Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Fake Windows Firewall possibly with AntivirusXP 08 [RESOLVED]

Started by mco12 , Aug 20 2008 07:05 PM

  • This topic is locked This topic is locked

#1
mco12
Posted 20 August 2008 - 07:05 PM

mco12

    New Member

  • Member
  • Pip
  • 4 posts
Hello,
Last night I am pretty sure I had Antivirus XP 08 but following instructions from another site I think I may have gotten rid of it. I scanned with Ad-aware, because I've been overseas all summer and my parents have been using my computer. That came up with a lot of stuff, then this site recommended Malwarebytes' Anti-Malware, so I ran that. My school also gave me Symantec, so that has been running sporadically. I also have Norton Security and Spyware Doctor. I'm pretty sure I don't need all of those, so if you can tell me which ones to uninstall after this mess is over that would be great. But now today I am getting what I'm 99% sure are fake windows firewall warnings like Trojan-clicker.win32.tiny.h and Trojan-spy.HTML.Bankfraud.dq and Trojan-Spy.Win32.Greenscreen. So, I ran HijackThis and the log said:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:13 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Meetinghouse\AEGIS SecureConnect\ConnectionClient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\rejgzyze.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [ssdiag] C:\WINDOWS\ssdiag.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [genhlp] C:\WINDOWS\system32\rejgzyze.exe
O4 - HKCU\..\Policies\Explorer\Run: [8Z68erYOBC] C:\Documents and Settings\HP_Administrator\Desktop\AdobeFlashPlayerHD.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188576088250
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: smartuiwin - {6C9BFDF8-97B9-349F-120C-0B1B33BEF07F} - C:\Program Files\fbiiht\smartuiwin.dll
O23 - Service: AEGIS SecureConnect Service (AEGIS SecureConnect) - Meetinghouse Data Communications - C:\Program Files\Meetinghouse\AEGIS SecureConnect\ConnectionClient.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14211 bytes




I would really really appreciate any help you can give me. Thanks
  • 0

Advertisements

#2
greyknight17
Posted 23 August 2008 - 09:37 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKCU\..\Run: [genhlp] C:\WINDOWS\system32\rejgzyze.exe
O21 - SSODL: smartuiwin - {6C9BFDF8-97B9-349F-120C-0B1B33BEF07F} - C:\Program Files\fbiiht\smartuiwin.dll
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpdj.exe (file missing)

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\rejgzyze.exe
C:\Program Files\fbiiht\

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Edited by greyknight17, 23 August 2008 - 09:37 AM.

  • 0

#3
mco12
Posted 23 August 2008 - 03:08 PM

mco12

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the help, I couldn't delete C:\Program Files\fbiiht\ it said it was either protected or in use. The other file I could delete and the other items all were fixed my Hijackthis. Let me know what to do next, sorry about the PM.




ComboFix 08-08-21.02 - HP_Administrator 2008-08-23 16:49:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1403 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\interclick.com\ud.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com\v1.0.0200\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com\v1.0.0201\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com\v1.0.0231\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com\v1.0.0233\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com\v1.0.0234\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\static.youku.com\v1.0.0314\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\v.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\v.youku.com\v1.0.0134\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\v.youku.com\v1.0.0143\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\v.youku.com\v1.0.0155\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\www.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\#SharedObjects\U3CVN8B9\www.youku.com\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#v.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#v.youku.com\settings.sol
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youku.com
C:\Documents and Settings\HP_Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youku.com\settings.sol
C:\Documents and Settings\HP_Administrator\Cookies\[email protected][2].txt
D:\Autorun.inf
F:\AUTORUN.INF

----- BITS: Possible infected sites -----

http://updates.pitt.edu
.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 15:18 . 2008-08-23 15:18 1,240 --a------ C:\net_save.dna
2008-08-23 15:17 . 2008-08-23 15:17 <DIR> d-------- C:\Program Files\support.com
2008-08-22 21:21 . 2007-12-11 14:42 49,904 -ra------ C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2008-08-22 21:17 . 2008-08-23 15:57 <DIR> d-------- C:\Netgear
2008-08-20 20:51 . 2008-08-20 20:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 20:38 . 2008-08-20 20:38 <DIR> d-------- C:\Program Files\ERUNT
2008-08-20 17:34 . 2008-08-20 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-20 17:11 . 2008-08-20 17:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-20 11:29 . 2008-08-20 11:29 61,440 --a------ C:\WINDOWS\system32\drivers\gtpyna.sys
2008-08-20 01:41 . 2008-08-20 01:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 01:41 . 2008-08-20 01:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-08-20 01:41 . 2008-08-20 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 01:41 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 01:41 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-20 01:25 . 2008-08-23 16:29 <DIR> d-------- C:\Program Files\fbiiht
2008-08-20 01:24 . 2008-08-20 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zqfybkps
2008-08-20 00:03 . 2008-08-21 08:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\skypePM
2008-08-20 00:03 . 2008-08-20 00:03 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-20 00:01 . 2008-08-21 14:46 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-08-19 23:55 . 2008-08-19 23:55 <DIR> d-------- C:\Program Files\Skype
2008-08-19 23:55 . 2008-08-19 23:55 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-19 23:55 . 2008-08-19 23:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-08-19 23:41 . 2008-08-19 23:41 <DIR> d-------- C:\Program Files\iPod
2008-08-19 23:39 . 2008-08-19 23:39 <DIR> d-------- C:\Program Files\Bonjour
2008-07-24 13:31 . 2008-08-23 13:33 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.blurb
2008-07-24 13:30 . 2008-07-24 13:30 <DIR> d-------- C:\Program Files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 20:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-23 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 10:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-22 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-20 15:45 --------- d-----w C:\Program Files\Java
2008-08-20 15:32 --------- d-----w C:\Program Files\Apple Software Update
2008-08-20 15:29 8,654 ----a-w C:\Program Files\tpsgkah.txt
2008-08-20 03:42 --------- d-----w C:\Program Files\iTunes
2008-08-20 03:38 --------- d-----w C:\Program Files\QuickTime
2008-08-15 19:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-07-10 07:04 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-06-26 00:23 --------- d-----w C:\Program Files\Canon
2008-06-24 00:31 --------- d-----w C:\Program Files\The Weather Channel FW
2008-05-31 00:30 0 -c--a-w C:\Program Files\temp01
2007-06-25 01:29 251 -c--a-w C:\Program Files\wt3d.ini
2006-10-27 01:41 709,525 -c--a-w C:\Program Files\iPodRip.zip
2006-09-13 00:01 1,444 -c--a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 21:45 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 19:43 95536]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 16:18 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-30 00:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 22:15 7311360]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 02:35 49152]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 12:05 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 01:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 01:34 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-17 23:18 180269]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 20:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 04:40 124656]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37 936960]
"ssdiag"="C:\WINDOWS\ssdiag.exe" [2004-07-14 13:28 57401]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 07:54 16010240 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 77312 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 22:15 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 04:06 12451]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-04 03:25:06 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 21:40:44 282624]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-07-17 23:36:25 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Maple 10\\jre\\bin\\java.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Maple 10\\jre\\bin\\maple.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AEGIS SecureConnect;AEGIS SecureConnect Service;C:\Program Files\Meetinghouse\AEGIS SecureConnect\ConnectionClient.exe [2006-03-03 10:44]
R2 Mtghouse;Meetinghouse 802.1x Protocol v3.4.10.0;C:\WINDOWS\system32\DRIVERS\Mtghouse.sys [2006-08-31 19:25]
R2 RTWTKRNL;Real-Time Windows Target;C:\WINDOWS\system32\drivers\RTWTKRNL.sys [2007-07-26 23:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 17:35]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 11:11]
S3 usb20l;SMC EZ Networking Compact 10/100 USB 2.0 Adapter;C:\WINDOWS\system32\DRIVERS\SMC2209.sys [2003-03-31 09:51]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a73d6e3-316e-11dc-8261-001731b9ccda}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-17 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
HKCU-Explorer_Run-8Z68erYOBC - C:\Documents and Settings\HP_Administrator\Desktop\AdobeFlashPlayerHD.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ohloz8qu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.pitt.edu/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 16:54:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSSdk23]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk23.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-08-23 17:02:10 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2008-08-23 21:02:06

Pre-Run: 260,213,174,272 bytes free
Post-Run: 260,419,239,936 bytes free

235 --- E O F --- 2008-08-14 07:05:43
  • 0

#4
greyknight17
Posted 24 August 2008 - 09:05 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\Program Files\tpsgkah.txt
Folder::
C:\Program Files\fbiiht
C:\Documents and Settings\All Users\Application Data\zqfybkps
C:\Program Files\temp01

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#5
mco12
Posted 24 August 2008 - 10:26 AM

mco12

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
ComboFix 08-08-21.02 - HP_Administrator 2008-08-24 12:22:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1342 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\tpsgkah.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\zqfybkps
C:\Program Files\fbiiht
C:\Program Files\fbiiht\smartuiwin.dll
C:\Program Files\temp01\
C:\Program Files\tpsgkah.txt

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-24 12:20 . 2008-08-24 12:21 <DIR> d-------- C:\Documents and Settings\HP_Administrator\0900a5a2802e946d
2008-08-23 19:32 . 2008-08-23 19:32 <DIR> d-------- C:\Program Files\0900a5a2802e946d
2008-08-23 19:05 . 2008-08-23 19:05 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-23 19:04 . 2007-08-13 20:57 550,196 --a------ C:\WINDOWS\hpdj5600.hi2
2008-08-23 19:04 . 2007-08-13 20:57 12,790 --a------ C:\WINDOWS\hpdj5600.bu2
2008-08-23 18:32 . 2008-08-23 18:34 <DIR> d-------- C:\Program Files\ATnotes
2008-08-23 15:18 . 2008-08-23 15:18 1,240 --a------ C:\net_save.dna
2008-08-23 15:17 . 2008-08-23 15:17 <DIR> d-------- C:\Program Files\support.com
2008-08-22 21:21 . 2007-12-11 14:42 49,904 -ra------ C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2008-08-22 21:17 . 2008-08-23 15:57 <DIR> d-------- C:\Netgear
2008-08-20 20:51 . 2008-08-20 20:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 20:38 . 2008-08-20 20:38 <DIR> d-------- C:\Program Files\ERUNT
2008-08-20 17:34 . 2008-08-20 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-20 17:11 . 2008-08-20 17:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-20 11:29 . 2008-08-20 11:29 61,440 --a------ C:\WINDOWS\system32\drivers\gtpyna.sys
2008-08-20 01:41 . 2008-08-20 01:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 01:41 . 2008-08-20 01:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-08-20 01:41 . 2008-08-20 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 01:41 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 01:41 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-20 00:03 . 2008-08-21 08:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\skypePM
2008-08-20 00:03 . 2008-08-20 00:03 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-20 00:01 . 2008-08-21 14:46 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-08-19 23:55 . 2008-08-19 23:55 <DIR> d-------- C:\Program Files\Skype
2008-08-19 23:55 . 2008-08-19 23:55 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-19 23:55 . 2008-08-19 23:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-08-19 23:41 . 2008-08-19 23:41 <DIR> d-------- C:\Program Files\iPod
2008-08-19 23:39 . 2008-08-19 23:39 <DIR> d-------- C:\Program Files\Bonjour
2008-07-24 13:31 . 2008-08-23 13:33 <DIR> d-------- C:\Documents and Settings\HP_Administrator\.blurb
2008-07-24 13:30 . 2008-07-24 13:30 <DIR> d-------- C:\Program Files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-23 23:33 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-23 20:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-23 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 10:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-20 15:45 --------- d-----w C:\Program Files\Java
2008-08-20 15:32 --------- d-----w C:\Program Files\Apple Software Update
2008-08-20 03:42 --------- d-----w C:\Program Files\iTunes
2008-08-20 03:38 --------- d-----w C:\Program Files\QuickTime
2008-08-15 19:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-07-10 07:04 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-26 00:23 --------- d-----w C:\Program Files\Canon
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 00:31 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-31 00:30 0 -c--a-w C:\Program Files\temp01
2008-05-29 15:16 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll
2007-06-25 01:29 251 -c--a-w C:\Program Files\wt3d.ini
2006-10-27 01:41 709,525 -c--a-w C:\Program Files\iPodRip.zip
2006-09-13 00:01 1,444 -c--a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-23_17.01.51.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-08-23\ERDNT.EXE
+ 2008-08-23 20:56:48 5,906,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-08-23\Users\00000001\NTUSER.DAT
+ 2008-08-23 20:56:48 188,416 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-08-23\Users\00000002\UsrClass.dat
- 2006-08-25 17:50:20 25,214 -c--a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\ARPPRODUCTICON.exe
+ 2008-08-23 21:09:21 25,214 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\ARPPRODUCTICON.exe
- 2006-08-25 17:50:20 40,960 -c--a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-08-23 21:09:21 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2006-08-25 17:50:20 40,960 -c--a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-08-23 21:09:21 40,960 ----a-r C:\WINDOWS\Installer\{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2006-01-13 07:14:58 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 21:45 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 19:43 95536]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 16:18 785520]
"ATnotes.exe"="C:\Program Files\ATnotes\ATnotes.exe" [2005-01-05 15:45 1015808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-30 00:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 22:15 7311360]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 02:35 49152]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 12:05 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 01:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 01:34 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-17 23:18 180269]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 20:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 04:40 124656]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37 936960]
"ssdiag"="C:\WINDOWS\ssdiag.exe" [2004-07-14 13:28 57401]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 03:14 188416]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 07:54 16010240 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 77312 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 22:15 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 04:06 12451]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-04 03:25:06 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 21:40:44 282624]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-07-17 23:36:25 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Maple 10\\jre\\bin\\java.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Maple 10\\jre\\bin\\maple.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AEGIS SecureConnect;AEGIS SecureConnect Service;C:\Program Files\Meetinghouse\AEGIS SecureConnect\ConnectionClient.exe [2006-03-03 10:44]
R2 Mtghouse;Meetinghouse 802.1x Protocol v3.4.10.0;C:\WINDOWS\system32\DRIVERS\Mtghouse.sys [2006-08-31 19:25]
R2 RTWTKRNL;Real-Time Windows Target;C:\WINDOWS\system32\drivers\RTWTKRNL.sys [2007-07-26 23:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 17:35]
S2 hpdj5600;hpdj5600;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpdj5600.exe []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 11:11]
S3 usb20l;SMC EZ Networking Compact 10/100 USB 2.0 Adapter;C:\WINDOWS\system32\DRIVERS\SMC2209.sys [2003-03-31 09:51]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a73d6e3-316e-11dc-8261-001731b9ccda}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-17 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 12:24:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\PSSdk23]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk23.drv"
.
Completion time: 2008-08-24 12:25:21
ComboFix-quarantined-files.txt 2008-08-24 16:25:16
ComboFix2.txt 2008-08-23 21:02:11

Pre-Run: 260,167,987,200 bytes free
Post-Run: 260,149,985,280 bytes free

214 --- E O F --- 2008-08-14 07:05:43
  • 0

#6
greyknight17
Posted 26 August 2008 - 05:12 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Documents and Settings\HP_Administrator\0900a5a2802e946d /u
C:\Program Files\0900a5a2802e946d /u
C:\Program Files\temp01

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#7
mco12
Posted 26 August 2008 - 06:22 PM

mco12

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks a lot greyknight17, everything seems fine. Streaming videos takes a little longer but I'm not sure if that was related to the virus or something else. I have Malwarebytes' Anti-Malware, Symantec, Norton Security, Ad-aware and Spyware Doctor. I'm pretty sure I don't need all of those, so if you can recommend which ones to uninstall that would be great.
  • 0

#8
greyknight17
Posted 30 August 2008 - 09:33 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You may keep all of them if you want. Most of them don't have a real-time protection enabled unless it's the paid version.
  • 0

#9
greyknight17
Posted 30 August 2008 - 09:33 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP