Aarrrgh. Infected again, probably virtumonde again ...



InfectedComputer
2009-05-14, 13:09
Greetings,

Peku006 helped me clean up a virtumonde infection in late March/ early April. I am chagrined to say that, despite upgrading to SP2 and then SP3 and all patches, and setting the Spybot resident tools including the TeaTimer, doing regular updates and immunizations, my computer is again infected. I am assuming it's virtumonde again, because the same file -- zofaziba -- is in my system32 folder, along with a number of others. This time it is really bad, because there are 50-100 entries of devldr.exe in my process list and the CPU is 100% in use, so it's taken several hours just to get a HJT run and the log copied to CD and moved to the clean computer where I'm composing this message. (I tried booting to safe mode and had the same problem, many copies of devldr.exe in the process list and 100% CPU usage).

I did not do the registry backup yet because it was all I could do just to get the HJT. [I'll try it after I send this message.] I do have a bunch of system restore points and Fix-It Utilities Recovery Commander checkpoints. I also have a Ghost backup I ran right after the machine was pronounced clean back in early April (but unfortunately before I did all the upgrades from SP1 to SP3 and all the patches, etc.).

Here is the HJT log. After the log, I've provided some history of some malware troubles from the previous day that might or might not have anything to do with the current infection.

I will be most appreciative of any help you can provide.

Regards,

InfectedComputer

----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:27 AM, on 5/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f9328a9a-e18c-478e-b89b-bc896a7c9b6e} - C:\WINDOWS\system32\mizalaza.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [2cee2ecf] rundll32.exe "C:\WINDOWS\system32\yovalono.dll",b
O4 - HKLM\..\Run: [CPM2fdd1d53] Rundll32.exe "c:\windows\system32\bofuwike.dll",a
O4 - HKLM\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\system32\rewagiki.dll",s
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKUS\S-1-5-20\..\Run: [pijupakapa] Rundll32.exe "C:\WINDOWS\system32\rewagiki.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O20 - AppInit_DLLs: c:\windows\system32\bofuwike.dll,C:\WINDOWS\system32\yukikono.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12416 bytes

-------------------------------------------------

Some history from the previous day. The day before this infection, the Tea-Timer warned me about:

5/12/2009 1:28:07 AM Denied (based on Spybot-S&D scan) value "system tool" (new data: "C:\WINDOWS\sysguard.exe") added in System Startup user entry!

I selected "deny".

The next morning when I logged in the McAfee On-Access Scan found:

5/13/2009 9:53:54 AM Deleted C:\WINDOWS\SYSTEM32\WBEM\proquota.exe Generic.dx!cf

and later it found:

5/13/2009 10:06:46 AM Deleted C:\Documents and Settings\dmakoc\Local Settings\Temp\~TMCE.tmp Generic.dx!cf

I also checked Spybot and found the following from the previous night in the resident section:

5/12/2009 1:28:43 AM Encountered and terminated Fraud.Sysguard in C:\WINDOWS\sysguard.exe!

I also found the following file in C:\Documents and Settings\dmakoc\Local Settings: install[1].exe

The file had these properties:

file version 5.1.2600.0
description Игра ''Сапер''
copyright © Корпорация Майкрософт. Все права защ
company Корпорация Майкрософт .

I updated Malwarebytes and Spybot and then I ran a Malwarebytes quick scan, which found Malware.trace (registry item – ... AvScan). Didn’t remove this but instead I ran Spybot, which found:

Company:
Product: WinSpywareProtect
Threat: Malware

Description: WinSpywareProtect is a rogue antispyware solution (in close relation to MalWarrior). It scans the system and reports several non existent threats. Further it displays popups every few minutes in order to lure the user into buying the product.

I had not seen any such pop-ups. I let Spyware fix this.

I scanned the file install[1].exe with Spybot and with Malwarebytes -- nothing found. So I deleted the file.

I ran a quick system scan with Malwarebytes and with the latest Windows Malicious Software Removal Tool. Nothing found.

Then McAfee On-Access found Generic.dx!cf in system volume information – A0012927.exe – and deleted it.
I ran Malwarebytes and then McAfee on the entire sys vol info folder -- nothing found.

So at that point I thought those issues were taken care of. I don't know if those had anything to do with the current infection.

--------------------------------------------------------
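As an added example (not part of the thread, and not a tool either participant used), here is a small Python triage pass over HijackThis-style lines in the shape of the log above. It flags the pattern visible in that log from a defender's point of view: rundll32 Run entries calling a single-letter export, AppInit_DLLs entries, one DLL registered under several hook types (O4/O20/O21/O22), and a process list flooded with copies of one image. The consonant-vowel naming heuristic and the flood threshold are my assumptions, and the embedded log excerpt is constructed to mirror the post, not copied from it in full.

```python
"""Triage a HijackThis (HJT) 2.0.2 log for the persistence pattern seen in
the thread: randomly named DLLs in system32 loaded via rundll32 and also
hooked through AppInit_DLLs / SSODL / SharedTaskScheduler, plus a process
list flooded with copies of one executable."""
import re
from collections import Counter

# Constructed excerpt in HJT log format (shape taken from the post above).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f9328a9a-e18c-478e-b89b-bc896a7c9b6e} - C:\WINDOWS\system32\mizalaza.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2cee2ecf] rundll32.exe "C:\WINDOWS\system32\yovalono.dll",b
O4 - HKLM\..\Run: [CPM2fdd1d53] Rundll32.exe "c:\windows\system32\bofuwike.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\bofuwike.dll,C:\WINDOWS\system32\yukikono.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll
"""

# Any DOS path ending in a .dll file name (quotes and commas end a path).
DLL_RE = re.compile(r'[a-z]:\\(?:[^",]*\\)?([a-z0-9_~\-]+\.dll)', re.I)
# O4 Run entry that launches a DLL through rundll32 and names an export.
RUNDLL_RE = re.compile(
    r'^O4 - .*?\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,(?P<export>\S+)', re.I)
# Heuristic (assumption): eight lowercase letters alternating consonant/vowel,
# the shape of the names in the thread (mizalaza, bofuwike, yukikono, ...).
RANDOM_NAME_RE = re.compile(r'^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$')


def triage(log_text, flood_threshold=5):
    """Return a dict of findings for one HJT log text."""
    procs = Counter()          # image basename -> number of running copies
    hooks = {}                 # lowercase full DLL path -> set of HJT tags
    rundll_single_export = []  # DLLs started via rundll32 with a 1-char export
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False           # a blank line ends the process list
            continue
        if line.lower() == 'running processes:':
            in_procs = True
            continue
        if in_procs:
            procs[line.rsplit('\\', 1)[-1].lower()] += 1
            continue
        tag = line.split(' - ', 1)[0]  # "O4", "O20", "O21", ...
        for m in DLL_RE.finditer(line):
            hooks.setdefault(m.group(0).lower(), set()).add(tag)
        m = RUNDLL_RE.match(line)
        if m and len(m.group('export')) == 1:
            rundll_single_export.append(m.group('dll').lower())
    return {
        'random_dlls': sorted(p for p in hooks
                              if RANDOM_NAME_RE.match(p.rsplit('\\', 1)[-1])),
        'appinit_dlls': sorted(p for p, t in hooks.items() if 'O20' in t),
        'multi_hook': {p: sorted(t) for p, t in hooks.items() if len(t) > 1},
        'flooded_processes': {n: c for n, c in procs.items() if c >= flood_threshold},
        'rundll32_single_export': rundll_single_export,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```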

pskelley
2009-05-15, 03:05
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, anything else will waste your time and mine.
TeaTimer is not disabled as instructed?

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)


2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

InfectedComputer
2009-05-15, 21:45
Hi pskelley,

Thanks for your response. I've disabled the Windows firewall and have run ERUNT. McAfee On-Access is disabled (by the Malware). So those preliminaries are taken care of.

I've tried twice but I have not been able to disable the TeaTimer. The problem is that I can't log off properly, much less restart properly so that the changes will take effect. When I log off, I eventually get the screen (colored like the Windows welcome screen) that says "Windows XP", and the hourglass icon is running. I've let it run for 7 1/2 hours overnight and it never completes the log off -- the Windows XP screen remains with the hourglass running. So I eventually push the power button to do a hard shutdown, and when I start up the computer and log in again the TeaTimer comes up in the process list and when I open Spybot the TeaTimer is still marked as checked.

Regarding ComboFix -- even if there were another way to shut off the TeaTimer, I'm concerned that if I try the ComboFix it won't complete because it includes a restart ... Is there a tool that doesn't require a restart to make some progress, or will ComboFix do some good even if its built-in restart doesn't work?

Also, regarding ComboFix, a month and a half ago with the previous infection when peku006 asked me to run ComboFix it did not complete properly, so he had me proceed with Malwarebytes instead. I still have that tool on my computer if you want me to use that instead. [Also, FYI, I installed the recovery console a long time ago, but have never been able to use it because somehow I lost the password to the original Administrator account.]

The other problem is that it is taking forever to do anything because dozens of copies of devldr.exe are taking up 100% CPU. Some of the copies are loaded as system, some as local service, and some as network service. Logging in takes 15 to 20 minutes. Loading Spybot takes about 10 minutes. It took more than an hour this morning just to log on, turn off the Windows firewall, uncheck TeaTimer, and copy ComboFix to the desktop from a CD. So whatever tool you ask me to run next, it will likely take a very long time, so I hope whatever we use won't bomb!

Also, during the login process I keep getting multiple popups saying that devldr.exe could not be loaded. I've been clicking to close these each time they come up. During the most recent attempt to logoff, after the process got to the Windows XP screen with the endless hourglass, another of these popped up, so maybe it won't log off because it's still trying to start more copies of devldr.exe, I don't know.

So, I have 2 questions:

1. What do I do about the TeaTimer?
2. Do you want me to proceed with ComboFix anyway, or something else?

Also, a side question:

3. I still have Malwarebytes and HJT installed from before. Do I need to download again and re-install?

Regards,

InfectedComputer

pskelley
2009-05-15, 22:45
1) To make sure TeaTimer does not interfere with fixes, uninstall Spybot S&D in Add Remove programs. That will take care of TeaTimer and you can re-install Spybot once the malware is removed.

2) Then follow the directions I posted.

3) MBAM: We will use that program later and I will post instructions for it at that time.

HJT installed from before: the request is for an UNINSTALL LIST, not a HJT log or HJT installation. Please read the directions carefully.

Thanks

InfectedComputer
2009-05-16, 19:57
Hi pskelley,

Regarding the TeaTimer -- I uninstalled Spybot. At the end of the uninstall process, it asked for a restart. When I did that, the computer wouldn't log off/shut down, the same as before. So eventually I powered off the computer and powered it back on. Then, when I logged in, the TeaTimer started up again. There are three files remaining in c:\Program Files\Spybot - Search & Destroy that didn't get deleted during the uninstall -- TeaTimer.exe, SDHelper.dll, and advcheck.dll. Should I delete these manually and then power down/power up and proceed with ComboFix?

Regarding the instructions -- I understand from your instructions that after the TeaTimer is disabled I need to produce, in order, a ComboFix log, an HJT log, and an uninstall list using HJT, and post all 3 of them.

Regarding my question about uninstalling and reinstalling HJT and MBAM -- I probably didn't explain the question well enough. My question is a general one: usually an instruction from a helper says go to the following link, download tool "X", save it to the desktop, install it (and update it, depending on the tool), and run a scan with it. But the instruction doesn't say what to do if you already have the tool installed on your infected computer from a previous time. So my question is: if I already had a particular tool installed on my computer before the infection happened (and had been keeping the tool updated), is it necessary to download and install a "fresh" copy of the tool? I know that the initial Malware infection can disable features of anti-spyware programs (e.g., the Malware disabled my McAfee On-Access scan), so it seems possible that the answer might be "yes", so I thought I would ask to be sure. [In my particular case, I already have HJT and MBAM from last time, so that's why I asked about those particular tools, and because your current instructions require HJT -- BTW, the HJT log in my initial post above is from my existing HJT.] I'm asking because I'm anxious to get it right, and also because I'm just curious about these things.

Regards,

InfectedComputer

pskelley
2009-05-16, 20:40
So neither of us gets confused, and I am close to it now trying to figure out your posts, I will post one (1) instruction at a time from this point on.

Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Please post the uninstall list and nothing else.

InfectedComputer
2009-05-16, 21:41
OK, here's the uninstall list produced by HJT:

----------------------------------

5000 Series
Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.5
Advertisement Service
America Online
Anapod CopyGear (remove only)
Anapod Explorer (remove only)
AOL Coach Version 1.0(Build:20011028.1)
Apple Software Update
ArcSoft Media Card Companion
ArcSoft Software Suite
ATI Display Driver
Audacity 1.2.6
BellSouth® FastAccess® Connection Manager
BroadJump Client Foundation
BroadJump CorrectConnect Engine
CCleaner (remove only)
Cebuano Tutor 4.0
Check Point VPN-1 SecureClient NG_AI_R55
Compatibility Pack for the 2007 Office system
Conexant HSF V92 56K Data Fax PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
CSDiff
DeductionPro 2003
Dell Picture Studio - Image Expert 2000
Dell ResourceCD
Dell Solution Center
DellTouch
Detto IntelliMover
DiscWizard for Windows
DivX 5.0.3 Bundle
Dragon NaturallySpeaking 7.3
Easy CD Creator 5 Basic
ERUNT 1.1j
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
hp instant support
HP Memories Disc
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Intel Application Accelerator
iPod for Windows 2005-03-23
iPod for Windows 2005-09-06
iTunes
iTunes
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
LP Recorder
LP Ripper
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee QuickClean
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MiraScan V4.03
Modem Helper
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Muhlenberg College
MusicMatch Jukebox
My DSC
Nero Suite
Ninotech Path Copy 4.0
Norton Ghost
NVIDIA Windows 2000/XP Display Drivers
OCR Software by I.R.I.S 7.0
OLYMPUS CAMEDIA Master 4.1
Olympus Digital Wave Player
Olympus Voice Album
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhoneTools
Photosmart 140,240,7200,7600,7700,7900 Series
Pinnacle Hollywood FX
PowerDesk 5.0
PrintMusic! 2001
PRO200WL
QuickLink Mobile Phonebook
QuickTime
RealPlayer
Recovery Commander
Registry First Aid
Remove MiraScan USB Driver
Retrospect 5.6
Samsung USB Driver (MCCI 4.24 WHQL)
ScanButton 3.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Shockwave
Shockwave Player
Sony VRD-VCX [Video Capture] DS Filters v1.9.3i
Sound Blaster Live! Value
Spelling Dictionaries For Adobe Reader Package
Spychecker
Studio 9
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut North Carolina 2008
TaxCut Premium + State + Efile 2008
Teach2000.7 XP
Ultra WinCleaner Utility Suite Version 8
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Storage Adapter FX (MXO)
VCOM Fix-It Utilities Professional 6
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC 3.3.7
WD Diagnostics
Windows Driver Package - Sony (VRDVC20) MEDIA 11/10/2004 5.1.18.01
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinFF 0.43
WinRAR archiver
Xvid 1.1.2 final uninstall

pskelley
2009-05-16, 22:44
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Recap: Post the log from combofix and a new HJT log run AFTER combofix was run.

InfectedComputer
2009-05-17, 01:16
Hi,

I've put ComboFix.exe on the desktop, as instructed. I've disabled Windows Firewall and the McAfee On-Access scanner, and I've uninstalled Spybot S&D.

But, as I mentioned above, the Spybot uninstall did not remove the TeaTimer. The uninstall procedure asked me to restart the computer to complete the uninstall, but the computer hung up during the process of shutting down, so eventually I had to do a forced shutdown. The TeaTimer restarted when I logged in after I booted back to Windows. TeaTimer.exe did not get removed from the Spybot program folder.

Please confirm for me, do you want me to launch ComboFix now even though the TeaTimer is still running?

Or is there something else you want me to do to try to disable the TeaTimer before I run ComboFix?

Thanks

P.S., Here are the additional details on what happened during the Spybot uninstall, if you want them or need them:

The uninstall procedure ended with a pop-up Window that said a restart was required to complete the process, and asked "Do you want to restart now?". I clicked "yes", and my Windows session started the process of logging off but then it "hung", showing the hourglass "Windows busy" icon in place of the cursor icon. Since the infection began, the computer has done this every time I have tried to logoff, restart, or shutdown from within a Windows user account session. (The other night I waited 7 hours and it was still hung in the same place.) Each time, I've finally had to force the computer to shut down by pressing and holding the power button until the computer powers off.

So this time, when I powered up the computer and then logged in to my Windows account from the Windows welcome screen, the TeaTimer restarted (specifically, TeaTimer.exe appeared in the process list in Task Manager, and the "Spybot resident" icon appeared in the systray). I looked in the "c:\Program Files\Spybot S & D" folder to see if the uninstall had deleted all the files. I found that there were still 3 files there -- TeaTimer.exe and a couple of DLL's.
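TeaTimer came back for the same reason the infection in this thread keeps coming back: an autostart value in the Run key still pointed at a file on disk. The ComboFix output further down the thread shows what a hostile version of that looks like (a Run value for ptidle.exe under Application Data created on the day of the infection, an HKCU Run value pointing at prnet.tmp, and a set of eight-letter lowercase names such as bofuwike.dll and fakugupu.exe in system32). The following script is an added example, not part of this thread or of ComboFix: it parses a constructed sample in the layout of ComboFix's "Reg Loading Points" section and flags entries by those three patterns plus a file date on or after a suspected infection date. The sample entries, their dates and sizes are made up for the example, and the heuristics (profile-directory markers, the eight-letter alternating vowel/consonant test) are the example's own assumptions, not a published signature.

```python
import re

# Constructed sample in the layout ComboFix uses for "Reg Loading Points".
# Names, paths, dates and sizes are made up for this example, modelled on
# entries seen in this thread; they are not copied from a real log.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ptidle"="c:\documents and settings\dmakoc\Application Data\ptidle\ptidle.exe" [2009-05-14 56832]
"prnet"="c:\windows\system32\prnet.tmp" [2009-05-14 1024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"bofuwike"="c:\windows\system32\bofuwike.dll" [2009-05-14 61440]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
'''

# A key header line, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# A value line: "name"="path" [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')

# Path fragments that mean the autostart target lives somewhere an ordinary user
# can write to (assumed markers for XP-era profile and temp directories).
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\local settings\\', '\\temp\\', '\\users\\')
# Extensions one expects behind a Run value; anything else (.tmp, .dat, none) is odd.
EXEC_EXT = ('.exe', '.dll', '.cpl', '.scr')
VOWELS = set('aeiou')


def looks_random_name(stem):
    """Eight lowercase letters alternating vowel/consonant, the shape of names
    such as bofuwike, fakugupu, mizalaza and zofaziba in this thread."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((stem[i] in VOWELS) != (stem[i + 1] in VOWELS) for i in range(7))


def triage(log_text, infection_date):
    """Return the Run-key entries worth a second look, each with the reasons.

    infection_date is an ISO date string (YYYY-MM-DD); ISO dates compare
    correctly as strings, so no date parsing is needed."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if not m or current_key is None:
            continue
        path = m.group('path').lower()
        filename = path.rsplit('\\', 1)[-1]
        stem, dot, ext = filename.rpartition('.')
        if not dot:                       # no extension at all
            stem, ext = filename, ''
        reasons = []
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append('autostart target in a user-writable profile directory')
        if ('.' + ext) not in EXEC_EXT:
            reasons.append('non-executable extension .%s used as an autostart target' % ext)
        if looks_random_name(stem) and '\\system32\\' in path:
            reasons.append('eight-letter random-looking name in system32')
        if m.group('date') >= infection_date:
            reasons.append('file dated %s, on or after the suspected infection date' % m.group('date'))
        if reasons:
            findings.append({'key': current_key, 'name': m.group('name'),
                             'path': m.group('path'), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, '2009-05-14'):
        print('%s\\%s -> %s' % (f['key'], f['name'], f['path']))
        for r in f['reasons']:
            print('    ' + r)
```

On the sample this reports ptidle, prnet and bofuwike and stays quiet about ctfmon, TeaTimer, NvCpl and MXOaldr. The date test on its own will also catch a legitimate file updated on the infection date, which is why each finding carries its reasons rather than a verdict: the point is to shorten the list a human reads, not to decide for them.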

pskelley
2009-05-17, 01:48
Please run ComboFix.

InfectedComputer
2009-05-17, 02:36
Sorry, just one quick question before I launch ComboFix. When the computer got infected, I unplugged it from the internet. Based on the ComboFix guide, it seems that ComboFix only needs an internet connection if it needs to download and install the Recovery Console. I already have the Recovery Console installed. So is it OK to leave the computer unplugged from the internet while I run ComboFix?

Regards,

Infected computer.

P.S. FYI, I've been posting from a clean computer, to avoid or minimize the need to plug the infected computer back in to the internet while it's being cleaned.

pskelley
2009-05-17, 02:39
Yes it is.

InfectedComputer
2009-05-17, 05:01
Hi,

Below are the ComboFix and HJT logs.

Several brief items, and then the logs:

1. FYI, before I ran ComboFix I right-clicked the Spybot resident icon in the systray, and was able to get it to exit. After I did that, the TeaTimer.exe process was no longer appearing in the Task Manager.

2. Also FYI, ComboFix rebooted my machine twice -- once after I clicked to close the Rootkit pop-up and once right before it produced the log file. The ComboFix guide made no mention of that possibility, and I wasn't sure if I was to go ahead and login at the Windows Welcome screen. After waiting a bit, I did login to the same account that I had launched ComboFix from. It would be good if the ComboFix people would update their guide to cover this.

3. ComboFix popped up a rootkit alert. Here's what it said:

Pop-up: Rootkit !! ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper, the name of each file. We may need it later.

C:\WINDOWS\system32\drivers\ovfsthyakjcbbolpuwfnpmiyaetuqfsqqppkek.sys
C:\WINDOWS\system32\ovfsthtdlhfptvaixbndwyturnevvbwkcpojnc.dll
C:\WINDOWS\system32\ovfsthytenpfquexndsqovugxfyaphsrbdvoel.dat
C:\WINDOWS\system32\ovfsthnkvucvojinybhmrlylpbojvoycnfowem.dll
C:\WINDOWS\system32\ovfsthykxbrfdmwfbifsxhtorfixqsvuofsjfw.dll
C:\WINDOWS\system32\ovfsthxcmmarjmucqcuqxsbhqxbadfexubbmrs.dat

-------------------------------

Here is the ComboFix log:

ComboFix 09-05-14.07 - dmakoc 05/16/2009 20:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.538 [GMT -4:00]
Running from: c:\documents and settings\dmakoc\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\dmakoc\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\bofuwike.dll
c:\windows\system32\bowagina.dll.tmp
c:\windows\system32\drivers\ovfsthyakjcbbolpuwfnpmiyaetuqfsqqppkek.sys
c:\windows\system32\fakugupu.exe
c:\windows\system32\fufuwatu.dll
c:\windows\system32\kivereza.dll.tmp
c:\windows\system32\luravufa.dll
c:\windows\system32\mizalaza.dll
c:\windows\system32\onolavoy.ini
c:\windows\system32\ovfsthnkvucvojinybhmrlylpbojvoycnfowem.dll
c:\windows\system32\ovfsthtdlhfptvaixbndwyturnevvbwkcpojnc.dll
c:\windows\system32\ovfsthxcmmarjmucqcuqxsbhqxbadfexubbmrs.dat
c:\windows\system32\ovfsthykxbrfdmwfbifsxhtorfixqsvuofsjfw.dll
c:\windows\system32\ovfsthytenpfquexndsqovugxfyaphsrbdvoel.dat
c:\windows\system32\prnet.tmp
c:\windows\system32\rewagiki.dll
c:\windows\system32\yovalono.dll
c:\windows\system32\yukikono.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthdtkdcbbxemaihnyiowvmhqlfqxsehwlm


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-14 04:11 . 2009-05-14 04:11 -------- d-----w c:\documents and settings\dmakoc\Application Data\ptidle
2009-04-28 14:21 . 2009-04-28 14:21 -------- d-----w c:\documents and settings\Matt2\Application Data\Malwarebytes
2009-04-26 02:20 . 2009-04-26 02:20 -------- d-----w c:\program files\Search Party
2009-04-20 17:48 . 2009-04-20 17:48 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-20 17:44 . 2009-04-20 17:46 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-20 17:44 . 2009-04-20 17:44 -------- d-----w c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 10:10 . 2009-02-16 19:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 22:43 . 2009-02-06 16:25 -------- d-----w c:\program files\ATTToolbar
2009-04-21 12:30 . 2002-11-09 17:53 98072 ----a-w c:\documents and settings\Alexander\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 04:45 . 2003-11-02 19:44 98072 ----a-w c:\documents and settings\Matt2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 14:02 . 2004-10-02 20:54 -------- d-----w c:\program files\EPSON
2009-04-15 10:03 . 2009-04-15 10:03 98072 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 00:37 . 2003-06-01 20:54 -------- d-----w c:\program files\Lavasoft
2009-04-15 00:35 . 2004-09-25 16:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-13 14:55 . 2009-04-13 14:55 51716 ----a-w c:\windows\system32\pdf995mon.dll
2009-04-13 14:55 . 2009-04-13 14:55 249856 ----a-w c:\windows\system32\pdfmona.dll
2009-04-13 14:55 . 2009-04-13 00:51 -------- d-----w c:\program files\PDF995
2009-04-13 00:54 . 2009-04-13 00:51 -------- d-----w c:\program files\TaxCut08
2009-04-10 21:58 . 2006-04-25 22:39 98072 ----a-w c:\documents and settings\Arthur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-08 17:00 . 2004-04-23 19:10 98072 ----a-w c:\documents and settings\dmakoc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 23:23 . 2009-04-03 00:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-04-03 00:08 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-03 00:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 00:15 . 2009-03-30 00:15 -------- d-----w c:\program files\Trend Micro
2009-03-29 23:46 . 2009-03-29 23:46 -------- d-----w c:\program files\ERUNT
2009-03-22 19:34 . 2009-03-22 19:34 129 ----a-w c:\documents and settings\dmakoc\Local Settings\Application Data\fusioncache.dat
2009-03-19 03:43 . 2009-03-19 03:43 2294837 ----a-w c:\documents and settings\Lilin\HCUpgrade3.1.exe
2009-03-06 14:22 . 2003-08-25 07:48 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 15:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ------w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinMem"="c:\program files\blcorp\UWCSuite\WinMem\WinMem.exe" [2003-12-02 376320]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ptidle"="c:\documents and settings\dmakoc\Application Data\ptidle\ptidle.exe" [2009-05-14 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-08-02 368720]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-07-15 1544192]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"MaxtorCombo"="c:\progra~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-16 40960]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-20 483328]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"DNS7reminder"="c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" [2003-11-17 729088]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-10 406016]
"RCScheduleCheck"="c:\program files\VCOM\Recovery Commander\RCSCHED.EXE" [2003-10-21 151552]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-29 180269]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-05-02 323584]

c:\documents and settings\dmakoc\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= "c:\program files\VCOM\Recovery Commander\RCHOOK.DLL" [2003-07-08 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2003-12-01 19:34 24665 ----a-w c:\windows\SYSTEM32\ckpNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux1"= ctwdm32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ERUNT\\ERUNT.EXE"=

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1/1/1980 1:00 AM 28672]
R2 Scap;SecureClient Application Policy Module;c:\windows\SYSTEM32\DRIVERS\scap.sys [3/26/2004 2:01 PM 17296]
R2 VPN-1;VPN-1 Module;c:\windows\SYSTEM32\DRIVERS\vpn.sys [3/26/2004 2:01 PM 668336]
R3 FW1;SecuRemote Miniport;c:\windows\SYSTEM32\DRIVERS\fw.sys [3/26/2004 2:02 PM 2038128]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [4/19/2002 1:42 PM 6942]
R3 mxDisk;mxDisk;c:\progra~1\VCOM\Fix-It\mxDisk.sys [5/10/2005 8:26 PM 51656]
S2 VRDVC20;Sony VRD-VC20 [Video Capture];c:\windows\SYSTEM32\DRIVERS\VRDVC20X.SYS [2/25/2006 6:11 PM 31104]
S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [4/19/2002 1:26 PM 281856]
S3 NUVision;Pinnacle DVC 80 Video;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [1/4/2005 1:57 PM 155264]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\SYSTEM32\DRIVERS\OMVA.sys [3/26/2004 2:02 PM 14924]
S3 VVRUSB;VVRUSB Device;c:\windows\SYSTEM32\DRIVERS\VVRUSB.sys [9/14/2004 3:42 AM 38479]
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2009-05-02 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard79002003-08-20 18:57N38V220VXEV.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 18:57]

2009-05-16 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2005-05-02 21:23]

2002-05-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2003-08-25 00:12]

2002-05-19 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2003-08-25 00:12]

2002-05-19 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2003-08-25 00:12]

2009-05-16 c:\windows\Tasks\Scheduled Checkpoint.job
- c:\program files\VCOM\Recovery Commander\RCSCHED.EXE [2005-07-17 17:20]

2009-05-16 c:\windows\Tasks\WebReg officejet 6300 series.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2006-02-19 09:09]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f9328a9a-e18c-478e-b89b-bc896a7c9b6e} - c:\windows\system32\mizalaza.dll
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-prnet - c:\windows\system32\prnet.tmp
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bofuwike.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 20:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DellTouch = c:\windows\DELLMMKB.EXE
AdaptecDirectCD = "c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
UpdReg = c:\windows\Updreg.exe
AHQInit = c:\program files\Creative\SBLive\Program\AHQInit.exe
BJCFD = c:\program files\BroadJump\Client Foundation\CFD.exe
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray
NvCplDaemon = RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
MaxtorCombo = "c:\progra~1\Dantz\RETROS~1\ComboButton.exe"
MXO Auto Loader = c:\windows\MXOaldr.exe
HPDJ Taskbar Utility = c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
HPHUPD05 = c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Component Manager = "c:\program files\HP\hpcoretech\hpcmpmgr.exe"
HPHmon05 = c:\windows\System32\hphmon05.exe
ShStatEXE = "c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
DNS7reminder = "c:\program files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "c:\program files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
PinnacleDriverCheck = c:\windows\System32\PSDrvCheck.exe -CheckReg

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2225589205-1256799619-874574627-1012\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (S-1-5-21-2225589205-1256799619-874574627-1012)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,32,31,14,99,61,
31,74,86,c8,28,51,af,b0,29,a3,98,de,8c,45,98,c6,3d,6f,4f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,be,db,f6,31,50,
8b,65,8a,71,3b,04,66,8b,46,0d,96,7b,86,1e,c8,f5,15,6a,6d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,aa,6f,0a,18,3d,
39,ee,8a,25,da,ec,7e,55,20,c9,26,33,da,6e,a7,a0,c1,ff,36,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,5d,e2,8c,1c,7c,
30,56,c1,3e,1e,9e,e0,57,5a,93,61,53,99,e5,4b,fd,dd,52,d0,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ce,cd,40,94,59,
2b,df,ba,cd,44,cd,b9,a6,33,6c,cd,e5,51,9c,d7,81,fd,51,06,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,74,1a,bd,2b,d8,
cb,8e,80,b0,18,ed,a7,3f,8d,37,a4,5b,c0,de,db,23,e0,b3,a6,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,5e,e7,f6,11,5f,
f4,84,c8,31,77,e1,ba,b1,f8,68,02,1a,66,6d,16,21,b5,05,ce,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,84,ed,f7,8b,f0,
35,8b,f2,83,6c,56,8b,a0,85,96,ab,e2,55,8a,87,1f,f7,9d,03,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d2,34,6e,b1,b0,
88,cc,c6,51,fa,6e,91,28,9e,14,cc,d6,08,5c,25,5d,99,f8,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,a7,8c,a9,c6,70,
a4,85,26,b1,cd,45,5a,a8,c4,f8,b9,e3,21,47,0c,b2,8f,4a,7c,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,db,48,e1,79,a9,
ae,52,31,e3,0e,66,d5,eb,bc,2f,6b,2e,9f,90,c5,08,6f,ca,5d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\System32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a8,6e,be,44,74,
ba,7c,c5,fa,ea,66,7f,d4,3b,6b,70,93,7a,fd,d1,66,cc,1b,4e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3868)
c:\progra~1\VCOM\Fix-It\WinHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\progra~1\VCOM\Fix-It\MXTASK.exe
c:\progra~1\Symantec\NORTON~1\GHOSTS~2.EXE
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\progra~1\VCOM\Fix-It\MXTASK.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Netropa\OSD.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-17 20:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 00:28

Pre-Run: 63,149,780,992 bytes free
Post-Run: 63,238,537,216 bytes free

316 --- E O F --- 2009-04-25 15:08



----------------------------------------

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:10 PM, on 5/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - S-1-5-18 Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10586 bytes
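Reading an HJT log by hand means scanning for the few entries that do not belong among the dozens of vendor utilities. The triage script below is an added example, not part of the original post or of HijackThis itself: it parses HJT-format lines and flags the patterns a helper looks at first. The heuristics (an O4 Run entry launched from a user-profile directory such as Application Data, a Run entry carrying a long hexadecimal argument, an O2/O9 entry whose target is "(no file)", an O10 LSP HJT cannot identify, an O23 service with "Unknown owner") are this example's own assumptions, and the sample log is constructed from the shape of the log above with a placeholder user name. The output is a worklist for review, not a verdict: nwprovau.dll is Microsoft's NetWare provider and Nhksrv.exe is the Netropa hotkey server for the Dell keyboard, both legitimate here, while the ptidle entry running from Application Data with a 70-character hex argument is the one that stands out.

```python
"""Triage a HijackThis 2.0.2 log for autostart entries that deserve a closer look.

Heuristics (assumptions made for this example, not rules from HijackThis):
  * O4 Run entries launched from a user profile (Application Data, Local Settings, Temp)
  * O4 Run entries carrying a long hexadecimal argument
  * O2/O9 entries whose target is "(no file)" (orphaned CLSIDs)
  * O10 Winsock LSP entries that HJT could not identify
  * O23 services reported with "Unknown owner"
"""
import re

# Constructed sample in the shape of the log posted above (user name is a placeholder).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [DellTouch] C:\\WINDOWS\\DELLMMKB.EXE
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [ptidle] "C:\\Documents and Settings\\user\\Application Data\\ptidle\\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\\WINDOWS\\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Directories under a user profile that installers rarely use but droppers often do.
USER_PROFILE_DIRS = re.compile(
    r"\\(application data|local settings|temp|documents and settings\\[^\\]+)\\", re.I)
# A trailing argument of 32+ hex characters (campaign/affiliate IDs look like this).
LONG_HEX_ARG = re.compile(r"\s[0-9A-F]{32,}\s*$", re.I)
# "O4 - HKLM\..\Run: [name] command"
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(log_text):
    """Return a list of (section, reason, line) tuples for entries worth examining."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # "O4", "O9", "O10", "O23", ...
        if section == "O4":
            m = O4_LINE.match(line)
            if m:
                cmd = m.group("cmd")
                if USER_PROFILE_DIRS.search(cmd):
                    findings.append((section, "autostart from user profile", line))
                if LONG_HEX_ARG.search(cmd):
                    findings.append((section, "long hex argument", line))
        elif section in ("O2", "O9") and line.endswith("(no file)"):
            findings.append((section, "orphaned CLSID", line))
        elif section == "O10" and "Unknown file" in line:
            findings.append((section, "unidentified Winsock LSP", line))
        elif section == "O23" and " - Unknown owner - " in line:
            findings.append((section, "service with unknown owner", line))
    return findings


def summarize(findings):
    """Collapse findings into a {reason: count} dict for a quick overview."""
    counts = {}
    for _, reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Run it against a saved hijackthis.log by reading the file into `triage()`; the vendor-signed entries (NVIDIA, HP, McAfee) drop out and what remains is the short list to look up or submit for analysis.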

pskelley
2009-05-17, 13:40
Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please post contents of that file & a new HJT log in your next reply.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

InfectedComputer
2009-05-17, 21:44
Hi,

Below are the MBAM and HJT logs.

Couple of things:

1. Recall that when I uninstalled Spybot S&D, the TeaTimer was not removed. After the restart requested by MBAM, I ran the HJT. After that, I noticed the Spybot Resident icon was present in the systray. I checked the Task Manager and TeaTimer.exe was present in the process list. What I don’t know is whether the TeaTimer loaded during the two restarts initiated by ComboFix. So it's possible the TeaTimer was running when I ran MBAM.

2. I forgot to mention in my last post that the computer started running at normal speed after ComboFix – no more extra copies of devldr.exe in the process list! That is a relief!

3. Question: Is it safe at this point to connect to the internet and start posting from the infected computer?

Regards,

Infected Computer

----------------------------------------------

MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3

5/17/2009 1:27:42 PM
mbam-log-2009-05-17 (13-27-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 267653
Time elapsed: 51 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\dmakoc\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\dmakoc\Application Data\ptidle\ptidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthnkvucvojinybhmrlylpbojvoycnfowem.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bowagina.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kivereza.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\luravufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthykxbrfdmwfbifsxhtorfixqsvuofsjfw.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\prnet.tmp.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthyakjcbbolpuwfnpmiyaetuqfsqqppkek.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013950.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013952.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013953.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP110\A0013975.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

-------------------------------------------------

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:32 PM, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://smportal.rti.org/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10380 bytes
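An MBAM log lists everything it touched in one flat "Files Infected" section, which makes a cleanup look worse than it is. In the log above, the Vundo and TDSS files MBAM reports under C:\Qoobox\Quarantine are ComboFix's quarantine copies (already disarmed and renamed .vir), and the ones under System Volume Information are System Restore snapshots, while the only live items are the ptidle.exe process, its HKCU Run value, and the Security Center notification that had been switched off. The script below is an added example, not part of the original post or of Malwarebytes' own tooling: it parses MBAM 1.x log entries and sorts them into live, setting, on-disk, quarantine and restore-point categories. The categories are this example's own assumptions, and the sample log is constructed from the entries above with a placeholder user name.

```python
"""Classify the entries of a Malwarebytes' Anti-Malware 1.x log by where each
detection lives, so live infections are not confused with leftover copies.

Categories (an assumption of this example, not an MBAM feature):
  live        - running process, or a registry key/value that is still present
  setting     - a "Registry Data Items" change (e.g. a disabled Security Center notice)
  disk        - a file or folder present on the live file system
  quarantine  - under \\Qoobox\\Quarantine (ComboFix's quarantine; already disarmed)
  restore     - under System Volume Information\\_restore (System Restore snapshots)
"""
import re

# Constructed sample built from the entries in the log above (user name is a placeholder).
SAMPLE_MBAM_LOG = """\
Memory Processes Infected:
C:\\Documents and Settings\\user\\Application Data\\ptidle\\ptidle.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\\Documents and Settings\\user\\Application Data\\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\\Documents and Settings\\user\\Application Data\\ptidle\\ptidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\luravufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\ovfsthyakjcbbolpuwfnpmiyaetuqfsqqppkek.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\\RP110\\A0013950.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\\RP110\\A0013975.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "<target> (<family>) -> <action>"; targets on 32-bit XP contain no parentheses.
ENTRY = re.compile(r"^(?P<target>.+?) \((?P<family>[^()\s]+)\) -> (?P<action>.+)$")


def classify(section, target):
    """Map a log section plus target path/key to one of the categories above."""
    t = target.lower()
    if section.startswith("Memory"):
        return "live"
    if section == "Registry Data Items Infected":
        return "setting"
    if section.startswith("Registry"):
        return "live"
    if "\\qoobox\\quarantine\\" in t:
        return "quarantine"
    if "\\system volume information\\_restore" in t:
        return "restore"
    return "disk"


def parse_mbam(log_text):
    """Return a list of dicts, one per detection line, tagged with its category."""
    section = None
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        if line.startswith("("):                # "(No malicious items detected)"
            continue
        m = ENTRY.match(line)
        if m and section:
            entries.append({
                "section": section,
                "target": m.group("target"),
                "family": m.group("family"),
                "action": m.group("action"),
                "category": classify(section, m.group("target")),
            })
    return entries


def by_category(entries):
    """Group parsed entries into {category: [entry, ...]}."""
    out = {}
    for e in entries:
        out.setdefault(e["category"], []).append(e)
    return out


def families(entries):
    """Sorted list of the distinct detection names seen in the log."""
    return sorted({e["family"] for e in entries})


if __name__ == "__main__":
    grouped = by_category(parse_mbam(SAMPLE_MBAM_LOG))
    for category, items in grouped.items():
        print(f"{category}: {len(items)}")
        for e in items:
            print(f"    {e['family']:24} {e['target']}")
```

The quarantine and restore hits are harmless to delete, but the restore-point hits are the reason helpers have users purge System Restore at the end of a cleanup: a later rollback to RP110 would put the TDSS driver back.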

pskelley
2009-05-17, 21:58
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0.5 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Viewpoint Media Player (Remove Only)
For your information, Viewpoint is installed by AOL probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm

You will have to be online to update the above programs. The first thing you must do is update McAfee to provide updated protections. Once this is done, please tell me how the computer is running.

Thanks

InfectedComputer
2009-05-17, 22:39
Hi,

I’ve re-enabled McAfee On-Access, updated McAfee, and re-enabled Windows Firewall.

The computer is running fine.

I will install the Secunia tool and follow up on your suggestions for updating programs.

Two questions:

1. Is it time to reinstall Spybot S&D, update, and immunize?

2. I had 2 USB external hard drives and 1 flash drive plugged in when the infection started. I’ve had them unplugged since then. Is it time to plug them back in? Do I need to scan them with MBAM?

Regards,

Infected Computer

pskelley
2009-05-17, 22:56
1) No, I will tell you when.

2) No, I will tell you when.

3) Complete the instructions for updating those programs and having PSI check to make sure you have no other out of date programs.
When you get to that point, post a new Uninstall list.

InfectedComputer
2009-05-19, 07:45
Hi,

OK, I finally worked through all the PSI stuff, the basic and the advanced. The only remaining issues are:

1. Insecure program – Microsoft Data Access Components (MDAC) 2.x. The fix from Secunia didn’t install; it gave a popup message saying that the fix was not needed because I have Windows SP3. But the program link is c:\I386\MSADOX.DLL and PSI said that if the file is in a backup location (such as c:\I386) then it’s OK and can be added to the ignore list.

2. End-of-life program – Macromedia Flash Player 5.x (ActiveX Control) – c:\I386\SWFLASH.OCX.

3. End-of-life program – Shockwave – c:\I386\SwInit.exe

But #2 and #3 are in c:\I386 so I assume I can also safely add them to the ignore list?

4. End-of-life program – McAfee VirusScan Enterprise 7.x. Although McAfee still provides updated signatures for this program, it seems that PSI thinks I need to replace it. Do you have a recommendation for a new Anti-Malware program?

A couple more things:

-- Every time I do a restart, Security Center pops up a warning that my virus scanner is disabled. Then the VirusScan icon comes up in the systray and immediately switches to the disabled icon. I’ve re-enabled the On-Access scan manually each time, and opened the scan window to confirm that it was scanning.

-- FYI, there is still a malware file, hidden, named “zofaziba” in c:\windows\system32 . This file was present the last time the computer had an infection.

Below is the new HJT uninstall list.

Regards,

InfectedComputer

----------------------------------------------

HJT uninstall list:

5000 Series
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 9.1.1
America Online
Anapod CopyGear (remove only)
Anapod Explorer (remove only)
AOL Coach Version 1.0(Build:20011028.1)
Apple Mobile Device Support
Apple Software Update
ArcSoft Media Card Companion
ArcSoft Software Suite
ATI Display Driver
Audacity 1.2.6
BellSouth® FastAccess® Connection Manager
Bonjour
BroadJump Client Foundation
BroadJump CorrectConnect Engine
CCleaner (remove only)
Cebuano Tutor 4.0
Check Point VPN-1 SecureClient NG_AI_R55
Compatibility Pack for the 2007 Office system
Conexant HSF V92 56K Data Fax PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
CSDiff
DeductionPro 2003
Dell Picture Studio - Image Expert 2000
Dell ResourceCD
Dell Solution Center
DellTouch
Detto IntelliMover
DiscWizard for Windows
DivX 5.0.3 Bundle
Dragon NaturallySpeaking 7.3
Easy CD Creator 5 Basic
ERUNT 1.1j
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
hp instant support
HP Memories Disc
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Intel Application Accelerator
iPod for Windows 2005-03-23
iPod for Windows 2005-09-06
iTunes
iTunes
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LP Recorder
LP Ripper
Malwarebytes' Anti-Malware
McAfee QuickClean
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MiraScan V4.03
Modem Helper
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Muhlenberg College
MusicMatch Jukebox
My DSC
Nero Suite
Ninotech Path Copy 4.0
Norton Ghost
NVIDIA Windows 2000/XP Display Drivers
OCR Software by I.R.I.S 7.0
OLYMPUS CAMEDIA Master 4.1
Olympus Digital Wave Player
Olympus Voice Album
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhoneTools
Photosmart 140,240,7200,7600,7700,7900 Series
Pinnacle Hollywood FX
PowerDesk 5.0
PrintMusic! 2001
PRO200WL
QuickLink Mobile Phonebook
QuickTime
RealPlayer
Recovery Commander
Registry First Aid
Remove MiraScan USB Driver
Retrospect 5.6
Samsung USB Driver (MCCI 4.24 WHQL)
ScanButton 3.0
Secunia PSI
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sony VRD-VCX [Video Capture] DS Filters v1.9.3i
Sound Blaster Live! Value
Spelling Dictionaries Support For Adobe Reader 9
Spychecker
Studio 9
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut North Carolina 2008
TaxCut Premium + State + Efile 2008
Teach2000.7 XP
Ultra WinCleaner Utility Suite Version 8
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Storage Adapter FX (MXO)
VCOM Fix-It Utilities Professional 6
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC 3.3.7
WD Diagnostics
Windows Driver Package - Sony (VRDVC20) MEDIA 11/10/2004 5.1.18.01
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinFF 0.43
WinRAR archiver
Xvid 1.1.2 final uninstall

pskelley
2009-05-19, 12:36
1) "Microsoft Data Access Components (MDAC)"
That should update via Windows Updates, it might not be available as a Critical Updates. When you have a little time, try this.
Open Internet Explorer > Tools > Windows Updates > Choose Custom.
Once the computer has been scanned, look to the left for items available for Windows XP. You can choose what to install from non-critical stuff from there.
If you have additional questions about this subject, ask them here:
http://support.microsoft.com/

2) c:\I386 <<< these are very important backups, be very careful working here.

c:\I386\SWFLASH.OCX <<< delete the file in red only

3) c:\I386\SwInit.exe <<< delete the file in red only.

4) You would have to take that up with McAfee. I can suggest freeware antivirus programs and will post the link, but first I will ask you to do this;
Start > Control Panel > Security Center > tell me if all three items are Green and Go.


Every time I do a restart, Security Center pops up a warning that my virus scanner is disabled. Then the VirusScan icon comes up in the systray and immediately switches to the disabled icon. I’ve re-enabled the On-Access scan manually each time, and opened the scan window to confirm that it was scanning.
Maybe the old program? You would have to discuss that with McAfee:
http://www.mcafee.com/us/support/
This means Windows Security Center sees it as out of date and that is why I just asked that be checked.

there is still a malware file, hidden, named “zofaziba” in c:\windows\system32
c:\windows\system32\zofaziba <<< delete that file in red and then empty the recycle bin.

Uninstall list <<< as far as I can see, it looks good. Secunia PSI has a better eye than I do though.

Links to available programs:
http://users.telenet.be/bluepatchy/miekiemoes/Links.html

As soon as the above issues are resolved, let's proceed with wrapping up like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update the antivirus (whatever one you decide to run) and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

InfectedComputer
2009-05-21, 00:36
Hi pskelley,

OK, some follow-ups on the tasks you requested. Sorry for the length of the post.

1) MDAC. I tried the custom Windows update, but there was nothing for MDAC in the list. I found the following information on the Windows “MDAC Utility: Component Checker” page:

“MDAC is installed with numerous Microsoft products and can also be redistributed using the redistribution program (mdac_typ.exe) that you can download from … Windows XP SP2 or later versions of Windows also install MDAC as an ‘out of box’ system component of the Windows operating system. Since MDAC in Windows XP SP2 or later is newer than the version (MDAC 2.8 SP1) in the last MDAC redistribution program, mdac_typ.exe no longer installs MDAC on Windows XP SP2 and later versions.”

On my computer there is a version of MSADOX.DLL located in “[Drive letter]:\Program Files\Common Files\System\ado” and it has a file modified date of 4/18/2008, which I don’t understand because I installed SP2 for Windows XP in 4/2009. So I installed the MDAC Utility Component Checker (wasn’t easy to find and install), ran it, and it said I have MDAC 2.8 SP1 on Windows XP SP3. MDAC 2.8 SP1 is the most current version.

The version of MSADOX.DLL in C:\I386 dates back to the original installation of Windows XP that came with my computer – the modified date is 8/18/2001 and the creation date is 5/19/2002. PSI is not complaining about the version of MSADOX.DLL in “C:\Program Files\Common Files\System\ado”. PSI says if the installation path is not “[Drive letter]:\Program Files\Common Files\System\ado” but rather is in a backup area like c:\I386, then the user should use the Ignore Directories & Paths option so that PSI does not look in that location. PSI lists the Installation Path as c:\I386\MSADOX.DLL. Having said that, do you think I should tell PSI to ignore the version in c:\I386, or that I should back it up and delete it like I did for the shockwave files in c:\I386, or talk to Microsoft Support?

2) c:\I386\SWFLASH.OCX – I deleted the file as you instructed, after backing it up to CD.

3) c:\I386\SwInit.exe – I deleted the file as you instructed, after backing it up to CD.

4) McAfee. Regarding the 3 items in the Security Center, the first one (firewall) is green/ on. The second one (automatic updates) is yellow/ check settings. That’s because I prefer to have the updates downloaded but then I decide when I want to install them. The third (virus protection) one comes up red when I restart, but turns green some minutes after I re-enable the McAfee manually using a right click option on the McAfee icon in the systray. [As soon as I re-enable McAfee manually, it starts scanning – it takes a while for the Security Center to recognize it.] Please note that this behavior was not happening with McAfee before the infection. I believe the McAfee was disabled entirely by the infection. It came back sometime after we ran ComboFix. I only noticed this behavior after we ran MBAM, so I don’t know whether this behavior started right after ComboFix, or later. This might be a moot question because I need to get a new antivirus program anyway?

Do I need a new antivirus program in place before doing the other steps, or can I make do for now by re-enabling McAfee manually?

As an aside, did I read somewhere that some malware can impersonate the Security Center?

5) Zofaziba – I deleted it and it has not regenerated itself (like it did with the first infection whenever I would try to delete it).


Before I start uninstalling ComboFix, run MBAM, etc., since it seems like we’re near the end, let me get some questions in while I can:

6) Related to deleting and reactivating the Windows restore, I also have Recovery Commander checkpoints as part of my Fix-It Utilities program. I don’t think those are protected storage, so I assume I don’t have to delete those?

7) Do I plug in and check my external HDs and flash drive after I get a clean MBAM report? Do I use MBAM and a virus scan to check them?

8) What about other user accounts? With the first infection in early April, after we had finished the forum thread, I discovered that there were still some stray startup entries in some user accounts. These were pointing toward malware files that we had removed, so when logging in to those accounts a popup would appear saying that the file they were pointing to couldn’t be found. Clicking “OK” would remove the pop-up. I have 2 administrative logins (plus “Administrator” in safe mode which I can’t get into because I lost the original password somehow), and 5 regular user accounts. How do we make sure there aren’t any remnants in other accounts?

9) Is the Windows Firewall sufficient or do I need something better? [If it’s just fancier feature options rather than stronger protection, it might not help me because I don’t even understand the features in Windows Firewall, I just use the defaults, I think.]

10) In addition to a real-time virus scanner, do I also need a real-time Malware scanner, such as is contained in the purchase version of MBAM or Ad-Aware? Do those clash with the real-time virus scanning? Are there combination products that scan in real time for all threats simultaneously?

11) Given the nature of this infection, will I need to change Windows user account passwords, online passwords (banking, Paypal, etc.), other passwords (for the ISP connection, email server, etc.)?

Regards,

InfectedComputer

pskelley
2009-05-21, 01:18
I will comment only when I think it is needed.

1) If you have additional questions about this subject, ask them here:
http://support.microsoft.com/

4) I don't know what you want to do with McAfee? Being out of date is likely what is causing the Security Center to show red. If you want to install a new freeware program, uninstall McAfee in Add Remove first.

Here are freeware programs (install only one)
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

http://www.avast.com/eng/avast_4_home.html
What's new in avast! version 4
http://www.avast.com/eng/whats_new_in_avast_v2.html

http://www.free-av.com/
http://www.free-av.com/en/support/index.html

Do I need a new antivirus program in place before doing the other steps, or can I make do for now by re-enabling McAfee manually?
I would say yes, the out of date program is likely giving you no protection anyway.

As an aside, did I read somewhere that some malware can impersonate the Security Center?
That's true but there is no evidence of that infection on this computer...so don't be concerned.

6) I do not use the program, you would have to ask that question at the programs website.

Please read all links that I already posted, most of your questions are answered there.

11) Strong passwords: How to create and use them
http://www.microsoft.com/athome/security/privacy/password.mspx
5 tips to keep your passwords secret
http://www.microsoft.com/protect/yourself/password/secret.mspx

When you complete all of the instructions I already posted, post a fresh HJT log and tell me about any malware issues.

InfectedComputer
2009-05-25, 02:54
Hi,

Sorry it’s taken so long to reply, but this has been endless. The item numbering below is new. I've put some questions below in bold italics. I’ve at least skimmed each of the links you sent.

1) OK, I got a little out of sequence. I uninstalled McAfee and installed the 30-day trial of Kaspersky Internet Security, which includes their virus scanner, firewall, anti-malware, anti-spam, etc. I installed it in “interactive” mode, which means it pops up every time there is something questionable and prompts for a response. After restarting after the install, the real-time detection popped up the following message on 2 occasions:

“Kaspersky detected suspicious activity: Unknown application shows itself as a hidden object. Such behavior can be a result of user actions or can be caused by a malicious program – rootkit.” I clicked on "Terminate" both times.

I ran a full Kaspersky scan and included the deep rootkit option. The scan identified the nasties still located in the system restore folders and in the Qoobox folder from ComboFix. It also identified 3 “highly dangerous” files that PSI missed. More on that below.

I started the uninstall of ComboFix and had to click “allow” for dozens of Kaspersky popups as the uninstall proceeded. Eventually the ComboFix completed. However, the c:\ComboFix folder remains, and still contains two files – CF31660 (windows command processor) and Nircmd. Should I delete this folder?

Then I turned off the system restore, did a complete shutdown, and powered back up. When I logged back in the Security Center popped up with a message in the systray saying “Kaspersky Internet Security is turned off” but that went away as soon as Kaspersky loaded in the systray. It hasn’t done that since, but Kaspersky is coming up relatively late in the login process. Is there something I can or should do to get Kaspersky to load sooner in the sequence?

Then I turned system restore back on. I noticed that something (the Kaspersky install) had reset my Windows Explorer so that it wasn’t showing hidden and system files anymore. I went into options and reselected them to be visible.

I plugged in the Ethernet cable, updated MBAM and ran a full scan. Scan was clean.

2) Kaspersky had detected 3 “highly dangerous” files that PSI missed. The first was “flash.ocx” in a folder in c:\windows\SoftwareDistribution\Download. I followed their link to an Adobe update page. I had already done this update before on the advice of PSI (for \I386\SWFLASH.OCX, which we deleted), but I did the update again anyway. File still there. Should I use the Kaspersky quarantine option on it?

3) The other two “highly dangerous” files that Kaspersky identified were two different versions of msxml4.dll in two folders under c:\windows\WinSxS. I followed the Kaspersky link for these two files and found links to fixes for MSXML 3.0, 4.0, and 6.0. Apparently all three can be installed on a computer simultaneously – 3.0 and 4.0 have legacy functions not covered by 6.0. I checked add/remove software and found that I had MSXML 4.0 SP2 installed. The fix recommended for that was Microsoft KB954430. I downloaded the update and ran it. It offered 3 options: modify, repair, and remove. I chose “repair”. After it ran, both of the msxml4.dll files were still there. Also in the add/remove list was MSXML 4.0 SP2 Parser and SDK. I clicked on “Click here for support information” and was directed to http://www.msdn.microsoft.com/xml (sorry, I can't seem to figure out how to stop this from converting to a live link). There I found a link to MSXML 4.0 Service Pack 3 (SP3) which “provides a number of security and reliability bug fixes.” So I ran that. Now, in add/remove programs I have MSXML 4.0 SP2 (KB954430), MSXML 4.0 SP2 Parser and SDK, and MSXML 4.0 SP3 Parser. But the two problematic copies of msxml4.dll remain. Should I use the Kaspersky quarantine option on these 2 files?



4) Windows Security Center is not showing in my system tray, but when I open it from the control panel it’s showing Kaspersky firewall and virus protection both on.

5) I logged into all my other user accounts and ran Kaspersky quick scan and MBAM quick scan. In two of the accounts MBAM found registry entries pointing to some of the nasties that we’ve already removed. These were identified as Trojan.Vundo.H in one account and Trojan.Vundo in the other. I had MBAM fix these, successfully. Logs are below.

When I scan with MBAM in an administrative account, why doesn’t it find registry startup nasties in the other user accounts? Are there other types of things in the other accounts that won’t be found? Must scanning always be done in every user account?

6) I looked at the password link you provided. My question is rather, is the nature of this infection such that I should change all of my passwords (regardless of whether they are strong or not)?

7) Time to reinstall Spybot S&D and immunize?

It feels like we're just about done. :)

Regards,

InfectedComputer


-----------------------------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 2168
Windows 5.1.2600 Service Pack 3

5/24/2009 1:13:34 PM
mbam-log-2009-05-24 (13-13-34).txt

Scan type: Quick Scan
Objects scanned: 89630
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pijupakapa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2fdd1d53 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2cee2ecf (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 2175
Windows 5.1.2600 Service Pack 3

5/24/2009 5:08:31 PM
mbam-log-2009-05-24 (17-08-31).txt

Scan type: Quick Scan
Objects scanned: 83601
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
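
The MBAM logs above show Vundo entries under HKEY_CURRENT_USER\...\Run, which explains why a scan from one account misses them: HKCU is only a view of the logged-in user's own hive under HKEY_USERS. The following PowerShell is an added example (not code from this thread or from MBAM) that audits the Run/RunOnce keys of every loaded user hive plus HKLM and flags entries whose target file no longer exists, the "file not found" startup leftovers described in question 8; the function and variable names are my own.

```powershell
# Added example, not part of the original thread.
# Audits Run/RunOnce startup entries across every loaded user hive (HKEY_USERS\<SID>)
# and the machine hive, and flags entries whose executable is missing on disk.
# Hives of accounts that are not logged in are not loaded; load one first with, e.g.:
#   reg load HKU\TempHive "C:\Documents and Settings\<user>\NTUSER.DAT"
# and unload it afterwards with: reg unload HKU\TempHive

function Get-RunEntryExecutable {
    param([string]$Command)
    # Extract the executable path from a Run value such as:  "C:\dir\x.exe" /arg
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Get-AllUserRunEntries {
    $results = @()
    # Every loaded user hive (skip the *_Classes hives, which hold no Run keys)
    $hives = Get-ChildItem 'Registry::HKEY_USERS' |
             Where-Object { $_.PSChildName -notmatch '_Classes$' } |
             ForEach-Object { "Registry::$($_.Name)" }
    $hives += 'Registry::HKEY_LOCAL_MACHINE'

    foreach ($hive in $hives) {
        foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run',
                         'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = "$hive\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata PowerShell adds
                if ($p.Name -like 'PS*') { continue }
                $exe = Get-RunEntryExecutable ([string]$p.Value)
                $expanded = [Environment]::ExpandEnvironmentVariables($exe)
                $results += New-Object PSObject -Property @{
                    Hive         = $hive
                    Key          = $sub
                    Name         = $p.Name
                    Command      = $p.Value
                    TargetExists = (Test-Path -LiteralPath $expanded)
                }
            }
        }
    }
    return $results
}

# Entries with TargetExists = False are stale leftovers (or point at a file
# hidden from the file system) and deserve a closer look in each account.
Get-AllUserRunEntries |
    Sort-Object TargetExists, Hive |
    Format-Table Hive, Name, Command, TargetExists -AutoSize
```

Run it from an administrative account; a RunOnce entry whose target is missing is normally just a remnant of a removed program, while a Run entry named like a random string (compare pijupakapa or 2cee2ecf in the logs) is worth checking in MBAM.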

pskelley
2009-05-25, 03:11
Here is what I asked for:


When you complete all of the instructions I already posted, post a fresh HJT log and tell me about any malware issues.
And I did not get it.


I ran a full Kaspersky scan and included the deep rootkit option. The scan identified the nasties still located in the system restore folders and in the Qoobox folder from ComboFix. It also identified 3 “highly dangerous” files that PSI missed. More on that below.

If you had followed directions in my post #20, combofix would have been uninstalled and System Restore files would have been cleaned before you ran Kaspersky.

Ask your Kaspersky question here:
http://forum.kaspersky.com/index.php?showforum=36

This topic is closed