Randomly named .dll files in Windows\system32 + Trojans [CLOSED]



#1
Mikey Boh

    New Member

  • 4 posts
Hey all, I've been trying to figure out what's going on with a user's computer. This user knows just enough to be dangerous. He's used HijackThis to remove some things after running AVG and Spybot. Hopefully he hasn't messed anything up too badly.

I've gone ahead and run Deckard's System Scanner; it created the main.txt file but not the extra.txt file. Here is the main.txt:

Deckard's System Scanner v20071014.68
Run by z43 on 2008-07-17 14:21:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-17 14:21:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\HPLamp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\z43\winlogon.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Caere\PageKeeper30\system\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\system\PKToPass.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\z43\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59AAD935-DB8D-4289-A0A3-67E2B3B55BAB} - C:\WINDOWS\system32\urqrQJAs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {D22C5DD6-69C0-4C96-86BA-68AE91B01ABA} - C:\WINDOWS\system32\iifcASMC.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\z43\winlogon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM3f98707b] Rundll32.exe "C:\WINDOWS\system32\bdpfbgfu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120135301024
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - https://10.254.254.2...aSpyRemoval.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft...DI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = ileads.ad.hsvcity.com
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: urqrQJAs - C:\WINDOWS\system32\urqrQJAs.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! Remoting Helper (TIRemotingHelper) - Unknown owner - C:\WINDOWS\TIRHService.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe


--
End of file - 9677 bytes

-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-17 12:01:51 77 --a------ C:\Documents and Settings\TEMP.ILEADS\3198.bat
2008-07-17 08:55:49 0 d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\AVGTOOLBAR
2008-07-17 07:04:17 32256 --a------ C:\WINDOWS\system32\ddCVnmnl.dll
2008-07-17 07:04:10 32256 --a------ C:\WINDOWS\system32\wvustSih.dll
2008-07-17 07:03:46 77 --a------ C:\Documents and Settings\TEMP.ILEADS\2109.bat
2008-07-16 15:53:38 0 d--h----- C:\$AVG8.VAULT$
2008-07-16 15:31:20 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 15:31:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-16 14:53:13 102400 --a------ C:\WINDOWS\system32\msgcwwaq.dll
2008-07-16 14:51:06 81920 --a------ C:\WINDOWS\system32\gutmslqq.dll
2008-07-16 14:50:53 93696 --a------ C:\WINDOWS\system32\bdpfbgfu.dll
2008-07-16 14:50:13 847716 --ahs---- C:\WINDOWS\system32\CMSAcfii.ini2
2008-07-16 14:47:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-16 14:19:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-07-16 14:19:12 32256 --a------ C:\WINDOWS\system32\khfGWmJY.dll
2008-07-16 14:19:08 32256 --a------ C:\WINDOWS\system32\yaywXPij.dll
2008-07-16 12:21:29 102400 --a------ C:\WINDOWS\system32\uhjcfjoq.dll
2008-07-16 12:09:11 0 d-------- C:\WINDOWS\system32\aumsDK18
2008-07-16 12:09:00 32256 --a------ C:\WINDOWS\system32\nnnMefFw.dll
2008-07-16 12:08:58 32256 --a------ C:\WINDOWS\system32\urqrQJAs.dll
2008-07-16 12:08:29 77 --a------ C:\Documents and Settings\TEMP.ILEADS\7897.bat
2008-07-16 11:02:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-16 10:56:26 0 d-------- C:\Program Files\Alwil Software
2008-07-15 13:41:02 0 d-------- C:\Program Files\AVG
2008-07-15 12:38:21 77 --a------ C:\Documents and Settings\TEMP.ILEADS\1313.bat
2008-07-15 12:13:51 843642 --ahs---- C:\WINDOWS\system32\jQtsvGgh.ini2
2008-07-15 11:37:25 0 d-------- C:\Documents and Settings\z43\Application Data\Adobe
2008-07-15 11:11:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 10:48:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 10:38:28 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-07-15 08:17:24 720194 --ahs---- C:\WINDOWS\system32\jmTDgMoq.ini2
2008-07-15 08:12:23 0 d-------- C:\WINDOWS\system32\olixds18
2008-07-15 08:12:06 77 --a------ C:\Documents and Settings\TEMP.ILEADS\4002.bat
2008-07-11 11:15:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-11 11:15:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-11 10:17:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-07-11 09:28:58 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-11 09:28:57 0 d--hs---- C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA
2008-07-11 09:28:56 0 d-------- C:\Program Files\Temporary
2008-07-11 08:47:55 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-11 05:02:05 101888 --a------ C:\WINDOWS\system32\haejqr.dll
2008-07-11 05:02:04 101888 --a------ C:\WINDOWS\system32\wusrhsqr.dll
2008-07-10 05:04:14 101376 --a------ C:\WINDOWS\system32\zzhpvc.dll
2008-07-10 05:04:13 101376 --a------ C:\WINDOWS\system32\bgbuucpg.dll
2008-07-09 16:06:27 2312 --ahs---- C:\WINDOWS\system32\adgPonnn.ini2
2008-07-09 15:58:28 37376 --a------ C:\Documents and Settings\TEMP.ILEADS\services.exe
2008-07-09 15:24:55 0 d-------- C:\Program Files\Conduit
2008-07-09 15:24:50 0 d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\BitZipper
2008-07-09 15:12:44 0 d-------- C:\Program Files\Motorola
2008-07-09 15:05:25 22768 --a------ C:\Documents and Settings\TEMP.ILEADS\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-07-09 10:08:47 0 d-------- C:\WINDOWS\system32\Adobe
2008-07-08 13:59:53 0 d-------- C:\Program Files\Common Files\DirectX
2008-07-08 13:59:46 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 18:38:32 53248 ---hs---- C:\Documents and Settings\z43\winlogon.exe
2008-06-27 18:38:32 53248 ---hs---- C:\Documents and Settings\TEMP.ILEADS\winlogon.exe
2008-06-27 18:38:32 53248 ---hs---- C:\Documents and Settings\Administrator\winlogon.exe
2008-06-17 09:37:14 0 d-------- C:\Documents and Settings\carlton.brooks.ad\Application Data\Adobe
2008-06-17 09:36:11 0 d-------- C:\Documents and Settings\carlton.brooks.ad\Application Data\Google
2008-06-17 09:31:12 0 d-------- C:\Documents and Settings\carlton.brooks.ad\Application Data\Identities
2008-06-17 09:28:12 0 dr------- C:\Documents and Settings\carlton.brooks.ad\Favorites
2008-06-17 09:28:12 0 d-------- C:\Documents and Settings\carlton.brooks.ad\Desktop
2008-06-17 09:28:12 0 d--hs---- C:\Documents and Settings\carlton.brooks.ad\Cookies
2008-06-17 09:28:12 0 dr-h----- C:\Documents and Settings\carlton.brooks.ad\Application Data
2008-06-17 09:28:12 0 d---s---- C:\Documents and Settings\carlton.brooks.ad\Application Data\Microsoft
2008-06-17 09:28:11 0 d--h----- C:\Documents and Settings\carlton.brooks.ad\Templates
2008-06-17 09:28:11 0 dr------- C:\Documents and Settings\carlton.brooks.ad\Start Menu
2008-06-17 09:28:11 0 dr-h----- C:\Documents and Settings\carlton.brooks.ad\SendTo
2008-06-17 09:28:11 0 dr-h----- C:\Documents and Settings\carlton.brooks.ad\Recent
2008-06-17 09:28:11 0 d--h----- C:\Documents and Settings\carlton.brooks.ad\PrintHood
2008-06-17 09:28:11 819200 --a------ C:\Documents and Settings\carlton.brooks.ad\NTUSER.DAT
2008-06-17 09:28:11 0 d--h----- C:\Documents and Settings\carlton.brooks.ad\NetHood
2008-06-17 09:28:11 0 dr------- C:\Documents and Settings\carlton.brooks.ad\My Documents
2008-06-17 09:28:11 0 d--h----- C:\Documents and Settings\carlton.brooks.ad\Local Settings
2008-06-17 09:21:46 0 d-------- C:\Program Files\MCS


-- Find3M Report ---------------------------------------------------------------

2008-07-15 13:21:52 0 d-------- C:\Program Files\Common Files
2008-07-14 08:59:43 0 d-------- C:\Program Files\Java
2008-07-09 16:00:18 109249 --a------ C:\Program Files\MSWINSCK.OCX <Not Verified; Microsoft Corporation; Microsoft Winsock Control>
2008-06-17 09:21:26 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-10 08:29:10 1080 --a------ C:\WINDOWS\AUTOLNCH.REG
2008-05-29 10:39:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-29 10:39:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 20:01:58 1568 --a------ C:\mcs.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59AAD935-DB8D-4289-A0A3-67E2B3B55BAB}]
07/16/2008 12:08 PM 32256 --a------ C:\WINDOWS\system32\urqrQJAs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/16/2008 03:31 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D22C5DD6-69C0-4C96-86BA-68AE91B01ABA}]
C:\WINDOWS\system32\iifcASMC.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/2002 11:35 AM]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [11/27/2002 01:47 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [01/31/2007 10:57 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [06/07/2003 06:32 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/24/2005 12:08 AM]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [06/25/1999 02:00 AM]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/2003 06:44 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [07/18/2003 05:23 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/09/2008 09:47 AM]
"Windows Logon Applicationedc"="C:\Documents and Settings\z43\winlogon.exe" [06/27/2008 06:38 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/16/2008 03:31 PM]
"BM3f98707b"="C:\WINDOWS\system32\bdpfbgfu.dll" [07/16/2008 02:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4977567-6B39-4AFA-9CD2-47A20209F5FE}"= C:\WINDOWS\system32\pmNHwvUN.dll [ ]
"{59AAD935-DB8D-4289-A0A3-67E2B3B55BAB}"= C:\WINDOWS\system32\urqrQJAs.dll [07/16/2008 12:08 PM 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrQJAs]
urqrQJAs.dll 07/16/2008 12:08 PM 32256 C:\WINDOWS\system32\urqrQJAs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifcASMC

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad\SYSVOL\ad.hsvcity.com\scripts\addtrackitadmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\IleadsMapReplace.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\1]
"Script"=rgswaimhpljc4600.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\1]
"Script"=rgswaimhpljc4600.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]



[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
C:\Program Files\Services.exe



-- End of Deckard's System Scanner: finished at 2008-07-17 14:22:53

Thanks in advance for whatever help anyone can give me, this one is a little out of my league!
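As an added example (not code from this thread, from Deckard's System Scanner or from HijackThis), here is a small Python triage pass over log lines in the format posted above. It flags the entries a responder would check first in a log like this one: a core system binary name such as winlogon.exe living outside system32, a Run key that loads a DLL through rundll32, BHOs with no name or a missing file, Winlogon Notify DLLs, LSA authentication packages beyond the default, and recently created system32 DLLs or .ini2 files with machine-looking names. The sample lines are excerpted from the DSS log above (the avgrsstx.dll entry is constructed in the same format to exercise the allowlist); the rule names, the allowlist and the 6-8 letter "random name" heuristic are my assumptions for illustration, not behaviour of either tool.

```python
"""Triage heuristics for Deckard's System Scanner / HijackThis-style logs.

Added example: not code from the forum thread, from Deckard's System Scanner
or from HijackThis. The rule names, the allowlist and the "random name"
heuristic below are assumptions made for illustration, not tool behaviour.
"""
import re
from typing import Dict, List, NamedTuple, Optional

SYSTEM32 = "c:\\windows\\system32\\"
# Core system binaries: a copy living outside system32 is a classic masquerade.
CORE_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe",
                 "smss.exe", "csrss.exe", "svchost.exe"}
# DLLs an installer is known to have dropped during the scan window (assumed).
KNOWN_NEW_DLLS = {"avgrsstx.dll"}

# Drive-letter path ending in an extension we care about; directory names may
# contain spaces ("Documents and Settings", "Spybot - Search & Destroy").
PATH_RE = re.compile(
    r'[a-z]:\\(?:[^\\\s"\[]+(?: [^\\\s"\[]+)*\\)*[^\\\s"\[]+\.(?:dll|exe|sys|ini2?)\b',
    re.IGNORECASE,
)
# Stems like urqrQJAs or bdpfbgfu: 6-8 letters, no digits, no vendor prefix.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{6,8}$")


class Finding(NamedTuple):
    rule: str
    path: str
    line: str


def first_path(line: str) -> Optional[str]:
    """Return the first file path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def looks_random(filename: str) -> bool:
    """Heuristic: does the stem look machine-generated (e.g. urqrQJAs.dll)?"""
    return bool(RANDOM_STEM_RE.match(filename.rsplit(".", 1)[0]))


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_created = False  # inside a "Files created ..." section (DSS or ComboFix)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if "files created" in low:
            in_created = True
        elif line.startswith(("--", "((((")):
            in_created = False
        path = first_path(line)
        name = path.rsplit("\\", 1)[-1].lower() if path else ""
        in_sys32 = path is not None and path.lower().startswith(SYSTEM32)
        # 1. A core binary name outside system32 (winlogon.exe in a user profile).
        if name in CORE_BINARIES and not in_sys32:
            findings.append(Finding("core_binary_outside_system32", path, line))
        # 2. Run key loading a DLL through rundll32: a favourite persistence loader.
        if line.startswith("O4") and "rundll32" in low and name.endswith(".dll"):
            findings.append(Finding("rundll32_dll_in_run_key", path, line))
        # 3. Browser Helper Object with no name or with its file already gone.
        if line.startswith("O2") and ("(no name)" in low or "(file missing)" in low):
            findings.append(Finding("unnamed_or_missing_bho", path or "?", line))
        # 4. Winlogon Notify DLLs load inside winlogon.exe; each deserves a look.
        if line.startswith("O20 - Winlogon Notify") and path:
            findings.append(Finding("winlogon_notify_dll", path, line))
        # 5. LSA authentication packages beyond the default msv1_0.
        if "authentication packages" in low and "=" in line:
            for token in line.split("=", 1)[1].split():
                if token.lower() != "msv1_0":
                    findings.append(Finding("extra_lsa_auth_package", token, line))
        # 6. Recently created system32 DLL or .ini2 with a machine-looking name.
        if in_created and in_sys32 and name not in KNOWN_NEW_DLLS:
            if name.endswith(".ini2") or (name.endswith(".dll") and looks_random(name)):
                findings.append(Finding("recent_random_system32_file", path, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample input: lines excerpted from the DSS log in the post above, plus one
# constructed avgrsstx.dll entry in the same format to exercise the allowlist.
SAMPLE_LOG = r"""
-- HijackThis Clone ------------------------------------------------------------
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59AAD935-DB8D-4289-A0A3-67E2B3B55BAB} - C:\WINDOWS\system32\urqrQJAs.dll
O2 - BHO: (no name) - {D22C5DD6-69C0-4C96-86BA-68AE91B01ABA} - C:\WINDOWS\system32\iifcASMC.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\z43\winlogon.exe
O4 - HKLM\..\Run: [BM3f98707b] Rundll32.exe "C:\WINDOWS\system32\bdpfbgfu.dll",s
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: urqrQJAs - C:\WINDOWS\system32\urqrQJAs.dll
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
-- Files created between 2008-06-17 and 2008-07-17 -----------------------------
2008-07-17 07:04:17 32256 --a------ C:\WINDOWS\system32\ddCVnmnl.dll
2008-07-16 14:50:53 93696 --a------ C:\WINDOWS\system32\bdpfbgfu.dll
2008-07-16 14:50:13 847716 --ahs---- C:\WINDOWS\system32\CMSAcfii.ini2
2008-07-16 15:31:19 10520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-09 15:58:28 37376 --a------ C:\Documents and Settings\TEMP.ILEADS\services.exe
2008-06-27 18:38:32 53248 ---hs---- C:\Documents and Settings\z43\winlogon.exe
-- Registry Dump ---------------------------------------------------------------
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifcASMC
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.path}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports 11 findings across the six rules. The point of rule 6 is the combination: a pure-letter 6-8 character stem on its own would flag legitimate files like setupapi.dll, but only files listed in the "Files created" window are considered, and a DLL that appeared in system32 in the last month without an installer to account for it is worth a second look whatever its name. Rules 1 and 5 catch the two entries in this log that survive a simple "look for odd DLL names" pass: the winlogon.exe copies in user profiles and the extra LSA authentication package, which loads in lsass.exe at every boot.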



#2
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo. Please do the following...


Please visit the webpage below for instructions on downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Regards
fenzodahl512

#3
Mikey Boh

    New Member

  • Topic Starter
  • 4 posts
Thanks for the reply and the welcome!

Installed the Recovery Console by way of ComboFix and let ComboFix do its thing. Here is the ComboFix.txt file:

ComboFix 08-07-17.4 - z43 2008-07-18 11:18:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.160 [GMT -5:00]
Running from: C:\Documents and Settings\z43\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\z43\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Temporary
C:\WINDOWS\BM3f98707b.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acmqcewj.ini
C:\WINDOWS\system32\adgPonnn.ini
C:\WINDOWS\system32\adgPonnn.ini2
C:\WINDOWS\system32\bdpfbgfu.dll
C:\WINDOWS\system32\bgbuucpg.dll
C:\WINDOWS\system32\CMSAcfii.ini
C:\WINDOWS\system32\CMSAcfii.ini2
C:\WINDOWS\system32\ddCVnmnl.dll
C:\WINDOWS\system32\esxrmbvn.dll
C:\WINDOWS\system32\gutmslqq.dll
C:\WINDOWS\system32\hnsjqb.dll
C:\WINDOWS\system32\jkkJyYrS.dll
C:\WINDOWS\system32\jmTDgMoq.ini
C:\WINDOWS\system32\jmTDgMoq.ini2
C:\WINDOWS\system32\jQtsvGgh.ini
C:\WINDOWS\system32\jQtsvGgh.ini2
C:\WINDOWS\system32\khfGWmJY.dll
C:\WINDOWS\system32\kwmqxjtn.ini
C:\WINDOWS\system32\lhqqipqr.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msgcwwaq.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nnnMefFw.dll
C:\WINDOWS\system32\nvbmrxse.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plprrqwh.ini
C:\WINDOWS\system32\qqlsmtug.ini
C:\WINDOWS\system32\SrYyJkkj.ini
C:\WINDOWS\system32\SrYyJkkj.ini2
C:\WINDOWS\system32\tbrroeix.ini
C:\WINDOWS\system32\uhjcfjoq.dll
C:\WINDOWS\system32\urqrQJAs.dll
C:\WINDOWS\system32\vdcbwqpv.dll
C:\WINDOWS\system32\wopawkru.dll
C:\WINDOWS\system32\wvustSih.dll
C:\WINDOWS\system32\xnlccjwe.ini
C:\WINDOWS\system32\yaywXPij.dll
C:\WINDOWS\system32\zzhpvc.dll

----- BITS: Possible infected sites -----

hxxp://hpdpsc
hxxp://coh
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-17 14:24 . 2008-07-18 11:13 <DIR> d-------- C:\Documents and Settings\z43\Application Data\U3
2008-07-17 14:23 . 2008-07-18 07:46 <DIR> d-------- C:\Documents and Settings\z43\Application Data\AVGTOOLBAR
2008-07-17 14:15 . 2008-07-17 14:15 <DIR> d-------- C:\Deckard
2008-07-17 12:01 . 2008-07-17 12:01 77 --a------ C:\Documents and Settings\TEMP.ILEADS\3198.bat
2008-07-17 09:22 . 2008-07-17 09:22 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-17 09:21 . 2008-07-17 09:22 73,216 --ahs---- C:\Thumbs.db
2008-07-17 08:55 . 2008-07-17 09:06 <DIR> d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\AVGTOOLBAR
2008-07-17 07:03 . 2008-07-17 07:03 77 --a------ C:\Documents and Settings\TEMP.ILEADS\2109.bat
2008-07-16 15:53 . 2008-07-18 11:11 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-16 15:31 . 2008-07-18 09:32 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 15:31 . 2008-07-16 15:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-16 15:31 . 2008-07-16 15:31 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-16 15:31 . 2008-07-16 15:31 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-16 12:21 . 2008-07-16 12:21 102,400 --a------ C:\WINDOWS\system32\ffzumdzl.lir
2008-07-16 12:18 . 2008-07-16 12:18 81,920 --a------ C:\WINDOWS\system32\ipjqjonx.agz
2008-07-16 12:15 . 2008-07-16 12:15 93,696 --a------ C:\WINDOWS\system32\cflcswoc.txb
2008-07-16 12:09 . 2008-07-18 11:36 <DIR> d-------- C:\WINDOWS\system32\aumsDK18
2008-07-16 12:09 . 2008-07-16 12:09 <DIR> d-------- C:\Temp\zpv201
2008-07-16 12:08 . 2008-07-16 12:08 77 --a------ C:\Documents and Settings\TEMP.ILEADS\7897.bat
2008-07-16 11:02 . 2008-07-16 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-16 10:56 . 2008-07-16 10:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-15 21:49 . 2008-07-15 21:49 32,768 --a------ C:\WINDOWS\system32\aumsDK18\aumsDK182328.exe
2008-07-15 13:41 . 2008-07-15 13:41 <DIR> d-------- C:\Program Files\AVG
2008-07-15 12:38 . 2008-07-15 12:38 77 --a------ C:\Documents and Settings\TEMP.ILEADS\1313.bat
2008-07-15 12:13 . 2008-07-15 12:13 281,600 --a------ C:\WINDOWS\system32\qpyclhnn.ngn
2008-07-15 11:17 . 2008-07-15 11:17 2,386 --a------ C:\WINDOWS\wininit.ini
2008-07-15 11:11 . 2008-07-15 11:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 10:48 . 2008-07-15 10:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-15 10:48 . 2008-07-16 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 10:38 . 2008-07-15 10:38 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-07-15 08:12 . 2008-07-15 12:08 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-15 08:12 . 2008-07-15 08:12 77 --a------ C:\Documents and Settings\TEMP.ILEADS\4002.bat
2008-07-11 11:46 . 2008-07-11 11:46 27 --a------ C:\WINDOWS\sssTbarV2.ini
2008-07-11 11:33 . 2008-07-11 11:33 74 --a------ C:\WINDOWS\st_affiliate.ini
2008-07-11 10:17 . 2008-07-15 10:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-07-11 09:28 . 2008-07-16 11:54 <DIR> d--hs---- C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA
2008-07-11 05:02 . 2008-07-11 05:02 101,888 --a------ C:\WINDOWS\system32\wusrhsqr.dll
2008-07-11 05:02 . 2008-07-11 05:02 101,888 --a------ C:\WINDOWS\system32\haejqr.dll
2008-07-10 04:58 . 2008-07-17 12:15 110,419 --a------ C:\WINDOWS\BM3f98707b.xml
2008-07-09 15:58 . 2008-07-09 15:58 <DIR> d-------- C:\Temp\stmpv4
2008-07-09 15:58 . 2008-07-17 12:01 37,376 --a------ C:\Documents and Settings\TEMP.ILEADS\services.exe
2008-07-09 15:24 . 2008-07-10 08:19 <DIR> d-------- C:\Program Files\Conduit
2008-07-09 15:24 . 2008-07-09 15:34 <DIR> d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\BitZipper
2008-07-09 15:14 . 2008-07-09 15:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-07-09 15:14 . 2008-07-09 15:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-07-09 15:13 . 2007-10-10 17:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-07-09 15:13 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motport.sys
2008-07-09 15:13 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-07-09 15:13 . 2007-11-02 15:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-07-09 15:13 . 2007-01-22 19:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-07-09 15:13 . 2007-11-02 15:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-07-09 15:12 . 2008-07-09 15:12 <DIR> d-------- C:\Program Files\Motorola
2008-07-09 15:05 . 2008-07-09 15:05 25,600 --a------ C:\Documents and Settings\TEMP.ILEADS\usbsermptxp.sys
2008-07-09 15:05 . 2008-07-09 15:05 22,768 --a------ C:\Documents and Settings\TEMP.ILEADS\usbsermpt.sys
2008-07-09 10:08 . 2008-07-11 09:24 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-08 13:59 . 2008-07-08 13:59 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-07-08 13:59 . 2008-07-08 14:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\z43\winlogon.exe
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\TEMP.ILEADS\winlogon.exe
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Administrator\winlogon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 16:36 32,256 ----a-w C:\WINDOWS\system32\opnnKddc.dll
2008-07-18 16:36 32,256 ----a-w C:\WINDOWS\system32\ljJaWnMF.dll
2008-07-17 19:03 --------- d-----w C:\Documents and Settings\TEMP.ILEADS\Application Data\U3
2008-07-14 13:59 --------- d-----w C:\Program Files\Java
2008-07-09 21:00 109,249 ----a-w C:\Program Files\MSWINSCK.OCX
2008-07-09 20:48 --------- d-----w C:\Documents and Settings\TEMP.ILEADS\Application Data\LimeWire
2008-06-17 14:56 --------- d-----w C:\Program Files\MCS
2008-06-17 14:21 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-06-17 14:21 249,856 ------w C:\WINDOWS\Setup1.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-29 15:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 15:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 01:01 1,568 ----a-w C:\mcs.reg
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 09:57 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\z43\winlogon.exe" [2008-06-27 18:38 53248]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2002-11-27 13:47 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [2007-01-31 10:57 414720]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 00:08 49152]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [1999-06-25 02:00 45056]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 17:23 868352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-09 09:47 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-16 15:31 1232152]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-08-09 17:36:20 299008]

C:\Documents and Settings\TEMP.ILEADS\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2008-04-23 15:09:50 199688]
NameTray.exe [2003-09-03 12:17:28 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{04F27F39-1C1B-4A4F-8B5A-A531E364B7A6}"= "C:\WINDOWS\system32\opnnKddc.dll" [2008-07-18 11:36 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnKddc]
2008-07-18 11:36 32256 C:\WINDOWS\system32\opnnKddc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mlJDuuSi

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad\SYSVOL\ad.hsvcity.com\scripts\addtrackitadmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\IleadsMapReplace.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\1]
"Script"=rgswaimhpljc4600.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\1]
"Script"=rgswaimhpljc4600.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe"=
"C:\\Program Files\\RealVNC\\vncviewer.exe"=
"C:\\WINDOWS\\TIREMOTE\\wuser32.exe"=
"C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-16 15:31]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-16 15:31]
R2 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2007-01-31 10:43]
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe [2007-01-31 10:57]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-20 20:37]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 15:18]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-24 20:19]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 16:33:00 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\HP\digital imaging\bin\hpqwrg.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{D22C5DD6-69C0-4C96-86BA-68AE91B01ABA} - C:\WINDOWS\system32\iifcASMC.dll
HKLM-Run-BM3f98707b - C:\WINDOWS\system32\wopawkru.dll
HKLM-Run-3cab43e7 - C:\WINDOWS\system32\esxrmbvn.dll
ShellExecuteHooks-{E91C2855-AC7E-4ED9-B488-0F78FAE8AD2D} - (no file)
ShellExecuteHooks-{B4977567-6B39-4AFA-9CD2-47A20209F5FE} - C:\WINDOWS\system32\pmNHwvUN.dll


**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
-> C:\WINDOWS\system32\opnnKddc.dll
-> C:\Documents and Settings\z43\winlogon.exe
-> C:\WINDOWS\system32\mlJDuuSi.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\mlJDuuSi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Caere\PageKeeper30\system\PKToPass.exe
C:\Program Files\Caere\PageKeeper30\system\PKSlapi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-18 11:48:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 16:47:21

Pre-Run: 24,149,352,448 bytes free
Post-Run: 24,582,094,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

301 --- E O F --- 2008-07-09 07:07:36


And here is the hijackthis.log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:50 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\z43\winlogon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\z43\winlogon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM3f98707b] Rundll32.exe "C:\WINDOWS\system32\qxreqsos.dll",s
O4 - HKLM\..\Run: [3cab43e7] rundll32.exe "C:\WINDOWS\system32\wcipidxv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120135301024
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - https://10.254.254.2...aSpyRemoval.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O17 - HKLM\Software\..\Telephony: DomainName = ileads.ad.hsvcity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! Remoting Helper (TIRemotingHelper) - Unknown owner - C:\WINDOWS\TIRHService.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 8043 bytes
  • 0

#4
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\Documents and Settings\TEMP.ILEADS\3198.bat
C:\Documents and Settings\TEMP.ILEADS\2109.bat
C:\WINDOWS\system32\ffzumdzl.lir
C:\WINDOWS\system32\ipjqjonx.agz
C:\WINDOWS\system32\cflcswoc.txb
C:\Documents and Settings\TEMP.ILEADS\7897.bat
C:\Documents and Settings\TEMP.ILEADS\1313.bat
C:\WINDOWS\system32\qpyclhnn.ngn
C:\Documents and Settings\TEMP.ILEADS\4002.bat
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\sssTbarV2.ini
C:\WINDOWS\st_affiliate.ini
C:\WINDOWS\system32\wusrhsqr.dll
C:\WINDOWS\system32\haejqr.dll
C:\WINDOWS\BM3f98707b.xml
C:\WINDOWS\system32\opnnKddc.dll
C:\WINDOWS\system32\ljJaWnMF.dll
C:\WINDOWS\system32\mlJDuuSi.dll
C:\Documents and Settings\z43\winlogon.exe
C:\Documents and Settings\TEMP.ILEADS\winlogon.exe
C:\Documents and Settings\Administrator\winlogon.exe

Folder::
C:\WINDOWS\system32\aumsDK18
C:\Temp\zpv201
C:\WINDOWS\system32\olixds18
C:\Temp\stmpv4

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnKddc]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{04F27F39-1C1B-4A4F-8B5A-A531E364B7A6}"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
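The entries that CFScript targets above share two tells that are worth recognising in any HijackThis or ComboFix log: a core Windows binary name (winlogon.exe) launched from a user profile, and DLLs with random-looking names pulled in by rundll32 Run keys or injected into winlogon.exe. The following Python script is an added illustration, not a tool from this thread or from ComboFix/HijackThis: it parses O4 lines and the "DLLs Loaded Under Running Processes" block and flags those two patterns. The sample lines are copied from the logs posted above, plus one benign rundll32 entry constructed here for contrast; the random-name rule (vowel ratio and case flips) is my own rule of thumb, not a vendor signature, so every hit still needs an analyst to confirm it.

```python
"""Triage helper for HijackThis O4 lines and the ComboFix 'DLLs Loaded Under
Running Processes' block. Added example; not a tool from this thread."""
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the HijackThis and ComboFix logs in this thread,
# plus one benign rundll32 Run entry constructed here for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\z43\winlogon.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BM3f98707b] Rundll32.exe "C:\WINDOWS\system32\qxreqsos.dll",s
O4 - HKLM\..\Run: [3cab43e7] rundll32.exe "C:\WINDOWS\system32\wcipidxv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ConstructedBenign] rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
-> C:\WINDOWS\system32\opnnKddc.dll
-> C:\Documents and Settings\z43\winlogon.exe
-> C:\WINDOWS\system32\mlJDuuSi.dll
"""

# Core Windows binaries that should never run from a user profile directory.
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "smss.exe", "lsass.exe",
                   "csrss.exe", "svchost.exe", "explorer.exe"}
PROFILE_DIRS = ("c:\\documents and settings\\", "c:\\users\\")

# 'O4 - HKLM\..\Run: [name] command line'
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# 'rundll32.exe "path\to.dll",entrypoint' with optional quotes and entry point
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?(?:,(?P<entry>\S*))?\s*$', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_user_profile(path: str) -> bool:
    return path.lower().startswith(PROFILE_DIRS)


def looks_random(stem: str) -> bool:
    """Rule of thumb (my own heuristic, not a signature): 6-10 letters with
    few vowels, or with several lower-to-upper case flips inside the word."""
    if not (6 <= len(stem) <= 10 and stem.isalpha()):
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    case_flips = sum(a.islower() and b.isupper() for a, b in zip(stem, stem[1:]))
    return vowel_ratio < 0.3 or case_flips >= 2


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (program_path, arguments) for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?i)(.+?\.(?:exe|com|scr|bat|cmd))(?:\s+(.*))?$", cmd)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious Run entry or loaded module."""
    findings: List[Dict[str, str]] = []
    process = ""  # set by 'PROCESS:' lines in the ComboFix module listing
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r:
                dll = r.group("dll")
                if looks_random(basename(dll).rpartition(".")[0]):
                    findings.append({"path": dll, "reason": "random-looking DLL loaded via rundll32 from Run key"})
                continue
            exe, _ = split_command(cmd)
            if basename(exe).lower() in SYSTEM_BINARIES and in_user_profile(exe):
                findings.append({"path": exe, "reason": "system binary name running from a user profile"})
            continue
        if line.startswith("PROCESS:"):
            process = line[len("PROCESS:"):].strip()
        elif line.startswith("-> "):
            module = line[3:].strip()
            stem, _, ext = basename(module).rpartition(".")
            if in_user_profile(module):
                findings.append({"path": module, "reason": f"module from user profile loaded into {basename(process)}"})
            elif ext.lower() == "dll" and looks_random(stem):
                findings.append({"path": module, "reason": f"random-looking DLL loaded into {basename(process)}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}: {f['path']}")
```

Run against the sample it reports six hits (the profile-resident winlogon.exe twice, once as a Run entry and once as a module inside the real winlogon.exe, plus qxreqsos, wcipidxv, opnnKddc and mlJDuuSi) and stays quiet on WinVNC, ctfmon, NavLogon and the constructed shell32 line. The name heuristic is deliberately scoped to DLLs reached through rundll32 or process injection; applied to every executable it would also trip on legitimate short names such as ctfmon.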

#5
Mikey Boh

Mikey Boh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
After using ComboFix to run CFScript.txt, here is

1. the ComboFix.txt file:

ComboFix 08-07-17.4 - z43 2008-07-18 14:25:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT -5:00]
Running from: C:\Documents and Settings\z43\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\z43\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Administrator\winlogon.exe
C:\Documents and Settings\TEMP.ILEADS\1313.bat
C:\Documents and Settings\TEMP.ILEADS\2109.bat
C:\Documents and Settings\TEMP.ILEADS\3198.bat
C:\Documents and Settings\TEMP.ILEADS\4002.bat
C:\Documents and Settings\TEMP.ILEADS\7897.bat
C:\Documents and Settings\TEMP.ILEADS\winlogon.exe
C:\Documents and Settings\z43\winlogon.exe
C:\WINDOWS\BM3f98707b.xml
C:\WINDOWS\sssTbarV2.ini
C:\WINDOWS\st_affiliate.ini
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\cflcswoc.txb
C:\WINDOWS\system32\ffzumdzl.lir
C:\WINDOWS\system32\haejqr.dll
C:\WINDOWS\system32\ipjqjonx.agz
C:\WINDOWS\system32\ljJaWnMF.dll
C:\WINDOWS\system32\mlJDuuSi.dll
C:\WINDOWS\system32\opnnKddc.dll
C:\WINDOWS\system32\qpyclhnn.ngn
C:\WINDOWS\system32\wusrhsqr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\winlogon.exe
C:\Documents and Settings\TEMP.ILEADS\1313.bat
C:\Documents and Settings\TEMP.ILEADS\2109.bat
C:\Documents and Settings\TEMP.ILEADS\3198.bat
C:\Documents and Settings\TEMP.ILEADS\4002.bat
C:\Documents and Settings\TEMP.ILEADS\7897.bat
C:\Documents and Settings\TEMP.ILEADS\winlogon.exe
C:\Documents and Settings\z43\winlogon.exe
C:\Temp\stmpv4
C:\Temp\zpv201
C:\WINDOWS\BM3f98707b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\sssTbarV2.ini
C:\WINDOWS\st_affiliate.ini
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\aumsDK18
C:\WINDOWS\system32\cflcswoc.txb
C:\WINDOWS\system32\ffzumdzl.lir
C:\WINDOWS\system32\hqsvrviu.dll
C:\WINDOWS\system32\ipjqjonx.agz
C:\WINDOWS\system32\iSuuDJlm.ini
C:\WINDOWS\system32\iSuuDJlm.ini2
C:\WINDOWS\system32\ljJaWnMF.dll
C:\WINDOWS\system32\mlJDuuSi.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mzjphl.dll
C:\WINDOWS\system32\olixds18
C:\WINDOWS\system32\opnnKddc.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qpyclhnn.ngn
C:\WINDOWS\system32\qxreqsos.dll
C:\WINDOWS\system32\vxdipicw.ini
C:\WINDOWS\system32\wcipidxv.dll
C:\WINDOWS\system32\wusrhsqr.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-18 12:11 . 2008-07-18 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 11:49 . 54,156 C:\WINDOWS\QTFont.qfn
2008-07-18 11:49 . 1,409 C:\WINDOWS\QTFont.for
2008-07-17 14:24 . 2008-07-18 11:13 <DIR> d-------- C:\Documents and Settings\z43\Application Data\U3
2008-07-17 14:23 . 2008-07-18 07:46 <DIR> d-------- C:\Documents and Settings\z43\Application Data\AVGTOOLBAR
2008-07-17 14:15 . 2008-07-17 14:15 <DIR> d-------- C:\Deckard
2008-07-17 09:22 . 2008-07-17 09:22 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-17 09:21 . 2008-07-17 09:22 73,216 --ahs---- C:\Thumbs.db
2008-07-17 08:55 . 2008-07-17 09:06 <DIR> d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\AVGTOOLBAR
2008-07-16 15:53 . 2008-07-18 14:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-16 15:31 . 2008-07-18 09:32 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 15:31 . 2008-07-16 15:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-16 15:31 . 2008-07-16 15:31 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-16 15:31 . 2008-07-16 15:31 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-16 11:02 . 2008-07-16 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-16 10:56 . 2008-07-16 10:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-15 13:41 . 2008-07-15 13:41 <DIR> d-------- C:\Program Files\AVG
2008-07-15 11:17 . 2008-07-15 11:17 2,386 --a------ C:\WINDOWS\wininit.ini
2008-07-15 11:11 . 2008-07-15 11:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 10:48 . 2008-07-15 10:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-15 10:48 . 2008-07-16 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 10:17 . 2008-07-15 10:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-07-11 09:28 . 2008-07-16 11:54 <DIR> d--hs---- C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA
2008-07-09 15:58 . 2008-07-17 12:01 37,376 --a------ C:\Documents and Settings\TEMP.ILEADS\services.exe
2008-07-09 15:24 . 2008-07-10 08:19 <DIR> d-------- C:\Program Files\Conduit
2008-07-09 15:24 . 2008-07-09 15:34 <DIR> d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\BitZipper
2008-07-09 15:14 . 2008-07-09 15:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-07-09 15:14 . 2008-07-09 15:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-07-09 15:13 . 2007-10-10 17:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-07-09 15:13 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motport.sys
2008-07-09 15:13 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-07-09 15:13 . 2007-11-02 15:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-07-09 15:13 . 2007-01-22 19:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-07-09 15:13 . 2007-11-02 15:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-07-09 15:12 . 2008-07-09 15:12 <DIR> d-------- C:\Program Files\Motorola
2008-07-09 15:05 . 2008-07-09 15:05 25,600 --a------ C:\Documents and Settings\TEMP.ILEADS\usbsermptxp.sys
2008-07-09 15:05 . 2008-07-09 15:05 22,768 --a------ C:\Documents and Settings\TEMP.ILEADS\usbsermpt.sys
2008-07-09 10:08 . 2008-07-11 09:24 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-08 13:59 . 2008-07-08 13:59 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-07-08 13:59 . 2008-07-08 14:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 19:03 --------- d-----w C:\Documents and Settings\TEMP.ILEADS\Application Data\U3
2008-07-14 13:59 --------- d-----w C:\Program Files\Java
2008-07-09 21:00 109,249 ----a-w C:\Program Files\MSWINSCK.OCX
2008-07-09 20:48 --------- d-----w C:\Documents and Settings\TEMP.ILEADS\Application Data\LimeWire
2008-06-17 14:56 --------- d-----w C:\Program Files\MCS
2008-06-17 14:21 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-06-17 14:21 249,856 ------w C:\WINDOWS\Setup1.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-29 15:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 15:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 01:01 1,568 ----a-w C:\mcs.reg
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( [email protected]_11.42.10.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:44 116,224 -c--a-w C:\WINDOWS\system32\dllcache\p2p.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 09:57 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2002-11-27 13:47 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [2007-01-31 10:57 414720]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 00:08 49152]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [1999-06-25 02:00 45056]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 17:23 868352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-09 09:47 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-16 15:31 1232152]
"BM3f98707b"="C:\WINDOWS\system32\qxreqsos.dll" [BU]
"3cab43e7"="C:\WINDOWS\system32\wcipidxv.dll" [BU]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-08-09 17:36:20 299008]

C:\Documents and Settings\TEMP.ILEADS\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2008-04-23 15:09:50 199688]
NameTray.exe [2003-09-03 12:17:28 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad\SYSVOL\ad.hsvcity.com\scripts\addtrackitadmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\IleadsMapReplace.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\1]
"Script"=rgswaimhpljc4600.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\1]
"Script"=rgswaimhpljc4600.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe"=
"C:\\Program Files\\RealVNC\\vncviewer.exe"=
"C:\\WINDOWS\\TIREMOTE\\wuser32.exe"=
"C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-16 15:31]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-16 15:31]
R2 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2007-01-31 10:43]
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe [2007-01-31 10:57]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-20 20:37]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 15:18]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-24 20:19]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 16:33:00 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\HP\digital imaging\bin\hpqwrg.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Windows Logon Applicationedc - C:\Documents and Settings\z43\winlogon.exe


**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Caere\PageKeeper30\system\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\system\PKToPass.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-07-18 14:57:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 19:56:51
ComboFix2.txt 2008-07-18 16:48:53

Pre-Run: 24,558,817,280 bytes free
Post-Run: 24,533,143,552 bytes free

267 --- E O F --- 2008-07-09 07:07:36


2. The hijackthis.log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:46 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM3f98707b] Rundll32.exe "C:\WINDOWS\system32\qxreqsos.dll",s
O4 - HKLM\..\Run: [3cab43e7] rundll32.exe "C:\WINDOWS\system32\wcipidxv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120135301024
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - https://10.254.254.2...aSpyRemoval.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O17 - HKLM\Software\..\Telephony: DomainName = ileads.ad.hsvcity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! Remoting Helper (TIRemotingHelper) - Unknown owner - C:\WINDOWS\TIRHService.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 8386 bytes
  • 0

#6
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\qxreqsos.dll
C:\WINDOWS\system32\wcipidxv.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM3f98707b"=-
"3cab43e7"=-

DirLook::
C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • SDFix
  • Combofix.txt
  • A new HijackThis log.

  • 0
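The two Run values the helper targets above are the ones in the HijackThis log that launch a DLL through rundll32 from system32 under a hex-looking value name, and the CFScript simply lists those DLLs under File:: and deletes the values under Registry::. The script below is an added example for this thread, not code from the original posts, HijackThis, SDFix or ComboFix: it parses O4 lines, applies that pattern as a triage heuristic of my own (rundll32 loader, DLL in system32, hex-like value name), renders the matching File:: and Registry:: sections, and also checks whether an odd directory name such as the DirLook target is unpadded base64 of readable text. The sample O4 lines are copied from the log posted earlier in this thread so it runs offline; the regexes and the heuristic are assumptions, and a hit is a lead to investigate, not a verdict.

```python
"""Triage of HijackThis O4 lines and CFScript generation (added example)."""
import base64
import re

# Constructed sample input: the O4 lines of interest copied from the
# HijackThis log posted earlier in this thread, so the script runs offline.
SAMPLE_O4 = """\
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKLM\\..\\Run: [BM3f98707b] Rundll32.exe "C:\\WINDOWS\\system32\\qxreqsos.dll",s
O4 - HKLM\\..\\Run: [3cab43e7] rundll32.exe "C:\\WINDOWS\\system32\\wcipidxv.dll",b
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# HijackThis abbreviates the Run keys as HKLM\..\Run; a CFScript needs the
# full key path.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# rundll32[.exe] followed by an optionally quoted DLL path, then ",entrypoint".
RUNDLL_RE = re.compile(r'^\s*rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)
# Value names such as 3cab43e7 or BM3f98707b: up to two letters, then 8+ hex digits.
HEXNAME_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-fA-F]{8,}")


def parse_o4(text):
    """Yield (hive, value_name, command) for every O4 Run line in the text."""
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def rundll32_target(command):
    """Return the DLL path when the command is a rundll32 DLL load, else None."""
    m = RUNDLL_RE.match(command)
    return m.group(1) if m else None


def is_suspicious(value_name, command):
    """Heuristic of my own (not any tool's rule): the loader is rundll32, the
    DLL lives in system32, and the value name is a hex-like token. That is the
    shape of the two entries the helper targeted in this thread; legitimate
    rundll32 autostarts exist, so treat a hit as a lead, not a verdict."""
    dll = rundll32_target(command)
    return (dll is not None
            and "\\system32\\" in dll.lower()
            and HEXNAME_RE.fullmatch(value_name) is not None)


def flagged_entries(text):
    """Return [(hive, value_name, dll_path), ...] for the suspicious O4 lines."""
    return [(hive, name, rundll32_target(cmd))
            for hive, name, cmd in parse_o4(text)
            if is_suspicious(name, cmd)]


def build_cfscript(entries):
    """Render the File:: and Registry:: sections of a CFScript: File:: deletes
    the listed DLLs, and "name"=- under a key deletes that Run value."""
    lines = ["File::"] + [dll for _, _, dll in entries] + ["", "Registry::"]
    for hive in sorted({h for h, _, _ in entries}):
        lines.append(f"[{RUN_KEYS[hive]}]")
        lines += [f'"{name}"=-' for h, name, _ in entries if h == hive]
    return "\n".join(lines) + "\n"


def decode_odd_dirname(name):
    """If a directory name is unpadded base64 of printable ASCII, return the
    decoded text, else None. Handy for names like the hidden+system folder
    ComboFix listed under C:\\WINDOWS in this thread."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", name):
        return None
    try:
        text = base64.b64decode(name + "=" * (-len(name) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


if __name__ == "__main__":
    hits = flagged_entries(SAMPLE_O4)
    for hive, name, dll in hits:
        print(f"suspicious: {hive}\\..\\Run [{name}] loads {dll}")
    print(build_cfscript(hits))
    print(decode_odd_dirname("SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA"))
```

Run as-is, it flags exactly the BM3f98707b and 3cab43e7 values, prints File:: and Registry:: sections identical to the helper's CFScript above (the DirLook line is a separate, manual decision), and reports that the DirLook directory name SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA is base64 for "Huntsville Police Department", which matches the hsvcity.com domain in the logs and says who named the folder, not whether its contents are benign. The hex-name test is deliberately narrow; widening it (for example to any rundll32 load from a user profile or temp directory) is the obvious next step when triaging other logs.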

#7
Mikey Boh

    New Member

  • Topic Starter
  • Member
  • 4 posts
Sorry it's taken so long for this follow-up reply; the computer that's being worked on is at work in a secure area. I can only get to it when the user is there (Mon-Fri 8-5).

Ran SDFix, ComboFix, and HijackThis. Here are the log files from each of them:

1. The SDFix report file:

SDFix: Version 1.207
Run by z43 on Mon 07/21/2008 at 08:40 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

disk not found C:\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe"="C:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe:*:Enabled:Run VNC Server"
"C:\\Program Files\\RealVNC\\vncviewer.exe"="C:\\Program Files\\RealVNC\\vncviewer.exe:*:Enabled:Run VNC Viewer"
"C:\\WINDOWS\\TIREMOTE\\wuser32.exe"="C:\\WINDOWS\\TIREMOTE\\wuser32.exe:*:Enabled:Track-It! Remote Control"
"C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"="C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe:*:Enabled:Track-It! Workstation Manager"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe"="C:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe:*:Enabled:Run VNC Server"
"C:\\Program Files\\RealVNC\\vncviewer.exe"="C:\\Program Files\\RealVNC\\vncviewer.exe:*:Enabled:Run VNC Viewer"
"C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"="C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe:*:Enabled:Track-It! Workstation Manager"
"C:\\WINDOWS\\TIREMOTE\\wuser32.exe"="C:\\WINDOWS\\TIREMOTE\\wuser32.exe:*:Enabled:Track-It! Remote Control"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Disabled:Ares p2p for windows"
"C:\\WINDOWS\\system32\\Winet556.Exe"="C:\\WINDOWS\\system32\\Winet556.Exe:*:Enabled:DPPlayer"
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdascaa.exe"="C:\\Program Files\\CyberDefender\\AntiSpyware\\cdascaa.exe:*:Enabled:CyberDefender Internet Security"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

Remaining Files :



Files with Hidden Attributes :

Sat 16 Dec 2006 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prf137.tmp"
Fri 9 Mar 2007 1,126,400 A..H. --- "C:\Documents and Settings\chris.riley\prf14B.tmp"
Fri 16 Feb 2007 1,048,576 A..H. --- "C:\Documents and Settings\chris.riley\prf15.tmp"
Wed 18 Oct 2006 1,048,576 A..H. --- "C:\Documents and Settings\chris.riley\prf1ED.tmp"
Thu 18 Jan 2007 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prf208.tmp"
Thu 12 Oct 2006 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prf22D.tmp"
Wed 26 Jul 2006 983,040 A..H. --- "C:\Documents and Settings\chris.riley\prf25.tmp"
Wed 22 Nov 2006 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prf265.tmp"
Thu 9 Nov 2006 1,048,576 A..H. --- "C:\Documents and Settings\chris.riley\prf27.tmp"
Thu 29 Mar 2007 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prf29A.tmp"
Tue 25 Jul 2006 937,984 A..H. --- "C:\Documents and Settings\chris.riley\prf3F.tmp"
Sun 24 Sep 2006 1,040,384 A..H. --- "C:\Documents and Settings\chris.riley\prf401.tmp"
Fri 9 Mar 2007 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prf47.tmp"
Fri 8 Jun 2007 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prf828.tmp"
Thu 5 Jul 2007 1,310,720 A..H. --- "C:\Documents and Settings\chris.riley\prfA26.tmp"
Wed 6 Dec 2006 1,073,152 A..H. --- "C:\Documents and Settings\chris.riley\prfBD.tmp"
Mon 16 Oct 2006 937,984 A..H. --- "C:\Documents and Settings\chris.riley\prfC.tmp"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 10 Jan 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Jun 2007 103,936 ...H. --- "C:\Documents and Settings\dnb.old\Personal\~WRL1812.tmp"
Mon 11 Jun 2007 104,960 ...H. --- "C:\Documents and Settings\dnb.old\Personal\~WRL4084.tmp"
Mon 7 Jan 2008 92,160 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL0724.tmp"
Mon 17 Mar 2008 107,520 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL0870.tmp"
Tue 4 Mar 2008 104,448 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL1288.tmp"
Mon 7 Jan 2008 92,672 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL1841.tmp"
Mon 17 Mar 2008 108,544 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL1915.tmp"
Sun 6 Jan 2008 94,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL2045.tmp"
Wed 28 Nov 2007 49,664 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL2165.tmp"
Wed 9 Jan 2008 94,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL2317.tmp"
Sun 6 Jan 2008 93,696 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL2485.tmp"
Sun 6 Jan 2008 94,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL2509.tmp"
Wed 9 Jan 2008 93,696 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3009.tmp"
Mon 26 Nov 2007 92,672 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3046.tmp"
Sat 5 Jan 2008 93,696 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3175.tmp"
Tue 20 Nov 2007 49,664 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3243.tmp"
Tue 8 Jan 2008 93,696 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3369.tmp"
Mon 7 Jan 2008 94,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3394.tmp"
Tue 8 Jan 2008 93,696 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3487.tmp"
Tue 8 Jan 2008 93,696 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3520.tmp"
Wed 9 Jan 2008 93,696 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3712.tmp"
Mon 7 Jan 2008 92,160 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL3720.tmp"
Thu 24 Apr 2008 30,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\~WRL4087.tmp"
Mon 11 Jun 2007 103,936 A..H. --- "C:\Documents and Settings\TEMP.ILEADS\Personal\~WRL1812.tmp"
Mon 11 Jun 2007 104,960 A..H. --- "C:\Documents and Settings\TEMP.ILEADS\Personal\~WRL4084.tmp"
Wed 13 Sep 2006 101,888 ...H. --- "C:\Documents and Settings\dnb.old\Personal\IA CASES\~WRL1694.tmp"
Tue 27 Mar 2007 108,032 ...H. --- "C:\Documents and Settings\dnb.old\Personal\IA FORMS\~WRL2844.tmp"
Mon 17 Dec 2007 282,624 A.SH. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\2007-12 (Dec)\SIV252.tmp"
Mon 14 Jul 2008 103,936 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL0103.tmp"
Thu 27 Sep 2007 122,368 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL0150.tmp"
Fri 25 Apr 2008 127,488 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL0405.tmp"
Thu 24 Apr 2008 114,176 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL0542.tmp"
Thu 24 Apr 2008 113,664 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL0624.tmp"
Fri 25 Apr 2008 116,224 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL0760.tmp"
Fri 25 Apr 2008 127,488 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL0854.tmp"
Wed 23 Apr 2008 105,472 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL1311.tmp"
Mon 14 Jul 2008 105,984 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL1564.tmp"
Wed 13 Sep 2006 101,888 A..H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL1694.tmp"
Fri 25 Apr 2008 127,488 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL1922.tmp"
Mon 14 Jul 2008 103,936 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL2546.tmp"
Wed 23 Apr 2008 107,008 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL2777.tmp"
Wed 23 Apr 2008 111,616 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL2818.tmp"
Fri 25 Apr 2008 125,952 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL2909.tmp"
Fri 25 Apr 2008 115,712 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL3545.tmp"
Mon 14 Jul 2008 105,472 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL3788.tmp"
Thu 24 Apr 2008 115,712 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL3806.tmp"
Wed 23 Apr 2008 111,104 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA CASES\~WRL3902.tmp"
Mon 15 Oct 2007 114,176 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA FORMS\~WRL0383.tmp"
Mon 15 Oct 2007 112,640 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA FORMS\~WRL1947.tmp"
Tue 27 Mar 2007 108,032 A..H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA FORMS\~WRL2844.tmp"
Fri 12 Oct 2007 114,176 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\My Documents\IA FORMS\~WRL3808.tmp"
Wed 13 Sep 2006 101,888 A..H. --- "C:\Documents and Settings\TEMP.ILEADS\Personal\IA CASES\~WRL1694.tmp"
Tue 27 Mar 2007 108,032 A..H. --- "C:\Documents and Settings\TEMP.ILEADS\Personal\IA FORMS\~WRL2844.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT32.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"
Tue 10 Jun 2008 30,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\Application Data\Microsoft\Word\~WRL0003.tmp"
Fri 21 Dec 2007 30,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 9 Jan 2008 30,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\Application Data\Microsoft\Word\~WRL0005.tmp"
Mon 21 Apr 2008 30,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\Application Data\Microsoft\Word\~WRL0457.tmp"
Tue 15 Apr 2008 30,208 ...H. --- "C:\Documents and Settings\TEMP.ILEADS\Application Data\Microsoft\Word\~WRL2594.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\TEMP.ILEADS\Application Data\U3\temp\Launchpad Removal.exe"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\z43\Application Data\U3\temp\Launchpad Removal.exe"

Finished!


2. The ComboFix.txt file:

ComboFix 08-07-17.4 - z43 2008-07-21 8:54:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.111 [GMT -5:00]
Running from: C:\Documents and Settings\z43\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\z43\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\qxreqsos.dll
C:\WINDOWS\system32\wcipidxv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://hpdpsc
.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-21 08:59 . 2008-07-21 08:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 08:59 . 2008-07-21 08:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-21 08:35 . 2008-07-21 08:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-21 08:32 . 2008-07-21 08:50 <DIR> d-------- C:\SDFix
2008-07-18 15:26 . 2008-07-18 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GroupPolicy
2008-07-18 12:11 . 2008-07-18 12:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 14:24 . 2008-07-18 11:13 <DIR> d-------- C:\Documents and Settings\z43\Application Data\U3
2008-07-17 14:23 . 2008-07-21 08:31 <DIR> d-------- C:\Documents and Settings\z43\Application Data\AVGTOOLBAR
2008-07-17 14:15 . 2008-07-17 14:15 <DIR> d-------- C:\Deckard
2008-07-17 09:22 . 2008-07-17 09:22 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-17 09:21 . 2008-07-17 09:22 73,216 --ahs---- C:\Thumbs.db
2008-07-17 08:55 . 2008-07-17 09:06 <DIR> d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\AVGTOOLBAR
2008-07-16 15:53 . 2008-07-18 14:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-16 15:31 . 2008-07-20 20:50 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 15:31 . 2008-07-16 15:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-07-16 15:31 . 2008-07-16 15:31 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-16 15:31 . 2008-07-16 15:31 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-16 11:02 . 2008-07-16 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-16 10:56 . 2008-07-16 10:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-15 13:41 . 2008-07-15 13:41 <DIR> d-------- C:\Program Files\AVG
2008-07-15 11:17 . 2008-07-15 11:17 2,386 --a------ C:\WINDOWS\wininit.ini
2008-07-15 11:11 . 2008-07-15 11:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 10:48 . 2008-07-15 10:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-15 10:48 . 2008-07-16 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-11 10:17 . 2008-07-15 10:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-07-11 09:28 . 2008-07-16 11:54 <DIR> d--hs---- C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA
2008-07-09 15:58 . 2008-07-17 12:01 37,376 --a------ C:\Documents and Settings\TEMP.ILEADS\services.exe
2008-07-09 15:24 . 2008-07-10 08:19 <DIR> d-------- C:\Program Files\Conduit
2008-07-09 15:24 . 2008-07-09 15:34 <DIR> d-------- C:\Documents and Settings\TEMP.ILEADS\Application Data\BitZipper
2008-07-09 15:14 . 2008-07-09 15:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-07-09 15:14 . 2008-07-09 15:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-07-09 15:13 . 2007-10-10 17:41 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-07-09 15:13 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motport.sys
2008-07-09 15:13 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-07-09 15:13 . 2007-11-02 15:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-07-09 15:13 . 2007-01-22 19:33 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-07-09 15:13 . 2007-11-02 15:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-07-09 15:12 . 2008-07-09 15:12 <DIR> d-------- C:\Program Files\Motorola
2008-07-09 15:05 . 2008-07-09 15:05 25,600 --a------ C:\Documents and Settings\TEMP.ILEADS\usbsermptxp.sys
2008-07-09 15:05 . 2008-07-09 15:05 22,768 --a------ C:\Documents and Settings\TEMP.ILEADS\usbsermpt.sys
2008-07-09 10:08 . 2008-07-11 09:24 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-09 02:23 . 2008-06-20 05:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-07-08 13:59 . 2008-07-08 13:59 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-07-08 13:59 . 2008-07-08 14:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 19:03 --------- d-----w C:\Documents and Settings\TEMP.ILEADS\Application Data\U3
2008-07-14 13:59 --------- d-----w C:\Program Files\Java
2008-07-09 21:00 109,249 ----a-w C:\Program Files\MSWINSCK.OCX
2008-07-09 20:48 --------- d-----w C:\Documents and Settings\TEMP.ILEADS\Application Data\LimeWire
2008-06-20 20:22 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-17 14:56 --------- d-----w C:\Program Files\MCS
2008-06-17 14:21 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-06-17 14:21 249,856 ------w C:\WINDOWS\Setup1.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-29 16:16 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll
2008-05-29 15:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 15:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 01:01 1,568 ----a-w C:\mcs.reg
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA ----



((((((((((((((((((((((((((((( [email protected]_11.42.10.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-20 19:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-21 13:35:51 1,273,856 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-21 13:35:51 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-20 19:35:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-21 13:35:49 1,273,856 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-21 13:35:49 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-07-09 07:07:26 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-18 20:23:14 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-07-09 07:07:27 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-07-18 20:23:14 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-07-09 07:07:27 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-07-18 20:23:14 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-07-09 07:07:26 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-18 20:23:14 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-07-09 07:07:27 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-18 20:23:15 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-07-09 07:07:27 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-18 20:23:15 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-07-09 07:07:27 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-18 20:23:15 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-07-09 07:07:27 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-18 20:23:15 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-07-09 07:07:26 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-18 20:23:14 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-07-09 07:07:26 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-18 20:23:14 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-07-09 07:07:27 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-07-18 20:23:15 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-09 07:07:26 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-07-18 20:23:13 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-09 07:07:26 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-18 20:23:13 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-21 04:11:12 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 07:56:44 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2004-08-04 07:56:44 116,224 -c--a-w C:\WINDOWS\system32\dllcache\p2p.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 20:22:08 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-21 04:11:12 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-10-09 03:51:14 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-10-05 20:42:10 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 09:57 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2002-11-27 13:47 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [2007-01-31 10:57 414720]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 00:08 49152]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [1999-06-25 02:00 45056]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 17:23 868352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-09 09:47 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-16 15:31 1232152]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-08-09 17:36:20 299008]

C:\Documents and Settings\TEMP.ILEADS\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2008-04-23 15:09:50 199688]
NameTray.exe [2003-09-03 12:17:28 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad\SYSVOL\ad.hsvcity.com\scripts\addtrackitadmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-1006\Scripts\Logon\1\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\IleadsMapReplace.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\1\0]
"Script"=\\hpdpsc\NETLOGON\removeileads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2600\Scripts\Logon\2\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-2820\Scripts\Logon\0\2]
"Script"=\\hpdpsc\NETLOGON\AlaCOP.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3438\Scripts\Logon\0\1]
"Script"=rgswaimhpljc4600.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\0]
"Script"=\\hpdpsc\NETLOGON\WrittenDirectives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\0\1]
"Script"=\\hpdpsc\NETLOGON\Written Directive Acknowledgement Web Site.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\0]
"Script"=rgswaimhplj1200.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1748781540-81348466-22564546-3877\Scripts\Logon\1\1]
"Script"=rgswaimhpljc4600.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe"=
"C:\\Program Files\\RealVNC\\vncviewer.exe"=
"C:\\WINDOWS\\TIREMOTE\\wuser32.exe"=
"C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-16 15:31]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-16 15:31]
R2 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2007-01-31 10:43]
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe [2007-01-31 10:57]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
S2 Ca533av;Polaroid Digital Cam Video;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-20 20:37]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 15:18]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-24 20:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebc4650b-4f57-11dd-b9f7-0002e34aa33f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 16:33:00 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\HP\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-07-21 9:01:42
ComboFix-quarantined-files.txt 2008-07-21 14:01:34
ComboFix2.txt 2008-07-18 19:57:42
ComboFix3.txt 2008-07-18 16:48:53

Pre-Run: 24,310,493,184 bytes free
Post-Run: 24,288,677,888 bytes free

260 --- E O F --- 2008-07-18 20:23:59

3. The HijackThis.log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:28 AM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120135301024
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - https://10.254.254.2...aSpyRemoval.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O17 - HKLM\Software\..\Telephony: DomainName = ileads.ad.hsvcity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ileads.ad.hsvcity.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! Remoting Helper (TIRemotingHelper) - Unknown owner - C:\WINDOWS\TIRHService.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 8158 bytes

#8
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • C:\Documents and Settings\TEMP.ILEADS\services.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\Winet556.Exe

Folder::
C:\Program Files\CyberDefender
C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\Winet556.Exe"=-
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdascaa.exe"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org result
  • Combofix.txt
  • A new HijackThis log.

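The two items the reply above pulls out of the logs (the services.exe sitting in a user profile folder and the base64-looking folder under C:\WINDOWS) can be found mechanically, which matters when a log runs to hundreds of lines. The script below is an added example for this page, not part of the original thread and not a feature of ComboFix, HijackThis or Deckard's System Scanner. It runs over a few lines copied from the logs above (constructed input); the list of system process names, the path regex and the "random name" heuristic are the example's own assumptions. The random-name check only nominates candidates: AVG's own avgrsstx.dll trips it, which is why a hit should be confirmed by an online scan (as the reply does for services.exe) before it goes into a File:: section.

```python
"""Mechanical triage of ComboFix / HijackThis log lines.

Added example, not a ComboFix or HijackThis feature.  The process-name
list, path regex and random-name heuristic are assumptions of this example.
"""
from __future__ import annotations

import base64
import re

# Constructed input: a handful of lines copied from the logs in the thread.
SAMPLE_LOG = r"""
FILE ::
C:\WINDOWS\system32\qxreqsos.dll
C:\WINDOWS\system32\wcipidxv.dll
2008-07-11 09:28 . 2008-07-16 11:54 <DIR> d--hs---- C:\WINDOWS\SHVudHN2aWxsZSBQb2xpY2UgRGVwYXJ0bWVudA
2008-07-09 15:58 . 2008-07-17 12:01 37,376 --a------ C:\Documents and Settings\TEMP.ILEADS\services.exe
2008-07-16 15:31 . 2008-07-16 15:31 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\services.exe
"""

# Core Windows process names malware likes to borrow (assumed list).  One of
# these outside %SystemRoot%\system32 deserves an online scan before anything.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}
SYSTEM32 = r"c:\windows\system32"

PATH_RE = re.compile(r"[A-Za-z]:\\.*")          # path is last on a log line
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
BASE64_NAME_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_path(line: str) -> str | None:
    """Return the Windows path on a log line, or None if there is none."""
    m = PATH_RE.search(line)
    return m.group(0).strip() if m else None


def split_path(path: str) -> tuple[str, str]:
    """Split into (lower-cased parent directory, final component)."""
    parts = path.rstrip("\\").split("\\")
    return "\\".join(parts[:-1]).lower(), parts[-1]


def is_misplaced_system_binary(path: str) -> bool:
    """A system process name living anywhere but %SystemRoot%\\system32."""
    parent, name = split_path(path)
    return name.lower() in SYSTEM_PROCESS_NAMES and parent != SYSTEM32


def looks_random_dll(path: str) -> bool:
    """Candidate filter for the 'randomly named DLL' pattern: eight lower-case
    letters in system32 with at most two vowels.  Legitimate names (AVG's
    avgrsstx.dll) match too, so every hit needs an online scan or hash lookup."""
    parent, name = split_path(path)
    if parent != SYSTEM32 or not RANDOM_DLL_RE.match(name):
        return False
    return sum(ch in "aeiou" for ch in name[:-4]) <= 2


def decode_base64_name(name: str) -> str | None:
    """Decode a file/folder name that is valid base64 for printable ASCII
    (the hidden C:\\WINDOWS folder in the log is one); None otherwise."""
    if not BASE64_NAME_RE.match(name):
        return None
    padded = name + "=" * (-len(name) % 4)      # names in the log are unpadded
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage(log_text: str) -> list[tuple[str, str]]:
    """Run the three checks over every path in the log; return (tag, path)."""
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for line in log_text.splitlines():
        path = extract_path(line)
        if not path or path in seen:
            continue
        seen.add(path)
        _, name = split_path(path)
        if is_misplaced_system_binary(path):
            findings.append(("misplaced-system-name", path))
        if looks_random_dll(path):
            findings.append(("random-dll-candidate", path))
        decoded = decode_base64_name(name)
        if decoded is not None:
            findings.append((f"base64-name:{decoded}", path))
    return findings


if __name__ == "__main__":
    for tag, path in triage(SAMPLE_LOG):
        print(f"{tag:40} {path}")
```

Paste a full ComboFix or HijackThis log into SAMPLE_LOG and the output is a short list of paths to hand to VirSCAN or a hash lookup; the base64 check decodes the folder name so you know what it says before deciding whether it belongs in a Folder:: section.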

#9
fenzodahl512
  • Malware Removal
  • 9,863 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
