
Thread: ...but where is the dodgy file.

  1. #11
    Junior Member
    Join Date
    Jul 2009
    Location
    England
    Posts
    9

    Ooops

    ComboFix 09-08-04.03 - Compaq_Administrator 05/08/2009 16:16.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.958.566 [GMT 1:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-1927043714-2865427238-3503779764-1007
    c:\windows\Installer\127fce.msp
    c:\windows\Installer\1d5ec1.msi
    c:\windows\Installer\2321a.msp
    c:\windows\Installer\23221.msp
    c:\windows\Installer\263c1d4.msi
    c:\windows\Installer\2ff3d8.msi
    c:\windows\Installer\301fc.msp
    c:\windows\Installer\30214.msp
    c:\windows\Installer\31a286.msi
    c:\windows\Installer\351c6.msp
    c:\windows\Installer\387b4.msi
    c:\windows\Installer\39fb06.msi
    c:\windows\Installer\39fb09.msi
    c:\windows\Installer\45bb3.msi
    c:\windows\Installer\45bb9.msi
    c:\windows\Installer\45bbf.msi
    c:\windows\Installer\45bc6.msi
    c:\windows\Installer\45bcc.msi
    c:\windows\Installer\45bd6.msi
    c:\windows\Installer\45bdc.msi
    c:\windows\Installer\45be2.msi
    c:\windows\Installer\45be8.msi
    c:\windows\Installer\45bee.msi
    c:\windows\Installer\45bf5.msi
    c:\windows\Installer\45bfd.msi
    c:\windows\Installer\45c03.msi
    c:\windows\Installer\45c09.msi
    c:\windows\Installer\45c0f.msi
    c:\windows\Installer\45c15.msi
    c:\windows\Installer\45c1b.msi
    c:\windows\Installer\45c21.msi
    c:\windows\Installer\4688f.msi
    c:\windows\Installer\46890.msp
    c:\windows\Installer\4c3ee1.msi
    c:\windows\Installer\4c3eec.msi
    c:\windows\Installer\4c3f47.msi
    c:\windows\Installer\551186.msi
    c:\windows\Installer\60301a.msi
    c:\windows\Installer\626b0b.msi
    c:\windows\Installer\6bb48e.msi
    c:\windows\Installer\70b7f.msi
    c:\windows\Installer\73bd1.msi
    c:\windows\Installer\73c2d.msi
    c:\windows\Installer\8a6ae.msi
    c:\windows\Installer\8a6b4.msi
    c:\windows\Installer\8a6ba.msi
    c:\windows\Installer\8a6c0.msi
    c:\windows\Installer\8a6c6.msi
    c:\windows\Installer\8a6cc.msi
    c:\windows\Installer\8a6d2.msi
    c:\windows\Installer\8a6d8.msi
    c:\windows\Installer\8a6de.msi
    c:\windows\Installer\8a6e5.msi
    c:\windows\Installer\8a6ec.msi
    c:\windows\Installer\8a6f3.msi
    c:\windows\Installer\8a6fa.msi
    c:\windows\Installer\8a700.msi
    c:\windows\Installer\8a707.msi
    c:\windows\Installer\8a70d.msi
    c:\windows\Installer\8a713.msi
    c:\windows\Installer\8a719.msi
    c:\windows\Installer\8a71f.msi
    c:\windows\Installer\8a725.msi
    c:\windows\Installer\8a72b.msi
    c:\windows\Installer\8a731.msi
    c:\windows\Installer\8a737.msi
    c:\windows\Installer\8a73d.msi
    c:\windows\Installer\8a743.msi
    c:\windows\Installer\8a749.msi
    c:\windows\Installer\8a750.msi
    c:\windows\Installer\944048.msi
    c:\windows\Installer\e394b3.msp
    c:\windows\Installer\e394ba.msi
    c:\windows\kb913800.exe
    c:\windows\system32\eybtncyl.ini
    c:\windows\system32\ubilofam.ini
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
    .

    2009-08-05 13:45 . 2009-08-05 13:44 404737 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\update.exe
    2009-08-05 13:45 . 2008-12-05 10:32 126721 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\scewxmlw.dll
    2009-08-04 05:12 . 2009-08-04 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
    2009-08-04 05:12 . 2009-08-04 05:12 -------- d-----w- c:\program files\RegCure
    2009-08-03 17:36 . 2009-08-03 17:36 152576 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-08-03 17:24 . 2009-08-03 17:24 -------- d-----w- c:\program files\Secunia
    2009-08-02 17:32 . 2009-08-02 17:32 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
    2009-08-02 17:32 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-02 17:32 . 2009-08-02 17:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-02 17:32 . 2009-08-02 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-02 17:32 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-29 17:01 . 2009-08-03 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2009-07-29 17:00 . 2009-07-29 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-07-25 17:58 . 2009-07-25 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2009-07-25 17:57 . 2009-07-26 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2009-07-25 17:57 . 2009-07-25 17:57 -------- d-----w- c:\program files\Common Files\iS3
    2009-07-22 14:26 . 2009-07-22 14:26 592947 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\mFileBagIDE.dll\bag\HJSetup.exe
    2009-07-22 14:26 . 2009-07-22 14:26 595765 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\mFileBagIDE.dll\bag\AdwareSetup.exe
    2009-07-22 14:26 . 2009-07-22 14:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}
    2009-07-21 16:04 . 2001-08-17 21:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-07-21 16:04 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 13:45 . 2009-06-25 04:42 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-08-04 05:01 . 2009-03-04 15:51 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Spotify
    2009-08-03 17:49 . 2008-07-08 19:05 -------- d-----w- c:\program files\Norton Security Scan
    2009-08-03 17:37 . 2008-12-30 13:48 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-08-03 17:37 . 2006-09-01 12:30 -------- d-----w- c:\program files\Java
    2009-08-02 18:46 . 2008-01-14 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-02 17:00 . 2006-09-01 13:16 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-08-02 16:36 . 2008-12-29 17:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-29 17:00 . 2006-09-01 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-07-28 13:01 . 2008-07-03 16:06 34 ----a-w- c:\documents and settings\Compaq_Administrator\jagex_runescape_preferences.dat
    2009-07-26 05:46 . 2009-07-26 05:39 21832 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2009-07-20 09:36 . 2009-07-22 14:25 262424 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\D5797E3B\3E688669\stbYahoo9.dll
    2009-07-20 09:36 . 2009-07-22 14:25 254232 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\6216A4BD\3E688669\stbYahoo8.dll
    2009-07-20 09:36 . 2009-07-22 14:25 872728 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\B75FA91E\3E688669\stbsvc.exe
    2009-07-20 09:36 . 2009-07-22 14:25 205080 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\mFileBagIDE.dll\bag\stbsh.dll
    2009-07-20 09:34 . 2009-07-22 14:25 295656 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\mFileBagIDE.dll\bag\stbrunwlm.exe
    2009-07-20 09:34 . 2009-07-22 14:25 295328 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\mFileBagIDE.dll\bag\stbrewlm.exe
    2009-07-20 09:34 . 2009-07-22 14:25 295896 -c--a-w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}\OFFLINE\mFileBagIDE.dll\bag\stbreaim.exe
    2009-06-25 04:41 . 2009-06-25 04:41 -------- d-----w- c:\program files\Avira
    2009-06-25 04:41 . 2009-06-25 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-06-21 06:57 . 2009-06-21 06:55 -------- d-----w- c:\program files\NetMeter
    2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
    2007-01-21 09:47 . 2007-01-21 09:47 251 -c--a-w- c:\program files\wt3d.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
    "c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-03 148888]
    "ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-07-21 16261632]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

    c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
    Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-6-24 803176]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
    "c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
    "c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
    "c:\\Program Files\\O2\\bin\\wificfg.exe"=
    "c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
    "c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Firaxis Game\\Sid Meyer's Railroad!\\RailRoads.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25/06/2009 05:42 108289]
    R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 16:19 202280]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 13:20 12648]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

    2009-08-05 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-08-05 c:\windows\Tasks\RegCure Startup.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-08-04 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{20569631-FE5F-4B6D-9D76-4F45DDC7BE75} - (no file)
    BHO-{2B434974-D3AC-4880-B315-2FB21D7628A4} - (no file)
    BHO-{F3027024-83EF-4B69-8B8C-6EE088F389DE} - (no file)
    BHO-{f6f4d585-4d96-4efd-b069-403dea40538e} - (no file)
    HKLM-Run-PCDrProfiler - (no file)


    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
    IE: &Search - ?p=ZJfox000
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\467j5zb9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://webmail.netidentity.com/webmail/driver?nimlet=showlogin
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-05 16:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3764)
    c:\progra~1\WINDOW~1\wmpband.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\windows\arservice.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-05 16:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-05 15:29

    Pre-Run: 120,548,429,824 bytes free
    Post-Run: 120,433,541,120 bytes free

    302 --- E O F --- 2008-12-21 05:00

  2. #12
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    1) Download TeaTimerWipe.bat to the Desktop
    www.neoshine.co.uk/mina/Downloads/TTWipe.bat
    Double click TeaTimerWipe.bat, then read and follow the prompts carefully to remove all entries set by TeaTimer (and to prevent TeaTimer from restoring them upon reactivation).

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    O2 - BHO: (no name) - {20569631-FE5F-4B6D-9D76-4F45DDC7BE75} - (no file)
    O2 - BHO: (no name) - {2B434974-D3AC-4880-B315-2FB21D7628A4} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F3027024-83EF-4B69-8B8C-6EE088F389DE} - (no file)
    O2 - BHO: (no name) - {f6f4d585-4d96-4efd-b069-403dea40538e} - (no file)
    O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O20 - AppInit_DLLs: C:\WINDOWS\system32\mulumobu.dll,C:\WINDOWS\system32\berateno.dll,C:\WINDOWS\system32\pimehori.dll,ebxugr.dll

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    4) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    *Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
    http://www.windowsnetworking.com/art...efetch-XP.html

    How is the computer running?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
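The entries pskelley picked out above fall into a few recognisable classes: IE start/search pages pointing somewhere other than the Microsoft defaults, BHO/toolbar CLSIDs whose DLL is gone, and an AppInit_DLLs value that loads DLLs into every user32-based process. The following triage script is an added example, not part of the thread or of HijackThis itself; it parses HJT v2 log lines and reports those classes. The allowlist of default IE hosts and the rule set are assumptions modelled on the helper's selection, and the sample logs are constructed from lines quoted in this thread.

```python
"""Triage a HijackThis (HJT) v2 log for the entry classes a helper would
normally have the user fix.  Added example; rules are assumptions modelled
on the 'Fix Checked' selection in the post above, not HJT's own logic."""
import re
from urllib.parse import urlparse

# Hosts that Internet Explorer's stock start/search pages point at.  Any
# other host in an R0/R1 URL entry is reported for review (assumption).
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "search.live.com"}

# 'O2 - BHO: ...', 'R1 - HKCU\...', 'O20 - AppInit_DLLs: ...'
HJT_LINE = re.compile(r"^(?P<sect>[RFO]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Yield (section, body) for the Rx/Oxx lines; header and process list are skipped."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("sect"), m.group("body")


def triage(text):
    """Return a list of (section, reason, detail) findings for one HJT log."""
    findings = []
    for sect, body in parse_hjt(text):
        if sect in ("R0", "R1"):
            # body: 'HKCU\...\Main,Default_Search_URL = http://...'
            _, _, value = body.partition(" = ")
            url = value.strip()
            if not url.startswith(("http://", "https://")):
                continue  # e.g. ProxyOverride = *.local is not a page URL
            host = urlparse(url).hostname or ""
            if host not in DEFAULT_IE_HOSTS:
                findings.append((sect, "non-default IE page/search URL", url))
        elif sect in ("O2", "O3") and body.endswith("(no file)"):
            # CLSID still registered but the DLL is gone: orphaned BHO/toolbar.
            m = CLSID.search(body)
            findings.append((sect, "orphaned BHO/toolbar (no file)", m.group(0) if m else body))
        elif sect == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is mapped into each process that loads
            # user32.dll; legitimate software rarely needs it, so list each one.
            for dll in body[len("AppInit_DLLs:"):].split(","):
                if dll.strip():
                    findings.append((sect, "AppInit_DLLs injection", dll.strip()))
    return findings


# Constructed sample: a cut-down copy of the entries the helper asked to fix.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch
O2 - BHO: (no name) - {20569631-FE5F-4B6D-9D76-4F45DDC7BE75} - (no file)
O2 - BHO: (no name) - {2B434974-D3AC-4880-B315-2FB21D7628A4} - (no file)
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O20 - AppInit_DLLs: C:\WINDOWS\system32\mulumobu.dll,C:\WINDOWS\system32\berateno.dll,C:\WINDOWS\system32\pimehori.dll,ebxugr.dll
"""

# Constructed sample: entries of the kind left in the clean follow-up log.
CLEAN_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"""

if __name__ == "__main__":
    for name, log in (("infected", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        hits = triage(log)
        print(f"{name}: {len(hits)} finding(s)")
        for sect, reason, detail in hits:
            print(f"  {sect:<4} {reason:<34} {detail}")
```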

  3. #13
    Junior Member
    Join Date
    Jul 2009
    Location
    England
    Posts
    9


    Hello,

    All done but a few of the Hijack This check & fix things were not there when scanned. Latest log attached just to make sure not going potty. Everything working all okay as well...until the next time the cats walk across the keyboard. I can blame them as they are fast asleep!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:31:53, on 09/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.21073)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\O2\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\O2\bin\sprtcmd.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Trend Micro\crusty\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

    --
    End of file - 7689 bytes

  4. #14
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    If possible, please run two additional checks to make sure all malware is gone. If these return negative, we will remove ComboFix and wrap up.

    1) This tool will look for a Rootkit infection.
    Download it to your Desktop
    ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
    Double click the fsbl.exe and accept the agreement
    Click NEXT...then Scan
    BlackLight will Scan for hidden items
    If anything is found save the report and post it.
    Items found may be valid so do not remove anything.

    2) Do an online scan with Kaspersky Online Scanner(KOS)

    http://www.kaspersky.com/virusscanner

    1. Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    2. Click on the Accept button and install any components it needs.
    3. The program will install and then begin downloading the latest definition files.
    4. After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
    5. This will start the program and scan your system.
    6. The scan will take a while, so be patient and let it run.
    7. Once the scan is complete, click on View scan report
    8. Now, click on the Save Report as button.
    9. Save the file to your desktop.
    10. Copy and paste that information in your next post

    Thanks...Phil
    Last edited by tashi; 2009-08-14 at 17:53. Reason: Timestamp of archive
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
