
Version of Spyaxe infecting my PC (No cleaners working) [CLOSED]


#1
Mswei
    Member
  • 23 posts
My, how the mighty have fallen. Just got done fixing the dreaded SCVHOST.exe virus on a friend's computer this weekend. I get home only to find that my roommate has downloaded some sort of virus onto my PC. A red circle with a white "X" in it pops up in my taskbar informing me that my computer has been infected and that I should run a virus scan by clicking on the popup window. I know better than that, so I busted out Spybot S&D and went to work... Two minutes later Spybot hadn't opened. I proceeded to come to these forums and search for similar issues, figuring I may have been rootkitted. The story is long, and I'm sure you just want the details, so here goes:

- HijackThis downloaded, installed in Safe Mode; will not run in Safe Mode or regular Windows mode.
- System Restore has been disabled (there was only one restore point, from when my roomie said he was last on it, and I figured that was a backup of the same problem).
- AVG Anti-Spyware downloaded, installed in Safe Mode; will not run in Safe Mode or regular Windows mode.
- Spybot S&D re-downloaded; does not work either.
- SmitfraudFix downloaded and ran successfully, but it did not remove anything.
- ATF-Cleaner ran successfully and freed 203 MB after clearing everything. No scanners are working.
- After browsing the forums, I noticed some people had to rename HijackThis to get it working. I have renamed it to Hija.exe, Runme.exe and runthisnow.exe, and still nothing happens.

At this point I'm at my wit's end. I look forward to working with a professional here who can help solve this problem. Any information I can give will be given without attitude, and with the strictest attention to detail. I have a laptop that I am working on for the time being. I can check these forums regularly, but I am generally only in front of this computer from 7am-8:30am EST and from 9pm-1am EST.
  • 0


#2
sarahw
    Malware Staff
  • 2,781 posts
Hi,
Welcome to the site.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode, so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)
  • 0

#3
sarahw
    Malware Staff
  • 2,781 posts
Download ComboFix from Here, Here, or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#4
Mswei
    Member
  • Topic Starter
  • 23 posts
Hi Sarah, thank you for looking into this matter for me! I really appreciate the help!!

Here's my problem, though: I have tried downloading ComboFix from the websites you gave me, but unfortunately it would not run. My HijackThis program will not run either.

No prompts open when I double-click ComboFix. Waiting for further instructions.

UPDATE: After working on closing unknown processes, I managed to get HijackThis to work. Hurrah! Here's the log, thanks again!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49, on 2008-03-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Hija\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\efcbcya.dll (file missing)
O2 - BHO: (no name) - {B30C11E3-7F7C-4D2C-B31C-99A4C36266CC} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: (no name) - {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - (no file)
O3 - Toolbar: (no name) - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LaunchPDeviceConn] "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlon.dll,startup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF13923.exe /c C:\Mr Wacky's Adventure\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {160837A9-67E0-4E3F-8DD6-065361150FDA} (CollaborationCtl Class) - http://hdtelwebpa1.i...borationInf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.co...nloader1222.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148076574859
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://technisource...ort/ieatgpc.cab
O20 - Winlogon Notify: efcbcya - efcbcya.dll (file missing)
O20 - Winlogon Notify: winjrp32 - winjrp32.dll (file missing)
O21 - SSODL: zip - {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll
O21 - SSODL: BootRam - {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10292 bytes

Edited by Mswei, 09 March 2008 - 01:50 PM.

  • 0
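The HijackThis log above is read the way the malware staff read it: entries that still point at a file which is no longer on disk ("(file missing)", "(no file)"), O20/O21 load hooks, Run values launched by a bare filename, and the same Run value name turning up in both HKLM and HKCU. The script below is an added example written for this page, not code from the thread or from Trend Micro; the item regexes, the `Finding` type and the bare-filename heuristic are my own, and the sample lines are copied from the log posted above. Bare-filename and hook findings are leads to check, not verdicts (RTHDCPL.EXE is a legitimate Realtek entry, for instance).

```python
"""Triage helper for a HijackThis 2.0 log (added example, not from the thread).

Parses the R/O item lines and flags the leads an analyst looks at first:
targets that are gone from disk, O20/O21 load hooks, O4 Run values launched by
bare filename (resolved through PATH at logon), and one Run value name that is
registered in more than one hive. Sample lines come from the log posted above.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command" -> section code plus the rest of the line
ITEM_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Splits an O4 body into hive, value name and launch command (my own regex)
O4_RE = re.compile(r"^(?P<hive>\S+?)\\\.\.\\Run\w*:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Sections that describe code injected at logon / shell start, not a program launch
HOOK_SECTIONS = {
    "O20": "Winlogon Notify / AppInit_DLLs hook",
    "O21": "ShellServiceObjectDelayLoad (SSODL) hook loaded by Explorer",
}

# Constructed sample: lines copied from the HijackThis log in this thread
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\efcbcya.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winjrp32 - winjrp32.dll (file missing)
O21 - SSODL: zip - {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def is_bare_filename(cmd: str) -> bool:
    """True when the command's first token has no drive or directory component."""
    cmd = cmd.strip()
    if not cmd or cmd.startswith('"'):
        return False  # quoted commands always carry a full path
    first = cmd.split()[0]
    return "\\" not in first and ":" not in first


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    hives_by_name = defaultdict(set)  # Run value name -> hives it appears in
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(sec, "points at a file that is no longer on disk", line))
        if sec in HOOK_SECTIONS:
            findings.append(Finding(sec, HOOK_SECTIONS[sec], line))
        if sec == "O4":
            o4 = O4_RE.match(body)
            if o4:
                hives_by_name[o4.group("name").lower()].add(o4.group("hive"))
                if is_bare_filename(o4.group("cmd")):
                    findings.append(Finding(sec, "launched by bare filename (PATH lookup at logon)", line))
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            findings.append(Finding("O4", f"Run value '{name}' registered in several hives: {sorted(hives)}", ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the output is a review list, and each lead still has to be checked against what the file actually is.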

#5
Mswei
    Member
  • Topic Starter
  • 23 posts
After getting HijackThis to run, I decided to try and run ComboFix as well... success!! Here is the log from ComboFix!

ComboFix 08-03-09.1 - HP_Administrator 2008-03-09 16:56:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.594 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\printer.exe
C:\WINDOWS\system32\efcbcya.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\wowfx.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\SystemDefender
C:\Program Files\ucleaner_setup.exe
C:\WINDOWS\BM708f7764.xml
C:\WINDOWS\braviax.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cru629.dat
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aujlbctb.dll
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\ddcdcdc.dll
C:\WINDOWS\system32\djsixvbj.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\gwbktpmt.dll
C:\WINDOWS\system32\hkerklck.dll
C:\WINDOWS\system32\jijqksuu.ini
C:\WINDOWS\system32\korouiaj.dll
C:\WINDOWS\system32\launcher.exe
C:\WINDOWS\system32\ljjihef.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgqnhusi.dll
C:\WINDOWS\system32\ohlgqwrj.dll
C:\WINDOWS\system32\tmptkbwg.ini
C:\WINDOWS\system32\ujpcthre.dll
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\uuskqjij.dll
C:\WINDOWS\system32\vuvxcryc.dll
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\winjrp32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 15:47 . 2008-03-09 15:47 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Grisoft
2008-03-09 15:27 . 2008-03-09 15:44 <DIR> d-------- C:\Mr Wacky's Adventure
2008-03-09 13:42 . 2008-03-09 13:42 16,384 --a------ C:\WINDOWS\nod32se.exe
2008-03-09 13:39 . 2008-03-09 13:39 13,556 --a------ C:\Program Files\tmp234734.exe
2008-03-09 13:39 . 2008-03-09 13:39 13,496 --a------ C:\Program Files\tmp230156.exe
2008-03-08 11:09 . 2008-03-08 11:09 <DIR> d-------- C:\Program Files\SysCleaner
2008-03-08 11:04 . 2008-03-09 13:44 98,709 --a------ C:\Program Files\udefender_setup.exe
2008-03-08 10:59 . 2008-03-08 10:59 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-08 10:59 . 2008-03-08 10:59 35,732 --a------ C:\Program Files\tmp208980750.exe
2008-03-08 10:59 . 2008-03-08 10:59 35,732 --a------ C:\Program Files\tmp208979125.exe
2008-03-08 10:59 . 2008-03-08 10:59 18,944 --a------ C:\WINDOWS\system32\drvlon.dll
2008-03-08 10:59 . 2008-03-08 10:59 16,480 --a------ C:\Program Files\tmp208970250.exe
2008-03-08 10:59 . 2008-03-08 10:59 13,580 --a------ C:\Program Files\tmp208974140.exe
2008-03-07 22:09 . 2008-03-09 13:38 1,307,681 ---hs---- C:\WINDOWS\system32\ovrcnaop.ini
2008-03-06 22:13 . 2008-03-06 22:13 1,306,677 ---hs---- C:\WINDOWS\system32\ugmyegrn.ini
2008-03-06 00:55 . 2008-03-06 00:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-03-05 22:37 . 2008-03-06 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 22:28 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-05 22:27 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 22:26 . 2008-03-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 22:07 . 2008-03-05 22:07 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-05 09:45 . 2008-03-05 09:45 59,392 --a------ C:\mmesckoj.exe
2008-03-05 09:45 . 2008-03-05 09:45 58,368 --a------ C:\mhyvfa.exe
2008-03-05 09:45 . 2008-03-05 09:45 51,712 --a------ C:\xoipvs.exe
2008-03-05 09:45 . 2008-03-05 22:28 16,384 --a------ C:\WINDOWS\system32\braviax.ex_
2008-03-05 09:45 . 2008-03-05 09:45 3,584 --a------ C:\xlth.exe
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Your Company Name
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Total Seminars
2008-02-22 12:02 . 2008-02-22 12:02 202,827 --a------ C:\WINDOWS\system32\atasnt40.dll
2008-02-22 12:01 . 2008-02-22 12:01 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2008-02-22 00:25 . 2008-02-22 00:25 <DIR> d-------- C:\Program Files\OGPlanet
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\MSECache
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-02-14 03:07 . 2008-02-14 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-06 02:42 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp
2008-03-06 02:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 13:45 --------- d-----w C:\Program Files\Incomplete
2008-03-05 13:35 --------- d-----w C:\Program Files\LimeWire
2008-03-05 13:35 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-03-05 06:24 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\gtk-2.0
2008-03-03 23:08 --------- d-----w C:\Program Files\AIM6
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-03 04:31 --------- d-----w C:\Program Files\World of Warcraft
2008-02-29 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-26 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 07:52 --------- d-----w C:\Program Files\Sword of The New World
2008-02-26 07:51 --------- d-----w C:\Program Files\MasterOfDefense_at
2008-02-22 14:24 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\ICAClient
2008-02-14 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-14 07:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-08 21:56 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\acccore
2008-02-08 19:40 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DWRCC
2008-02-08 19:37 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DameWare Development
2008-02-08 19:36 --------- d-----w C:\Program Files\DameWare Development
2008-02-08 19:24 --------- d-----w C:\Program Files\SJLabs
2008-02-08 19:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 19:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 19:14 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-02-08 19:14 --------- d-----w C:\Program Files\AR System
2008-02-08 19:14 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\AR System
2008-02-05 06:28 --------- d-----w C:\Program Files\WowGasm
2008-02-05 04:31 --------- d-----w C:\Program Files\Warcraft III
2008-02-04 06:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-01 00:46 --------- d-----w C:\Program Files\support.com
2008-02-01 00:46 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-01-25 13:42 --------- d-----w C:\Program Files\Google
2008-01-25 02:58 --------- d-----w C:\Program Files\CCleaner
2008-01-23 06:33 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-16 07:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-01-16 04:21 --------- d-----w C:\Program Files\Java
2007-12-20 03:47 846,504 ----a-w C:\Documents and Settings\HP_Administrator\JNativeCpp.dll
2007-04-23 05:51 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-01-21 00:53 45,056 ------r C:\Program Files\SetAttrib.exe
2004-11-30 07:23 40,960 ------r C:\Program Files\delete.exe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.
Files Infected - Win32.Agent.zb
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00 15360]
"cdloader"="C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" [2008-03-05 22:36 50520]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 22:36 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2008-03-05 22:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-03-05 22:36 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-03-05 22:36 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-03-05 22:36 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 03:12 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-05 22:36 132496]
"LaunchPDeviceConn"="C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe" [2008-03-05 22:36 299008]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2008-03-05 22:36 124520]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-03-05 22:36 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-03-05 22:36 249856]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 06:53 15969280 C:\WINDOWS\RTHDCPL.EXE]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-03-05 22:36 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 22:36 180269]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21 217088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-03-09 15:48 6731312]
"MSDisp32"="C:\WINDOWS\system32\drvlon.dll" [2008-03-08 10:59 18944]
"braviax"="braviax.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-09 17:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-02-22 17:58:29 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll [2008-03-08 10:59 38438]
"BootRam"= {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll [2008-03-08 10:59 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrp32]
winjrp32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2005-11-11 17:11 1064960 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2005-11-11 17:10 61440 C:\Program Files\DISC\DiscUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 06:01 90112 c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 20:24 50760 C:\Program Files\Common Files\AOL\1147572088\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 22:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 inwrdr;inwrdr;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\inwrdr.sys []
S3 nenum13E;nenum13E;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\nenum13E.sys []
S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys []
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys []
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47876b4c-f72b-11da-8a91-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ac6ba3-ef32-11da-8a81-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 17:03:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\accctsggw]
"ImagePath"="\??\C:\WINDOWS\inf\accctsggw.cat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll
-> C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-09 17:09:49 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2008-03-09 21:09:47
.
2007-11-28 06:53:27 --- E O F ---

#6 sarahw (Malware Staff, 2,781 posts)
Hi,
Files Infected - Win32.Agent.zb
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
You can see that in one of your logs, it looks like a file infector. I advise you to not turn off your computer and not use it unless necessary until we can fix this. Try to respond as quickly as possible so we have a better chance of getting rid of it.


  • Physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll


  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

When it has finished, open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\tmp234734.exe
C:\Program Files\tmp230156.exe
C:\Program Files\tmp208980750.exe
C:\Program Files\tmp208979125.exe
C:\WINDOWS\system32\ovrcnaop.ini
C:\WINDOWS\system32\ugmyegrn.ini
C:\mmesckoj.exe
C:\mhyvfa.exe
C:\xoipvs.exe
C:\xlth.exe
C:\WINDOWS\system32\braviax.ex_
C:\Program Files\SetAttrib.exe
C:\Program Files\delete.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\drvlon.dll
C:\WINDOWS\system32\winjrp32.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
"MSDisp32"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrp32]



Save the above as CFScript.txt

  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation not preserved: dragging CFScript.txt onto ComboFix.exe]


* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • all ComboFix.txt logs
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

Edited by sarahw, 09 March 2008 - 08:34 PM.


#7 Mswei (Topic Starter, Member, 23 posts)
I'll get on that right now, working from the laptop, so it may take a bit longer, I'll let you know once I'm done...

Thanks for your reply, I'll be in the chat room if that makes the process easier!

Edited by Mswei, 09 March 2008 - 08:35 PM.


#8 Mswei (Topic Starter, Member, 23 posts)
Hi Sarah!

Connected again, less stuff in my task bar this time. Here's the first combofix log:

ComboFix 08-03-09.1 - HP_Administrator 2008-03-09 22:31:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.646 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\desktop\ComboFix.exe
Command switches used :: /KillAll
.

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 15:47 . 2008-03-09 15:47 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Grisoft
2008-03-09 15:27 . 2008-03-09 15:44 <DIR> d-------- C:\Mr Wacky's Adventure
2008-03-09 13:42 . 2008-03-09 13:42 16,384 --a------ C:\WINDOWS\nod32se.exe
2008-03-09 13:39 . 2008-03-09 13:39 13,556 --a------ C:\Program Files\tmp234734.exe
2008-03-09 13:39 . 2008-03-09 13:39 13,496 --a------ C:\Program Files\tmp230156.exe
2008-03-08 11:09 . 2008-03-08 11:09 <DIR> d-------- C:\Program Files\SysCleaner
2008-03-08 11:04 . 2008-03-09 13:44 98,709 --a------ C:\Program Files\udefender_setup.exe
2008-03-08 10:59 . 2008-03-08 10:59 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-08 10:59 . 2008-03-08 10:59 35,732 --a------ C:\Program Files\tmp208980750.exe
2008-03-08 10:59 . 2008-03-08 10:59 35,732 --a------ C:\Program Files\tmp208979125.exe
2008-03-08 10:59 . 2008-03-08 10:59 18,944 --a------ C:\WINDOWS\system32\drvlon.dll
2008-03-08 10:59 . 2008-03-08 10:59 16,480 --a------ C:\Program Files\tmp208970250.exe
2008-03-08 10:59 . 2008-03-08 10:59 13,580 --a------ C:\Program Files\tmp208974140.exe
2008-03-07 22:09 . 2008-03-09 13:38 1,307,681 ---hs---- C:\WINDOWS\system32\ovrcnaop.ini
2008-03-06 22:13 . 2008-03-06 22:13 1,306,677 ---hs---- C:\WINDOWS\system32\ugmyegrn.ini
2008-03-06 00:55 . 2008-03-06 00:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-03-05 22:37 . 2008-03-06 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 22:28 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-05 22:27 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 22:26 . 2008-03-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 22:07 . 2008-03-05 22:07 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-05 09:45 . 2008-03-05 09:45 59,392 --a------ C:\mmesckoj.exe
2008-03-05 09:45 . 2008-03-05 09:45 58,368 --a------ C:\mhyvfa.exe
2008-03-05 09:45 . 2008-03-05 09:45 51,712 --a------ C:\xoipvs.exe
2008-03-05 09:45 . 2008-03-05 22:28 16,384 --a------ C:\WINDOWS\system32\braviax.ex_
2008-03-05 09:45 . 2008-03-05 09:45 3,584 --a------ C:\xlth.exe
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Your Company Name
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Total Seminars
2008-02-22 12:02 . 2008-02-22 12:02 202,827 --a------ C:\WINDOWS\system32\atasnt40.dll
2008-02-22 12:01 . 2008-02-22 12:01 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2008-02-22 00:25 . 2008-02-22 00:25 <DIR> d-------- C:\Program Files\OGPlanet
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\MSECache
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-02-14 03:07 . 2008-02-14 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-06 02:42 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp
2008-03-06 02:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 13:45 --------- d-----w C:\Program Files\Incomplete
2008-03-05 13:35 --------- d-----w C:\Program Files\LimeWire
2008-03-05 13:35 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-03-05 06:24 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\gtk-2.0
2008-03-03 23:08 --------- d-----w C:\Program Files\AIM6
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-03 04:31 --------- d-----w C:\Program Files\World of Warcraft
2008-02-29 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-26 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 07:52 --------- d-----w C:\Program Files\Sword of The New World
2008-02-26 07:51 --------- d-----w C:\Program Files\MasterOfDefense_at
2008-02-22 14:24 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\ICAClient
2008-02-14 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-14 07:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-08 21:56 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\acccore
2008-02-08 19:40 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DWRCC
2008-02-08 19:37 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DameWare Development
2008-02-08 19:36 --------- d-----w C:\Program Files\DameWare Development
2008-02-08 19:24 --------- d-----w C:\Program Files\SJLabs
2008-02-08 19:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 19:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 19:14 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-02-08 19:14 --------- d-----w C:\Program Files\AR System
2008-02-08 19:14 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\AR System
2008-02-05 06:28 --------- d-----w C:\Program Files\WowGasm
2008-02-05 04:31 --------- d-----w C:\Program Files\Warcraft III
2008-02-04 06:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-01 00:46 --------- d-----w C:\Program Files\support.com
2008-02-01 00:46 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-01-25 13:42 --------- d-----w C:\Program Files\Google
2008-01-25 02:58 --------- d-----w C:\Program Files\CCleaner
2008-01-23 06:33 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-16 07:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-01-16 04:21 --------- d-----w C:\Program Files\Java
2007-12-20 03:47 846,504 ----a-w C:\Documents and Settings\HP_Administrator\JNativeCpp.dll
2007-04-23 05:51 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-01-21 00:53 45,056 ------r C:\Program Files\SetAttrib.exe
2004-11-30 07:23 40,960 ------r C:\Program Files\delete.exe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.
Files Infected - Win32.Agent.zb
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00 15360]
"cdloader"="C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" [2008-03-05 22:36 50520]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 22:36 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2008-03-05 22:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-03-05 22:36 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-03-05 22:36 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-03-05 22:36 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 03:12 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-05 22:36 132496]
"LaunchPDeviceConn"="C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe" [2008-03-05 22:36 299008]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2008-03-05 22:36 124520]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-03-05 22:36 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-03-05 22:36 249856]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 06:53 15969280 C:\WINDOWS\RTHDCPL.EXE]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-03-05 22:36 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 22:36 180269]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21 217088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-03-09 15:48 6731312]
"MSDisp32"="C:\WINDOWS\system32\drvlon.dll" [2008-03-08 10:59 18944]
"braviax"="braviax.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-09 17:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-02-22 17:58:29 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll [2008-03-08 10:59 38438]
"BootRam"= {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll [2008-03-08 10:59 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrp32]
winjrp32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2005-11-11 17:11 1064960 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2005-11-11 17:10 61440 C:\Program Files\DISC\DiscUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 06:01 90112 c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 20:24 50760 C:\Program Files\Common Files\AOL\1147572088\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 22:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 inwrdr;inwrdr;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\inwrdr.sys []
S3 nenum13E;nenum13E;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\nenum13E.sys []
S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys []
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys []
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47876b4c-f72b-11da-8a91-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ac6ba3-ef32-11da-8a81-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 22:35:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\accctsggw]
"ImagePath"="\??\C:\WINDOWS\inf\accctsggw.cat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll
-> C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-09 22:41:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 02:41:06
ComboFix2.txt 2008-03-09 21:09:50
.
2007-11-28 06:53:27 --- E O F ---
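Added example, not part of the thread and not ComboFix's own code: a small Python triage script for the "Reg Loading Points" section of the logs above. It pulls out the things a malware analyst keys on in this log: Run values whose target ComboFix could not find on disk (the empty [ ] after braviax), a Run value that names a DLL (MSDisp32 pointing at drvlon.dll), the extra wowfx.dll tacked onto the SecurityProviders list, the Security Center notify and EnableFirewall toggles, the cached AutoRun handler under mountpoints2, and a service whose ImagePath is a .cat file in \inf. It also buckets resolved autostarts by the on-disk timestamp ComboFix prints in brackets: every file in sarahw's "Files Infected" list carries 2008-03-05 22:36, and a run of unrelated vendor binaries (HP, Java, Google, AOL) sharing one minute-resolution timestamp is the usual footprint of a file infector rewriting them in a single pass. The embedded sample is constructed, cut down from the log lines posted in this thread; the XP SP2 SecurityProviders baseline and the heuristics themselves are this example's assumptions, not anything the page states.

```python
# Added example: triage the "Reg Loading Points" section of a ComboFix log.
# SAMPLE_LOG is constructed from lines posted in this thread; heuristics are assumptions.
import re
from collections import defaultdict

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00 15360]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 22:36 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-03-05 22:36 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-03-05 22:36 237568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-05 22:36 132496]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 06:53 15969280 C:\WINDOWS\RTHDCPL.EXE]
"MSDisp32"="C:\WINDOWS\system32\drvlon.dll" [2008-03-08 10:59 18944]
"braviax"="braviax.exe" []
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\accctsggw]
"ImagePath"="\??\C:\WINDOWS\inf\accctsggw.cat"
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
INFO_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \d+")
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$')
# Assumed clean XP SP2 value; anything beyond these four is loaded into lsass at boot.
XP_SP2_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


def entry_findings(entry):
    """Heuristics on one Run value, using what ComboFix's trailing bracket says about the file."""
    reasons = []
    if not entry["info"]:
        reasons.append("target not found on disk ([ ]): orphaned or hidden from the scanner")
    if entry["target"].lower().endswith(".dll"):
        reasons.append("Run value names a DLL (rundll32 launch), rare for legitimate software")
    if "\\" not in entry["target"] and not entry["info"]:
        reasons.append("bare filename with no path: resolved through the PATH search order")
    return reasons


def parse_loading_points(text):
    """One pass over the log; returns (Run entries, [(category, subject, reason), ...])."""
    entries, flags, key = [], [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif line.startswith("SecurityProviders"):
            dlls = {d.strip().lower() for d in line[len("SecurityProviders"):].split(",")}
            for extra in sorted(dlls - XP_SP2_SECURITY_PROVIDERS):
                flags.append(("securityproviders", extra, "non-default SSP DLL loaded by lsass"))
        elif line.endswith('DisableNotify"=dword:00000001'):
            flags.append(("security-center", line.split("=")[0].strip('"'), "Security Center alert suppressed"))
        elif re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            flags.append(("firewall", key, "Windows Firewall disabled for this profile"))
        elif line.startswith("\\Shell\\AutoRun\\command"):
            flags.append(("autorun", line.split(" - ", 1)[-1], "AutoRun handler cached under mountpoints2"))
        elif (m := IMAGEPATH_RE.match(line)) and not m["path"].lower().endswith((".sys", ".exe")):
            flags.append(("service", key.rsplit("\\", 1)[-1], "service ImagePath is not an .exe/.sys: " + m["path"]))
        elif (m := ENTRY_RE.match(line)) and key.lower().endswith("\\run"):
            entry = {"key": key, "name": m["name"], "target": m["target"], "info": m["info"].strip()}
            entries.append(entry)
            flags.extend(("autostart", entry["name"], why) for why in entry_findings(entry))
    return entries, flags


def timestamp_clusters(entries, min_members=3):
    """Bucket resolved autostarts by on-disk timestamp. Vendor binaries carry their own
    build dates, so unrelated executables all stamped the same minute were rewritten
    together: the footprint of a file infector, matching the 'Files Infected' list."""
    by_ts = defaultdict(list)
    for e in entries:
        if m := INFO_RE.match(e["info"]):
            by_ts[m["ts"]].append(e["target"])
    clusters = {}
    for ts, targets in by_ts.items():
        parents = {t.rsplit("\\", 1)[0].lower() for t in targets}
        if len(targets) >= min_members and len(parents) >= min_members:
            clusters[ts] = sorted(targets)
    return clusters


if __name__ == "__main__":
    found, report = parse_loading_points(SAMPLE_LOG)
    for category, subject, reason in report:
        print(f"[{category}] {subject}: {reason}")
    for ts, targets in timestamp_clusters(found).items():
        print(f"[infector?] {len(targets)} unrelated autostarts share timestamp {ts}: " + ", ".join(targets))
```

Run it against a pasted log instead of SAMPLE_LOG by reading the file into parse_loading_points; the timestamp clustering is what separates "a dozen vendor updaters that happen to be in Run" from "a dozen vendor updaters that were all rewritten at 22:36", which is the distinction sarahw draws in #6 and why she tells the poster not to reboot until the infected hosts are cleaned.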

#9 Mswei (Topic Starter, Member, 23 posts)
Here's the second log that was run with the script:

ComboFix 08-03-09.1 - HP_Administrator 2008-03-09 23:13:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\mhyvfa.exe
C:\mmesckoj.exe
C:\Program Files\delete.exe
C:\Program Files\SetAttrib.exe
C:\Program Files\tmp208979125.exe
C:\Program Files\tmp208980750.exe
C:\Program Files\tmp230156.exe
C:\Program Files\tmp234734.exe
C:\WINDOWS\system32\braviax.ex_
C:\WINDOWS\system32\drvlon.dll
C:\WINDOWS\system32\ovncnaop.ini
C:\WINDOWS\system32\winjrp32.dll
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ugmyegrn.ini
C:\xlth.exe
C:\xoipvs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drvlon.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 15:47 . 2008-03-09 15:47 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Grisoft
2008-03-09 15:27 . 2008-03-09 15:44 <DIR> d-------- C:\Mr Wacky's Adventure
2008-03-09 13:42 . 2008-03-09 13:42 16,384 --a------ C:\WINDOWS\nod32se.exe
2008-03-08 11:09 . 2008-03-08 11:09 <DIR> d-------- C:\Program Files\SysCleaner
2008-03-08 11:04 . 2008-03-09 13:44 98,709 --a------ C:\Program Files\udefender_setup.exe
2008-03-08 10:59 . 2008-03-08 10:59 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-08 10:59 . 2008-03-08 10:59 16,480 --a------ C:\Program Files\tmp208970250.exe
2008-03-08 10:59 . 2008-03-08 10:59 13,580 --a------ C:\Program Files\tmp208974140.exe
2008-03-06 00:55 . 2008-03-06 00:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-03-05 22:37 . 2008-03-06 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 22:28 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-05 22:27 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 22:26 . 2008-03-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 22:07 . 2008-03-05 22:07 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Your Company Name
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Total Seminars
2008-02-22 12:02 . 2008-02-22 12:02 202,827 --a------ C:\WINDOWS\system32\atasnt40.dll
2008-02-22 12:01 . 2008-02-22 12:01 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2008-02-22 00:25 . 2008-02-22 00:25 <DIR> d-------- C:\Program Files\OGPlanet
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\MSECache
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-02-14 03:07 . 2008-02-14 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-06 05:35 4,038 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-06 03:29 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-06 02:50 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2008-03-06 02:42 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp
2008-03-06 02:36 155,648 ----a-w C:\WINDOWS\system32\nerocheck.exe
2008-03-06 02:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 13:45 --------- d-----w C:\Program Files\Incomplete
2008-03-05 13:35 --------- d-----w C:\Program Files\LimeWire
2008-03-05 13:35 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-03-05 06:24 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\gtk-2.0
2008-03-03 23:08 --------- d-----w C:\Program Files\AIM6
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-03 04:31 --------- d-----w C:\Program Files\World of Warcraft
2008-03-02 04:12 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-02-29 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-26 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 07:52 --------- d-----w C:\Program Files\Sword of The New World
2008-02-26 07:51 --------- d-----w C:\Program Files\MasterOfDefense_at
2008-02-22 14:24 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\ICAClient
2008-02-14 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-14 07:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-08 21:56 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\acccore
2008-02-08 19:40 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DWRCC
2008-02-08 19:37 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DameWare Development
2008-02-08 19:36 --------- d-----w C:\Program Files\DameWare Development
2008-02-08 19:24 --------- d-----w C:\Program Files\SJLabs
2008-02-08 19:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 19:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 19:14 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-02-08 19:14 --------- d-----w C:\Program Files\AR System
2008-02-08 19:14 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\AR System
2008-02-05 06:28 --------- d-----w C:\Program Files\WowGasm
2008-02-05 04:31 --------- d-----w C:\Program Files\Warcraft III
2008-02-04 23:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
2008-02-04 06:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-01 01:44 45,056 ----a-w C:\WINDOWS\system32\UTSCSI.EXE
2008-02-01 00:46 --------- d-----w C:\Program Files\support.com
2008-02-01 00:46 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-01-25 13:42 --------- d-----w C:\Program Files\Google
2008-01-25 02:58 --------- d-----w C:\Program Files\CCleaner
2008-01-23 06:33 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-16 07:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-01-16 04:21 --------- d-----w C:\Program Files\Java
2007-12-20 03:47 846,504 ----a-w C:\Documents and Settings\HP_Administrator\JNativeCpp.dll
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:46 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-11 19:46 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-11 19:46 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 05:51 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-09-24 08:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.
Files Infected - Win32.Agent.zb
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00 15360]
"cdloader"="C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" [2008-03-05 22:36 50520]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 22:36 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2008-03-05 22:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-03-05 22:36 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-03-05 22:36 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-03-05 22:36 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 03:12 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-05 22:36 132496]
"LaunchPDeviceConn"="C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe" [2008-03-05 22:36 299008]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2008-03-05 22:36 124520]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-03-05 22:36 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-03-05 22:36 249856]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 06:53 15969280 C:\WINDOWS\RTHDCPL.EXE]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-03-05 22:36 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 22:36 180269]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21 217088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-03-09 15:48 6731312]
"braviax"="braviax.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-09 17:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-02-22 17:58:29 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll [2008-03-08 10:59 38438]
"BootRam"= {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll [2008-03-08 10:59 14374]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2005-11-11 17:11 1064960 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2005-11-11 17:10 61440 C:\Program Files\DISC\DiscUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 06:01 90112 c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 20:24 50760 C:\Program Files\Common Files\AOL\1147572088\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 22:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Documents and Settings\\HP_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 inwrdr;inwrdr;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\inwrdr.sys []
S3 nenum13E;nenum13E;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\nenum13E.sys []
S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys []
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys []
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47876b4c-f72b-11da-8a91-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ac6ba3-ef32-11da-8a81-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 23:14:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\accctsggw]
"ImagePath"="\??\C:\WINDOWS\inf\accctsggw.cat"
.
Completion time: 2008-03-09 23:15:36
ComboFix-quarantined-files.txt 2008-03-10 03:15:29
ComboFix2.txt 2008-03-10 02:57:05
ComboFix3.txt 2008-03-10 02:41:09
ComboFix4.txt 2008-03-09 21:09:50
.
2007-11-28 06:53:27 --- E O F ---

#10 Mswei (Topic Starter, Member, 23 posts)

Lastly, here is the HijackThis log, run after restarting my computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:19, on 2008-03-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Trend Micro\Hija\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: (no name) - {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - (no file)
O3 - Toolbar: (no name) - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LaunchPDeviceConn] "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {160837A9-67E0-4E3F-8DD6-065361150FDA} (CollaborationCtl Class) - http://hdtelwebpa1.i...borationInf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.co...nloader1222.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148076574859
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://technisource...ort/ieatgpc.cab
O21 - SSODL: zip - {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll
O21 - SSODL: BootRam - {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9509 bytes



#11 sarahw (Malware Staff, 2,781 posts)

1.
Save the text in the quotebox below as fixme.reg in Notepad. Under Save as type, select All Files and save it on your Desktop. Make sure there are no empty lines above REGEDIT4.
REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{98DBBF16-CA43-4c33-BE80-99E66949468A4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98DBBF16-CA43-4c33-BE80-99E66949468A4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98DBBF16-CA43-4c33-BE80-99E66949468A4}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"=-
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: Do you wish to merge the information into the registry?
Answer Yes and wait for a message to appear similar to: Merged Successfully.

2.
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\braviax.exe
    C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.


3.
TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

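The HijackThis log in #10 and the fixme.reg in #11 are two halves of one check: which autostart entries look wrong, and does the fix touch exactly those and nothing else. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or OTMoveIt. It parses the HKLM/HKCU O4 lines with three heuristics that are my own assumptions (a bare filename with no directory, which Windows resolves by search order rather than a fixed path; a path under a user profile or Temp directory; and one value name registered under both hives, which is what the two braviax entries in the log show), then dry-runs a REGEDIT4 file to list what it would delete, rejecting a file whose header is not on line 1 (the blank-line mistake #11 warns about), and finally reports any value deletion that no finding supports. The O4 sample lines are copied from the log above except the "updater" entry, which is constructed to exercise the Temp rule; REG_SAMPLE keeps only the value deletions from the fix.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: O4 lines copied from the HijackThis log in this thread,
# plus one made-up Temp-directory entry ("updater") to exercise that rule.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\upd.exe
"""
# Constructed sample in the same REGEDIT4 shape as the staff's fixme.reg
# (only the value deletions; the CLSID key deletions are left out here).
REG_SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"=-
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
"""
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Directories an autostart rarely has a legitimate reason to live in (heuristic; an assumption).
PROFILE_DIR_RE = re.compile(r"\\(Application Data|Local Settings|Temp|LOCALS~1|APPLIC~1)\\", re.I)
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
Autostart = namedtuple("Autostart", "hive key name image reasons")  # reasons: tuple, empty if nothing odd


def image_from_command(cmd: str) -> str:
    """Program part of a Run-key command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage_autostarts(hjt_text: str) -> list:
    """Parse HKLM/HKCU O4 lines and attach a reason to every entry worth a second look."""
    parsed = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            parsed.append((m["hive"], m["key"], m["name"], image_from_command(m["cmd"])))
    hives_per_name = defaultdict(set)  # one value name under several hives is worth noting
    for hive, _key, name, _image in parsed:
        hives_per_name[name.lower()].add(hive)
    results = []
    for hive, key, name, image in parsed:
        reasons = []
        if "\\" not in image:
            reasons.append("bare filename: resolved by search order, not a fixed path")
        if PROFILE_DIR_RE.search(image):
            reasons.append("runs from a user-profile or Temp directory")
        if len(hives_per_name[name.lower()]) > 1:
            reasons.append("same name registered under " + "+".join(sorted(hives_per_name[name.lower()])))
        results.append(Autostart(hive, key, name, image, tuple(reasons)))
    return results


def parse_reg_fix(reg_text: str) -> list:
    """Dry-run a REGEDIT4 file: list its operations without touching the registry.

    regedit requires the version header on the very first line, so a blank line
    above REGEDIT4 (the mistake #11 warns about) is rejected here as well.
    """
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("REGEDIT4 must be the first line of the file")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[-") and line.endswith("]"):  # [-KEY] deletes the whole key
            ops.append(("delete_key", line[2:-1]))
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')  # "name"=- deletes the value, anything else sets it
            ops.append(("delete_value", current, name) if data == "-" else ("set_value", current, name, data))
        else:
            raise ValueError("unrecognised line: " + line)
    return ops


def unexplained_deletions(ops: list, findings: list) -> list:
    """Value deletions in the fix that no triage finding backs up: review these before merging."""
    flagged = {(f.hive, f.name.lower()) for f in findings if f.reasons}
    missing = []
    for op in ops:
        if op[0] == "delete_value":
            hive = HIVE_ABBREV.get(op[1].split("\\", 1)[0], op[1])
            if (hive, op[2].lower()) not in flagged:
                missing.append((hive, op[2]))
    return missing


if __name__ == "__main__":
    findings = triage_autostarts(HJT_SAMPLE)
    for f in findings:
        if f.reasons:
            print(f"{f.hive}\\{f.key} [{f.name}] {f.image} -> " + "; ".join(f.reasons))
    print("unexplained deletions:", unexplained_deletions(parse_reg_fix(REG_SAMPLE), findings))
```

Point it at the saved log text and the .reg file before merging: a deletion that comes back as unexplained is the one to double-check, because a merged .reg file cannot be undone unless the affected keys were exported first. The heuristics only rank entries for a human to look at; the OEM entries in this log (RTHDCPL.EXE, ARPWRMSG.EXE, nwiz.exe) are also bare filenames and would be listed for the same reason.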

#12 Mswei (Topic Starter, Member, 23 posts)

[Custom Input]
< C:\WINDOWS\system32\braviax.exe >
File/Folder C:\WINDOWS\system32\braviax.exe not found.
< C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp >
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\Upgrade moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\ug00001 moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\ug00000 moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\st00000 moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\in00000 moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\ar00000 moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp moved successfully.

OTMoveIt2 v1.0.20 log created on 03102008_001144

There's the MoveIt log; thanks for your quick reply!

#13 sarahw (Malware Staff, 2,781 posts)

Can you please run ComboFix again.
You had a ping timeout from chat; you will need to press the connect button to rejoin :)

Edited by sarahw, 09 March 2008 - 10:17 PM.


#14 Mswei (Topic Starter, Member, 23 posts)

Hi Sarah, here are the HJT results after the HouseCall scan. I'll have the ComboFix log out as soon as the scan is done running.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:23, on 2008-03-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Hija\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: (no name) - {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - (no file)
O3 - Toolbar: (no name) - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LaunchPDeviceConn] "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {160837A9-67E0-4E3F-8DD6-065361150FDA} (CollaborationCtl Class) - http://hdtelwebpa1.i...borationInf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.co...nloader1222.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148076574859
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://technisource...ort/ieatgpc.cab
O21 - SSODL: zip - {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll
O21 - SSODL: BootRam - {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9553 bytes

#15 Mswei (Topic Starter, Member, 23 posts)
And the ComboFix log:
ComboFix 08-03-09.1 - HP_Administrator 2008-03-10 1:27:27.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 00:13 . 2008-03-10 01:23 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2008-03-10 00:11 . 2008-03-10 00:11 <DIR> d-------- C:\_OTMoveIt
2008-03-09 15:47 . 2008-03-09 15:47 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Grisoft
2008-03-09 15:27 . 2008-03-09 15:44 <DIR> d-------- C:\Mr Wacky's Adventure
2008-03-09 13:42 . 2008-03-09 13:42 16,384 --a------ C:\WINDOWS\nod32se.exe
2008-03-08 11:09 . 2008-03-08 11:09 <DIR> d-------- C:\Program Files\SysCleaner
2008-03-08 11:04 . 2008-03-09 13:44 98,709 --a------ C:\Program Files\udefender_setup.exe
2008-03-08 10:59 . 2008-03-08 10:59 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-08 10:59 . 2008-03-08 10:59 16,480 --a------ C:\Program Files\tmp208970250.exe
2008-03-08 10:59 . 2008-03-08 10:59 13,580 --a------ C:\Program Files\tmp208974140.exe
2008-03-06 00:55 . 2008-03-06 00:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-03-05 22:37 . 2008-03-06 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 22:28 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-05 22:27 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 22:26 . 2008-03-06 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 22:19 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-05 22:19 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-05 22:19 . 2008-03-02 00:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-05 22:19 . 2008-03-05 23:29 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-05 22:19 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-05 22:19 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-05 22:19 . 2008-03-06 01:35 4,038 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-05 22:07 . 2008-03-05 22:07 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Your Company Name
2008-03-03 22:46 . 2008-03-03 22:46 <DIR> d-------- C:\Program Files\Total Seminars
2008-02-22 12:02 . 2008-02-22 12:02 202,827 --a------ C:\WINDOWS\system32\atasnt40.dll
2008-02-22 12:01 . 2008-02-22 12:01 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2008-02-22 00:25 . 2008-02-22 00:25 <DIR> d-------- C:\Program Files\OGPlanet
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\MSECache
2008-02-14 03:08 . 2008-02-14 03:08 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-02-14 03:07 . 2008-02-14 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-06 02:50 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2008-03-06 02:36 155,648 ----a-w C:\WINDOWS\system32\nerocheck.exe
2008-03-06 02:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 13:45 --------- d-----w C:\Program Files\Incomplete
2008-03-05 13:35 --------- d-----w C:\Program Files\LimeWire
2008-03-05 13:35 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-03-05 06:24 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\gtk-2.0
2008-03-03 23:08 --------- d-----w C:\Program Files\AIM6
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-03 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-03 04:31 --------- d-----w C:\Program Files\World of Warcraft
2008-02-29 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-26 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 07:52 --------- d-----w C:\Program Files\Sword of The New World
2008-02-26 07:51 --------- d-----w C:\Program Files\MasterOfDefense_at
2008-02-22 14:24 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\ICAClient
2008-02-14 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-14 07:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-08 21:56 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\acccore
2008-02-08 19:40 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DWRCC
2008-02-08 19:37 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\DameWare Development
2008-02-08 19:36 --------- d-----w C:\Program Files\DameWare Development
2008-02-08 19:24 --------- d-----w C:\Program Files\SJLabs
2008-02-08 19:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 19:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 19:14 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-02-08 19:14 --------- d-----w C:\Program Files\AR System
2008-02-08 19:14 --------- d-----w C:\Documents and Settings\Technisource VPN\Application Data\AR System
2008-02-05 06:28 --------- d-----w C:\Program Files\WowGasm
2008-02-05 04:31 --------- d-----w C:\Program Files\Warcraft III
2008-02-04 23:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
2008-02-04 06:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-01 01:44 45,056 ----a-w C:\WINDOWS\system32\UTSCSI.EXE
2008-02-01 00:46 --------- d-----w C:\Program Files\support.com
2008-02-01 00:46 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-01-25 13:42 --------- d-----w C:\Program Files\Google
2008-01-25 02:58 --------- d-----w C:\Program Files\CCleaner
2008-01-23 06:33 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-16 07:17 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-01-16 04:21 --------- d-----w C:\Program Files\Java
2007-12-20 03:47 846,504 ----a-w C:\Documents and Settings\HP_Administrator\JNativeCpp.dll
2007-12-11 19:46 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:46 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-11 19:46 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-11 19:46 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-11 19:45 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 05:51 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-09-24 08:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.
Files Infected - Win32.Agent.zb
c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 22:36 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2008-03-05 22:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-03-05 22:36 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-03-05 22:36 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-03-05 22:36 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 03:12 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-05 22:36 132496]
"LaunchPDeviceConn"="C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe" [2008-03-05 22:36 299008]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2008-03-05 22:36 124520]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-03-05 22:36 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-03-05 22:36 249856]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 06:53 15969280 C:\WINDOWS\RTHDCPL.EXE]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-03-05 22:36 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 22:36 180269]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21 217088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-09 17:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-02-22 17:58:29 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll [2008-03-08 10:59 38438]
"BootRam"= {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll [2008-03-08 10:59 14374]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2005-11-11 17:11 1064960 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2005-11-11 17:10 61440 C:\Program Files\DISC\DiscUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
--a------ 2005-11-01 06:01 90112 c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 20:24 50760 C:\Program Files\Common Files\AOL\1147572088\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 22:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147572088\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 inwrdr;inwrdr;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\inwrdr.sys []
S3 nenum13E;nenum13E;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\nenum13E.sys []
S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys []
S3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys []
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47876b4c-f72b-11da-8a91-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ac6ba3-ef32-11da-8a81-0015f2eb0b2a}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 01:32:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\accctsggw]
"ImagePath"="\??\C:\WINDOWS\inf\accctsggw.cat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll
-> C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll
.
Completion time: 2008-03-10 1:33:25
ComboFix-quarantined-files.txt 2008-03-10 05:33:16
ComboFix2.txt 2008-03-10 03:15:37
ComboFix3.txt 2008-03-10 02:57:05
ComboFix4.txt 2008-03-10 02:41:09
ComboFix5.txt 2008-03-09 21:09:50
.
2007-11-28 06:53:27 --- E O F ---
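The HijackThis O21 lines and the ComboFix "Reg Loading Points" section above carry several indicators that are easy to miss when reading a log by eye: shell service objects loaded from C:\WINDOWS\Installer\{GUID} folders, an extra DLL appended to the SecurityProviders list, Security Center notifications switched off, the standard-profile firewall disabled, a driver registered from a Temp folder, and a service whose ImagePath is a .cat file rather than an executable. The script below is an added example, not ComboFix's code and not part of the original post: it parses log text of this shape and flags those patterns. The sample input is excerpted from the ComboFix log posted above; the check names and the assumption that the Windows XP default SecurityProviders value is msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll are this example's own. A flag means "look at this", not a verdict that the entry is malicious.

```python
"""Triage the registry loading points printed by a ComboFix log.

Added example for this thread; it is not ComboFix code and not part of the
original post.  SAMPLE_LOG is excerpted from the log posted above; the check
names and the XP default SecurityProviders list are this example's assumptions.
"""
import re

# Assumed default of HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders on
# Windows XP.  Any extra DLL in that list is loaded into LSASS at boot.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample input: lines excerpted from the ComboFix output above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {31f9e817-78f3-43f6-a2b9-6be4db1f4c6d} - C:\WINDOWS\Installer\{31f9e817-78f3-43f6-a2b9-6be4db1f4c6d}\zip.dll [2008-03-08 10:59 38438]
"BootRam"= {9f548e5a-2138-4a5f-b37d-c8f8ed5d0082} - C:\WINDOWS\Installer\{9f548e5a-2138-4a5f-b37d-c8f8ed5d0082}\BootRam.dll [2008-03-08 10:59 14374]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 inwrdr;inwrdr;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\inwrdr.sys []
S3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys []

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\accctsggw]
"ImagePath"="\??\C:\WINDOWS\inf\accctsggw.cat"
"""

# DLL path under %windir%\Installer\{GUID}\ (a location used for MSI data, not for shell extensions).
INSTALLER_GUID = re.compile(r"\\Installer\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)
# "Name"=dword:00000001 style value set to 1.
DWORD_ONE = re.compile(r'"(\w+)"=dword:0*1$')
# ComboFix service/driver list line: "<start-type> <name>;<display name>;<image path> [date]".
DRIVER_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[")
IMAGE_PATH = re.compile(r'"ImagePath"="(.+)"$')


def split_sections(text):
    """Group non-empty log lines under the most recent [registry key] header.

    Keys are lower-cased.  Lines that precede any header go under ''.
    """
    sections = {"": []}
    current = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return (check_name, detail) tuples for entries worth a closer look."""
    findings = []
    for key, lines in split_sections(text).items():
        for line in lines:
            # Driver/service list lines are not under a registry header, so match them anywhere.
            m = DRIVER_LINE.match(line)
            if m and "\\temp\\" in m.group(2).lower():
                findings.append(("driver_loaded_from_temp", m.group(1)))
                continue
            if key.endswith("shellserviceobjectdelayload") and INSTALLER_GUID.search(line):
                findings.append(("ssodl_installer_guid", line.split('"')[1]))
            elif key.endswith("control\\securityproviders") and line.lower().startswith("securityproviders"):
                parts = line.split(None, 1)
                listed = {p.strip().lower() for p in parts[1].split(",")} if len(parts) > 1 else set()
                for extra in sorted(listed - DEFAULT_SECURITY_PROVIDERS):
                    findings.append(("extra_security_provider", extra))
            elif key.endswith("security center"):
                m = DWORD_ONE.match(line)
                if m and m.group(1).endswith("DisableNotify"):
                    findings.append(("security_center_notify_disabled", m.group(1)))
            elif key.endswith("firewallpolicy\\standardprofile") and line.startswith('"EnableFirewall"'):
                if re.search(r"=\s*0\b", line):
                    findings.append(("firewall_disabled", key))
            elif "\\services\\" in key:
                m = IMAGE_PATH.match(line)
                # A service binary that is not .exe/.sys (here a .cat under \inf) is unusual.
                if m and not m.group(1).lower().endswith((".exe", ".sys")):
                    findings.append(("service_imagepath_not_executable", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:36} {detail}")
```

Run against the excerpt it prints eight findings: the two SSODL DLLs, wowfx.dll as the non-default security provider, both Security Center notification switches, the disabled standard-profile firewall, the inwrdr driver in Temp, and the accctsggw service pointing at a .cat file. Feeding it a full log only adds coverage; the checks are keyed on the header names ComboFix prints, so a section it does not recognise is simply ignored.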