DR/Hupigon.dsx.914 dropper virus? (Resolved)

I don't have to run USBnorisk even once now, even after having turned the computer off since the last time it was run?

Any viruses should be on E:\ drive (unless they spread once I attached E:\ to the laptop). The C:\ drive was restored from a backup from January, when I believe everything was clean.
 
MalwareBytes log file

Here is the log file from MalwareBytes' scan --


Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 5.1.2600 Service Pack 3

7/25/2009 9:45:33 PM
mbam-log-2009-07-25 (21-45-33).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 345105
Time elapsed: 11 hour(s), 12 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/WINDOWS/cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
c:\WinOrg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WinRAR_UnPackerInstallation.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\winzip110.exe (Trojan.Agent) -> Quarantined and deleted successfully.
 
Problem running ComboFix

Two things --
After I had MalwareBytes remove the infected files and I allowed it to reboot, Windows didn't reboot successfully (on the first attempt) -- it said: "We apologize for the inconvenience but Windows did not start successfully." I chose Normal Startup for the re-try, and it did reboot that time.

Then I tried to run ComboFix, following the instructions about turning off anti-virus and even the Windows firewall. I use Avira Antivir PersonalEdition. I disabled it from the system tray just as the directions said. When I ran ComboFix though, it gave me a warning that it had detected real time scanners and it listed Antivir PersonalEdition about 6 times.

I then stopped AVGNT.EXE from the Task Manager, and AVGUARD.EXE via Service.msc (because it wouldn't let me stop it from Task Manager -- access denied messages). I can't find anywhere now that Avira is running, but ComboFix is still giving me 6 warning lines when I try to run it.

(I cancelled out of ComboFix at the Disclaimer page, since the only response to the anti-virus warning messages is "OK".)

What anti-vir is it finding, and how can I delete them? Is the 6 lines of warning indicative of multiple instances of the AntiVir running?

Oh and one more question --is this message: "Caution - ComboFix.exe may be downloaded from any of the above sites. If you have downloaded from some other site, there's a likely chance that it may be tainted. For peace of mind, I suggest that you delete the current copy and get a fresh one."
a message everyone gets, or is it an indication that I actually need to re-download it? I had used the link in your previous message to download ComboFix.

Thanks!
John
 
johntee said:
1) What anti-vir is it finding, and how can I delete them? Is the 6 lines of warning indicative of multiple instances of the AntiVir running?

2) --is this message: ~ a message everyone gets, or is it an indication that I actually need to re-download it? I had used the link in your previous message to download ComboFix.
Click to expand...

1) Security programs are notoriously difficult to stop, and most of the time that is a good thing :)
Use the instructions for AVIRA ANTIVIR on this page
http://www.bleepingcomputer.com/forums/topic114351.html

That will disable it sufficiently, if Combofix still detects Avira you can ignore the warning.

2) That is a standard message, if you used the link I posted then you are fine.
 
ComboFix log

And here's the ComboFix log.

(I noticed at least one weird entry -- hxxp://rick.viewnetcam.com:81/kxhcm10.ocx
I also noticed alot of extra programs mentioned that I'd love to disable from the Startup -- Itunes helper,
Adobe Reader, etc. -- to speed up my PC.
There's also a mention of Symantec NetDetect, which I don't think I use -- I use Avira.
I had started using Selective Startup to prune out some of these, but I'd been told
to switch back to Normal Startup for diagnosing/treating the virus infection.)

Thanks!
John

======================================
ComboFix 09-07-25.06 - newJohn 07/26/2009 10:50.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.151 [GMT -4:00]
Running from: c:\documents and settings\newJohn\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00FC-0D24-347CA8A3377C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1390067357-764733703-839522115-1003
c:\recycler\S-1-5-21-3010599806-841414442-3136671617-1003
c:\windows\Installer\3f482.msp
c:\windows\Installer\51dcb2.msp

.
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\newJohn\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:01 . 2009-07-19 18:53 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2009-07-19 17:31 . 2009-07-19 18:00 17815040 ----a-w- C:\dbg_x86_6.11.1.404.msi
2009-07-19 16:37 . 2009-07-19 16:37 -------- d-----w- C:\WindowsMemoryDiagnostic
2009-07-19 16:36 . 2009-07-19 16:36 654920 ----a-w- C:\mtinst.exe
2009-07-11 15:24 . 2009-07-20 13:50 -------- d-----w- C:\USBNoRisk
2009-07-11 15:17 . 2009-07-11 15:17 -------- d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-07-06 06:03 . 2009-06-18 03:22 30075904 ----a-w- C:\avira_antivir_personal_en.exe
2009-07-06 05:47 . 2009-07-06 05:42 1572864 ---ha-w- c:\documents and settings\newJohn\BackupCopy of NTUSER.DAT
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\HP
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\King Stairs
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\InstallShield
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Lavasoft
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Konrad Papala
2009-07-06 05:24 . 2008-08-17 22:47 13505768 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2009-07-06 05:24 . 2007-04-19 23:11 1214696 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-06 05:24 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasher
2009-07-06 05:24 . 2009-07-06 05:38 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasherPro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\Quick To-Do Pro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\PDF reDirect
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\NwDocx
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\MyPublisher
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\RhinoSoft.com
2009-07-06 05:22 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\StumbleUpon
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\soft-evolution
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\SmartFTP
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\vlc
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\uTorrent
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\Template
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo! Messenger
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo!
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\WinOrganizer
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\U3
2009-07-06 05:13 . 2009-07-06 05:30 -------- d-----w- c:\documents and settings\newJohn\Application Data\FaxCtr
2009-07-06 05:12 . 2008-11-29 01:25 67240 ----a-w- c:\documents and settings\newJohn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 04:18 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-06 04:18 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-06 04:18 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-06 04:18 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-06 04:18 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-06 04:18 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-06 04:18 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-06 04:18 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-06 04:18 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-06 04:18 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-06 04:11 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-06 04:11 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 04:11 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-06 04:11 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\program files\Avira
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-06 04:09 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-06 04:09 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-06 03:38 . 2009-07-06 03:38 67240 ----a-w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 03:30 . 2009-07-06 03:30 -------- d-----w- c:\documents and settings\John Trojnacki\Application Data\FaxCtr
2009-07-06 03:26 . 2009-07-06 03:26 -------- d-----w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Application Data\FaxCtr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 14:37 . 2008-11-01 00:10 -------- d-----w- c:\program files\Swift To-Do List
2009-07-14 12:53 . 2009-07-14 12:53 16384 ----a-w- c:\windows\~DFB0C6.tmp
2009-07-06 03:26 . 2006-12-14 01:45 -------- d-----w- c:\program files\Lx_cats
2009-07-02 02:01 . 2006-03-19 21:25 -------- d-----w- c:\program files\Future Systems Solutions
2009-05-07 15:32 . 2003-08-12 17:07 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-12-02 20:12 . 2008-12-20 03:01 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"SwiftToDoList"="c:\program files\Swift To-Do List\Swift To-Do List.exe" [2008-08-01 1462272]
"NBJ"="c:\progra~1\Nero\NERO7~1\NEROBA~1\NBJ.exe" [2005-10-11 1961984]
"DW6"="c:\progra~1\THEWEA~1\Desktop\DesktopWeather.exe" [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-01-17 253952]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]

c:\documents and settings\newJohn\Start Menu\Programs\Startup\
Evernote.lnk - c:\program files\Evernote\Evernote3\EvernoteTray.exe [2008-10-31 350144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\TOSHIBA\\Ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQVideoChat75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R2 MSSQL$ENCOREPRO;MSSQL$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlservr.exe [5/4/2005 12:04 AM 9158656]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/6/2009 12:11 AM 108289]
S2 mrtRate;mrtRate; [x]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [11/21/2004 3:49 PM 26488]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 SPCA508A;Micro WebCam;c:\windows\system32\drivers\SPCA508A.SYS [4/23/2001 2:23 PM 98073]
S3 SQLAgent$ENCOREPRO;SQLAgent$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 TTIUSB;TTIUSB;c:\windows\system32\drivers\2800.sys [5/26/2007 1:55 PM 39448]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2004-01-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-12 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVGCtrl - c:\program files\AVPersonal\AVGNT.EXE
HKLM-Run-RCHotKey - c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = 127.0.0.1:8088
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: StumbleUpon: &Blog This - StumbleUponIEBar.dll/blogimage
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: stumbleupon.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://rick.viewnetcam.com:81/kxhcm10.ocx
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 11:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-26 11:27
ComboFix-quarantined-files.txt 2009-07-26 15:26

Pre-Run: 102,408,613,888 bytes free
Post-Run: 102,790,471,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

219
 
I'll give you a link for Winpatrol shortly
It is an excellent program to manage your startups.


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    http://forums.spybot.info/showthread.php?p=324562#post324562
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Driver::
mrtRate

Suspect::
c:\windows\system32\drivers\2800.sys
File::
c:\windows\Tasks\Symantec NetDetect.job
DDS::
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://rick.viewnetcam.com:81/kxhcm10.ocx

ADS::
  • Save this as CFScript.txt and place it on your desktop.


    CFScriptb.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------------------------------------
 
ComboFix log after special code

(I didn't limit you to just looking for the few lines that looked inappropriate to me, right? Just that Symantec and rick-cam jumped out at me...)


ComboFix 09-07-25.08 - newJohn 07/26/2009 17:39.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.230 [GMT -4:00]
Running from: c:\documents and settings\newJohn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\newJohn\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {806ED0B3-FFA4-00FC-0D24-347CA8A3377C}

FILE ::
"c:\windows\Tasks\Symantec NetDetect.job"

file zipped: c:\windows\system32\drivers\2800.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\Symantec NetDetect.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRTRATE
-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\newJohn\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 14:06 . 2009-07-25 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 14:06 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:01 . 2009-07-19 18:53 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2009-07-19 17:31 . 2009-07-19 18:00 17815040 ----a-w- C:\dbg_x86_6.11.1.404.msi
2009-07-19 16:37 . 2009-07-19 16:37 -------- d-----w- C:\WindowsMemoryDiagnostic
2009-07-19 16:36 . 2009-07-19 16:36 654920 ----a-w- C:\mtinst.exe
2009-07-11 15:24 . 2009-07-20 13:50 -------- d-----w- C:\USBNoRisk
2009-07-11 15:17 . 2009-07-11 15:17 -------- d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-07-06 06:03 . 2009-06-18 03:22 30075904 ----a-w- C:\avira_antivir_personal_en.exe
2009-07-06 05:47 . 2009-07-06 05:42 1572864 ---ha-w- c:\documents and settings\newJohn\BackupCopy of NTUSER.DAT
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\HP
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\King Stairs
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\InstallShield
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Lavasoft
2009-07-06 05:25 . 2009-07-06 05:25 -------- d-----w- c:\documents and settings\newJohn\Application Data\Konrad Papala
2009-07-06 05:24 . 2008-08-17 22:47 13505768 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2009-07-06 05:24 . 2007-04-19 23:11 1214696 ----a-w- c:\documents and settings\newJohn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-06 05:24 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasher
2009-07-06 05:24 . 2009-07-06 05:38 -------- d-----w- c:\documents and settings\newJohn\Application Data\MailWasherPro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\Quick To-Do Pro
2009-07-06 05:22 . 2009-07-06 05:29 -------- d-----w- c:\documents and settings\newJohn\Application Data\PDF reDirect
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\NwDocx
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\MyPublisher
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\RhinoSoft.com
2009-07-06 05:22 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\StumbleUpon
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\soft-evolution
2009-07-06 05:22 . 2009-07-06 05:22 -------- d-----w- c:\documents and settings\newJohn\Application Data\SmartFTP
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\vlc
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\uTorrent
2009-07-06 05:21 . 2009-07-06 05:28 -------- d-----w- c:\documents and settings\newJohn\Application Data\Template
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo! Messenger
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\Yahoo!
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\WinOrganizer
2009-07-06 05:21 . 2009-07-06 05:21 -------- d-----w- c:\documents and settings\newJohn\Application Data\U3
2009-07-06 05:13 . 2009-07-06 05:30 -------- d-----w- c:\documents and settings\newJohn\Application Data\FaxCtr
2009-07-06 05:12 . 2008-11-29 01:25 67240 ----a-w- c:\documents and settings\newJohn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 04:18 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-06 04:18 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-06 04:18 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-06 04:18 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-06 04:18 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-06 04:18 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-06 04:18 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-06 04:18 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-06 04:18 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-06 04:18 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-06 04:11 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-06 04:11 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 04:11 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-06 04:11 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\program files\Avira
2009-07-06 04:11 . 2009-07-06 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-06 04:09 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-06 04:09 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-06 03:38 . 2009-07-06 03:38 67240 ----a-w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 03:30 . 2009-07-06 03:30 -------- d-----w- c:\documents and settings\John Trojnacki\Application Data\FaxCtr
2009-07-06 03:26 . 2009-07-06 03:26 -------- d-----w- c:\documents and settings\John (Personal).HURECON-LAPTOP\Application Data\FaxCtr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 22:20 . 2008-11-01 00:10 -------- d-----w- c:\program files\Swift To-Do List
2009-07-14 12:53 . 2009-07-14 12:53 16384 ----a-w- c:\windows\~DFB0C6.tmp
2009-07-06 03:26 . 2006-12-14 01:45 -------- d-----w- c:\program files\Lx_cats
2009-07-02 02:01 . 2006-03-19 21:25 -------- d-----w- c:\program files\Future Systems Solutions
2009-05-07 15:32 . 2003-08-12 17:07 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-12-02 20:12 . 2008-12-20 03:01 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-26_15.19.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-26 22:11 . 2009-07-26 22:11 16384 c:\windows\Temp\Perflib_Perfdata_4d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"SwiftToDoList"="c:\program files\Swift To-Do List\Swift To-Do List.exe" [2008-08-01 1462272]
"NBJ"="c:\progra~1\Nero\NERO7~1\NEROBA~1\NBJ.exe" [2005-10-11 1961984]
"DW6"="c:\progra~1\THEWEA~1\Desktop\DesktopWeather.exe" [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-01-17 253952]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]

c:\documents and settings\newJohn\Start Menu\Programs\Startup\
Evernote.lnk - c:\program files\Evernote\Evernote3\EvernoteTray.exe [2008-10-31 350144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\microsoft frontpage\\bin\\fpexplor.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\TOSHIBA\\Ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\nanoCom Corporation\\iSpQ VideoChat\\iSpQVideoChat75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/6/2009 12:11 AM 108289]
R2 MSSQL$ENCOREPRO;MSSQL$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlservr.exe [5/4/2005 12:04 AM 9158656]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [11/21/2004 3:49 PM 26488]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 SPCA508A;Micro WebCam;c:\windows\system32\drivers\SPCA508A.SYS [4/23/2001 2:23 PM 98073]
S3 SQLAgent$ENCOREPRO;SQLAgent$ENCOREPRO;c:\program files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 TTIUSB;TTIUSB;c:\windows\system32\drivers\2800.sys [5/26/2007 1:55 PM 39448]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = 127.0.0.1:8088
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: StumbleUpon: &Blog This - StumbleUponIEBar.dll/blogimage
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Trusted Zone: stumbleupon.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\lxcecoms.exe
c:\program files\WinZip\WZQKPICK.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-26 18:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 22:33
ComboFix2.txt 2009-07-26 15:27

Pre-Run: 102,816,759,808 bytes free
Post-Run: 102,603,636,736 bytes free

232
 
johntee said:
(I didn't limit you to just looking for the few lines that looked inappropriate to me, right?
Click to expand...

Not at all :)


Please Submit a file

Please open LINK >>> THIS PAGE <<<LINK in a new window.


In the box marked Link to topic where this file was requested: please put this text
Code: 
http://forums.spybot.info/showthread.php?p=324644#post324644

Click the Browse button and navigate to C:\Qoobox\Quarantine\
There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denote Date and time stamp )
Select this file and click Open

In the Largest box please put
Code: 
File Requested By Katana
Failed Submit

Finally click SendFile


----------------------------------------------------------------------------------------

Download Winpatrol It is an excellent startup manager and then some !!

Install Winpatrol, and when running click on the Startup Programs tab
You can use this to disable any programs you don't need.


How are things running now, any problems still ?
 
OK, I uploaded the Quarantine file as requested.

The computer's been running stable (slow though) since I swapped out the failing RAM memory sticks before we started disinfecting. (Although I haven't used it for anything beyond disinfection, until I know it's clean.)

Did any of the programs that we've run find and eliminate the Hupigon virus? Remember that I'd gotten that warning, and my Yahoo email account had been hacked.

Thanks!
John
 
1) Did any of the programs that we've run find and eliminate the Hupigon virus? Remember that I'd gotten that warning, and my Yahoo email account had been hacked.
Click to expand...
There is no sign of it now, it's possible that it was in the registry. Since you have changed HDD's the registry will be new and the infection won't be present.
If you're AV was warning you about it, then it is likely that the actual file was removed.


----------------------------------------------------------------------------------------
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up

Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    • CF_Cleanup.png

OTCleanup
Please download OTCleanup from HERE
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt


You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
 
You must log in or register to reply here.
Back
Top