34h929a.o2m
2009-02-13 12:11 . 2009-02-13 12:11	0	--a------	c:\windows\j38fnbs1.tmp
2009-02-13 12:11 . 2009-02-13 12:11	0	--a------	C:\temp.000
2009-02-13 12:10 . 2009-02-14 00:12	<DIR>	d--------	c:\program files\O2M
2009-02-12 13:46 . 2009-02-13 13:35	6,148	--ah-----	C:\.DS_Store
2009-02-12 07:11 . 2009-02-12 07:11	<DIR>	d--hs----	c:\documents and settings\Administrator\PrivacIE
2009-02-12 07:11 . 2009-02-12 07:11	<DIR>	d--hs----	c:\documents and settings\Administrator\IETldCache
2009-02-12 07:06 . 2009-02-17 15:28	4,096	--ahs----	C:\VSNAP.IDX
2009-02-12 07:04 . 2009-02-12 07:04	<DIR>	d--------	c:\windows\ie8updates
2009-02-12 06:57 . 2009-02-12 06:59	<DIR>	d--h-c---	c:\windows\ie8
2009-02-12 06:54 . 2009-01-10 21:00	79,360	-----c---	c:\windows\system32\dllcache\iecompat.dll
2009-02-11 21:22 . 2009-02-12 08:01	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
2009-02-11 21:22 . 2009-02-12 07:59	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 01:02 . 2008-04-13 17:11	21,504	--a------	c:\windows\system32\hidserv.dll
2009-02-11 01:02 . 2008-04-13 17:11	21,504	--a--c---	c:\windows\system32\dllcache\hidserv.dll
2009-02-11 00:48 . 2009-02-11 01:00	<DIR>	d--------	c:\windows\SxsCaPendDel
2009-01-19 15:51 . 2009-01-19 15:51	<DIR>	d--------	c:\documents and settings\All Users\Application Data\farstone
2009-01-19 15:51 . 2009-01-19 15:51	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\FarStone
2009-01-19 15:45 . 2008-10-21 13:54	86,800	--a------	c:\windows\system32\drivers\fvxscsi.sys
2009-01-19 15:45 . 2008-10-29 08:46	18,448	--a------	c:\windows\system32\drivers\fcdabus.sys
2009-01-19 15:45 . 2007-06-15 06:10	17,542	--a------	c:\windows\Driver.ico
2009-01-19 15:45 . 2006-08-08 10:03	14,496	--a------	c:\windows\system32\VDI08X.dat
2009-01-19 15:44 . 2009-01-19 15:44	<DIR>	d--------	c:\program files\FarStone
2009-01-19 15:42 . 2009-01-19 15:42	118,784	--a------	c:\windows\system32\DVC.dll
2009-01-19 15:42 . 2009-01-19 15:42	86,016	--a------	c:\windows\system32\Dversion.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 20:11	---------	d-----w	c:\program files\Chameleon Clock
2009-02-17 23:56	2,553	----a-w	c:\documents and settings\Administrator\Application Data\SAS7_000.DAT
2009-02-17 23:56	---------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 04:00	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-16 03:45	---------	d-----w	c:\documents and settings\Administrator\Application Data\GoodSync
2009-02-16 03:07	---------	d-----w	c:\program files\Lavasoft
2009-02-12 16:27	---------	d-----w	c:\program files\Siber Systems
2009-01-15 10:05	911,872	----a-w	c:\windows\system32\wininet.dll
2009-01-15 10:05	43,008	----a-w	c:\windows\system32\licmgr10.dll
2009-01-15 10:04	18,944	----a-w	c:\windows\system32\corpol.dll
2009-01-15 10:03	72,704	----a-w	c:\windows\system32\admparse.dll
2009-01-15 10:03	71,680	----a-w	c:\windows\system32\iesetup.dll
2009-01-15 10:03	420,352	----a-w	c:\windows\system32\vbscript.dll
2009-01-15 10:01	34,304	----a-w	c:\windows\system32\imgutil.dll
2009-01-15 10:00	48,128	----a-w	c:\windows\system32\mshtmler.dll
2009-01-15 10:00	45,568	----a-w	c:\windows\system32\mshta.exe
2009-01-15 09:50	156,160	----a-w	c:\windows\system32\msls31.dll
2009-01-01 23:18	---------	d-----w	c:\documents and settings\Administrator\Application Data\SmartDraw
2009-01-01 23:14	---------	d-----w	c:\program files\SmartDraw 2006
2009-01-01 23:09	---------	d-----w	c:\program files\SmartDraw 2007
2009-01-01 22:57	---------	d-----w	c:\program files\SmartDraw 2008
2008-10-19 17:29	60,744	----a-w	c:\documents and settings\Administrator\g2mdlhlpx.exe
2008-01-02 23:02	32	----a-w	c:\documents and settings\All Users\Application Data\ezsid.dat
2008-06-12 08:52	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061220080613\index.dat
.
 
(((((((((((((((((((((((((((((   SnapShot@2009-02-16_15.23.00.28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-18 00:57:19	25,214	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\ARPPRODUCTICON.exe
+ 2009-02-18 00:57:19	65,536	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\license.rtf_7AA3663443244EF48C0CD8EF1FC2BEA4.exe
+ 2009-02-18 00:57:19	69,632	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\msodrems.chm_7AA3663443244EF48C0CD8EF1FC2BEA4.exe
+ 2009-02-18 00:57:19	25,214	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\NewShortcut1_7AA3663443244EF48C0CD8EF1FC2BEA4.exe
+ 2003-09-15 08:55:53	14,843	----a-w	c:\windows\system32\mingwm10.dll
- 2009-02-12 05:02:27	72,108	----a-w	c:\windows\system32\perfc009.dat
+ 2009-02-18 00:05:38	72,108	----a-w	c:\windows\system32\perfc009.dat
- 2009-02-12 05:02:27	444,358	----a-w	c:\windows\system32\perfh009.dat
+ 2009-02-18 00:05:38	444,358	----a-w	c:\windows\system32\perfh009.dat
+ 2009-02-17 23:30:15	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_798.dat
+ 2009-02-17 23:30:35	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_868.dat
+ 2009-02-17 23:30:12	16,384	----atw	c:\windows\Temp\Perflib_Perfdata_f8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock.exe" [2004-01-16 810496]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\320\g2mstart.exe" [2008-10-19 31552]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-12-25 160592]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"LiveState Recovery 3.0"="c:\program files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe" [2005-05-23 1277952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"AudioCommander"="c:\program files\Andrea Electronics\Andrea USB USBD2-A Audio Adapter\AudioCommander.exe" [2006-03-20 888832]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Opware15"="c:\program files\ScanSoft\OmniPage15.0\Opware15.exe" [2006-02-03 69632]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-05-05 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-05-05 40960]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"VirtualDrive"="c:\program files\FarStone\VirtualDrive\VDTask.exe" [2008-11-06 166416]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-10-28 681256]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"CANON DR2080C SVC"="DR2KSVC.dll" [2007-03-02 c:\windows\system32\DR2KSVC.dll]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FsVdInstReboot"="1 (0x1)" [X]
 
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-07-27 2807144]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-09-23 25214]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-08-01 221295]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"msacm.PLCMg729A"= PLCMg729A.acm
"PLCMsiren.acm"= Polycom Siren
"msacm.PLCMsiren"= PLCMsiren.acm
"aux7"= wdmaud.sys
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Adaptec\\Adaptec Storage Manager\\jre15\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
 
R0 adp3132;adp3132;c:\windows\system32\drivers\adp3132.sys [2007-10-26 313856]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-10-28 886056]
S3 ctgame;Game Port;c:\windows\system32\drivers\CTGAME.SYS [2002-12-29 12160]
S3 FIXUSTOR;FIXUSTOR;c:\windows\system32\drivers\fixustor.sys [2006-01-04 11136]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-07 33752]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2006-04-03 14032]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24293629-1bcf-11dd-a05f-001320662387}]
\Shell\AutoRun\command - L:\PStart.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-18 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
 
2009-02-18 c:\windows\Tasks\Free World U 1202869839.job
- c:\program files\Intuit\QuickBooks 2007\AutoBackupEXE.exe [2008-03-18 17:40]
 
2009-02-15 c:\windows\Tasks\GBM - Davey-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-09-11 04:27]
 
2009-02-18 c:\windows\Tasks\GBM - Davey-Incremental.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-09-11 04:27]
 
2009-02-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 17:12]
 
2009-01-27 c:\windows\Tasks\NatSpeak_Optimizer_9_51_267CAA42-4886-449C-96FC-E396726BAE4.job
- c:\progra~1\Nuance\NATURA~1\Program\schedmgr.exe []
 
2009-02-17 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe []
 
2009-02-18 c:\windows\Tasks\SyncBackSE Server Backup Download.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2008-02-04 22:40]
.
- - - - ORPHANS REMOVED - - - -
 
Toolbar-Locked - (no file)
 
 
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{45DB34C3-955C-11D3-ABEF-444553540000} - c:\program files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
IE: {{45DB34C3-955C-11D3-ABEF-444553540001} - c:\program files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
DPF: {6BE807BB-A5F6-4B0E-B611-E7F59C83CC82} - hxxp://vseelab.com/vstart.ocx
DPF: {A44C30C8-7837-410D-84C3-807D2867AEC6} - hxxp://www.formsrus.com/viewer/setup.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8k6xijt7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.freeworldu.org/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8k6xijt7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8k6xijt7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
 
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 12:30:27
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_USERS\Administrator\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(792)
c:\windows\System32\wbem\wbemcomn.dll
.
Completion time: 2009-02-18 12:37:11
ComboFix-quarantined-files.txt  2009-02-18 20:35:52
ComboFix2.txt  2009-02-16 23:27:03
 
Pre-Run: 125,045,067,776 bytes free
Post-Run: 125,032,714,240 bytes free
 
279	--- E O F ---	2009-01-15 00:28:59

 
IndiGenus Commented:
Looks like it's getting loaded back from here.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux7"= wdmaud.sys

We can use a combofix script to kill it. As far as the other processes I'm not quite sure what you're looking to do.

Here's your script.

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux7"=-

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt


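The point IndiGenus makes above is worth generalising: Drivers32 registers user-mode multimedia drivers (.drv, .dll, .acm), while the genuine wdmaud.sys is a kernel driver that lives in system32\drivers and is loaded by the service control manager, never through this key. A ".sys" name under Drivers32 is therefore a persistence red flag on its own, without needing a signature for the file. The script below is an added example written for this thread, not part of ComboFix or of anyone's post: it parses the "Reg Loading Points" section of a ComboFix log, audits the Drivers32 block, and emits the same Registry:: / "name"=- CFScript stanza the answer uses. The sample log is constructed; its Drivers32 lines copy the ones posted in the thread, and the "wave" entry is a made-up addition to exercise the path check.

```python
import re

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# section. The Drivers32 block mirrors the one posted in the thread; the
# "wave" line is an added, made-up entry to exercise the path check.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"PLCMsiren.acm"= Polycom Siren
"msacm.PLCMsiren"= PLCMsiren.acm
"aux7"= wdmaud.sys
"wave"= c:\docume~1\alluse~1\applic~1\example\snd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
DRIVERS32_SUFFIX = r'\currentversion\drivers32'
# Where a legitimate user-mode multimedia driver is expected to live.
SYSTEM32_PREFIXES = (r'c:\windows\system32', r'%systemroot%\system32',
                     r'%windir%\system32')


def parse_reg_blocks(text):
    """Return {key: [(value_name, data), ...]} for a REGEDIT4-style listing.

    Keys keep the case the log prints; callers lower-case them to compare.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_m = KEY_RE.match(line)
        if key_m:
            current = key_m.group('key')
            blocks.setdefault(current, [])
            continue
        val_m = VALUE_RE.match(line)
        if val_m and current is not None:
            blocks[current].append((val_m.group('name'),
                                    val_m.group('data').strip()))
    return blocks


def audit_drivers32(blocks):
    """Return (drivers32_key_as_printed, findings) for the Drivers32 block.

    'high'   : data names a .sys file; kernel drivers are never loaded here.
    'review' : data is a full path outside system32; some codecs do this
               legitimately, so a human should confirm before removal.
    """
    findings = []
    key_printed = None
    for key, values in blocks.items():
        if not key.lower().endswith(DRIVERS32_SUFFIX):
            continue
        key_printed = key
        for name, data in values:
            d = data.strip('"').lower()
            if d.endswith('.sys'):
                findings.append({'name': name, 'data': data, 'severity': 'high',
                                 'why': 'kernel driver name (.sys) in a user-mode driver slot'})
            elif '\\' in d and not d.startswith(SYSTEM32_PREFIXES):
                findings.append({'name': name, 'data': data, 'severity': 'review',
                                 'why': 'driver loaded from outside system32'})
    return key_printed, findings


def cfscript_for(key, findings):
    """Build the CFScript stanza that deletes the high-severity values.

    Same Registry:: / "name"=- syntax as the answer above; 'review' findings
    are deliberately left out so a human confirms them first.
    """
    lines = ['Registry::', '[' + key + ']']
    lines += ['"%s"=-' % f['name'] for f in findings if f['severity'] == 'high']
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    key, found = audit_drivers32(parse_reg_blocks(SAMPLE_LOG))
    for f in found:
        print('%-6s %-16s %-45s %s' % (f['severity'], f['name'], f['data'], f['why']))
    print(cfscript_for(key, found))
```

Run against the sample, the audit reports "aux7"= wdmaud.sys as high and the made-up "wave" path as review, and the generated stanza is exactly the three-line script in the answer. Deleting the value stops the reload; the file itself and whatever wrote the value still have to be found, which is why the Run-key and service lists in the same log are worth reading alongside this.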
 
JoshOdom (Author) Commented:

okay, I did what you said and here is the next log file.
ComboFix 09-02-17.02 - Administrator 2009-02-18 13:24:11.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3318.2989 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
.
 
(((((((((((((((((((((((((   Files Created from 2009-01-18 to 2009-02-18  )))))))))))))))))))))))))))))))
.
 
2009-02-17 22:20 . 2009-02-17 22:20	<DIR>	d--------	c:\program files\Virtual Dimension
2009-02-17 16:57 . 2009-02-17 16:57	<DIR>	d--------	c:\program files\MAPILab Ltd
2009-02-17 16:57 . 2009-02-17 16:57	<DIR>	d--------	c:\program files\Common Files\MAPILab Ltd
2009-02-17 11:23 . 2009-02-17 11:23	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-17 11:23 . 2009-02-17 11:23	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 11:23 . 2009-02-17 11:23	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-17 11:23 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 11:23 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-17 03:39 . 2009-02-17 03:39	<DIR>	d--------	c:\documents and settings\QBDataServiceUser17\Application Data\Nuance
2009-02-16 15:45 . 2009-02-16 15:45	<DIR>	d--hs----	c:\documents and settings\Administrator\IECompatCache
2009-02-15 20:10 . 2009-02-15 20:10	<DIR>	d--------	c:\program files\Diskeeper Corporation
2009-02-15 20:00 . 2009-02-15 20:00	<DIR>	d--------	c:\program files\Microsoft
2009-02-15 15:19 . 2009-02-15 15:19	<DIR>	d--------	c:\program files\Sunbelt Software
2009-02-15 15:19 . 2009-02-15 15:19	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Sunbelt
2009-02-15 15:19 . 2009-02-15 15:19	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Sunbelt
2009-02-14 12:25 . 2009-02-15 09:20	26	--a------	c:\windows\Zone.Identifier
2009-02-14 01:26 . 2009-02-14 01:26	<DIR>	d--------	c:\program files\TechHit.com
2009-02-14 00:01 . 2009-02-14 00:01	27,648	--a------	C:\b641.tmp
2009-02-14 00:01 . 2009-02-14 00:01	26,112	--a------	C:\b642.tmp
2009-02-14 00:00 . 2009-02-14 00:00	41,472	--a------	C:\b643.tmp
2009-02-13 23:54 . 2009-02-13 23:54	104,341	--a------	C:\b644.tmp
2009-02-13 23:54 . 2009-02-13 23:54	102,978	--a------	C:\b645.tmp
2009-02-13 23:49 . 2009-02-13 23:49	25,088	--a------	C:\b648.tmp
2009-02-13 23:49 . 2009-02-13 23:49	7,520	--a------	C:\b646.tmp
2009-02-13 23:49 . 2009-02-13 23:49	5,472	--a------	C:\b647.tmp
2009-02-13 23:48 . 2009-02-13 23:48	1,320	--a------	C:\b649.tmp
2009-02-13 23:07 . 2009-02-13 23:07	6,142	--a------	C:\b6423.tmp
2009-02-13 23:06 . 2009-02-13 23:06	9,415	--a------	C:\b6426.tmp
2009-02-13 23:06 . 2009-02-13 23:06	8,870	--a------	C:\b6429.tmp
2009-02-13 23:06 . 2009-02-13 23:06	57	--a------	C:\b6428.tmp
2009-02-13 23:06 . 2009-02-13 23:06	57	--a------	C:\b6425.tmp
2009-02-13 23:06 . 2009-02-13 23:06	2	--a------	C:\b6427.tmp
2009-02-13 23:06 . 2009-02-13 23:06	2	--a------	C:\b6424.tmp
2009-02-13 12:11 . 2009-02-13 12:11	<DIR>	d--------	C:\My_Outlook_Files
2009-02-13 12:11 . 2009-02-13 12:11	70	--a------	c:\windows\34h929a.o2m
2009-02-13 12:11 . 2009-02-13 12:11	0	--a------	c:\windows\j38fnbs1.tmp
2009-02-13 12:11 . 2009-02-13 12:11	0	--a------	C:\temp.000
2009-02-13 12:10 . 2009-02-14 00:12	<DIR>	d--------	c:\program files\O2M
2009-02-12 13:46 . 2009-02-13 13:35	6,148	--ah-----	C:\.DS_Store
2009-02-12 07:11 . 2009-02-12 07:11	<DIR>	d--hs----	c:\documents and settings\Administrator\PrivacIE
2009-02-12 07:11 . 2009-02-12 07:11	<DIR>	d--hs----	c:\documents and settings\Administrator\IETldCache
2009-02-12 07:06 . 2009-02-18 13:18	4,096	--ahs----	C:\VSNAP.IDX
2009-02-12 07:04 . 2009-02-12 07:04	<DIR>	d--------	c:\windows\ie8updates
2009-02-12 06:57 . 2009-02-12 06:59	<DIR>	d--h-c---	c:\windows\ie8
2009-02-12 06:54 . 2009-01-10 21:00	79,360	-----c---	c:\windows\system32\dllcache\iecompat.dll
2009-02-11 21:22 . 2009-02-12 08:01	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
2009-02-11 21:22 . 2009-02-12 07:59	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 01:02 . 2008-04-13 17:11	21,504	--a------	c:\windows\system32\hidserv.dll
2009-02-11 01:02 . 2008-04-13 17:11	21,504	--a--c---	c:\windows\system32\dllcache\hidserv.dll
2009-02-11 00:48 . 2009-02-11 01:00	<DIR>	d--------	c:\windows\SxsCaPendDel
2009-01-19 15:51 . 2009-01-19 15:51	<DIR>	d--------	c:\documents and settings\All Users\Application Data\farstone
2009-01-19 15:51 . 2009-01-19 15:51	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\FarStone
2009-01-19 15:45 . 2008-10-21 13:54	86,800	--a------	c:\windows\system32\drivers\fvxscsi.sys
2009-01-19 15:45 . 2008-10-29 08:46	18,448	--a------	c:\windows\system32\drivers\fcdabus.sys
2009-01-19 15:45 . 2007-06-15 06:10	17,542	--a------	c:\windows\Driver.ico
2009-01-19 15:45 . 2006-08-08 10:03	14,496	--a------	c:\windows\system32\VDI08X.dat
2009-01-19 15:44 . 2009-01-19 15:44	<DIR>	d--------	c:\program files\FarStone
2009-01-19 15:42 . 2009-01-19 15:42	118,784	--a------	c:\windows\system32\DVC.dll
2009-01-19 15:42 . 2009-01-19 15:42	86,016	--a------	c:\windows\system32\Dversion.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 21:17	---------	d-----w	c:\program files\Chameleon Clock
2009-02-17 23:56	2,553	----a-w	c:\documents and settings\Administrator\Application Data\SAS7_000.DAT
2009-02-17 23:56	---------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 04:00	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-16 03:45	---------	d-----w	c:\documents and settings\Administrator\Application Data\GoodSync
2009-02-16 03:07	---------	d-----w	c:\program files\Lavasoft
2009-02-12 16:27	---------	d-----w	c:\program files\Siber Systems
2009-01-15 10:05	911,872	----a-w	c:\windows\system32\wininet.dll
2009-01-15 10:05	43,008	----a-w	c:\windows\system32\licmgr10.dll
2009-01-15 10:04	18,944	----a-w	c:\windows\system32\corpol.dll
2009-01-15 10:03	72,704	----a-w	c:\windows\system32\admparse.dll
2009-01-15 10:03	71,680	----a-w	c:\windows\system32\iesetup.dll
2009-01-15 10:03	420,352	----a-w	c:\windows\system32\vbscript.dll
2009-01-15 10:01	34,304	----a-w	c:\windows\system32\imgutil.dll
2009-01-15 10:00	48,128	----a-w	c:\windows\system32\mshtmler.dll
2009-01-15 10:00	45,568	----a-w	c:\windows\system32\mshta.exe
2009-01-15 09:50	156,160	----a-w	c:\windows\system32\msls31.dll
2009-01-01 23:18	---------	d-----w	c:\documents and settings\Administrator\Application Data\SmartDraw
2009-01-01 23:14	---------	d-----w	c:\program files\SmartDraw 2006
2009-01-01 23:09	---------	d-----w	c:\program files\SmartDraw 2007
2009-01-01 22:57	---------	d-----w	c:\program files\SmartDraw 2008
2008-10-19 17:29	60,744	----a-w	c:\documents and settings\Administrator\g2mdlhlpx.exe
2008-01-02 23:02	32	----a-w	c:\documents and settings\All Users\Application Data\ezsid.dat
2008-06-12 08:52	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061220080613\index.dat
.
 
(((((((((((((((((((((((((((((   SnapShot@2009-02-16_15.23.00.28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-18 00:57:19	25,214	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\ARPPRODUCTICON.exe
+ 2009-02-18 00:57:19	65,536	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\license.rtf_7AA3663443244EF48C0CD8EF1FC2BEA4.exe
+ 2009-02-18 00:57:19	69,632	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\msodrems.chm_7AA3663443244EF48C0CD8EF1FC2BEA4.exe
+ 2009-02-18 00:57:19	25,214	----a-r	c:\windows\Installer\{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}\NewShortcut1_7AA3663443244EF48C0CD8EF1FC2BEA4.exe
+ 2003-09-15 08:55:53	14,843	----a-w	c:\windows\system32\mingwm10.dll
- 2009-02-12 05:02:27	72,108	----a-w	c:\windows\system32\perfc009.dat
+ 2009-02-18 00:05:38	72,108	----a-w	c:\windows\system32\perfc009.dat
- 2009-02-12 05:02:27	444,358	----a-w	c:\windows\system32\perfh009.dat
+ 2009-02-18 00:05:38	444,358	----a-w	c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock.exe" [2004-01-16 810496]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\320\g2mstart.exe" [2008-10-19 31552]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-12-25 160592]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"LiveState Recovery 3.0"="c:\program files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe" [2005-05-23 1277952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"AudioCommander"="c:\program files\Andrea Electronics\Andrea USB USBD2-A Audio Adapter\AudioCommander.exe" [2006-03-20 888832]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Opware15"="c:\program files\ScanSoft\OmniPage15.0\Opware15.exe" [2006-02-03 69632]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-05-05 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-05-05 40960]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"VirtualDrive"="c:\program files\FarStone\VirtualDrive\VDTask.exe" [2008-11-06 166416]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-10-28 681256]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"CANON DR2080C SVC"="DR2KSVC.dll" [2007-03-02 c:\windows\system32\DR2KSVC.dll]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FsVdInstReboot"="1 (0x1)" [X]
 
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-07-27 2807144]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-09-23 25214]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-08-01 221295]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.PLCMg722"= PLCMg722.acm
"msacm.PLCMg728"= PLCMg728.acm
"msacm.PLCMg729A"= PLCMg729A.acm
"PLCMsiren.acm"= Polycom Siren
"msacm.PLCMsiren"= PLCMsiren.acm
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Adaptec\\Adaptec Storage Manager\\jre15\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
 
R0 adp3132;adp3132;c:\windows\system32\drivers\adp3132.sys [2007-10-26 313856]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-10-28 886056]
S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S3 ctgame;Game Port;c:\windows\system32\drivers\CTGAME.SYS [2002-12-29 12160]
S3 FIXUSTOR;FIXUSTOR;c:\windows\system32\drivers\fixustor.sys [2006-01-04 11136]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-07 33752]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2006-04-03 14032]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24293629-1bcf-11dd-a05f-001320662387}]
\Shell\AutoRun\command - L:\PStart.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-18 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
 
2009-02-18 c:\windows\Tasks\Free World U 1202869839.job
- c:\program files\Intuit\QuickBooks 2007\AutoBackupEXE.exe [2008-03-18 17:40]
 
2009-02-15 c:\windows\Tasks\GBM - Davey-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-09-11 04:27]
 
2009-02-18 c:\windows\Tasks\GBM - Davey-Incremental.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-09-11 04:27]
 
2009-02-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 17:12]
 
2009-01-27 c:\windows\Tasks\NatSpeak_Optimizer_9_51_267CAA42-4886-449C-96FC-E396726BAE4.job
- c:\progra~1\Nuance\NATURA~1\Program\schedmgr.exe []
 
2009-02-17 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe []
 
2009-02-18 c:\windows\Tasks\SyncBackSE Server Backup Download.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2008-02-04 22:40]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{45DB34C3-955C-11D3-ABEF-444553540000} - c:\program files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
IE: {{45DB34C3-955C-11D3-ABEF-444553540001} - c:\program files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
DPF: {6BE807BB-A5F6-4B0E-B611-E7F59C83CC82} - hxxp://vseelab.com/vstart.ocx
DPF: {A44C30C8-7837-410D-84C3-807D2867AEC6} - hxxp://www.formsrus.com/viewer/setup.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8k6xijt7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.freeworldu.org/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8k6xijt7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8k6xijt7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
 
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 13:27:56
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_USERS\Administrator\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,0e,ef,80,16,e8,f7,49,b9,74,a3,\
.
Completion time: 2009-02-18 13:33:14
ComboFix-quarantined-files.txt  2009-02-18 21:31:57
ComboFix2.txt  2009-02-18 20:37:12
ComboFix3.txt  2009-02-16 23:27:03
 
Pre-Run: 128,535,543,808 bytes free
Post-Run: 128,520,261,632 bytes free
 
--- E O F ---	2009-01-15 00:28:59
 
IndiGenus Commented:
How's it running? Still seeing wdmaud.sys?
 
JoshOdom (Author) Commented:
So far so good.  Firefox is working okay now. I would still like to nail down the processes that are unaccounted for and make some determination of how to eliminate them if they are unnecessary. I appreciate all your help.
 
IndiGenus Commented:
"I would still like to nail down the processes that are unaccounted for"

Still not quite sure what you mean. Do you mean malicious, or just unneeded? You can disable unneeded processes with msconfig, or more permanently with HJT.

 
JoshOdom (Author) Commented:
Unneeded. The challenge is determining which processes I need and which I don't.
 
IndiGenus Commented:
Understood. Part of that is your preference. For me, I pretty much only run security related things at startup. In some cases there may be something for your laptop touchpad to work like you want it, or some other system related function.

David-Howard already mentioned a couple. Do you know how to use msconfig to make startup changes? That is one of the easiest ways. You could also use a startup manager... I like using WinPatrol, they have a free version that works nicely for this and it's also a great complement to your security.

http://www.winpatrol.com/

Let us know if you have any specific questions on items.
 
JoshOdom (Author) Commented:
Yes I know how to use MSconfig to make startup changes. The challenge is knowing which processes are needed by Windows and which processes go with which programs. How do we figure that out?
 
IndiGenus Commented:
One of the best databases now is systemlookup. For O4's in HJT (your startups) it's here:

http://www.systemlookup.com/lists.php?list=2

You can search on either the file name or the name, e.g. this entry:

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

Name: SSBkgdUpdate
File Name: SSBkgdupdate.exe

Will give you this:

http://www.systemlookup.com/lists.php?list=2&type=filename&search=SSBkgdupdate.exe&s=

This one can be disabled.

It's not always that clear, sometimes there will be multiple choices for an entry. You need to look at file location, etc.

If you have any questions on any feel free to ask. Hope that helps.
Dave

 
JoshOdom (Author) Commented:
Thank you Dave,

Could you go over that again step by step. The explanation was over my head.

David
 
IndiGenus Commented:
Sorry about that. I'll try again. If you're still not sure I can go through them all and advise. Will just take a bit.

In HijackThis, all the O4 entries are startups. I just did the first one for you, and it can be disabled.

Let's do another:

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

Plug the file name igfxpers.exe into the system lookup database here:

http://www.systemlookup.com/lists.php?list=2

You get this:

http://www.systemlookup.com/lists.php?list=2&type=filename&search=igfxpers.exe&s=

Now, you see three different entries in there. You have to look at the whole line from HJT. In our case here the match is the 3rd one. This is determined by looking at the name:

Persistence

http://www.systemlookup.com/Startup/9351-igfxpers_exe.html

The status code is N.

Using the key:

Status Key:
                   Y = Normally leave to run at start-up
                   N = Not required - often infrequently used tasks that can be started manually, if necessary
                   U = User's choice - depends whether a user deems it necessary
                   X = Malware, spyware, adware, or other potentially unwanted items
                   ? = Currently unknown status

N = Not required to run at startup.

Make sense? If not I can spend a while and go through them all for you if you like. But this way you choose what you want to run, and hopefully learn something by going through the process. The old saying goes......"give a man a fish........"

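The lookup procedure Dave walks through in his last two comments (take an O4 line from the HJT log, split it into the entry name and the file name, search the file name on systemlookup, then read the status letter against the key) as an added Python example. This is not code from the thread, from HijackThis or from systemlookup. The two O4 lines and the status key are copied from the thread; the third sample line (ExampleUpdater / updater.exe) is invented for illustration, and the letters in KNOWN_STATUS are assumed to have been looked up by hand, because the script runs offline and only builds the query URL rather than contacting the site.

```python
"""Parse HijackThis O4 (startup) lines into the pieces the thread looks up on systemlookup.

Added example for this thread: not code from HijackThis, systemlookup or the posters.
"""
import ntpath
import re
from urllib.parse import quote

# Status key exactly as Dave quoted it in the thread.
STATUS_KEY = {
    "Y": "Normally leave to run at start-up",
    "N": "Not required - often infrequently used tasks that can be started manually, if necessary",
    "U": "User's choice - depends whether a user deems it necessary",
    "X": "Malware, spyware, adware, or other potentially unwanted items",
    "?": "Currently unknown status",
}

# Registry-based O4 lines: "O4 - HKLM\..\Run: [Name] <command line>".
# Startup-folder lines ("O4 - Startup: foo.lnk = ...") are deliberately not matched.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[0-9-]+)?)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Command line: either a quoted path, or an unquoted path ending in an executable
# extension; whatever follows a space is treated as arguments.
CMD_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|com|scr|bat|cmd|dll|pif)))(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)


def parse_o4(line):
    """Return hive, key, entry name, path, file name and arguments of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    cm = CMD_RE.match(cmd)
    if cm:
        path = cm.group("q") or cm.group("u")
        args = (cm.group("args") or "").strip()
    else:  # unrecognised shape: keep the whole command line as the path
        path, args = cmd, ""
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "path": path,
        "file_name": ntpath.basename(path),  # ntpath handles backslashes on any OS
        "args": args,
    }


def lookup_url(file_name):
    """Build the systemlookup startup-list query in the same form as the URLs in the thread."""
    return ("http://www.systemlookup.com/lists.php?list=2&type=filename&search="
            + quote(file_name) + "&s=")


def describe_status(code):
    """Expand a one-letter systemlookup status code; unknown codes map to '?'."""
    return STATUS_KEY.get(code.strip().upper(), STATUS_KEY["?"])


def triage(lines, known_status):
    """Annotate each registry O4 line with a status code looked up by file name.

    known_status maps file names (case-insensitive) to status letters, as you would
    record them after checking each file on systemlookup; unlisted files get '?'.
    """
    known = {k.lower(): v for k, v in known_status.items()}
    rows = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        code = known.get(entry["file_name"].lower(), "?")
        rows.append({**entry, "status": code,
                     "meaning": describe_status(code),
                     "lookup": lookup_url(entry["file_name"])})
    return rows


# Constructed sample: the two O4 lines Dave worked through in the thread plus one
# hypothetical entry (ExampleUpdater / updater.exe does not appear on the page).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot',
    r"O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe",
    r'O4 - HKCU\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background',
    "O2 - BHO: (no name) - {placeholder-clsid} - (no file)",
]
# Status letters recorded from the thread: both entries were marked N (can be disabled).
KNOWN_STATUS = {"SSBkgdupdate.exe": "N", "igfxpers.exe": "N"}

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES, KNOWN_STATUS):
        print(f'{row["status"]}  [{row["name"]}] {row["file_name"]:<18} {row["meaning"]}')
        print(f"   lookup: {row['lookup']}")
```

The point of splitting the line this way is the one Dave makes about igfxpers.exe: the file name is what you search, but the entry name (Persistence, SSBkgdUpdate) is what picks the right row when the database returns several matches, so both are kept. Anything that is not a registry Run/RunOnce entry is skipped rather than guessed at, and a file with no recorded status stays at "?" instead of being silently treated as safe to disable.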
 
JoshOdom (Author) Commented:
Thank you so much Dave!