
Windows security alert popup. Please help! [RESOLVED]


#1 Ty-Reef (Member, 12 posts)
Hello!!

I have this pesky Windows security alert popup that continues to pop up about 30 seconds after I boot up my desktop. The entire message is this:

Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unauthorized access to your files! Click here to download spyware remover...

I also have a red button with a white X in the middle, and right beside it is a yield sign with a black exclamation point; both tell me that my computer is infected. I believe if you try to click on either of them, they take you to protect.spyguardpro.com. I'm using Spyware Doctor on my computer, so it blocks the site from being accessed.

I've had Virtumonde and Outerinfo, and I took plenty of scans and figured that I got rid of it; however, I can't get rid of these icons or this pop-up. I've tried scanning with Spyware Doctor, AVG Anti-Spyware, SUPERAntiSpyware, and SmitfraudFix. None of these have been able to fix my problem. I was thinking that it was a hidden file in Internet Explorer, like a hidden rootkit or something, but I'm willing to try anything else at this point, including using these programs over if need be.

This is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:42 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42B18F05-59FA-495F-BB30-D6B82070B108} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvkat.dll,startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5252 bytes

And I don't know if you need this, but here is my uninstall file as well:
Adobe Flash Player Plugin
Adobe Reader 7.0.5
Adware Away v3.1.4.7
Apple Software Update
BUFFALO Client Manager 3
Compaq Connections (remove only)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
DivX Content Uploader
DivX Web Player
ffdshow [rev 1324] [2007-07-01]
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB935448)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Support Overview
HP Web Helper
J2SE Runtime Environment 5.0 Update 6
Lexmark X1100 Series
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Money 2006
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Works
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
My HP Games
Netscape Browser (remove only)
NVIDIA Drivers
PC-Doctor 5 for Windows
Python 2.2 pywin32 extensions (build 203)
Quicken 2006
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spyware Doctor 5.5
SUPERAntiSpyware Free Edition
TVersity Codec Pack 1.1
TVersity Media Server 0.9.11.4 beta
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066

Please help if you can!! I appreciate your time and concern!!
  • 0

#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an Antivirus before starting this thread, because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise for us to clean this up manually if an Antivirus scan is not present, which should be able to deal with most of it and prevent further reinfection.
  • 0

#3 Ty-Reef (Topic Starter, Member, 12 posts)
Ahh, when I downloaded Spyware Doctor, it said it had antivirus on it, but I guess it wasn't a good enough replacement. I accidentally put it all in quarantine, but I deleted everything in the quarantine folder. I'm not getting the pop-up anymore; however, there were some things that weren't deleted. Here is my Avira report:



AntiVir PersonalEdition Classic
Report file date: Wednesday, March 19, 2008 01:42

Scanning for 1157825 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: TJ

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 18:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 17:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 20:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 17:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 21:08:03
ANTIVIR2.VDF : 7.0.3.3 2048 Bytes 3/7/2008 21:08:04
ANTIVIR3.VDF : 7.0.3.49 297472 Bytes 3/18/2008 21:08:04
AVEWIN32.DLL : 7.6.0.75 3334656 Bytes 3/18/2008 21:08:05
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 12:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 3/18/2008 21:08:05
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 12:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 17:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 12:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 17:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 17:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 14:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, March 19, 2008 01:42

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'MediaServer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RtlWake.exe' - '1' Module(s) have been scanned
Scan process 'Compaq Connections.exe' - '1' Module(s) have been scanned
Scan process 'cm3_tray.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'lxbkbmgr.exe' - '1' Module(s) have been scanned
Scan process 'pctsTray.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'pctsSvc.exe' - '1' Module(s) have been scanned
Scan process 'pctsAuxs.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'Bwsvc.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\drvkat.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '4856a84f.qua'!
C:\WINDOWS\system32\drvkat.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen

The registry was scanned ( '34' files ).


Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B312472.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813aa8b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11A55B1B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821aa80.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15313459.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813aa87.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\153B324E.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813aa89.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\153E5C4B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813aa8c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15453043.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814aac7.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\159D1DE2.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4819aad2.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15A047DF.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821aad6.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15AA45D4.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821aad8.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15AD6FD0.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821ab25.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15B443C9.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4822ab27.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15B76DC6.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4822ab2b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\16C16071.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4823ab2d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17810750.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab2e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21DF6138.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4824ab29.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45694673.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab2d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\506E4A7C.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab28.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50F90272.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab29.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C170339.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4811ab3c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C4666FC.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab3d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C530EED.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4815ab3d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C6A34D4.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab3e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7047A8.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab3e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7371A4.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab3f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7432C9.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49af14a0.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C761BA1.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab40.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C7A459D.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49af14a1.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C801996.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab40.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C8B58B0.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab41.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CDC7256.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4824ab41.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CE91A48.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab42.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DBC2087.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4822ab44.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DCB6B50.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4823ab48.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E7B468E.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab4c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E854483.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab51.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EF02E0D.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab52.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EF45809.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab53.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EFA2C02.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab56.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F017FFB.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4810ab57.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F0E27EC.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4810ab58.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F1151E9.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4811ab59.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F1B4FDE.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4811ab5a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F2877D0.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4812ab5b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F351FC1.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813ab5c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F4F6FA4.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab5f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F636B8F.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab5f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F7D3B72.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab60.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F8D0D60.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab62.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F9E5F4E.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4819ab63.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FA75D43.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821ab64.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FB40535.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4822ab64.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FBB592E.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4822ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FC55723.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4823ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FD27F15.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4824ab66.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FDF2706.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '499c1487.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60101CD0.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4811ab55.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\603E689E.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813ab56.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6041129B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab56.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60443C97.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab57.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60476693.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab59.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\604B1090.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab5a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60516489.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4815ab5a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60583881.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4815ab5b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\605E0C7A.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49ad14bc.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60613677.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab5c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60680A6F.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49ae14bd.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60720865.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab5d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60753261.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49af14be.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\607C065A.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab5e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\608F0244.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab5f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C74C07.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4823ab62.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60D473F9.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4824ab63.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60DA47F2.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4824ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60E11BEA.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab65.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60EE43DC.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab67.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60FB6BCE.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab67.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\610B3DBC.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Delf.BF Backdoor server programs
[INFO] The file was moved to '4810ab69.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61153BB1.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4811ab6a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\611C0FAA.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49a9148b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\612263A3.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4812ab6b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6129379B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49aa148c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61365F8D.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813ab6c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\613C3386.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813ab6d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61405D82.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab6d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6146317B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49ac148e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\614D0574.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4814ab6e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61560369.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4815ab6f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\615D5762.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49ad1490.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61675557.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab70.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6181253A.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab71.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61E310CF.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab71.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62000AAE.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4810ab75.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62105C9C.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4811ab75.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63DD33C4.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4824ab77.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63E407BD.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab77.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63E731B9.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab78.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65CE21A2.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4823ab7a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65D14B9E.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4824ab7a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AB3651B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4822ab87.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6ABD6311.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '499a1468.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AE3020B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab88.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AEA5604.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4825ab89.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AED0000.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '499d146a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AF029FD.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab89.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AF353F9.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab8a.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AF77DF6.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4826ab8b.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B007BEB.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4810ab8c.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E731CFB.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab90.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E7F6C12.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4817ab91.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\713F3F0B.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4813ab7d.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\718874BB.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4818ab7e.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\726120A8.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab7f.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\729B3B8D.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4819ab80.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72A26860.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821ab80.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72A93C59.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821ab81.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72AC6655.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '49991462.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73CF7F16.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4823ab82.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75612B5C.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4816ab85.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77A752B9.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Parite
[INFO] The file was moved to '4821ab88.qua'!
C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.44
[INFO] The file was moved to '4849ad5b.qua'!
C:\Program Files\HP Games\Cake Mania\CakeMania-WT.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '484bbb16.qua'!
C:\Program Files\HP Games\Diner Dash\Diner Dash.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[INFO] The file was moved to '484ebb28.qua'!
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.aeh
[INFO] The file was moved to '4841bdcd.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <PRESARIO_RP>


End of the scan: Wednesday, March 19, 2008 04:00
Used time: 2:18:15 min

The scan has been done completely.

14047 Scanning directories
610027 Files were scanned
122 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
124 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
609905 Files not concerned
22563 Archives were scanned
3 Warnings
127 Notes

And this is my second HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:25 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42B18F05-59FA-495F-BB30-D6B82070B108} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5849 bytes

This is all of my information so far but I'm not sure what to do from here.

#4
miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5
Ty-Reef (Topic Starter, Member, 12 posts)
Okay, I ran ComboFix and here are the results of it:

ComboFix 08-03-18.1 - Compaq_Owner 2008-03-20 13:02:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.530 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\Y8LA7QJD\www.broadcaster.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\Y8LA7QJD\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\Y8LA7QJD\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINDOWS\adaway.lic
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\vwfydjrd.ini
C:\WINDOWS\system32\yvojmbvy.dllbox
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Program Files\Avira
2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-17 19:24 . 2008-03-17 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 19:23 . 2008-03-17 19:23 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-15 15:57 . 2008-03-15 15:57 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-15 15:57 . 2005-06-10 17:20 1,536 --a------ C:\WINDOWS\system32\bwsvc_event.dll
2008-03-15 15:56 . 2005-07-06 11:52 9,600 --a------ C:\WINDOWS\system32\BUFADPT.SYS
2008-03-15 15:55 . 2006-02-01 09:05 192,512 --a------ C:\WINDOWS\UN800114.EXE
2008-03-13 15:04 . 2008-03-14 21:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 15:04 . 2008-03-13 15:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 21:40 . 2008-02-29 21:40 <DIR> d--hs---- C:\found.000
2008-02-21 15:12 . 2008-02-21 15:12 <DIR> d-------- C:\Documents and Settings\Administrator.TJ\.housecall6.6
2008-02-21 15:12 . 2008-02-21 15:12 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 17:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 17:15 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-18 00:20 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Azureus
2008-03-10 17:34 --------- d-----w C:\Program Files\Azureus
2008-03-04 02:56 --------- d-----w C:\Program Files\StepMania
2008-02-27 05:57 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-23 22:06 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-20 17:16 --------- d-----w C:\Program Files\The Cleaner
2008-02-19 17:57 --------- d-----w C:\Program Files\Adware Away
2008-02-12 20:09 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-08 08:28 --------- d-----w C:\Program Files\DivX
2008-02-05 22:07 --------- d-----w C:\Program Files\TVersity Codec Pack
2008-02-05 22:07 --------- d-----w C:\Program Files\ffdshow
2008-02-05 22:05 --------- d-----w C:\Program Files\TVersity
2008-02-05 21:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-01-31 09:41 --------- d-----w C:\Program Files\QuickTime
2008-01-31 09:40 --------- d--h--w C:\Documents and Settings\Compaq_Owner\Application Data\ijjigame
2008-01-31 09:39 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-01-31 09:39 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-01-30 05:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-01-29 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-29 17:46 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-01-29 15:56 1,519,616 ----a-w C:\WINDOWS\system32\nwiz .exe
2008-01-29 09:04 218,504 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-29 05:25 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\Talkback
2008-01-29 03:57 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 23:23 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\PC Tools
2008-01-25 06:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-24 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 05:15 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-01-24 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-01-24 05:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-24 02:31 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DAEMON Tools
2008-01-24 02:29 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-01-24 02:22 --------- d-----w C:\Program Files\Trillian
2008-01-24 02:20 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-24 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-24 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-23 04:05 700,416 ----a-w C:\StubInstaller.exe
2008-01-23 03:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Netscape
2008-01-23 03:52 53,248 ----a-w C:\WINDOWS\ap561.exe
2008-01-23 03:46 1,688 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_RE467AA-ABA SR2010NX NA640_YC_0Pres_QCNH631_E64NAheREA2_48_INAOS_SASUSTek Computer INC._V1.05_B3.00_T060630_WXH2_L409_M959_J120_7AMD_8Sempron_91.8_#061002_N_Z14F12
F20_G10DE0241_OLITE-ON COMBO SOHC-4836K.MRK
2008-01-23 03:45 --------- d-----w C:\Program Files\Windows Defender
2008-01-22 06:08 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Aim
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2006-12-25 04:23 450 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2002-10-01 19:43 119,798 -c--a-w C:\WINDOWS\inf\spca561.sys
.
<pre>
----a-w			27,136 2008-01-24 23:35:07  C:\hp\bin\cloaker .exe
----a-w		   185,896 2008-01-23 03:46:28  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			52,848 2008-01-24 02:29:49  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   218,240 2008-01-24 02:29:50  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w			49,152 2008-01-29 15:56:47  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w			36,975 2008-01-29 16:09:57  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-01-29 15:58:11  C:\Program Files\Messenger\msmsgs .exe
----a-w			53,248 2008-01-24 02:29:48  C:\Program Files\PC-Doctor 5 for Windows\RunProfiler .exe
----a-w		 1,103,752 2008-01-29 15:58:04  C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w		 1,318,912 2008-01-29 15:58:37  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		   663,552 2008-01-29 18:28:10  C:\WINDOWS\CREATOR\Remind_XP .exe
----a-w		   208,952 2008-01-23 03:39:06  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
------w		   237,568 2008-01-25 05:53:13  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w		 1,519,616 2008-01-29 15:56:43  C:\WINDOWS\system32\nwiz .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 18:50 7311360]
"nwiz"="nwiz.exe" []
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"PCDrProfiler"="" []
"MSDrive"="C:\WINDOWS\system32\drvjuf.dll" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-01-31 03:10 1103752]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-18 17:08 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-12 15:46:23 113664]
ClientManager3.lnk - C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe [2008-03-15 15:55:55 466944]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-01 14:56:30 36903]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-05-17 13:12:22 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrsst]
awtrsst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvojmbvy]
yvojmbvy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 11:52]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-01-29 05:04]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 13:16:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-20 13:26:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 17:26:07
.
2008-03-12 20:09:09 --- E O F ---

And here is my new HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:48 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjuf.dll,startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrsst - awtrsst.dll (file missing)
O20 - Winlogon Notify: yvojmbvy - yvojmbvy.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 6091 bytes

Well, now that this is done, what is my next step? Also, thanks again for the help thus far. I appreciate it very much.
#6 miekiemoes (Malware Expert, MVP)
Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Renv::
C:\hp\bin\cloaker .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\PC-Doctor 5 for Windows\RunProfiler .exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\CREATOR\Remind_XP .exe
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\system32\nwiz .exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrsst]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvojmbvy]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, I see you have disabled your Windows Firewall. Please enable it again since you have no other firewall installed (unless you decide to install a desktop firewall).
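Added example, not code from this thread and not part of ComboFix: a Python triage script that reads the "Reg Loading Points" section of a ComboFix log like the one posted above, flags the four indicators the expert acted on (Winlogon Notify packages that never resolved to a file on disk, a Run value whose rundll32-loaded DLL is missing, a Security Center notification switched off, and the XP firewall disabled) and emits the matching CFScript Registry:: block in .reg syntax, where `"name"=-` deletes a value and `[-key]` deletes a key. The sample log is a constructed excerpt modelled on the log above, not a verbatim copy, and two heuristics are this example's assumptions about ComboFix's output: an empty `[ ]` after a Run target means the file was not found, and a bare DLL name under a Notify subkey means it never resolved to a path. The Security Center check goes slightly beyond the thread by covering any `*DisableNotify` value (FirewallDisableNotify, UpdatesDisableNotify), which exist alongside AntiVirusDisableNotify on XP SP2.

```python
import re
from collections import OrderedDict

# Constructed excerpt modelled on the ComboFix log posted above; not verbatim.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"MSDrive"="C:\WINDOWS\system32\drvjuf.dll" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-01-31 03:10 1103752]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrsst]
awtrsst.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvojmbvy]
yvojmbvy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NOTIFY_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
                 r"\currentversion\winlogon\notify" + "\\")
SECCENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_SUFFIX = r"\firewallpolicy\standardprofile"

# Assumption about ComboFix's format: a found Run target gets [date time size],
# a missing one gets an empty [ ].
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')


def parse_loading_points(text):
    """Map each [registry key] line to the value lines listed under it."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "*Note*")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def triage(text):
    """Return (findings, cfscript_lines): a list of (indicator, name) tuples and
    a CFScript 'Registry::' block that removes what was flagged."""
    findings, script = [], []
    for key, values in parse_loading_points(text).items():
        lk = key.lower()
        if lk == RUN_KEY:
            gone = []
            for v in values:
                m = RUN_VALUE_RE.match(v)
                if not m or m.group("meta").strip():
                    continue  # target exists on disk; nothing to report
                name, target = m.group("name"), m.group("target")
                if target.lower().endswith(".dll"):
                    # rundll32-loaded DLL that is no longer present: drop the value
                    findings.append(("run_missing_dll", name))
                    gone.append(name)
                else:
                    # missing EXE: in this thread these were legitimate programs
                    # renamed to 'name .exe', so the file is fixed (Renv::), not the value
                    findings.append(("run_missing_exe", name))
            if gone:
                script.append("[%s]" % key)
                script.extend('"%s"=-' % n for n in gone)
        elif lk.startswith(NOTIFY_PREFIX):
            # A genuine notify package resolves to a full path plus size; a bare
            # DLL name means it never resolved (assumption about the format).
            if all("\\" not in v for v in values):
                findings.append(("winlogon_notify_unresolved", key[len(NOTIFY_PREFIX):]))
                script.append("[-%s]" % key)
        elif lk == SECCENTER_KEY:
            fixes = []
            for v in values:
                m = DWORD_RE.match(v)
                if m and m.group("name").lower().endswith("disablenotify") \
                        and int(m.group("hex"), 16) != 0:
                    findings.append(("security_center_notify_disabled", m.group("name")))
                    fixes.append('"%s"=dword:00000000' % m.group("name"))
            if fixes:
                script.append("[%s]" % key)
                script.extend(fixes)
        elif lk.endswith(FIREWALL_SUFFIX):
            for v in values:
                m = FIREWALL_RE.match(v)
                if m and int(m.group("val")) == 0:
                    # reported only; re-enable it in Control Panel as the expert advised
                    findings.append(("firewall_disabled", key.rsplit("\\", 1)[-1]))
    if script:
        script.insert(0, "Registry::")
    return findings, script


if __name__ == "__main__":
    found, cfscript = triage(SAMPLE_LOG)
    print("\n".join("%-32s %s" % f for f in found) + "\n\n" + "\n".join(cfscript))
```

Run against the constructed sample it reports Recguard as a missing EXE (the kind of entry the Renv:: list in the script above repairs by renaming the file back), MSDrive as a missing DLL, both random-named Notify packages, the disabled antivirus notification and the disabled firewall, and prints a Registry:: block equivalent to the one in the post above. The firewall is deliberately left out of the generated script, and the Renv:: list still has to be built by hand from the "Files Created" section.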

#7 Ty-Reef (Topic Starter)
I cut off Windows Firewall only for that scan because I wasn't sure if I was supposed to have it on or not while it was scanning. However, I cut it back on now. Here is my new ComboFix log:

ComboFix 08-03-18.1 - Compaq_Owner 2008-03-21 0:39:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.466 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Program Files\Avira
2008-03-18 17:06 . 2008-03-18 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-17 19:24 . 2008-03-17 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 19:23 . 2008-03-17 19:23 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-15 15:57 . 2008-03-15 15:57 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-15 15:57 . 2005-06-10 17:20 1,536 --a------ C:\WINDOWS\system32\bwsvc_event.dll
2008-03-15 15:56 . 2005-07-06 11:52 9,600 --a------ C:\WINDOWS\system32\BUFADPT.SYS
2008-03-15 15:55 . 2006-02-01 09:05 192,512 --a------ C:\WINDOWS\UN800114.EXE
2008-03-13 15:04 . 2008-03-14 21:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 15:04 . 2008-03-13 15:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 21:40 . 2008-02-29 21:40 <DIR> d--hs---- C:\found.000
2008-02-21 15:12 . 2008-02-21 15:12 <DIR> d-------- C:\Documents and Settings\Administrator.TJ\.housecall6.6
2008-02-21 15:12 . 2008-02-21 15:12 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 04:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 04:49 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-21 04:39 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-21 04:39 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-03-21 04:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-18 00:20 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Azureus
2008-03-10 17:34 --------- d-----w C:\Program Files\Azureus
2008-03-04 02:56 --------- d-----w C:\Program Files\StepMania
2008-02-27 05:57 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-20 17:16 --------- d-----w C:\Program Files\The Cleaner
2008-02-19 17:57 --------- d-----w C:\Program Files\Adware Away
2008-02-12 20:09 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-08 08:28 --------- d-----w C:\Program Files\DivX
2008-02-05 22:07 --------- d-----w C:\Program Files\TVersity Codec Pack
2008-02-05 22:07 --------- d-----w C:\Program Files\ffdshow
2008-02-05 22:05 --------- d-----w C:\Program Files\TVersity
2008-02-05 21:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-01-31 09:41 --------- d-----w C:\Program Files\QuickTime
2008-01-31 09:40 --------- d--h--w C:\Documents and Settings\Compaq_Owner\Application Data\ijjigame
2008-01-31 09:39 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-01-31 09:39 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-01-30 05:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-01-29 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-29 17:46 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-01-29 09:04 218,504 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-29 05:25 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\Talkback
2008-01-29 03:57 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-01-29 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 23:23 --------- d-----w C:\Documents and Settings\Administrator.TJ\Application Data\PC Tools
2008-01-25 06:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-24 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 05:15 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-01-24 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-01-24 02:31 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DAEMON Tools
2008-01-24 02:22 --------- d-----w C:\Program Files\Trillian
2008-01-24 02:20 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-24 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-24 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-23 04:05 700,416 ----a-w C:\StubInstaller.exe
2008-01-23 03:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Netscape
2008-01-23 03:52 53,248 ----a-w C:\WINDOWS\ap561.exe
2008-01-23 03:46 1,688 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_RE467AA-ABA SR2010NX NA640_YC_0Pres_QCNH631_E64NAheREA2_48_INAOS_SASUSTek Computer INC._V1.05_B3.00_T060630_WXH2_L409_M959_J120_7AMD_8Sempron_91.8_#061002_N_Z14F12
F20_G10DE0241_OLITE-ON COMBO SOHC-4836K.MRK
2008-01-23 03:45 --------- d-----w C:\Program Files\Windows Defender
2008-01-22 06:08 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Aim
2006-12-25 04:23 450 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 18:50 7311360]
"nwiz"="nwiz.exe" []
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-25 01:53 237568]
"PCDrProfiler"="" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-01-29 11:58 1103752]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-18 17:08 249896]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2008-01-23 22:30:05 27136]

C:\Documents and Settings\Administrator.TJ\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2008-01-23 22:30:05 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-12 15:46:23 113664]
ClientManager3.lnk - C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe [2008-03-15 15:55:55 466944]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-01 14:56:30 36903]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-05-17 13:12:22 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"C:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=

R1 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-07-06 11:52]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-01-29 05:04]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 00:50:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
.
**************************************************************************
.
Completion time: 2008-03-21 0:57:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 04:57:45
ComboFix2.txt 2008-03-20 17:26:15
.
2008-03-12 20:09:09 --- E O F ---


And here is my newest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:00 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5898 bytes

What is the next step that I take?
#8 miekiemoes (Malware Expert, MVP)
Hi,

This looks OK again. :)

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.
#9 Ty-Reef (Topic Starter)
Actually, everything seems pretty good right now. I really appreciate all of the help because I didn't think I'd ever get rid of this problem.

Thanks again for everything, and I'll make sure to keep a close eye on everything from now on!

:)
#10 miekiemoes (Malware Expert, MVP)
Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
#11 miekiemoes (Malware Expert, MVP)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.