
Help w/Vundo/Virtumonde



InfectedComputer
2009-03-30, 02:48
Help! I got infected with Vundo/Virtumonde.

Vundo!Grb was detected by McAfee On-Access scan.

I then ran Spybot, which detected several items related to Virtumonde. I had Spybot fix these, but the problems didn't go away. The system is slow, and I'm getting popups. Taskmgr is running at 15-25% CPU even with no windows open.

Some .dll files that I can't delete were generated in Windows/system32, plus a file named Zofaziba that keeps regenerating itself after I try to delete it. Over the last few days, 8 new .exe files with funny names have been created in windows/system32.

I have McAfee (VirusScan Enterprise 7.1.0, virus definitions 5562 3/23/2009, scan engine 5.3.00). Since my machine got infected, McAfee On-Access scan sometimes is disabled when I log in. McAfee On-Demand scan isn't finding anything.

Ad-Aware detected only some tracking cookies. I had it remove them. But the Ad-Aware log has the funny .dll's showing up in every process.

Windows malicious software removal tool won't even start.

My machine has Windows XP Pro with SP1 (yeah, I know, I should have upgraded the service pack; I'll be sure to do that once the machine is clean). It has 2 admin logins, 5 user logins, and a guest login. Also, "Administrator" and one of my 2 admin logins come up as login choices when I boot in safe mode, but I've forgotten the password for "Administrator". Does anything special have to be done to make sure all problems get fixed related to any/all of these logins?

I had at least one of my several external USB hard drives connected when the infection occurred. Also at least one USB flash drive. How do I deal with those? -- do they have to be disinfected as well?

I will be most appreciative of any help you can provide.


Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:39 PM, on 3/29/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30ed70f8-faa2-4a7d-9431-70bdb8a46f97} - C:\WINDOWS\System32\kobihudi.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: (no name) - {f9328a9a-e18c-478e-b89b-bc896a7c9b6e} - C:\WINDOWS\System32\kobihudi.dll
O2 - BHO: {8ff28ff9-1664-96eb-a5c4-b2fba760b69f} - {f96b067a-bf2b-4c5a-be69-46619ff82ff8} - C:\WINDOWS\System32\wfokyf.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\System32\gotifodo.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [Download] "C:\Program Files\Bellsouth\HelpCenter\ssGet.exe" 120 "http://download.fastaccess.com/download/HC43SInstaller.exe" "HC43SInstaller.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\System32\gotifodo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\System32\gotifodo.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\gotifodo.dll wfokyf.dll c:\windows\system32\fobekuwe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fobekuwe.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fobekuwe.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10935 bytes
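The log above shows the load points this family leaned on: two BHOs (O2) and a Run key (O4) pointing at random-looking DLLs in System32, the same DLL also planted in the LOCAL SERVICE and NETWORK SERVICE hives, a populated AppInit_DLLs value (O20), and SSODL/SharedTaskScheduler registrations (O21/O22) whose file is already gone. The following is an added example for this page, not a Spybot, Trend Micro or forum tool and not code from either poster: a small Python triage script that scores HijackThis lines for exactly that pattern. The sample input is a handful of lines copied from the posted log plus a few legitimate entries from it as negative cases; the weights, the threshold of 3 and the consonant/vowel name heuristic are the example's own assumptions, not published detection logic.

```python
"""HijackThis log triage for the Vundo/Virtumonde persistence pattern.

Scores each HJT line for: BHOs (O2) and Run keys (O4) pointing at random-
looking DLLs in System32, a populated AppInit_DLLs value (O20), SSODL and
SharedTaskScheduler registrations whose file is gone (O21/O22), and Run keys
planted in the LOCAL SERVICE / NETWORK SERVICE hives (HKUS S-1-5-19 and -20).
"""
import re

HOOK_RE = re.compile(r"^(O\d+) - (.*)$")
# Optional drive-rooted directory (may contain spaces), then a DLL basename.
DLL_RE = re.compile(r'(?P<dir>(?:[a-z]:\\[^"]*?\\)?)(?P<name>[^\s"\\]+\.dll)', re.I)
RUNDLL_SINGLE_EXPORT_RE = re.compile(r'rundll32\.exe\s+"?[^"]+\.dll"?,[a-z]\b', re.I)
SERVICE_HIVE_RE = re.compile(r"HKUS\\S-1-5-(19|20)\\")
GUID_NAMED_BHO_RE = re.compile(r"^BHO: \{[0-9a-f-]{36}\} - ", re.I)

# Constructed sample: lines copied from the HJT log posted above, including
# legitimate entries (Adobe, NVIDIA, the NetWare LSP) as negative cases.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30ed70f8-faa2-4a7d-9431-70bdb8a46f97} - C:\WINDOWS\System32\kobihudi.dll
O2 - BHO: {8ff28ff9-1664-96eb-a5c4-b2fba760b69f} - {f96b067a-bf2b-4c5a-be69-46619ff82ff8} - C:\WINDOWS\System32\wfokyf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\System32\gotifodo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\System32\gotifodo.dll",s (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\gotifodo.dll wfokyf.dll c:\windows\system32\fobekuwe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fobekuwe.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def looks_random(stem):
    """Name heuristic (assumption): 6-10 lowercase letters with near-total
    consonant/vowel alternation, like kobihudi or gotifodo. A hint, not proof."""
    if not (6 <= len(stem) <= 10 and stem.isalpha() and stem.islower()):
        return False
    vowels = set("aeiouy")
    flips = sum((a in vowels) != (b in vowels) for a, b in zip(stem, stem[1:]))
    return flips >= len(stem) - 2


def score_line(line):
    """Return (hook, score, reasons, dll_basenames) for one HJT line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None, 0, [], []
    hook, body = m.groups()
    hits = []  # (points, reason); the weights are this example's own choice
    if hook == "O20" and body.startswith("AppInit_DLLs:"):
        hits.append((3, "AppInit_DLLs populated: loaded into every process that maps user32.dll"))
    if hook in ("O21", "O22"):
        hits.append((2, f"{hook} shell load point"))
        if "(file missing)" in body:
            hits.append((1, "registration survives but its file is gone"))
    if hook == "O4" and RUNDLL_SINGLE_EXPORT_RE.search(body):
        hits.append((2, "Rundll32 calling a single-letter export"))
    if hook == "O4" and SERVICE_HIVE_RE.search(body):
        hits.append((2, "Run key planted in a service-account hive"))
    if hook == "O2" and ("(no name)" in body or GUID_NAMED_BHO_RE.match(body)):
        hits.append((1, "BHO with no readable name"))
    dlls = []
    for dm in DLL_RE.finditer(body):
        name = dm.group("name").lower()
        dlls.append(name)
        # A bare basename resolves through the default DLL search path, which
        # includes System32, so it is treated like an explicit System32 path.
        directory = dm.group("dir").lower()
        if (directory == "" or directory.endswith("\\system32\\")) and looks_random(name[:-4]):
            hits.append((2, f"{name}: random-looking name in System32"))
    return hook, sum(p for p, _ in hits), [r for _, r in hits], dlls


def triage(log_text, threshold=3):
    """Every DLL named on a line scoring >= threshold, keyed by basename, with the
    set of load points it sits under; two or more is the classic Vundo footprint."""
    findings = {}
    for line in log_text.splitlines():
        hook, score, reasons, dlls = score_line(line)
        if score < threshold:
            continue
        for dll in dlls:
            entry = findings.setdefault(dll, {"score": 0, "hooks": set(), "reasons": set()})
            entry["score"] = max(entry["score"], score)
            entry["hooks"].add(hook)
            entry["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for dll, entry in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{dll:14} score={entry['score']:2} hooks={sorted(entry['hooks'])}")
```

On the sample it reports kobihudi.dll, wfokyf.dll, gotifodo.dll and fobekuwe.dll, the last three each under two load points, while NvCpl.dll, nwprovau.dll and AcroIEHelper.dll score zero. A flagged DLL is a lead for the tool-assisted removal the helper walks through below, not a verdict: the name heuristic is tuned to the generator this family used and says nothing about a DLL with a plausible name.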

peku006
2009-03-31, 18:57
Hello and welcome to Safer Networking.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

InfectedComputer
2009-04-01, 15:40
Hello peku006,

Thanks for your response.

I disabled McAfee and turned off Windows Firewall. I don't use the Tea Timer. I ran Combofix. I had previously unplugged the computer from the internet (I am corresponding from a different computer), because the computer starts acting weird when it's connected. The Combofix Guide seemed to imply that an internet connection was only needed if the Recovery Console was not already installed. I already have the Recovery Console installed, so I left the ethernet cable unplugged. [For future reference, though, I do have that missing "Administrator" password problem I mentioned before, so I've never been able to use the console.]

Everything ran as described in the Guide until the screen went blank before the stage where the log is prepared. Then after a short while a blue window (formatted like Combofix) popped up and read something like “Rebooting Windows, please wait. Do not manually reboot the machine yourself!” The computer rebooted in normal mode and returned to the welcome screen. As this point, do I go ahead and log in (to the same administrative user account from which I ran ComboFix, I presume)? That seems like the obvious thing to do, but since the ComboFix Guide didn't mention the possibility that it might reboot the machine before producing the log, and your instructions said to ask if unsure, I thought I'd better ask.

Regards,

"InfectedComputer"

peku006
2009-04-01, 17:29
Hi InfectedComputer


to the same administrative user account from which I ran ComboFix, I presume?
Yes, that is right.

InfectedComputer
2009-04-01, 19:22
Hi peku006,

The ComboFix box titled "Find3M" came up with the message "Preparing Log Report" and the instruction not to run any programs until finished. Then three windows popped up:

1. C:\combofix\psexec.cfexe -- "c:\combofix\psexec.cfexe is not a valid Win32 application."

2. RUNDLL -- "Error loading C:\windows\system32\gotifodo.dll. The specified module could not be found." This is one of those funny dll's. So I guess the program killed the file but not the startup instruction.

3. "HelpCenter Download Manager" from my ISP (BellSouth/AT&T) asking me to upgrade the HelpCenter for my DSL. This always comes up, and I always just close this window.

I left these windows alone because I had to step away from the computer for a business call. I came back an hour later and nothing had happened so I exited windows #2 and 3.

Another half hour has gone by and still nothing happening. I assume I should go ahead and exit out of window #1 and see what happens?

Regards,

"InfectedComputer"

peku006
2009-04-01, 19:42
Hi InfectedComputer

OK, don't worry about ComboFix; we'll try different tools.

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.

http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png

After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

2 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware Log

Thanks peku006

InfectedComputer
2009-04-01, 20:31
Hi peku006,

I exited out of the error window, and after a few minutes ComboFix produced a log. Do you want me to send that to you and wait for further instructions before proceeding to Malwarebytes and RSIT?

What is the best way to send you the ComboFix log? Is it better to (1) connect to the forum from my infected computer, or (2) copy the log to a USB key and transfer it to my clean computer?

Regarding option #1, my infected computer has been doing strange things when I connect to the internet.

Regarding option #2, my clean computer (on which I'm typing this post) is my work computer and I can't take *any* chance that it could get infected by a file transfer.

What do you recommend? If we go with option #1, I assume it would be better to connect to the internet from a regular user logon rather than an administrator logon?

Regards,

"InfectedComputer"

peku006
2009-04-01, 21:55
Hi InfectedComputer

Do you want me to send that to you and wait for further instructions before proceeding to Malwarebytes and RSIT?
Yes, send it. Do not run RSIT or MBAM yet.

What do you recommend? If we go with option #1, I assume it would be better to connect to the internet from a regular user logon rather than an administrator logon?
If you have access to the internet with the infected computer, you can use it, with "administrator privileges".

InfectedComputer
2009-04-01, 22:34
Hi peku006,

Here's the ComboFix log.

Regards,

"InfectedComputer"

----------------------------------------------------------

ComboFix 09-03-28.02 - dmakoc 2009-04-01 8:51:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.767.469 [GMT -4:00]
Running from: c:\documents and settings\dmakoc\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Matt\Cookies\MM2048.DAT
c:\documents and settings\Matt\Cookies\MM256.DAT
c:\windows\system32\rihobije.dll
c:\windows\system32\wasizula.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD


((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-29 20:15 . 2009-03-29 20:15 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 19:46 . 2009-03-29 19:46 <DIR> d-------- c:\program files\ERUNT
2009-03-29 12:21 . 2009-03-29 12:21 2,098 ---hs---- c:\windows\SYSTEM32\diyudejo.exe
2009-03-28 21:20 . 2009-03-28 21:20 2,098 ---hs---- c:\windows\SYSTEM32\lohukehi.exe
2009-03-28 06:20 . 2009-03-28 06:20 2,098 ---hs---- c:\windows\SYSTEM32\sowatoto.exe
2009-03-27 15:20 . 2009-03-27 15:20 2,098 ---hs---- c:\windows\SYSTEM32\gasefiwa.exe
2009-03-27 00:19 . 2009-03-27 00:19 2,098 ---hs---- c:\windows\SYSTEM32\vayedomo.exe
2009-03-26 09:19 . 2009-03-26 09:19 2,098 ---hs---- c:\windows\SYSTEM32\yonozise.exe
2009-03-25 18:19 . 2009-03-25 18:19 2,098 ---hs---- c:\windows\SYSTEM32\tilufewa.exe
2009-03-25 15:18 . 2009-03-29 12:21 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\ATTTOOLBAR
2009-03-18 23:43 . 2009-03-18 23:43 2,294,837 --a------ c:\documents and settings\Lilin\HCUpgrade3.1.exe
2009-03-08 12:13 . 2009-03-08 12:13 <DIR> d-------- c:\documents and settings\Matt2\Application Data\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 01:57 --------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
2009-03-24 18:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 17:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 04:21 --------- d-----w c:\documents and settings\dmakoc\Application Data\U3
2009-03-22 18:31 --------- d-----w c:\documents and settings\Lilin\Application Data\ATTTOOLBAR
2009-03-21 18:47 --------- d-----w c:\documents and settings\Matt2\Application Data\U3
2009-03-14 03:20 --------- d-----w c:\documents and settings\Adam\Application Data\ATTTOOLBAR
2009-03-08 21:06 --------- d-----w c:\documents and settings\dmakoc\Application Data\WinFF
2009-02-27 20:31 --------- d-----w c:\documents and settings\Alexander\Application Data\ATTTOOLBAR
2009-02-11 05:46 --------- d-----w c:\documents and settings\Matt2\Application Data\ATTTOOLBAR
2009-02-08 05:56 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-02-07 20:37 --------- d-----w c:\documents and settings\dmakoc\Application Data\ATTToolbar
2009-02-06 19:45 --------- d-----w c:\documents and settings\Matt\Application Data\ATTTOOLBAR
2009-02-06 19:38 --------- d-----w c:\documents and settings\Arthur\Application Data\ATTTOOLBAR
2009-02-06 16:25 --------- d-----w c:\program files\Common Files\Motive
2009-02-06 16:25 --------- d-----w c:\program files\ATTToolbar
2009-02-06 16:19 --------- d-----w c:\documents and settings\dmakoc\Application Data\Motive
2009-02-06 15:56 --------- d-----w c:\program files\ATT-HSI
2009-02-06 15:46 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-02-04 05:04 --------- d-----w c:\program files\Lavasoft
2009-02-04 05:04 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-04 05:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-26 19:17 97,296 ----a-w c:\documents and settings\Lilin\Application Data\GDIPFONTCACHEV1.DAT
2009-01-19 20:52 97,296 ----a-w c:\documents and settings\dmakoc\Application Data\GDIPFONTCACHEV1.DAT
2009-01-15 04:53 1,610,790 ----a-w c:\documents and settings\dmakoc\HC43SInstaller.exe
2009-01-08 05:30 172,544 ----a-w c:\windows\SYSTEM32\schedsvc.dll
2007-02-15 22:44 784 ----a-w c:\documents and settings\Alexander\Application Data\mpauth.dat
2006-11-07 02:33 93,408 ----a-w c:\documents and settings\Alexander\Application Data\GDIPFONTCACHEV1.DAT
2006-02-11 16:32 558,675 ----a-w c:\documents and settings\dmakoc\HCUpgrade3.1.exe
2005-05-02 16:23 323 ---ha-w c:\documents and settings\dmakoc\hpothb07.dat
2005-05-02 16:23 161 ---ha-w c:\documents and settings\Lilin\hpothb07.dat
2005-03-31 03:06 164 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2005-01-31 18:47 376 ---ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat
2004-12-06 15:21 186 ---ha-w c:\documents and settings\Lilin\Application Data\hpothb07.dat
2004-01-05 22:00 64,392 ----a-w c:\documents and settings\Adam\Application Data\GDIPFONTCACHEV1.DAT
2002-11-10 08:33 63,208 ----a-w c:\documents and settings\Matt2\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"WinMem"="c:\program files\blcorp\UWCSuite\WinMem\WinMem.exe" [2003-12-02 376320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-08-02 368720]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-07-15 1544192]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"MaxtorCombo"="c:\progra~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-15 40960]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" [2003-11-17 729088]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-10 406016]
"RCScheduleCheck"="c:\program files\VCOM\Recovery Commander\RCSCHED.EXE" [2003-10-21 151552]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-29 180269]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"nwiz"="nwiz.exe" [2003-05-02 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\dmakoc\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= "c:\program files\VCOM\Recovery Commander\RCHOOK.DLL" [2003-07-08 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2003-12-01 15:34 24665 c:\windows\SYSTEM32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux1"= ctwdm32.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [2002-08-14 5632]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-01-01 28672]
R2 Scap;SecureClient Application Policy Module;c:\windows\SYSTEM32\DRIVERS\scap.sys [2004-03-26 17296]
R2 VPN-1;VPN-1 Module;c:\windows\SYSTEM32\DRIVERS\vpn.sys [2004-03-26 668336]
R3 FW1;SecuRemote Miniport;c:\windows\SYSTEM32\DRIVERS\fw.sys [2004-03-26 2038128]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [2002-04-19 6942]
R3 mxDisk;mxDisk;c:\progra~1\VCOM\Fix-It\mxDisk.sys [2005-05-10 51656]
S2 VRDVC20;Sony VRD-VC20 [Video Capture];c:\windows\SYSTEM32\DRIVERS\VRDVC20X.SYS [2006-02-25 18:11:47 31104]
S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [2002-04-19 281856]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [2005-01-04 155264]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\SYSTEM32\DRIVERS\OMVA.sys [2004-03-26 14924]
S3 VVRUSB;VVRUSB Device;c:\windows\SYSTEM32\DRIVERS\VVRUSB.sys [2004-09-14 38479]
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-03-02 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7900#CN38V220VXEV.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2009-04-01 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 17:23]

2002-05-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 06:41]

2002-05-19 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 06:41]

2002-05-19 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 06:41]

2009-04-01 c:\windows\Tasks\Scheduled Checkpoint.job
- c:\program files\VCOM\Recovery Commander\RCSCHED.EXE [2003-10-21 13:20]

2009-03-29 c:\windows\Tasks\WebReg officejet 6300 series.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2006-02-19 05:09]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Download - c:\program files\Bellsouth\HelpCenter\ssGet.exe 120 http://download.fastaccess.com/download/HC43SInstaller.exe
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-pijupakapa - c:\windows\System32\gotifodo.dll
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uDefault_Search_URL = hxxp://ie.search.msn.com
mStart Page = hxxp://www.dellnet.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 14:01:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DellTouch = c:\windows\DELLMMKB.EXE
AdaptecDirectCD = "c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
UpdReg = c:\windows\Updreg.exe
AHQInit = c:\program files\Creative\SBLive\Program\AHQInit.exe
BJCFD = c:\program files\BroadJump\Client Foundation\CFD.exe
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray
NvCplDaemon = RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
MaxtorCombo = "c:\progra~1\Dantz\RETROS~1\ComboButton.exe"
MXO Auto Loader = c:\windows\MXOaldr.exe
HPDJ Taskbar Utility = c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
HPHUPD05 = c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Component Manager = "c:\program files\HP\hpcoretech\hpcmpmgr.exe"
HPHmon05 = c:\windows\System32\hphmon05.exe
ShStatEXE = "c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
DNS7reminder = "c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "c:\program files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
PinnacleDriverCheck = c:\windows\System32\PSDrvCheck.exe -CheckReg

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,32,31,14,99,61,
31,74,86,c8,28,51,af,b0,29,a3,98,de,8c,45,98,c6,3d,6f,4f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,be,db,f6,31,50,
8b,65,8a,71,3b,04,66,8b,46,0d,96,7b,86,1e,c8,f5,15,6a,6d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,aa,6f,0a,18,3d,
39,ee,8a,25,da,ec,7e,55,20,c9,26,33,da,6e,a7,a0,c1,ff,36,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,5d,e2,8c,1c,7c,
30,56,c1,3e,1e,9e,e0,57,5a,93,61,53,99,e5,4b,fd,dd,52,d0,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ce,cd,40,94,59,
2b,df,ba,cd,44,cd,b9,a6,33,6c,cd,e5,51,9c,d7,81,fd,51,06,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,74,1a,bd,2b,d8,
cb,8e,80,b0,18,ed,a7,3f,8d,37,a4,5b,c0,de,db,23,e0,b3,a6,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,5e,e7,f6,11,5f,
f4,84,c8,31,77,e1,ba,b1,f8,68,02,1a,66,6d,16,21,b5,05,ce,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,84,ed,f7,8b,f0,
35,8b,f2,83,6c,56,8b,a0,85,96,ab,e2,55,8a,87,1f,f7,9d,03,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d2,34,6e,b1,b0,
88,cc,c6,51,fa,6e,91,28,9e,14,cc,d6,08,5c,25,5d,99,f8,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,a7,8c,a9,c6,70,
a4,85,26,b1,cd,45,5a,a8,c4,f8,b9,e3,21,47,0c,b2,8f,4a,7c,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,db,48,e1,79,a9,
ae,52,31,e3,0e,66,d5,eb,bc,2f,6b,2e,9f,90,c5,08,6f,ca,5d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a8,6e,be,44,74,
ba,7c,c5,fa,ea,66,7f,d4,3b,6b,70,93,7a,fd,d1,66,cc,1b,4e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\progra~1\VCOM\Fix-It\MXTASK.exe
c:\progra~1\Symantec\NORTON~1\GHOSTS~2.EXE
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\progra~1\VCOM\Fix-It\MXTASK.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\Netropa\OSD.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\windows\SYSTEM32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-04-01 14:05:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 18:05:24

Pre-Run: 75,077,525,504 bytes free
Post-Run: 75,943,677,952 bytes free

312 --- E O F --- 2009-03-18 16:42:14

peku006
2009-04-02, 08:41
Hi InfectedComputer

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\SYSTEM32\diyudejo.exe
c:\windows\SYSTEM32\lohukehi.exe
c:\windows\SYSTEM32\sowatoto.exe
c:\windows\SYSTEM32\gasefiwa.exe
c:\windows\SYSTEM32\vayedomo.exe
c:\windows\SYSTEM32\yonozise.exe
c:\windows\SYSTEM32\tilufewa.exe


Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Run Malwarebytes' Anti-Malware

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.

http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png

After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.

3 - Run HijackThis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware log
3. a fresh HijackThis log
4. a description of any problems you are having with your PC

Thanks peku006

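A triage helper for the CFScript step above, added here as an example (it is not part of ComboFix, Malwarebytes or the forum's tooling): it scans ComboFix-style log lines for System32 files whose names fit the shape the files in this thread share (8 lowercase letters alternating consonant and vowel, e.g. gotifodo.dll, diyudejo.exe) and renders them as a File:: section for a helper to review. The consonant/vowel heuristic is an assumption drawn from those names, and the sample log lines are constructed from entries quoted in this thread.

```python
"""Triage helper for ComboFix logs: flag Vundo-style random file names.

Added example, not part of ComboFix or the forum's tooling. The files in
this thread (gotifodo.dll, diyudejo.exe, lohukehi.exe, ...) share one shape:
an 8-letter lowercase name alternating consonant and vowel, dropped in
System32. The heuristic below is an assumption based on that observation;
its output is a candidate list for a helper to review, not a verdict.
"""
import re

CONSONANTS = set("bcdfghjklmnpqrstvwxyz")
VOWELS = set("aeiou")

# System32 path ending in an 8-letter name with an .exe or .dll extension.
PATH_RE = re.compile(r"(c:\\windows\\system32\\[a-z]{8}\.(?:exe|dll))",
                     re.IGNORECASE)

# Constructed sample: lines in ComboFix's own format, taken from the logs
# posted in this thread, plus two legitimate System32 files as controls.
SAMPLE_LOG = r"""
HKLM-Run-pijupakapa - c:\windows\System32\gotifodo.dll
HKLM-Run-NWEReboot - (no file)
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
2009-01-08 05:30 172,544 ----a-w c:\windows\SYSTEM32\schedsvc.dll
c:\windows\SYSTEM32\diyudejo.exe
c:\windows\SYSTEM32\lohukehi.exe
c:\windows\SYSTEM32\taskmgr.exe
"""


def is_cv_pattern(stem):
    """True if stem is 8 lowercase letters alternating consonant/vowel
    (either phase), e.g. 'gotifodo' or 'yonozise'."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    phases = [(CONSONANTS, VOWELS), (VOWELS, CONSONANTS)]
    return any(all(ch in (even if i % 2 == 0 else odd)
                   for i, ch in enumerate(stem))
               for even, odd in phases)


def find_candidates(log_text):
    """Return the unique System32 paths whose file name fits the pattern,
    sorted case-insensitively. Paths keep the case ComboFix printed."""
    found = set()
    for line in log_text.splitlines():
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[1]
            stem = name.rsplit(".", 1)[0]
            if is_cv_pattern(stem):
                found.add(path)
    return sorted(found, key=str.lower)


def build_cfscript(paths):
    """Render the File:: section in the format the post above uses.
    Returns '' when there is nothing to list, so nothing is fed to ComboFix."""
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    candidates = find_candidates(SAMPLE_LOG)
    print(build_cfscript(candidates), end="")
```

Legitimate 8-letter names such as schedsvc.dll fail the alternation test, so the list stays short; anything it does flag still needs a helper's eyes before it goes into a CFScript.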
InfectedComputer
2009-04-02, 17:56
Hi peku006,

I started ComboFix as requested. The usual ComboFix window with the blue background opened, followed by an "Update" pop-up window: "There's a new version of ComboFix available. Would you like to update ComboFix?" yes/no. The "X" button at the upper right corner of the Update window is shaded out.

I don't know whether this is legitimate, or whether it's just the malware infection trying to redirect me to a site with a fake ComboFix.

Should I:

a. click yes
b. click no
c. alt F4?

If "b" or "c", should I plan to go get a new copy of ComboFix using my clean computer?

Regards,

"InfectedComputer"

peku006
2009-04-02, 18:24
Hi InfectedComputer

It is normal that ComboFix updates itself, you should "click yes".

InfectedComputer
2009-04-03, 04:28
Hi peku006,

Today (April 2nd) I ran ComboFix with the CFScript file, Malwarebytes, and HJT. Logs are below.

When I first ran ComboFix on April 1st, it did a reboot as I mentioned earlier. When I logged back in, the McAfee On-Access scanner re-enabled itself. When I woke up this morning and entered the screensaver password, I found that overnight the McAfee On-Access scanner had found 5 items. Here is what was in the On-Access log:

2009-04-01 09:36 Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP470\A0085301.dll Vundo
2009-04-01 10:03 Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP470\A0085302.dll Vundo
2009-04-01 11:03 Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP470\A0085303.dll Vundo
2009-04-01 11:37 Delete failed (Clean failed) D3K0BF11\dmakoc C:\ComboFix\psexec.cfexe RemAdm-ProcLaunch!171
2009-04-02 10:04 Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP472\A0086311.dll Vundo.gen.an

I disabled the On-Access scanner before I ran the ComboFix, Malwarebytes, and HJT today.

Your last post also asked for a report on any symptoms. The computer has been running fine and hasn't been doing anything weird since we did the first ComboFix scan on April 1st. All of the strange .dll and .exe files in c:\windows\system32 are now gone. However, one bad file remains in that folder -- the hidden file "zofazibe" (no extension). This file has a blank under "date created" in Windows Explorer.

Here are the 3 logs:

1. ComboFix:

ComboFix 09-04-01.01 - dmakoc 2009-04-02 12:30:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.767.415 [GMT -4:00]
Running from: c:\documents and settings\dmakoc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dmakoc\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\diyudejo.exe
c:\windows\SYSTEM32\gasefiwa.exe
c:\windows\SYSTEM32\lohukehi.exe
c:\windows\SYSTEM32\sowatoto.exe
c:\windows\SYSTEM32\tilufewa.exe
c:\windows\SYSTEM32\vayedomo.exe
c:\windows\SYSTEM32\yonozise.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\diyudejo.exe
c:\windows\SYSTEM32\gasefiwa.exe
c:\windows\SYSTEM32\lohukehi.exe
c:\windows\SYSTEM32\sowatoto.exe
c:\windows\SYSTEM32\tilufewa.exe
c:\windows\SYSTEM32\vayedomo.exe
c:\windows\SYSTEM32\yonozise.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-03-29 20:15 . 2009-03-29 20:15 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 19:46 . 2009-03-29 19:46 <DIR> d-------- c:\program files\ERUNT
2009-03-25 15:18 . 2009-03-29 12:21 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\ATTTOOLBAR
2009-03-18 23:43 . 2009-03-18 23:43 2,294,837 --a------ c:\documents and settings\Lilin\HCUpgrade3.1.exe
2009-03-08 12:13 . 2009-03-08 12:13 <DIR> d-------- c:\documents and settings\Matt2\Application Data\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
2009-03-24 18:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 17:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 04:21 --------- d-----w c:\documents and settings\dmakoc\Application Data\U3
2009-03-22 18:31 --------- d-----w c:\documents and settings\Lilin\Application Data\ATTTOOLBAR
2009-03-21 18:47 --------- d-----w c:\documents and settings\Matt2\Application Data\U3
2009-03-14 03:20 --------- d-----w c:\documents and settings\Adam\Application Data\ATTTOOLBAR
2009-03-08 21:06 --------- d-----w c:\documents and settings\dmakoc\Application Data\WinFF
2009-02-27 20:31 --------- d-----w c:\documents and settings\Alexander\Application Data\ATTTOOLBAR
2009-02-11 05:46 --------- d-----w c:\documents and settings\Matt2\Application Data\ATTTOOLBAR
2009-02-08 05:56 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-02-07 20:37 --------- d-----w c:\documents and settings\dmakoc\Application Data\ATTToolbar
2009-02-06 19:45 --------- d-----w c:\documents and settings\Matt\Application Data\ATTTOOLBAR
2009-02-06 19:38 --------- d-----w c:\documents and settings\Arthur\Application Data\ATTTOOLBAR
2009-02-06 16:25 --------- d-----w c:\program files\Common Files\Motive
2009-02-06 16:25 --------- d-----w c:\program files\ATTToolbar
2009-02-06 16:19 --------- d-----w c:\documents and settings\dmakoc\Application Data\Motive
2009-02-06 15:56 --------- d-----w c:\program files\ATT-HSI
2009-02-06 15:46 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2009-02-04 05:04 --------- d-----w c:\program files\Lavasoft
2009-02-04 05:04 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-04 05:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-26 19:17 97,296 ----a-w c:\documents and settings\Lilin\Application Data\GDIPFONTCACHEV1.DAT
2009-01-19 20:52 97,296 ----a-w c:\documents and settings\dmakoc\Application Data\GDIPFONTCACHEV1.DAT
2009-01-15 04:53 1,610,790 ----a-w c:\documents and settings\dmakoc\HC43SInstaller.exe
2009-01-08 05:30 172,544 ----a-w c:\windows\SYSTEM32\schedsvc.dll
2007-02-15 22:44 784 ----a-w c:\documents and settings\Alexander\Application Data\mpauth.dat
2006-11-07 02:33 93,408 ----a-w c:\documents and settings\Alexander\Application Data\GDIPFONTCACHEV1.DAT
2006-02-11 16:32 558,675 ----a-w c:\documents and settings\dmakoc\HCUpgrade3.1.exe
2005-05-02 16:23 323 ---ha-w c:\documents and settings\dmakoc\hpothb07.dat
2005-05-02 16:23 161 ---ha-w c:\documents and settings\Lilin\hpothb07.dat
2005-03-31 03:06 164 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2005-01-31 18:47 376 ---ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat
2004-12-06 15:21 186 ---ha-w c:\documents and settings\Lilin\Application Data\hpothb07.dat
2004-01-05 22:00 64,392 ----a-w c:\documents and settings\Adam\Application Data\GDIPFONTCACHEV1.DAT
2002-11-10 08:33 63,208 ----a-w c:\documents and settings\Matt2\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"WinMem"="c:\program files\blcorp\UWCSuite\WinMem\WinMem.exe" [2003-12-02 376320]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-08-02 368720]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-07-15 1544192]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"MaxtorCombo"="c:\progra~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-15 40960]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" [2003-11-17 729088]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-10 406016]
"RCScheduleCheck"="c:\program files\VCOM\Recovery Commander\RCSCHED.EXE" [2003-10-21 151552]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-29 180269]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"nwiz"="nwiz.exe" [2003-05-02 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\dmakoc\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= "c:\program files\VCOM\Recovery Commander\RCHOOK.DLL" [2003-07-08 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2003-12-01 15:34 24665 c:\windows\SYSTEM32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux1"= ctwdm32.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= NUVision.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [2002-08-14 5632]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-01-01 28672]
R2 Scap;SecureClient Application Policy Module;c:\windows\SYSTEM32\DRIVERS\scap.sys [2004-03-26 17296]
R2 VPN-1;VPN-1 Module;c:\windows\SYSTEM32\DRIVERS\vpn.sys [2004-03-26 668336]
R3 FW1;SecuRemote Miniport;c:\windows\SYSTEM32\DRIVERS\fw.sys [2004-03-26 2038128]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [2002-04-19 6942]
R3 mxDisk;mxDisk;c:\progra~1\VCOM\Fix-It\mxDisk.sys [2005-05-10 51656]
S2 VRDVC20;Sony VRD-VC20 [Video Capture];c:\windows\SYSTEM32\DRIVERS\VRDVC20X.SYS [2006-02-25 18:11:47 31104]
S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [2002-04-19 281856]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [2005-01-04 155264]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\SYSTEM32\DRIVERS\OMVA.sys [2004-03-26 14924]
S3 VVRUSB;VVRUSB Device;c:\windows\SYSTEM32\DRIVERS\VVRUSB.sys [2004-09-14 38479]
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-04-02 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7900#CN38V220VXEV.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2009-04-02 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 17:23]

2002-05-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 06:41]

2002-05-19 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 06:41]

2002-05-19 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 06:41]

2009-04-02 c:\windows\Tasks\Scheduled Checkpoint.job
- c:\program files\VCOM\Recovery Commander\RCSCHED.EXE [2003-10-21 13:20]

2009-04-02 c:\windows\Tasks\WebReg officejet 6300 series.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2006-02-19 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uDefault_Search_URL = hxxp://ie.search.msn.com
mStart Page = hxxp://www.dellnet.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 12:33:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DellTouch = c:\windows\DELLMMKB.EXE
AdaptecDirectCD = "c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
UpdReg = c:\windows\Updreg.exe
AHQInit = c:\program files\Creative\SBLive\Program\AHQInit.exe
BJCFD = c:\program files\BroadJump\Client Foundation\CFD.exe
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray
NvCplDaemon = RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
MaxtorCombo = "c:\progra~1\Dantz\RETROS~1\ComboButton.exe"
MXO Auto Loader = c:\windows\MXOaldr.exe
HPDJ Taskbar Utility = c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
HPHUPD05 = c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Component Manager = "c:\program files\HP\hpcoretech\hpcmpmgr.exe"
HPHmon05 = c:\windows\System32\hphmon05.exe
ShStatEXE = "c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
DNS7reminder = "c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "c:\program files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
PinnacleDriverCheck = c:\windows\System32\PSDrvCheck.exe -CheckReg

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,32,31,14,99,61,
31,74,86,c8,28,51,af,b0,29,a3,98,de,8c,45,98,c6,3d,6f,4f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,be,db,f6,31,50,
8b,65,8a,71,3b,04,66,8b,46,0d,96,7b,86,1e,c8,f5,15,6a,6d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,aa,6f,0a,18,3d,
39,ee,8a,25,da,ec,7e,55,20,c9,26,33,da,6e,a7,a0,c1,ff,36,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,5d,e2,8c,1c,7c,
30,56,c1,3e,1e,9e,e0,57,5a,93,61,53,99,e5,4b,fd,dd,52,d0,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ce,cd,40,94,59,
2b,df,ba,cd,44,cd,b9,a6,33,6c,cd,e5,51,9c,d7,81,fd,51,06,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,74,1a,bd,2b,d8,
cb,8e,80,b0,18,ed,a7,3f,8d,37,a4,5b,c0,de,db,23,e0,b3,a6,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,5e,e7,f6,11,5f,
f4,84,c8,31,77,e1,ba,b1,f8,68,02,1a,66,6d,16,21,b5,05,ce,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,84,ed,f7,8b,f0,
35,8b,f2,83,6c,56,8b,a0,85,96,ab,e2,55,8a,87,1f,f7,9d,03,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d2,34,6e,b1,b0,
88,cc,c6,51,fa,6e,91,28,9e,14,cc,d6,08,5c,25,5d,99,f8,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,a7,8c,a9,c6,70,
a4,85,26,b1,cd,45,5a,a8,c4,f8,b9,e3,21,47,0c,b2,8f,4a,7c,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,db,48,e1,79,a9,
ae,52,31,e3,0e,66,d5,eb,bc,2f,6b,2e,9f,90,c5,08,6f,ca,5d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a8,6e,be,44,74,
ba,7c,c5,fa,ea,66,7f,d4,3b,6b,70,93,7a,fd,d1,66,cc,1b,4e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\System32\dssenh.dll
.
Completion time: 2009-04-02 12:36:09
ComboFix-quarantined-files.txt 2009-04-02 16:36:06
ComboFix2.txt 2009-04-01 18:05:42

Pre-Run: 75,810,811,904 bytes free
Post-Run: 75,798,380,544 bytes free

275 --- E O F --- 2009-03-18 16:42:14



2. Malwarebytes:

Malwarebytes' Anti-Malware 1.35
Database version: 1935
Windows 5.1.2600 Service Pack 1

4/2/2009 8:57:13 PM
mbam-log-2009-04-02 (20-57-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223920
Time elapsed: 37 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rihobije.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP465\A0085134.dll (Trojan.Vundo) -> Not selected for removal.



3. HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:39 PM, on 4/2/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9579 bytes



Regards,

"InfectedComputer"

peku006
2009-04-03, 09:58
Hi InfectedComputer
psexec.cfexe is part of ComboFix, and all the other "viruses" are in System Restore and inactive; I will give you instructions later on how to empty it.
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

zofaziba sounds "tricky" :scratch: let us take a deeper look.

OTScanIt2

Download OTScanIt2 by Oldtimer (http://oldtimer.geekstogo.com/OTScanIt2.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

NOTE: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Click the Scan All Users checkbox on the toolbar.
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Close Notepad (saving the change if necessary).


NOTE: Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

Thanks peku006

InfectedComputer
2009-04-03, 15:32
Hi peku006,

Last night, after my last post, I logged out of my administrator account on the infected computer. I just logged back in after reading your post. The login process seems complete or nearly complete, but I now have a popup window titled "VPN-1 SecureClient" that says "Are you sure you want to delete [my company's name]". In the past I've used this computer to connect to the intranet at my workplace through SecureClient. I've stopped recently, and probably won't resume, but I don't want to alter the SecureClient implementation unless I need to in order to get the computer disinfected.

So, do I need to click "Yes", or can I click "No"?

Regards,

InfectedComputer

peku006
2009-04-03, 16:00
Hi InfectedComputer
You should click "No".

InfectedComputer
2009-04-03, 19:28
Hi peku006,

Attached is the OTScanIt2 log. I had to split it into 5 parts in order not to exceed the 48K limit for .txt file attachments. I included the same header info at the top of each file.

Regards,

InfectedComputer

peku006
2009-04-05, 09:09
Hi InfectedComputer

1 - Run OTScanIt2

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Files/Folders - Created Within 30 Days]
NY -> zofaziba -> %SystemRoot%\System32\zofaziba
[Files/Folders - Modified Within 30 Days]
NY -> zofaziba -> %SystemRoot%\System32\zofaziba
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

2 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


3 - F-Secure Online Scan

F-Secure Online Scan


Note: You will need to use Internet explorer for this scan
Go here (http://support.f-secure.com/enu/home/ols.shtml) to run an online scan from F-Secure
Click on Start scanning
This will open a new internet explorer window
It will require an activex control, please install it
Click Accept
Click Full System Scan
It will now download the scanner, this may take a while, please be patient
It will then start scanning, wait for the scan to finish
Click Automatic cleaning (recommended)
Wait for it to finish the cleaning process
Click show report
This will open up a window with the results of the scan, copy and paste those results as a reply to this topic


4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with

1. the F-Secure online scanner report
2. the OTScanIt2 scan log
3. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

InfectedComputer
2009-04-06, 04:39
Hi peku006,

1. I ran the OTScanIt2 "run fix" with the script. Here is the log:

[Files/Folders - Created Within 30 Days]
C:\WINDOWS\System32\zofaziba moved successfully.
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\zofaziba not found!
C:\Documents and Settings\dmakoc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.10.0 fix logfile created on 04052009_194102


2. I ran the F-Secure Online Scan. It finished, detecting 5 viruses and 2 spyware. There were >70 files skipped. I unchecked the box to send the samples to F-Secure and then clicked the "Automatic Cleaning (recommended)" button. The program started fixing a spyware with a name that ended with ".mirar" (or .micar?), but almost immediately the window just disappeared and nothing more happened. Should I run it again?

3. I ran HJT. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:47 PM, on 4/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9617 bytes


4. The computer has been running OK.

Regards,

InfectedComputer
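
As an added example (not part of the thread, and not HijackThis's own code): the helper asks for a fresh HijackThis log after every round so the two logs can be compared. The script below parses HJT logs by section and reports what appeared or disappeared between two runs; the two log excerpts are constructed from the 4/2 and 4/5 logs above.

```python
"""Diff two HijackThis logs section by section to see what a cleanup round changed.

Added example for this thread; it is not part of HijackThis or of the posts above.
The two log excerpts below are constructed from the HJT logs posted on 4/2 and 4/5.
"""
import re

# A HJT entry line: section code (R0, R1, O2, O4, O16, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# A running-process line: an absolute Windows path.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# HJT prints sections in this letter order; used to keep the diff output in log order.
SECTION_ORDER = "RFNO"


def parse_hjt(text):
    """Return (processes, entries).

    processes: set of running-process paths, lower-cased (NTFS paths are case-insensitive).
    entries:   dict mapping section code -> set of entry bodies in that section.
    """
    processes = set()
    entries = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if PROCESS_RE.match(line):
                processes.add(line.lower())
                continue
            in_processes = False  # the blank line after the last path ends the list
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return processes, entries


def _section_key(code):
    return (SECTION_ORDER.index(code[0]), int(code[1:]))


def diff_hjt(before, after):
    """Compare two HJT logs; returns what appeared and what disappeared."""
    p_before, e_before = parse_hjt(before)
    p_after, e_after = parse_hjt(after)
    added, removed = [], []
    for sec in sorted(set(e_before) | set(e_after), key=_section_key):
        old, new = e_before.get(sec, set()), e_after.get(sec, set())
        added.extend(f"{sec} - {body}" for body in sorted(new - old))
        removed.extend(f"{sec} - {body}" for body in sorted(old - new))
    return {
        "processes_added": sorted(p_after - p_before),
        "processes_removed": sorted(p_before - p_after),
        "entries_added": added,
        "entries_removed": removed,
    }


# Constructed excerpts of the 4/2 and 4/5 logs from the thread (full logs omitted).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:39 PM, on 4/2/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:47 PM, on 4/5/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
"""


if __name__ == "__main__":
    result = diff_hjt(LOG_BEFORE, LOG_AFTER)
    for key, items in result.items():
        print(key)
        for item in items:
            print("   ", item)
```

On the excerpts above it reports the cleared HKLM Start Page and the new F-Secure O16 entry (both expected after the online scan), plus the process-list changes, so the reviewer only has to look at what differs between rounds.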

peku006
2009-04-06, 08:39
Hi InfectedComputer

Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

Under SCANNING OPTIONS, use the following Settings:

http://img.photobucket.com/albums/v706/ried7/BitDefenderB.gif
Action options - Report only
Second option - Report only

Once finished, click on "Click here to export the scan results"

Save the report to your desktop, then post those results in your next reply.

Thanks peku006

InfectedComputer
2009-04-06, 14:49
Hi peku006,

The Bitdefender scan is about 1/2 done, currently scanning c:\Program Files\Adobe and says it has an hour and 15 minutes left to finish. So far, it has found 5 viruses and 14 infected files. The viruses are identified as Generic.Peed.Eml.xxxxxxxx (various extensions for the xxxxxxxx).

Although I selected the settings for "report only" as you requested, it has deleted 16 files after trying to disinfect. It says at least one of the infected files could not be disinfected or deleted.

Do you want me to let this run to completion, or stop scanning?

Regards,

InfectedComputer

peku006
2009-04-06, 15:38
Hi InfectedComputer

Do you want me to let this run to completion?
Yes, and post the results in your next reply.

InfectedComputer
2009-04-06, 16:43
Hi peku006,

Here is the Bitdefender report. [I was puzzled as to how to send this to you, since it is a .html file which is not an allowable attachment. I was going to zip it, but I decided to try cut and paste, which seems to have worked.]

Regards,

InfectedComputer

---------------------------------------------------

BitDefender Online Scanner

Scan report generated at: Mon, Apr 06, 2009 - 10:21:31

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 01:52:50
Files: 299858
Folders: 8906
Boot Sectors: 0
Archives: 11618
Packed Files: 33471

Results
Identified Viruses: 9
Infected Files: 21
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 23

Engines Info
Virus Definitions: 2828941
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File    Status

peku006
2009-04-06, 17:38
Hi InfectedComputer

The scans are fine and it looks like your machine is clean :yahoo:

To remove all of the tools we used and the files and folders they created, do the following:
Start OTScanIt2
Click the CleanUp button

* OTScanIt2 will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use SpywareBlaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent malware.


Happy safe surfing! :bigthumb:
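
The HOSTS-file advice above works because Windows consults C:\WINDOWS\system32\drivers\etc\hosts before DNS, so mapping an ad host to 127.0.0.1 sends the request nowhere. Malware has long used the same file in reverse, mapping antivirus and update sites to loopback or to a foreign address. As an added example, not part of the thread and not MVPS code, here is a small audit that parses a HOSTS file and sorts each mapping into a legitimate sinkhole (loopback or 0.0.0.0) or something to investigate: a protected site appearing at all, even sinkholed, or any hostname sent to a real address. The sample file, the example hostnames and the TEST-NET addresses are constructed; the protected-domain list is assembled from the sites named in this thread and is an assumption you would extend for your own vendors. Treating 0.0.0.0 as a sinkhole goes a little beyond the text, since some block lists use it instead of 127.0.0.1.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS file (not a real one): an MVPS-style block list with
# three lines of the kind malware adds, so the audit has something to find.
SAMPLE_HOSTS = """\
# Constructed sample, not a real HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test        # sinkholed to loopback, as MVPS does
0.0.0.0         tracker.example-analytics.test   # sinkholed to the unspecified address
127.0.0.1       www.safer-networking.org         # tampering: security site cut off
203.0.113.7     www.update.microsoft.com         # tampering: update site sent elsewhere
198.51.100.9    www.example-bank.test            # redirect to a foreign address
"""

# Sites a block list should never touch, taken from the ones named in this thread
# (an assumption; extend for your own vendors). Matching is by exact name or parent domain.
PROTECTED_SUFFIXES = (
    "update.microsoft.com", "safer-networking.org", "mvps.org",
    "secunia.com", "f-secure.com", "bleepingcomputer.com",
)


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs, skipping comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_sinkhole(address: str) -> bool:
    """127.x.x.x, ::1 and 0.0.0.0 resolve nowhere useful; that is what a block list wants."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Sort every mapping into 'blocked' (legitimate sinkhole) or 'suspicious'.

    Suspicious means a protected site is present at all, even if only sinkholed,
    or a hostname is sent to a real address instead of a sinkhole.
    """
    report: Dict[str, List[str]] = {"blocked": [], "suspicious": []}
    for address, hosts in parse_hosts(text):
        for host in hosts:
            if host == "localhost":
                continue
            if is_protected(host) or not is_sinkhole(address):
                report["suspicious"].append(f"{host} -> {address}")
            else:
                report["blocked"].append(host)
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} hosts sinkholed")
    for item in result["suspicious"]:
        print("SUSPICIOUS:", item)
```

To audit a real machine, pass the contents of %SystemRoot%\system32\drivers\etc\hosts to audit_hosts; on a freshly installed MVPS list the suspicious section should be empty, and anything listed there after a cleanup is a line to remove by hand.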

InfectedComputer
2009-04-06, 18:18
Hi peku006,

Thank you for all your help.

Two issues --

1. If you recall, I mentioned at the outset that I had at least one of my USB flash drives and at least one of my external USB hard drives connected when the machine got infected. I removed the flash drive, not sure if I ever reconnected it. I removed the USB hard drive and haven't reconnected it. Is there anything I need to do to check those to make sure they are clean, or are the infections we found not the kind that infect those devices?

2. When I made my last post, I didn't realize there was some personal information in the log file that should be removed. Can you change your settings so I can PM you?

Regards,

InfectedComputer

peku006
2009-04-06, 18:43
Hi InfectedComputer

You can check your USB flash drive and external hard drive with the Kaspersky Online Scanner or MBAM (but I am sure that they are clean).

Please check your PM.

InfectedComputer
2009-04-06, 20:57
Hi peku006,

I tried to reply to your PM, but I got the error message "peku006 has chosen not to receive private messages or may not be allowed to receive private messages." What am I doing wrong?

Regards,

InfectedComputer

peku006
2009-04-06, 21:22
Hi InfectedComputer
I do not know why the PM does not work,
but I sent you my e-mail address, in case there is anything more that needs to be removed.

Thanks peku006

InfectedComputer
2009-04-06, 21:54
Hi peku006,

Thank you, nothing else needs to be removed from the post with the Bitdefender log.

Will I be able to post any follow-up questions if any issues come up as I install the tools you mentioned and upgrade my service pack? How soon will the thread be archived?

Finally, thank you so much for your help. I am so relieved to have a clean computer, and I will be making a donation. Keep up the good work.

Regards,

InfectedComputer

peku006
2009-04-18, 12:24
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.