
Thread: Help with various Malware, please.

    #1
    Junior Member
    Join Date: Jul 2008
    Posts: 25

    Help with various Malware, please.

    Hope you can help me. Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:05:03, on 7/8/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\ZVhQZXJpZW5jZQ\command.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: (no name) - {23EF4B19-B616-4747-884F-6962181A6F3E} - C:\WINDOWS\system32\fccaXPfd.dll (file missing)
    O2 - BHO: gooochi browser optimizer - {378ca758-4697-b357-73de-2b4355584429} - C:\WINDOWS\system32\{ceb50298-e179-b7cb-4041-af7ca76fab9d}.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: {63c1161a-fb18-2f2a-bc44-a19cc0192e3d} - {d3e2910c-c91a-44cb-a2f2-81bfa1611c36} - C:\WINDOWS\system32\vjurdn.dll
    O2 - BHO: mysidesearch search enhancer - {d9888a93-3302-1a48-2020-fae6ca1f7b9b} - C:\WINDOWS\system32\lxzjpiqrczyjvezv.dll
    O2 - BHO: (no name) - {F1D9CB4E-94D9-4179-9A5D-54B474F5AFFE} - C:\WINDOWS\system32\yaywvtQK.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K52EEN0G\install_sbd_en[1].exe
    O4 - HKLM\..\Run: [{2bb80403-3577-6448-1adc-da71886dc080}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{ceb50298-e179-b7cb-4041-af7ca76fab9d}.dll" DllInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [BM17cec518] Rundll32.exe "C:\WINDOWS\system32\gcrxvnrm.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [TheSpyBot] C:\Program Files\TheSpyBot\TheSpyBot.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O13 - Gopher Prefix:
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O20 - AppInit_DLLs: prio.dll C:\WINDOWS\system32\cssdll32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZVhQZXJpZW5jZQ\command.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    --
    End of file - 6846 bytes
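
The log above is worth reading as a pattern rather than a list. The O2 entries point at DLLs in system32 with random-looking names (vjurdn.dll, lxzjpiqrczyjvezv.dll, and fccaXPfd.dll, which is already gone), an O4 entry loads a GUID-named DLL through Rundll32, another O4 entry launches an installer straight out of the Temporary Internet Files cache, O20 AppInit_DLLs is populated (so cssdll32.dll is loaded into every process that maps user32.dll), and the cmdService service runs from C:\WINDOWS\ZVhQZXJpZW5jZQ, a directory name that is base64 for "eXPerience". The Python below is an added example for this page, not part of the thread and not code from HijackThis or Spybot: it parses lines in HJT format, pulls out the file paths and applies those checks as heuristics. The sample lines are copied from the log above; the vowel-ratio threshold and the 8-character base64 minimum are arbitrary choices of this example.

```python
"""Triage heuristics for HijackThis-format log lines (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied verbatim from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {23EF4B19-B616-4747-884F-6962181A6F3E} - C:\WINDOWS\system32\fccaXPfd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: {63c1161a-fb18-2f2a-bc44-a19cc0192e3d} - {d3e2910c-c91a-44cb-a2f2-81bfa1611c36} - C:\WINDOWS\system32\vjurdn.dll
O2 - BHO: mysidesearch search enhancer - {d9888a93-3302-1a48-2020-fae6ca1f7b9b} - C:\WINDOWS\system32\lxzjpiqrczyjvezv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K52EEN0G\install_sbd_en[1].exe
O4 - HKLM\..\Run: [{2bb80403-3577-6448-1adc-da71886dc080}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{ceb50298-e179-b7cb-4041-af7ca76fab9d}.dll" DllInit
O4 - HKLM\..\Run: [BM17cec518] Rundll32.exe "C:\WINDOWS\system32\gcrxvnrm.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: prio.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZVhQZXJpZW5jZQ\command.exe
"""

# A drive-letter path up to the first .exe/.dll; quotes and newlines end it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
GUID_RE = re.compile(r'\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}', re.I)
B64_RE = re.compile(r'^[A-Za-z0-9+/]{8,}$')   # 8-char minimum is this example's choice
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Letters only, 6+ chars, under one vowel in five: the Vundo-style names in the log.
    The 0.2 threshold is a heuristic picked for this example, not a published rule."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    return sum(ch.lower() in VOWELS for ch in stem) / len(stem) < 0.2


def decode_base64_dir(component: str) -> Optional[str]:
    """Return the plaintext if a directory name is base64 for printable ASCII, else None."""
    if not B64_RE.match(component) or len(component) % 4 == 1:
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def classify_path(path: str) -> List[str]:
    """Reasons a single file path looks suspicious (empty list means nothing tripped)."""
    parts = path.split("\\")
    parent = parts[-2].lower() if len(parts) > 1 else ""
    name = parts[-1]
    stem, _, ext = name.rpartition(".")
    reasons = []
    if GUID_RE.search(name):
        reasons.append("GUID-named file")
    # Restricted to DLLs in system32: ctfmon.exe and friends would otherwise trip it.
    if ext.lower() == "dll" and parent == "system32" and looks_random(stem):
        reasons.append("random-looking DLL name in system32")
    if "temporary internet files" in path.lower():
        reasons.append("autorun pointing into the IE cache")
    for component in parts[1:-1]:          # directory components only, not the drive or file
        decoded = decode_base64_dir(component)
        if decoded is not None:
            reasons.append(f"directory {component!r} is base64 for {decoded!r}")
    return reasons


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Run the entry-level and path-level checks over every non-empty HJT line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        if section == "O20":
            reasons.append("AppInit_DLLs set: DLL loaded into every process that maps user32.dll")
        if section == "O2" and line.endswith("(file missing)"):
            reasons.append("BHO registered but its DLL is gone (orphaned registration)")
        if section == "O23" and "Unknown owner" in line:
            reasons.append("service binary carries no vendor string (weak signal alone)")
        for path in PATH_RE.findall(line):
            reasons.extend(classify_path(path))
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {finding.line[:80]}")
        for reason in finding.reasons:
            print(f"    -> {reason}")
```

Run it as a script to print each flagged entry with its reasons; on the sample it flags eight of the twelve lines and leaves ssv.dll, SynTPEnh.exe, ctfmon.exe and btwdins.exe alone. The random-name rule is deliberately limited to DLLs under system32 because legitimate Windows binaries would otherwise trip it, and "Unknown owner" on its own is only a weak signal (the missing Google Updater service in the same log carries it too). Treat every hit as something to verify against signature, timestamp and a second opinion, not as a verdict.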

    #2
    Junior Member
    Join Date: Jul 2008
    Posts: 25

    btw, Spybot SD found:

    Command Service
    CoreMetrics
    DoubleClick
    MediaPlex
    Right Media
    Virtumonde.dll
    Virtumonde.prx
    WebTrends live
    Zedo

    #3
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't.
    You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    This can be a tough infection to remove so do not expect fast or easy.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Remove any old copies of combofix before you proceed.

    Thanks to sUBs and anyone else who helped with this fix.

    It is important that it is saved directly to your Desktop

    Download ComboFix from Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Post the combofix log and a new HJT log.

    Tutorial
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

    #4
    Junior Member
    Join Date: Jul 2008
    Posts: 25

    Hello, thanks for your reply. I ran a few anti virus programs since my first post and there aren't any popups anymore. Check the logs:

    ComboFix 08-07-10.1 - Administrator 2008-07-11 0:39:56.1 - NTFSx86
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\aamsnbix.dll
    C:\WINDOWS\system32\adryzl.dll
    C:\WINDOWS\system32\afsglhwk.dll
    C:\WINDOWS\system32\aiamwuyq.dll
    C:\WINDOWS\system32\amarehwq.dll
    C:\WINDOWS\system32\aornghao.dll
    C:\WINDOWS\system32\baytwart.dll
    C:\WINDOWS\system32\calktvid.dll
    C:\WINDOWS\system32\cgrvcjec.dll
    C:\WINDOWS\system32\cttoxtin.dll
    C:\WINDOWS\system32\cvjxsvnc.dll
    C:\WINDOWS\system32\dfPXaccf.ini
    C:\WINDOWS\system32\dfPXaccf.ini2
    C:\WINDOWS\system32\diqpmvtm.dll
    C:\WINDOWS\system32\dwahda.dll
    C:\WINDOWS\system32\feeomosx.dll
    C:\WINDOWS\system32\fqofucfj.ini
    C:\WINDOWS\system32\gdgynrgj.dll
    C:\WINDOWS\system32\hdgnjy.dll
    C:\WINDOWS\system32\hvaqrwxg.ini
    C:\WINDOWS\system32\ievfhurr.ini
    C:\WINDOWS\system32\ilslytxe.dll
    C:\WINDOWS\system32\jmlbdd.dll
    C:\WINDOWS\system32\kgkwqpyi.dll
    C:\WINDOWS\system32\KQtvwyay.ini
    C:\WINDOWS\system32\KQtvwyay.ini2
    C:\WINDOWS\system32\ldstpigc.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\ncppbxwq.dll
    C:\WINDOWS\system32\nxdtvx.dll
    C:\WINDOWS\system32\ofdrhtax.dll
    C:\WINDOWS\system32\pqwxkj.dll
    C:\WINDOWS\system32\qcbkjgda.dll
    C:\WINDOWS\system32\rev2
    C:\WINDOWS\system32\rruhfvei.dll
    C:\WINDOWS\system32\sbrnbfos.dll
    C:\WINDOWS\system32\txjqbnep.dll
    C:\WINDOWS\system32\vjurdn.dll
    C:\WINDOWS\system32\vuduelbf.ini
    C:\WINDOWS\system32\wnrvqd.dll
    C:\WINDOWS\system32\xebtjgvk.dll
    C:\WINDOWS\system32\xmtwatec.dll
    C:\WINDOWS\system32\xqxjxdgh.dll
    C:\WINDOWS\system32\yhswimae.dll
    C:\WINDOWS\system32\yzsvhk.dll
    C:\WINDOWS\ZVhQZXJpZW5jZQ\

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Service_cmdService


    ((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
    .

    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\system32\xircom
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\system32\oobe
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\srchasst
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\msagent
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\Program Files\microsoft frontpage
    2008-07-10 23:37 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
    2008-07-10 23:37 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
    2008-07-10 23:36 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
    2008-07-10 23:11 . 2008-07-11 00:44 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
    2008-07-10 22:34 . 2008-07-10 23:37 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2008-07-10 22:34 . 2008-07-10 23:11 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-07-10 22:08 . 2008-07-11 00:05 <DIR> d-------- C:\Program Files\PartyGaming
    2008-07-10 21:59 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-10 21:41 . 2008-07-10 22:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-07-08 20:34 . 2008-07-10 20:54 3,372 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-08 20:12 . 2008-07-08 20:12 3,704,444 --ahs---- C:\WINDOWS\system32\iksljjmq.tmp
    2008-07-08 20:08 . 2008-07-08 20:08 <DIR> d-------- C:\Program Files\AskSBar
    2008-07-08 20:08 . 2008-07-08 20:08 249,592 --a------ C:\WINDOWS\system32\cssdll32.dll
    2008-07-08 20:07 . 2008-07-10 22:28 <DIR> d-------- C:\Program Files\COMODO
    2008-07-08 20:07 . 2008-07-08 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-08 20:07 . 2008-07-08 20:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-07-08 19:51 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-08 19:51 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-08 19:04 . 2008-07-08 20:41 <DIR> d-------- C:\VundoFix Backups
    2008-07-07 02:44 . 2008-07-07 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-07-05 11:47 . 2008-07-05 11:47 9,662 --a------ C:\WINDOWS\system32\blackip.ico
    2008-07-03 18:09 . 2008-07-03 18:09 1,719,120 --ahs---- C:\WINDOWS\system32\mmcaqaqc.tmp
    2008-07-03 02:07 . 2008-07-03 02:07 1,719,060 --ahs---- C:\WINDOWS\system32\hvaqrwxg.tmp
    2008-07-02 20:30 . 2008-07-09 02:39 797 --a------ C:\WINDOWS\wininit.ini
    2008-07-02 19:53 . 2008-07-08 18:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-02 19:53 . 2008-07-08 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-01 14:30 . 2008-07-01 14:30 1,713,002 --ahs---- C:\WINDOWS\system32\sbigijhm.tmp
    2008-07-01 13:20 . 2008-07-09 21:42 110,463 --a------ C:\WINDOWS\BM17cec518.xml
    2008-06-30 18:44 . 2008-07-08 20:22 <DIR> d-------- C:\WINDOWS\system32\mb9
    2008-06-30 18:44 . 2008-06-30 18:44 <DIR> d-------- C:\Temp\syschk3
    2008-06-30 18:44 . 2008-07-11 00:40 <DIR> d-------- C:\Temp
    2008-06-30 18:44 . 2008-07-08 20:21 34,304 --a------ C:\WINDOWS\system32\ljJCtrst.dll.vir
    2008-06-28 19:40 . 2008-06-28 19:40 <DIR> d-------- C:\Program Files\Microsoft Silverlight
    2008-06-27 03:53 . 2008-06-27 03:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-06-26 17:04 . 2008-04-14 04:42 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-06-26 17:04 . 2001-08-17 21:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-06-23 17:25 . 2008-06-23 17:25 221 --a------ C:\WINDOWS\NCLogConfig.ini
    2008-06-23 17:04 . 2008-07-10 22:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
    2008-06-23 17:01 . 2008-06-23 17:01 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
    2008-06-23 17:00 . 2008-06-23 17:00 <DIR> d-------- C:\Program Files\Java
    2008-06-23 17:00 . 2008-06-23 17:00 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-23 17:00 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Nokia
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2008-06-16 18:43 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
    2008-06-16 18:43 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2008-06-16 18:43 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
    2008-06-16 18:43 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
    2008-06-16 18:43 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
    2008-06-16 18:43 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
    2008-06-15 16:15 . 2008-06-15 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
    2008-06-15 16:15 . 2008-06-15 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Datalayer
    2008-06-15 16:12 . 2008-06-16 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Program Files\DIFX
    2008-06-15 16:09 . 2008-07-10 23:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-06-15 16:09 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
    2008-06-15 16:09 . 2008-06-16 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    2008-06-15 16:09 . 2008-06-15 16:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
    2008-06-15 16:09 . 2006-05-29 08:26 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2008-06-12 16:52 . 2008-06-26 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\.blurb
    2008-06-12 16:48 . 2008-06-12 18:08 <DIR> d-------- C:\Program Files\BookSmart
    2008-06-12 02:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-06-12 02:21 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-12 02:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-06-10 23:33 . 2008-06-10 23:33 <DIR> d-------- C:\Program Files\Windows Live
    2008-06-10 23:33 . 2008-06-10 23:34 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-06-10 23:32 . 2008-06-12 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-06 23:51 --------- d-----w C:\Program Files\Google
    2008-06-23 16:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\HP
    2008-06-09 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-06-09 21:52 --------- d-----w C:\Program Files\HP
    2008-06-09 21:52 --------- d-----w C:\Program Files\Common Files\HP
    2008-06-09 21:49 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
    2008-06-05 14:45 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-05 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
    2008-06-05 02:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATI
    2008-06-04 08:02 --------- d-----w C:\Program Files\Reference Assemblies
    2008-06-04 08:02 --------- d-----w C:\Program Files\MSBuild
    2008-06-04 02:38 --------- d-----w C:\Program Files\Synaptics
    2008-06-04 02:23 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-04 02:20 --------- d-----w C:\Program Files\WIDCOMM
    2008-06-04 02:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-04 02:17 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-06-04 01:55 62,633 ----a-w C:\WINDOWS\prio197uninstall.exe
    2008-06-04 01:52 --------- d-----w C:\Program Files\ATI Technologies
    2008-06-04 01:43 --------- d-----w C:\Program Files\Windows Media Connect 2
    .

    ------- Sigcheck -------

    2008-04-24 13:00 361344 accf5a9a1ffaa490f33dba1c632b95e1 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-07-08 20:08 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-24 13:00 15360]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 14:51 774233]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 12:36 229376]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
    "OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)
    "DisableStatusMessages"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "StartMenuFavorites"= 0 (0x0)
    "Start_ShowMyComputer"= 1 (0x1)
    "Start_ShowMyDocs"= 1 (0x1)
    "Start_ShowMyMusic"= 0 (0x0)
    "Start_ShowRun"= 1 (0x1)
    "Start_ShowSearch"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc8573e0-46cb-11dd-884c-000fb3a68496}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    *Newly Created Service* - HELPSVC
    *Newly Created Service* - MSFWSVC
    *Newly Created Service* - OCHEALTHMON
    *Newly Created Service* - WINSS
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-{2bb80403-3577-6448-1adc-da71886dc080} - C:\WINDOWS\system32\{ceb50298-e179-b7cb-4041-af7ca76fab9d}.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-11 00:43:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-11 0:47:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-10 23:47:46

    Pre-Run: 35,571,929,088 bytes free
    Post-Run: 35,566,444,544 bytes free

    279


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:48:39, on 7/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O13 - Gopher Prefix:
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    --
    End of file - 6375 bytes

  5. #5
    pskelley
    In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information and the feedback:
    "I ran a few anti-virus programs since my first post and there aren't any popups anymore."
    Whatever you ran missed a load of Vundo; almost all of the files ComboFix removed are associated with that adware infection.

    1) C:\Program Files\Java\jre1.6.0_04\ <<< update your Java program, see this:
    http://forums.spybot.info/showpost.p...80&postcount=2

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    3) Start > Control Panel > Add Remove programs and uninstall AskSBar

    4) Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\iksljjmq.tmp
    C:\WINDOWS\system32\mmcaqaqc.tmp
    C:\WINDOWS\system32\hvaqrwxg.tmp
    C:\WINDOWS\system32\sbigijhm.tmp
    C:\WINDOWS\BM17cec518.xml
    C:\WINDOWS\system32\ljJCtrst.dll.vir
    
    Folder::
    C:\Program Files\AskSBar
    C:\VundoFix Backups
    Save this as CFScript

    Referring to the picture above, drag CFScript into ComboFix.exe.

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you finish before posting the logs.)

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    (some may be gone, removed by CFScript)

    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post the ComboFix log from CFScript, a new HJT log and some feedback from you. How is the computer running?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Jul 2008
    Posts
    25

    Default

    OK, thanks. I didn't know where to find the ComboFix report after I restarted after the last step, so I ran ComboFix again after the restart. The computer stays at the welcome screen for a bit at startup, but I think it's due to Windows Live OneCare, which I haven't enabled or configured yet. Here go the reports:

    ComboFix 08-07-10.1 - Administrator 2008-07-11 2:22:19.3 - NTFSx86
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
    .

    2008-07-11 02:01 . 2008-07-11 02:01 <DIR> d-------- C:\Program Files\Sun
    2008-07-11 01:49 . 2008-07-11 01:56 <DIR> d-------- C:\Documents and Settings\Administrator\.SunDownloadManager
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\system32\xircom
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\system32\oobe
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\srchasst
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\msagent
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\Program Files\microsoft frontpage
    2008-07-10 23:37 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
    2008-07-10 23:37 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
    2008-07-10 23:36 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
    2008-07-10 23:11 . 2008-07-11 02:20 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
    2008-07-10 22:34 . 2008-07-10 23:11 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-07-10 22:08 . 2008-07-11 00:05 <DIR> d-------- C:\Program Files\PartyGaming
    2008-07-10 21:59 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-10 21:41 . 2008-07-10 22:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-07-08 20:34 . 2008-07-10 20:54 3,372 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-08 20:08 . 2008-07-08 20:08 249,592 --a------ C:\WINDOWS\system32\cssdll32.dll
    2008-07-08 20:07 . 2008-07-10 22:28 <DIR> d-------- C:\Program Files\COMODO
    2008-07-08 20:07 . 2008-07-08 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-08 20:07 . 2008-07-08 20:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-07-08 19:51 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-08 19:51 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-07 02:44 . 2008-07-07 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-07-05 11:47 . 2008-07-05 11:47 9,662 --a------ C:\WINDOWS\system32\blackip.ico
    2008-07-02 20:30 . 2008-07-09 02:39 797 --a------ C:\WINDOWS\wininit.ini
    2008-07-02 19:53 . 2008-07-08 18:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-02 19:53 . 2008-07-08 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-30 18:44 . 2008-07-08 20:22 <DIR> d-------- C:\WINDOWS\system32\mb9
    2008-06-30 18:44 . 2008-06-30 18:44 <DIR> d-------- C:\Temp\syschk3
    2008-06-30 18:44 . 2008-07-11 00:40 <DIR> d-------- C:\Temp
    2008-06-28 19:40 . 2008-06-28 19:40 <DIR> d-------- C:\Program Files\Microsoft Silverlight
    2008-06-27 03:53 . 2008-06-27 03:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-06-26 17:04 . 2008-04-14 04:42 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-06-26 17:04 . 2001-08-17 21:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-06-23 17:25 . 2008-06-23 17:25 221 --a------ C:\WINDOWS\NCLogConfig.ini
    2008-06-23 17:04 . 2008-07-11 02:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
    2008-06-23 17:01 . 2008-06-23 17:01 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
    2008-06-23 17:00 . 2008-07-11 02:01 <DIR> d-------- C:\Program Files\Java
    2008-06-23 17:00 . 2008-06-23 17:00 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-23 17:00 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Nokia
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2008-06-16 18:43 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
    2008-06-16 18:43 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2008-06-16 18:43 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
    2008-06-16 18:43 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
    2008-06-16 18:43 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
    2008-06-16 18:43 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
    2008-06-15 16:15 . 2008-06-15 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
    2008-06-15 16:15 . 2008-06-15 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Datalayer
    2008-06-15 16:12 . 2008-06-16 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Program Files\DIFX
    2008-06-15 16:09 . 2008-07-10 23:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-06-15 16:09 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
    2008-06-15 16:09 . 2008-06-16 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    2008-06-15 16:09 . 2008-06-15 16:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
    2008-06-15 16:09 . 2006-05-29 08:26 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2008-06-12 16:52 . 2008-06-26 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\.blurb
    2008-06-12 16:48 . 2008-06-12 18:08 <DIR> d-------- C:\Program Files\BookSmart
    2008-06-12 02:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-06-12 02:21 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-12 02:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-06 23:51 --------- d-----w C:\Program Files\Google
    2008-06-23 16:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\HP
    2008-06-12 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-06-10 22:34 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2008-06-10 22:33 --------- d-----w C:\Program Files\Windows Live
    2008-06-09 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-06-09 21:52 --------- d-----w C:\Program Files\HP
    2008-06-09 21:52 --------- d-----w C:\Program Files\Common Files\HP
    2008-06-09 21:49 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
    2008-06-05 14:45 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-05 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
    2008-06-05 02:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATI
    2008-06-04 08:02 --------- d-----w C:\Program Files\Reference Assemblies
    2008-06-04 08:02 --------- d-----w C:\Program Files\MSBuild
    2008-06-04 02:38 --------- d-----w C:\Program Files\Synaptics
    2008-06-04 02:23 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-04 02:20 --------- d-----w C:\Program Files\WIDCOMM
    2008-06-04 02:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-04 02:17 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-06-04 01:55 62,633 ----a-w C:\WINDOWS\prio197uninstall.exe
    2008-06-04 01:52 --------- d-----w C:\Program Files\ATI Technologies
    2008-06-04 01:43 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-04-14 04:42 8,192 ----a-w C:\WINDOWS\system32\wshirda.dll
    2008-04-14 04:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
    2008-04-14 04:42 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
    2008-04-14 04:42 29,184 ----a-w C:\WINDOWS\system32\sdhcinst.dll
    2008-04-14 04:42 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
    2008-04-14 04:42 151,552 ----a-w C:\WINDOWS\system32\irftp.exe
    2008-04-14 04:41 30,208 ----a-w C:\WINDOWS\system32\bthserv.dll
    2008-04-14 04:41 28,160 ----a-w C:\WINDOWS\system32\irmon.dll
    2008-04-14 04:41 20,992 ----a-w C:\WINDOWS\system32\bthci.dll
    2008-04-14 03:42 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
    2008-04-14 03:41 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll
    .

    ------- Sigcheck -------

    2008-04-24 13:00 361344 accf5a9a1ffaa490f33dba1c632b95e1 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot@2008-07-11_ 0.47.35.22 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-10 23:42:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-11 01:18:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-10 23:49:35 3,902 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{912E4E5E-DD50-4359-A1FC-108E8DB00615}.bin
    - 2007-12-13 23:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
    + 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2007-12-13 23:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2007-12-14 00:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    - 2008-07-10 21:33:40 66,692 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-07-11 01:23:53 66,692 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-07-10 21:33:40 430,914 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-07-11 01:23:53 430,914 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-07-11 01:21:42 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_824.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-24 13:00 15360]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 14:51 774233]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 12:36 229376]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)
    "DisableStatusMessages"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "StartMenuFavorites"= 0 (0x0)
    "Start_ShowMyComputer"= 1 (0x1)
    "Start_ShowMyDocs"= 1 (0x1)
    "Start_ShowMyMusic"= 0 (0x0)
    "Start_ShowRun"= 1 (0x1)
    "Start_ShowSearch"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc8573e0-46cb-11dd-884c-000fb3a68496}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-11 02:23:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-11 2:25:19
    ComboFix-quarantined-files.txt 2008-07-11 01:25:07
    ComboFix2.txt 2008-07-11 01:09:27
    ComboFix3.txt 2008-07-10 23:47:54

    Pre-Run: 34,921,734,144 bytes free
    Post-Run: 34,907,807,744 bytes free

    218



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:26:47, on 7/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O13 - Gopher Prefix:
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    --
    End of file - 5743 bytes

  7. #7
    pskelley
    In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for the feedback. I need to see that report from CFScript. It will be here:
    C:\Combofix.txt. There may be two there; open it and look for the one that ends like this:
    C:\Documents and Settings\Administrator\Desktop\CFScript.txt <<< this is what I need to see
    C:\Documents and Settings\Administrator\Desktop\ComboFix.exe <<< not this

    The HJT log appears to be clean; how is the computer running now? Once you post the report from CFScript, run this scan to make sure we killed it all.

    Download Malwarebytes' Anti-Malware to your Desktop
    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file in your next reply.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
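
    The before/after check the helper does by eye on these two HJT logs, written out as an added example (not part of the thread and not HijackThis code): it parses the entry lines, flags the AskSBar/PartyGaming items the helper picked plus orphaned "(file missing)" services, and confirms the flagged ones are gone from the second log. The sample lines are copied from the logs above; SUSPECT_DIRS and the field names are this example's own.

```python
"""Parse HijackThis v2 log entries, flag the ones a helper would have the
user "Fix Checked", and confirm they are gone from the follow-up log.
Added example for this thread; not HijackThis code. Sample lines are
copied from the two logs in the thread; SUSPECT_DIRS and the field names
are this example's own choices."""
import re
from dataclasses import dataclass
from typing import Optional

# An entry line looks like "O2 - BHO: ..." or "R3 - URLSearchHook: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2})\s+-\s+(?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path on the line, ending in a binary/page extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|htm|html|cpl|ocx)\b", re.I)

# Directories the helper told the user to uninstall or fix entries for.
SUSPECT_DIRS = (r"C:\Program Files\AskSBar", r"C:\Program Files\PartyGaming")

@dataclass(frozen=True)
class Entry:
    kind: str              # HJT section code, e.g. "O2"
    text: str              # everything after "O2 - "
    clsid: Optional[str]   # {GUID} on the line, uppercased, if any
    path: Optional[str]    # first file path on the line, if any
    file_missing: bool     # HJT appended "(file missing)"

def parse_entry(line: str) -> Optional[Entry]:
    """One HJT log line -> Entry, or None for headers, process list, etc."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    clsid = CLSID_RE.search(rest)
    path = PATH_RE.search(rest)
    return Entry(kind=m.group("kind"), text=rest,
                 clsid=clsid.group(0).upper() if clsid else None,
                 path=path.group(0) if path else None,
                 file_missing="(file missing)" in rest)

def parse_log(log: str) -> list:
    return [e for e in map(parse_entry, log.splitlines()) if e is not None]

def flag(entry: Entry) -> Optional[tuple]:
    """("fix", why) for entries to check in HJT; ("note", why) for entries
    worth a look but left alone (the helper left the orphaned services)."""
    if entry.path:
        p = entry.path.lower()
        for d in SUSPECT_DIRS:
            if p.startswith(d.lower() + "\\"):
                return "fix", f"loads from {d}"
    if entry.kind == "O23" and entry.file_missing:
        return "note", "service points at a missing binary"
    return None

def review(before_log: str, after_log: str) -> dict:
    """Flag entries in the first log and check what the second log shows."""
    before, after = parse_log(before_log), parse_log(after_log)
    before_keys = {(e.kind, e.text) for e in before}
    after_keys = {(e.kind, e.text) for e in after}
    to_fix, notes, still_present = [], [], []
    for e in before:
        verdict = flag(e)
        if verdict is None:
            continue
        sev, why = verdict
        (to_fix if sev == "fix" else notes).append((e, why))
        if sev == "fix" and (e.kind, e.text) in after_keys:
            still_present.append(e)   # the cleanup did not take
    # Entries that only appear after the fix deserve a look as well.
    new = [e for e in after if (e.kind, e.text) not in before_keys]
    return {"to_fix": to_fix, "notes": notes,
            "still_present": still_present, "new": new}

# Constructed from lines of the two logs in the thread (before / after fix).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
"""
AFTER_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
"""

if __name__ == "__main__":
    result = review(BEFORE_LOG, AFTER_LOG)
    for e, why in result["to_fix"]:
        print(f"FIX  {e.kind}: {why}")
    for e, why in result["notes"]:
        print(f"NOTE {e.kind}: {why}")
    print("flagged entries still present:", len(result["still_present"]))
    print("new after fix:", [e.path for e in result["new"]])
```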

  8. #8
    Junior Member
    Join Date
    Jul 2008
    Posts
    25

    Default

    Thanks again. I found it in C:\QooBox. The computer is running fine. Here they come:

    ComboFix 08-07-10.1 - Administrator 2008-07-11 2:07:10.2 - NTFSx86
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\BM17cec518.xml
    C:\WINDOWS\system32\hvaqrwxg.tmp
    C:\WINDOWS\system32\iksljjmq.tmp
    C:\WINDOWS\system32\ljJCtrst.dll.vir
    C:\WINDOWS\system32\mmcaqaqc.tmp
    C:\WINDOWS\system32\sbigijhm.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\AskSBar
    C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    C:\Program Files\AskSBar\bar\History\search2
    C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    C:\VundoFix Backups
    C:\WINDOWS\BM17cec518.xml
    C:\WINDOWS\system32\hvaqrwxg.tmp
    C:\WINDOWS\system32\iksljjmq.tmp
    C:\WINDOWS\system32\ljJCtrst.dll.vir
    C:\WINDOWS\system32\mmcaqaqc.tmp
    C:\WINDOWS\system32\sbigijhm.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
    .

    2008-07-11 02:04 . 2008-07-08 20:08 262,144 --a------ C:\Program Files\Uninstall Ask Toolbar.dll
    2008-07-11 02:01 . 2008-07-11 02:01 <DIR> d-------- C:\Program Files\Sun
    2008-07-11 01:49 . 2008-07-11 01:56 <DIR> d-------- C:\Documents and Settings\Administrator\.SunDownloadManager
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\system32\xircom
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\system32\oobe
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\srchasst
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\WINDOWS\msagent
    2008-07-11 00:43 . 2008-07-11 00:43 <DIR> d-------- C:\Program Files\microsoft frontpage
    2008-07-10 23:37 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
    2008-07-10 23:37 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
    2008-07-10 23:36 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
    2008-07-10 23:11 . 2008-07-11 00:44 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
    2008-07-10 22:34 . 2008-07-10 23:11 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-07-10 22:08 . 2008-07-11 00:05 <DIR> d-------- C:\Program Files\PartyGaming
    2008-07-10 21:59 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-10 21:41 . 2008-07-10 22:02 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-07-08 20:34 . 2008-07-10 20:54 3,372 --a------ C:\WINDOWS\system32\tmp.reg
    2008-07-08 20:08 . 2008-07-08 20:08 249,592 --a------ C:\WINDOWS\system32\cssdll32.dll
    2008-07-08 20:07 . 2008-07-10 22:28 <DIR> d-------- C:\Program Files\COMODO
    2008-07-08 20:07 . 2008-07-08 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-08 20:07 . 2008-07-08 20:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-08 19:51 . 2008-07-08 19:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-07-08 19:51 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-08 19:51 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-07 02:44 . 2008-07-07 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-07-05 11:47 . 2008-07-05 11:47 9,662 --a------ C:\WINDOWS\system32\blackip.ico
    2008-07-02 20:30 . 2008-07-09 02:39 797 --a------ C:\WINDOWS\wininit.ini
    2008-07-02 19:53 . 2008-07-08 18:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-02 19:53 . 2008-07-08 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-30 18:44 . 2008-07-08 20:22 <DIR> d-------- C:\WINDOWS\system32\mb9
    2008-06-30 18:44 . 2008-06-30 18:44 <DIR> d-------- C:\Temp\syschk3
    2008-06-30 18:44 . 2008-07-11 00:40 <DIR> d-------- C:\Temp
    2008-06-28 19:40 . 2008-06-28 19:40 <DIR> d-------- C:\Program Files\Microsoft Silverlight
    2008-06-27 03:53 . 2008-06-27 03:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-06-26 17:04 . 2008-04-14 04:42 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-06-26 17:04 . 2001-08-17 21:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-06-23 17:25 . 2008-06-23 17:25 221 --a------ C:\WINDOWS\NCLogConfig.ini
    2008-06-23 17:04 . 2008-07-11 00:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
    2008-06-23 17:01 . 2008-06-23 17:01 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
    2008-06-23 17:00 . 2008-07-11 02:01 <DIR> d-------- C:\Program Files\Java
    2008-06-23 17:00 . 2008-06-23 17:00 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-23 17:00 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Nokia
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2008-06-16 18:43 . 2008-06-16 18:43 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2008-06-16 18:43 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
    2008-06-16 18:43 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2008-06-16 18:43 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
    2008-06-16 18:43 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
    2008-06-16 18:43 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
    2008-06-16 18:43 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
    2008-06-15 16:15 . 2008-06-15 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
    2008-06-15 16:15 . 2008-06-15 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Datalayer
    2008-06-15 16:12 . 2008-06-16 18:46 <DIR> d-------- C:\Documents and Settings\Administrator\Phone Browser
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Program Files\DIFX
    2008-06-15 16:09 . 2008-07-10 23:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-06-15 16:09 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
    2008-06-15 16:09 . 2008-06-16 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    2008-06-15 16:09 . 2008-06-15 16:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
    2008-06-15 16:09 . 2006-05-29 08:26 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2008-06-12 16:52 . 2008-06-26 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\.blurb
    2008-06-12 16:48 . 2008-06-12 18:08 <DIR> d-------- C:\Program Files\BookSmart
    2008-06-12 02:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-06-12 02:21 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-12 02:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-06 23:51 --------- d-----w C:\Program Files\Google
    2008-06-23 16:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\HP
    2008-06-12 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-06-10 22:34 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2008-06-10 22:33 --------- d-----w C:\Program Files\Windows Live
    2008-06-09 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-06-09 21:52 --------- d-----w C:\Program Files\HP
    2008-06-09 21:52 --------- d-----w C:\Program Files\Common Files\HP
    2008-06-09 21:49 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
    2008-06-05 14:45 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-05 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
    2008-06-05 02:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATI
    2008-06-04 08:02 --------- d-----w C:\Program Files\Reference Assemblies
    2008-06-04 08:02 --------- d-----w C:\Program Files\MSBuild
    2008-06-04 02:38 --------- d-----w C:\Program Files\Synaptics
    2008-06-04 02:23 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-04 02:20 --------- d-----w C:\Program Files\WIDCOMM
    2008-06-04 02:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-04 02:17 --------- d-----w C:\Program Files\Hewlett-Packard
    2008-06-04 01:55 62,633 ----a-w C:\WINDOWS\prio197uninstall.exe
    2008-06-04 01:52 --------- d-----w C:\Program Files\ATI Technologies
    2008-06-04 01:43 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-04-14 04:42 8,192 ----a-w C:\WINDOWS\system32\wshirda.dll
    2008-04-14 04:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
    2008-04-14 04:42 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
    2008-04-14 04:42 29,184 ----a-w C:\WINDOWS\system32\sdhcinst.dll
    2008-04-14 04:42 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
    2008-04-14 04:42 151,552 ----a-w C:\WINDOWS\system32\irftp.exe
    2008-04-14 04:41 30,208 ----a-w C:\WINDOWS\system32\bthserv.dll
    2008-04-14 04:41 28,160 ----a-w C:\WINDOWS\system32\irmon.dll
    2008-04-14 04:41 20,992 ----a-w C:\WINDOWS\system32\bthci.dll
    2008-04-14 03:42 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
    2008-04-14 03:41 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll
    .

    ------- Sigcheck -------

    2008-04-24 13:00 361344 accf5a9a1ffaa490f33dba1c632b95e1 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot@2008-07-11_ 0.47.35.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-10 23:49:35 2,286 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{912E4E5E-DD50-4359-A1FC-108E8DB00615}.bin
    - 2007-12-13 23:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
    + 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2007-12-13 23:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2007-12-14 00:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    - 2008-07-10 21:33:40 66,692 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-07-10 23:49:00 66,692 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-07-10 21:33:40 430,914 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-07-10 23:49:00 430,914 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-24 13:00 15360]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 14:51 774233]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 12:36 229376]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)
    "DisableStatusMessages"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "StartMenuFavorites"= 0 (0x0)
    "Start_ShowMyComputer"= 1 (0x1)
    "Start_ShowMyDocs"= 1 (0x1)
    "Start_ShowMyMusic"= 0 (0x0)
    "Start_ShowRun"= 1 (0x1)
    "Start_ShowSearch"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc8573e0-46cb-11dd-884c-000fb3a68496}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    *Newly Created Service* - HELPSVC
    *Newly Created Service* - MSFWSVC
    *Newly Created Service* - OCHEALTHMON
    *Newly Created Service* - WINSS
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-11 02:08:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-11 2:09:25
    ComboFix-quarantined-files.txt 2008-07-11 01:09:21
    ComboFix2.txt 2008-07-10 23:47:54

    Pre-Run: 34,929,815,552 bytes free
    Post-Run: 34,924,032,000 bytes free

    238


    Malwarebytes' Anti-Malware 1.20
    Database version: 938
    Windows 5.1.2600 Service Pack 3

    2:06:31 PM 7/11/2008
    mbam-log-7-11-2008 (14-06-27).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 57153
    Time elapsed: 9 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\BM17cec518.txt (Trojan.Vundo) -> No action taken.

  9. #9
    In Memoriam - Always in our heart
    pskelley
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for the CFScript report and the feedback, what about this:

    Files Infected:
    C:\WINDOWS\BM17cec518.txt (Trojan.Vundo) -> No action taken. <<< ? Let's hope you took some action?

    I am sure you saw this:
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    http://www.bleepingcomputer.com/comb...o-use-combofix
    Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
    If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
    If you do not wish to install RC, let me know so I can continue with the cleanup.
    If you install RC, post the C:\*CF-RC.txt*.

    Since we do not need to scan with combofix, click NO
    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Jul 2008
    Posts
    25

    Default

    Yes I took action. I chose to install Recovery Console and this is the log:

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
