PDA

View Full Version : Help removing Virtumonde and Smitfraud



anotherperson
2008-12-31, 00:01
Disregard my other thread please; I had forgotten to reboot after turning off TeaTimer. Here's the updated HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:28 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\StillSecure\NAC Agent\SAService.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\StillSecure\NAC Agent\SAService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMenu.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hermits.com/flash.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [SSUtility] C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [FjStrtAp] C:\Program Files\Fujitsu\Utils\FjStrtAp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NACSysTray] C:\Program Files\StillSecure\NAC Agent\SAService.exe systray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us.fujitsu.com/computers
O16 - DPF: {0D6BB8B8-0257-420C-B9EB-CFA90DB1026C} - https://safeaccess.hermits.com:89/setup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187644590203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187649586687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL gaujkn.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NAC Agent (NACAgent) - NAC - C:\Program Files\StillSecure\NAC Agent\SAService.exe
O23 - Service: o2flash - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 12394 bytes

shelf life
2009-01-04, 04:32
hi,

lets start with MBAM. link and directions:


Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the MBAM log in reply

anotherperson
2009-01-04, 05:25
First, thank you for the reply. :)

Here's the log... But there's a potential issue that I'd like to bring up. McAfee kept popping up saying that it blocked Vundo and GenericAdClicker; should I have disabled McAfee beforehand? And if so, how do I do that? Also, MBAM is asking me to reboot; should I do this?

Anyway...

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

1/3/2009 10:22:41 PM
mbam-log-2009-01-03 (22-22-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 121412
Time elapsed: 35 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccyaXqq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b98eb2b2-c3e2-4513-852a-73b5b7b78c12} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b98eb2b2-c3e2-4513-852a-73b5b7b78c12} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccyaxqq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccyaxqq -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fccyaXqq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qqXayccf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qqXayccf.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

shelf life
2009-01-04, 05:41
If McAfee keeps throwing up popups then yes you can disable it let MBAM run. yes reboot after the MBAM scan.

anotherperson
2009-01-04, 05:44
How do I disable McAfee?

Sorry, I'm bad at this >_>

shelf life
2009-01-04, 05:59
take a look here:

http://www.bleepingcomputer.com/forums/topic114351.html

anotherperson
2009-01-04, 06:09
Thanks; have re-booted. Currently re-running MBAM and I will post the log when it's finished.

So far though, it looks fine. No infected items came up when MBAM scanned registry items, which is good.

anotherperson
2009-01-04, 06:33
Here's the new log.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

1/3/2009 11:31:53 PM
mbam-log-2009-01-03 (23-31-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 121172
Time elapsed: 22 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2009-01-04, 06:43
ok cruise around (on the internet)make sure all the pop ups, redirects etc are all gone. post one more hjt log. I will be back on line in about 8-10 hrs or so.

anotherperson
2009-01-04, 06:48
Everything seems to be clear; thank you! Here's the HJT log for when you return.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:57 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\StillSecure\NAC Agent\SAService.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\StillSecure\NAC Agent\SAService.exe
C:\Program Files\Fujitsu\Utils\FjMenu.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hermits.com/flash.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [SSUtility] C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [FjStrtAp] C:\Program Files\Fujitsu\Utils\FjStrtAp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NACSysTray] C:\Program Files\StillSecure\NAC Agent\SAService.exe systray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us.fujitsu.com/computers
O16 - DPF: {0D6BB8B8-0257-420C-B9EB-CFA90DB1026C} - https://safeaccess.hermits.com:89/setup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187644590203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187649586687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL gaujkn.dll
O20 - Winlogon Notify: fcccYSmk - fcccYSmk.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NAC Agent (NACAgent) - NAC - C:\Program Files\StillSecure\NAC Agent\SAService.exe
O23 - Service: o2flash - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 12547 bytes

shelf life
2009-01-04, 16:55
hi,

ok good.sometimes this malware can come with other goodies or go out and get more, so lets get one more look for malware. We will use combofix. there is a guide you should read through first. lots of pictures, read through the guide and follow the combofix prompts as you use it;Post the combofix log

the guide;
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

anotherperson
2009-01-05, 01:46
Wait... :oops:

I just installed the wrong version of the console... How do I go about uninstalling it?

If it's not an issue for now (though it probably is), here's the ComboFix log as it is.

ComboFix 09-01-02.01 - Administrator 2009-01-04 18:34:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1253 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\emYUV.dll
c:\windows\system32\hpvaut32.dll
c:\windows\system32\hpvcp70.dll
c:\windows\system32\hpvcr70.dll
c:\windows\system32\mdm.exe

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-04 18:38 . 2004-05-11 13:53 626,960 -ra------ c:\windows\system32\hpvaut32.dll
2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system32\drivers\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
2009-01-03 21:44 . 2009-01-03 21:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-03 21:44 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 21:43 . 2009-01-03 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 21:43 . 2009-01-03 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 21:43 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 12:54 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\McAfee
2008-12-29 00:36 . 2008-12-29 00:36 <DIR> d-------- C:\VundoFix Backups
2008-12-28 19:22 . 2008-12-28 19:22 95 --a------ c:\windows\wininit.ini
2008-12-28 19:05 . 2008-12-28 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-28 19:05 . 2008-12-28 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 19:38 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-20 19:38 . 2009-01-04 18:36 10,621 --a------ c:\windows\system32\Config.MPF
2008-12-20 19:35 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-20 19:35 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-20 19:35 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-20 19:35 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-20 19:35 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-20 19:35 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-20 19:34 . 2008-12-20 19:34 <DIR> d-------- c:\program files\McAfee.com
2008-12-20 19:34 . 2008-12-28 11:21 <DIR> d-------- c:\program files\McAfee
2008-12-20 19:34 . 2008-12-20 19:35 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-20 19:02 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-19 10:16 . 2008-12-19 10:16 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-18 16:56 . 2008-12-18 16:56 <DIR> d-------- c:\program files\Common Files\Pinnacle
2008-12-18 16:56 . 2005-09-24 02:18 171,520 --a------ c:\windows\system32\drivers\MarvinBus.sys
2008-12-18 16:55 . 2008-12-18 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Pinnacle
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Yahoo!
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Pegasus Imaging
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Studio 12
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio Plus
2008-12-18 16:44 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle
2008-12-18 01:41 . 2008-12-18 01:41 <DIR> d-------- c:\program files\Common Files\HP
2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-18 01:38 . 2004-05-11 13:53 82,432 -ra------ c:\windows\system32\MSXML4r.dll
2008-12-18 01:38 . 2004-05-11 13:53 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2008-12-18 01:37 . 2008-12-18 01:37 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-18 01:33 . 2004-03-18 19:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-12-18 01:33 . 2004-03-18 19:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-12-18 01:33 . 2004-03-18 19:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-12-18 01:33 . 2004-03-18 19:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2008-12-18 01:33 . 2004-03-18 19:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-12-18 01:33 . 2004-03-18 19:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-12-18 01:32 . 1998-10-29 19:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-18 01:31 . 2008-12-18 01:43 <DIR> d-------- c:\program files\HP
2008-12-18 01:28 . 2008-12-18 01:44 104,294 --a------ c:\windows\hpoins04.dat
2008-12-18 01:28 . 2004-06-21 05:14 17,176 --------- c:\windows\hpomdl04.dat
2008-12-18 01:26 . 2004-04-12 06:10 581,632 -ra------ c:\windows\system32\hpotscl.dll
2008-12-18 01:26 . 2004-03-13 06:32 278,528 -ra------ c:\windows\system32\hpgwiamd.dll
2008-12-18 01:26 . 2004-03-13 06:34 270,336 -ra------ c:\windows\system32\HPZc3212.dll
2008-12-18 01:26 . 2004-04-12 06:10 90,112 -ra------ c:\windows\system32\hpovst08.dll
2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-12-09 10:56 . 2008-12-09 10:56 <DIR> d--h----- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 05:51 --------- d-----w c:\program files\Jasc Software Inc
2008-12-21 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-20 23:57 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-20 23:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-20 23:55 --------- d-----w c:\program files\Symantec
2008-12-16 17:43 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-12-15 03:16 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
2008-12-02 07:56 --------- d-----w c:\documents and settings\Administrator\Application Data\Jasc
2008-12-02 01:22 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-12-02 01:22 --------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
2008-12-02 00:32 --------- d-----w c:\program files\iTunes
2008-12-02 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-02 00:31 --------- d-----w c:\program files\iPod
2008-12-02 00:31 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 00:30 --------- d-----w c:\program files\QuickTime
2008-11-28 05:46 --------- d-----w c:\program files\GIMP-2.0
2008-11-22 03:04 --------- d-----w c:\program files\Web Publish
2008-11-14 06:10 --------- d-----w c:\program files\Bonjour
2008-11-14 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-14 06:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-14 06:09 --------- d-----w c:\program files\Apple Software Update
2008-11-14 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-13 19:01 --------- d-----w c:\program files\StillSecure
2008-07-21 23:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-13 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-13 271872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 794713]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-07-12 90112]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-20 61440]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-19 220160]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2007-03-13 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2006-06-10 1966080]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2006-07-21 303104]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"NACSysTray"="c:\program files\StillSecure\NAC Agent\SAService.exe" [2008-04-23 1052672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-13 19:11 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2006-06-10 19:02 49152 c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 05:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-13 19:12 32256 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1500:TCP"= 1500:TCP:NAC Agent Port

R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-04-19 8960]
R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2007-04-19 10496]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2007-04-19 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-03 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-10-12 33152]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2007-04-19 17920]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-04-19 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2007-04-19 30976]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-04-19 36608]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-03-08 92550]
R4 NACAgent;NAC Agent;c:\program files\StillSecure\NAC Agent\SAService.exe [2008-04-23 1052672]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2007-04-18 14208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dfe502f-b846-11dd-9177-00215c0a490d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994bdc00-b1b7-11dd-af72-00215c0a490d}]
\Shell\AutoRun\command - E:\CA_EDGEmobile.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2008-12-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-04 c:\windows\Tasks\tnvrlbwf.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-04 c:\windows\Tasks\WebReg 20081226224515.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

2009-01-04 c:\windows\Tasks\WebReg 20090103224534.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

2009-01-04 c:\windows\Tasks\WebReg 20090103224541.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]
.
- - - - ORPHANS REMOVED - - - -

Notify-fcccYSmk - fcccYSmk.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hermits.com/flash.asp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {0D6BB8B8-0257-420C-B9EB-CFA90DB1026C} - hxxps://safeaccess.hermits.com:89/setup.cab
c:\windows\Downloaded Program Files\Setup.inf
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dgttzt1l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hermits.com/flash.asp
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 18:38:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\hpvaut32.dll 626960 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,20,ae,80,46,95,\
ae,21,2e,e2,63,26,f1,3f,c8,ff,68,61,16,ec,66,13,33,8d,ab,e2,63,26,f1,3f,c8,\
ff,68,df,40,41,c1,06,97,9e,85,e2,63,26,f1,3f,c8,ff,68,8c,56,1b,29,08,92,84,\
fb,14,91,0f,0d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,19,31,c7,f4,e6,\
66,32,99,6a,9c,d6,61,af,45,84,18,45,d5,48,6d,7f,47,5d,e9,6a,9c,d6,61,af,45,\
84,18,43,0f,be,8b,54,12,c5,50,46,47,15,b0,92,4b,c7,ef,1a,1f,9d,68,32,92,50,\
69,c8,ef,bd,53

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,50,51,3f,43,a4,\
de,10,b2,ff,7c,85,e0,43,d4,0e,fe,66,f3,fd,47,d0,09,cd,d3,ff,7c,85,e0,43,d4,\
0e,fe,8c,2a,fa,45,44,df,e2,cd,ff,7c,85,e0,43,d4,0e,fe,fe,85,1d,9a,77,08,35,\
6b,92,b8,00,fd

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,68,ec,56,9c,27,\
5f,55,09,86,8c,21,01,be,91,eb,e7,41,9b,02,ff,09,f4,28,db,86,8c,21,01,be,91,\
eb,e7,d4,e6,63,dd,e6,35,9b,15,3e,1e,9e,e0,57,5a,93,61,7c,3d,eb,f5,33,a9,2d,\
9f,91,aa,0e,62

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,9d,ce,70,4e,14,\
6f,ac,fd,f5,1d,4d,73,a8,13,5c,05,62,0a,74,a2,8b,2e,96,2b,f5,1d,4d,73,a8,13,\
5c,05,b7,e2,e6,8d,3f,8e,24,09,e9,02,6c,fa,fb,1d,47,57,3a,47,a1,bc,4b,10,6d,\
1b,91,fc,fa,ba

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,03,54,e3,85,d5,\
72,47,d0,df,20,58,62,78,6b,cf,c8,e9,65,cb,ad,ee,4c,f0,02,df,20,58,62,78,6b,\
cf,c8,96,b9,92,eb,7d,20,e2,16,b0,18,ed,a7,3f,8d,37,a4,48,dc,45,94,91,1d,41,\
bf,03,1c,51,d2

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,b3,8b,36,6c,bb,\
ee,23,a5,fb,a7,78,e6,12,2f,9a,ea,4a,3a,f1,b3,ba,d7,17,1f,fb,a7,78,e6,12,2f,\
9a,ea,42,48,79,82,0b,5c,00,44,fb,a7,78,e6,12,2f,9a,ea,cd,28,a5,35,8b,bf,9f,\
25,38,a9,09,c8

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,62,6d,87,d3,08,\
b1,97,9f,01,3a,48,fc,e8,04,4a,f1,53,58,4f,44,cc,a7,74,f9,01,3a,48,fc,e8,04,\
4a,f1,3f,b7,91,b9,6d,6c,c2,70,01,3a,48,fc,e8,04,4a,f1,e3,7e,ac,7a,89,66,2f,\
d2,3b,f7,b1,26

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0d,1a,5b,36,1b,\
e6,79,f2,f6,0f,4e,58,98,5b,89,c9,0b,00,6d,a1,ad,f1,d5,6f,f6,0f,4e,58,98,5b,\
89,c9,f2,02,23,2e,39,64,f3,f3,b2,46,9a,e2,1b,fe,1b,94,af,f0,9b,f1,02,9e,7e,\
a5,3d,a5,b0,be

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,7b,cc,93,96,cb,\
39,cb,74,3d,ce,ea,26,2d,45,aa,78,af,24,57,95,f3,04,09,dc,3d,ce,ea,26,2d,45,\
aa,78,d9,be,01,57,86,fc,29,50,b1,cd,45,5a,a8,c4,f8,b9,63,f4,11,38,ee,50,8f,\
d4,c4,a2,71,19

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,08,d7,60,93,63,\
fb,cd,b1,2a,b7,cc,b5,b9,7f,41,e7,01,0c,62,ad,4c,0b,92,de,2a,b7,cc,b5,b9,7f,\
41,e7,9e,b3,0c,db,23,b5,fb,14,f8,31,0f,a9,5f,a0,ec,fb,da,ee,01,35,d7,58,74,\
93,6f,75,17,b6

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,76,be,2a,44,ea,\
7a,bd,ed,6c,43,2d,1e,aa,22,2f,9c,9c,5a,37,a8,52,c7,0d,5a,6c,43,2d,1e,aa,22,\
2f,9c,32,0b,c4,b7,01,d9,d9,f9,05,73,21,dd,54,d8,4a,c5,44,8b,ed,e2,ac,f2,b2,\
45,f6,8e,8f,16
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\program files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\digtizer.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\o2flash.exe
c:\program files\Softex\OmniPass\OmniServ.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Fujitsu\Utils\FjDspMon.exe
c:\program files\Fujitsu\Utils\FjEvents.exe
c:\program files\Fujitsu\Utils\FjMenu.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\system32\igfxext.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2009-01-04 18:42:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 23:42:24

Pre-Run: 79,633,453,056 bytes free
Post-Run: 79,499,034,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

392 --- E O F --- 2008-12-19 15:16:44

shelf life
2009-01-05, 03:26
hi,

combofix removed some items. rest look ok. Iam surprised you didn't get some kind of warning or something before the install of the recovery console. Its really only installed as a precaution. most computers do not have it installed and you most likely would never have to use it. there is directions for removing it but i dont know its worth the trouble or risk to do so-- links:

near bottom of page:
http://support.microsoft.com/kb/307654

and here:
http://www.bleepingcomputer.com/tutorials/tutorial117.html#delete

anotherperson
2009-01-05, 03:39
Alright, well I'll just keep it there for now and delete it later if it gives me trouble.

Anything else I should do?

shelf life
2009-01-05, 03:55
hi,

we will use combofix to remove a file;

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



File::
c:\windows\Tasks\tnvrlbwf.job


Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop.
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log.

anotherperson
2009-01-05, 04:08
Here you go. Though I noticed that it re-deleted hpvaut32.dll. That's odd...


ComboFix 09-01-02.01 - Administrator 2009-01-04 21:04:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1364 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\tnvrlbwf.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hpvaut32.dll
c:\windows\Tasks\tnvrlbwf.job

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system32\drivers\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
2009-01-03 21:44 . 2009-01-03 21:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-03 21:44 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 21:43 . 2009-01-03 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 21:43 . 2009-01-03 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 21:43 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 12:54 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\McAfee
2008-12-29 00:36 . 2008-12-29 00:36 <DIR> d-------- C:\VundoFix Backups
2008-12-28 19:22 . 2008-12-28 19:22 95 --a------ c:\windows\wininit.ini
2008-12-28 19:05 . 2008-12-28 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-28 19:05 . 2008-12-28 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 19:38 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-20 19:38 . 2009-01-04 21:01 10,621 --a------ c:\windows\system32\Config.MPF
2008-12-20 19:35 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-20 19:35 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-20 19:35 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-20 19:35 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-20 19:35 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-20 19:35 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-20 19:34 . 2008-12-20 19:34 <DIR> d-------- c:\program files\McAfee.com
2008-12-20 19:34 . 2008-12-28 11:21 <DIR> d-------- c:\program files\McAfee
2008-12-20 19:34 . 2008-12-20 19:35 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-20 19:02 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-19 10:16 . 2008-12-19 10:16 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-18 16:56 . 2008-12-18 16:56 <DIR> d-------- c:\program files\Common Files\Pinnacle
2008-12-18 16:56 . 2005-09-24 02:18 171,520 --a------ c:\windows\system32\drivers\MarvinBus.sys
2008-12-18 16:55 . 2008-12-18 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Pinnacle
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Yahoo!
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Pegasus Imaging
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Studio 12
2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio Plus
2008-12-18 16:44 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle
2008-12-18 01:41 . 2008-12-18 01:41 <DIR> d-------- c:\program files\Common Files\HP
2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-18 01:38 . 2004-05-11 13:53 82,432 -ra------ c:\windows\system32\MSXML4r.dll
2008-12-18 01:38 . 2004-05-11 13:53 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2008-12-18 01:37 . 2008-12-18 01:37 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-18 01:33 . 2004-03-18 19:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-12-18 01:33 . 2004-03-18 19:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-12-18 01:33 . 2004-03-18 19:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-12-18 01:33 . 2004-03-18 19:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2008-12-18 01:33 . 2004-03-18 19:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-12-18 01:33 . 2004-03-18 19:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-12-18 01:32 . 1998-10-29 19:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-18 01:31 . 2008-12-18 01:43 <DIR> d-------- c:\program files\HP
2008-12-18 01:28 . 2008-12-18 01:44 104,294 --a------ c:\windows\hpoins04.dat
2008-12-18 01:28 . 2004-06-21 05:14 17,176 --------- c:\windows\hpomdl04.dat
2008-12-18 01:26 . 2004-04-12 06:10 581,632 -ra------ c:\windows\system32\hpotscl.dll
2008-12-18 01:26 . 2004-03-13 06:32 278,528 -ra------ c:\windows\system32\hpgwiamd.dll
2008-12-18 01:26 . 2004-03-13 06:34 270,336 -ra------ c:\windows\system32\HPZc3212.dll
2008-12-18 01:26 . 2004-04-12 06:10 90,112 -ra------ c:\windows\system32\hpovst08.dll
2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-12-09 10:56 . 2008-12-09 10:56 <DIR> d--h----- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 05:51 --------- d-----w c:\program files\Jasc Software Inc
2008-12-21 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-20 23:57 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-20 23:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-20 23:55 --------- d-----w c:\program files\Symantec
2008-12-16 17:43 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-12-15 03:16 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
2008-12-02 07:56 --------- d-----w c:\documents and settings\Administrator\Application Data\Jasc
2008-12-02 01:22 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-12-02 01:22 --------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
2008-12-02 00:32 --------- d-----w c:\program files\iTunes
2008-12-02 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-02 00:31 --------- d-----w c:\program files\iPod
2008-12-02 00:31 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 00:30 --------- d-----w c:\program files\QuickTime
2008-11-28 05:46 --------- d-----w c:\program files\GIMP-2.0
2008-11-22 03:04 --------- d-----w c:\program files\Web Publish
2008-11-14 06:10 --------- d-----w c:\program files\Bonjour
2008-11-14 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-14 06:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-14 06:09 --------- d-----w c:\program files\Apple Software Update
2008-11-14 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-13 19:01 --------- d-----w c:\program files\StillSecure
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-07-21 23:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-13 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-13 271872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 794713]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-07-12 90112]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-20 61440]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-19 220160]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2007-03-13 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2006-06-10 1966080]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2006-07-21 303104]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"NACSysTray"="c:\program files\StillSecure\NAC Agent\SAService.exe" [2008-04-23 1052672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-13 19:11 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2006-06-10 19:02 49152 c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 05:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-13 19:12 32256 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1500:TCP"= 1500:TCP:NAC Agent Port

R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-04-19 8960]
R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2007-04-19 10496]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2007-04-19 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-03 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-10-12 33152]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2007-04-19 17920]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-04-19 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2007-04-19 30976]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-04-19 36608]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-03-08 92550]
R4 NACAgent;NAC Agent;c:\program files\StillSecure\NAC Agent\SAService.exe [2008-04-23 1052672]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2007-04-18 14208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dfe502f-b846-11dd-9177-00215c0a490d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994bdc00-b1b7-11dd-af72-00215c0a490d}]
\Shell\AutoRun\command - E:\CA_EDGEmobile.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2008-12-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-04 c:\windows\Tasks\WebReg 20081226224515.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

2009-01-04 c:\windows\Tasks\WebReg 20090103224534.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

2009-01-04 c:\windows\Tasks\WebReg 20090103224541.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hermits.com/flash.asp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {0D6BB8B8-0257-420C-B9EB-CFA90DB1026C} - hxxps://safeaccess.hermits.com:89/setup.cab
c:\windows\Downloaded Program Files\Setup.inf
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dgttzt1l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hermits.com/flash.asp
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 21:06:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\program files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2009-01-04 21:07:12
ComboFix-quarantined-files.txt 2009-01-05 02:07:09
ComboFix2.txt 2009-01-04 23:42:29

Pre-Run: 79,469,232,128 bytes free
Post-Run: 79,453,270,016 bytes free

263 --- E O F --- 2008-12-19 15:16:44

shelf life
2009-01-05, 23:46
hi,

thanks for the info. Looks ok to me. you can remove combofix like this;

start>run and type in;
combofix /u
click ok or enter
Note; there is a space after the x and before the /

Keep MBAM and always check for updates before scanning with it. The paid version offers auto updates and real time protection.

MBAM does a good job of removing malware from the restore archive but you can manually make a new clean restore point like this;

One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

if all is good--- some tips for you;

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities. Always install Service Packs.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons.You may be installing more than you think.

3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install a third party software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

anotherperson
2009-01-06, 00:37
Thank you very much for the help; everything looks to be in order now.

I'll post again if I have more problems, but again, I can't thank you enough. :):):)