
Infected Computer Please Help!


6 replies to this topic

#1 EWE33

EWE33

  • Members
  • 3 posts

Posted 03 September 2007 - 07:52 PM

Hello everyone!
I'm new to the board and I am asking for help.
I am not sure what kind of infection I have here....

I am steadily getting this pop up: http://k8l.info/uttc/udata2.txt

I'm running PC-cillin; it says there is a valera virus.

SpyBot shows Virtumonde and DriveCleaner 2006

I would greatly appreciate any help, I've taken all of the steps in the sticky.

Thanks for any help!

Eric

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:46 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\covspcxk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\xhrdhwcA.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [xhrdhwcA] C:\WINDOWS\xhrdhwcA.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\lawdlcwp.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175369601734
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\covspcxk.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\wuosyruprym.html

--
End of file - 10648 bytes

Edited by EWE33, 03 September 2007 - 09:04 PM.
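Reading a log like the one above by hand is what the helpers on this board do: an O4 Run entry whose target sits directly under C:\WINDOWS with an eight-letter name, an O23 service with an empty vendor field, an O2 or O20 entry whose file is already gone, a rundll32 autostart loading a DLL by path. As an added example (not code from this thread, from HijackThis or from Trend Micro), here is a small Python triager that encodes those signals and runs them over a constructed sample in the same format. The name heuristic is the weak signal it says it is, and the allowlist of core Windows binaries is an assumption that keeps svchost and ctfmon out of the output; a real review still checks each flagged file against a multi-engine scan.

```python
import re

# Constructed sample in HijackThis v2 format, modelled on entries that appear in
# this thread; it is not the complete log from the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [xhrdhwcA] C:\WINDOWS\xhrdhwcA.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\lawdlcwp.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {4F4C1987-F338-DDE5-1C14-FB8DB127D5E9} - C:\WINDOWS\system32\agmf.dll (file missing)
O20 - Winlogon Notify: efcddaw - efcddaw.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\covspcxk.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\wuosyruprym.html
"""

ENTRY_RE = re.compile(r"^(?P<type>[OR]\d+) - (?P<body>.+)$")
# Drive-letter path ending in an extension of interest; the lazy quantifier
# stops at the first such extension after the drive letter.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|html|sys)\b", re.IGNORECASE)
# Fallback for entries that name a file without a path (O20 lines).
BARE_FILE_RE = re.compile(r"\b[\w.-]+\.(?:exe|dll)\b", re.IGNORECASE)
# O23 layout is "Service: <display name> - <vendor> - <path>"; an empty
# vendor field collapses to " - - ", which this pattern tolerates.
SERVICE_RE = re.compile(r"^Service: (?P<svc>.*?) - (?P<vendor>.*?)\s*-\s*[A-Za-z]:\\")

# Assumed allowlist: core Windows XP binaries whose short consonant-heavy
# names would otherwise trip the name heuristic.
KNOWN_OS_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                  "spoolsv", "explorer", "ctfmon", "rundll32", "wisptis"}
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Weak signal: purely alphabetic, 6+ letters, with a run of 4+ consonants
    (e.g. 'xhrdhwcA', 'covspcxk'), excluding known OS binaries."""
    s = stem.lower()
    if s in KNOWN_OS_NAMES or not s.isalpha() or len(s) < 6:
        return False
    run = longest = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage(log_text: str) -> list:
    """Return the entries worth a second look, each with the reasons."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        etype, body = m.group("type"), m.group("body")
        paths = PATH_RE.findall(body)
        path = paths[-1] if paths else ""
        if not path:
            bare = BARE_FILE_RE.findall(body)
            path = bare[-1] if bare else ""
        if not path:
            continue
        filename = path.rsplit("\\", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
        reasons = []
        if "(file missing)" in body.lower():
            reasons.append("referenced file is missing (orphaned entry)")
        if etype in ("O4", "O23") and parent == r"c:\windows":
            reasons.append("executable placed directly in the Windows directory")
        if etype == "O4" and "rundll32" in body.lower() and filename.lower().endswith(".dll"):
            reasons.append("rundll32 autostart loading a DLL by path")
        if etype == "O23":
            sm = SERVICE_RE.match(body)
            vendor = sm.group("vendor").strip() if sm else ""
            if not vendor or vendor.lower() == "unknown owner":
                reasons.append("service has no vendor / unknown owner")
        if etype == "O24":
            reasons.append("Active Desktop component pointing at a local HTML file")
        if looks_random(stem):
            reasons.append("file name looks machine-generated")
        if reasons:
            findings.append({"type": etype, "file": filename, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:4} {f['file']:20} {'; '.join(f['reasons'])}")
```

Run as a script it lists six of the nine sample entries; jusched.exe, ctfmon.exe and LEXBCES.EXE pass. Every reason is something a reader can verify against the original line, which matters more than the score: the point of the allowlist and the "file missing" check is to keep a tool like this from flagging a clean system or talking a user into deleting a vendor service.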




#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 04 September 2007 - 04:35 AM

Hi EWE33,

Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 04 September 2007 - 11:12 AM

Hi

1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to give "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Symantec or Trend Micro.




2. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows



3. Please click this link-->Jotti
  • When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\WINDOWS\xhrdhwcA.exe
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


4. Please download Combofix to your desktop.
  • Double-click combo.exe to launch the application.
  • Follow the prompts that will be displayed on the screen.
  • Don't click on the window while the fix is running, because that will cause your system to hang.
  • When finished, it should produce a log, combofix.txt.
  • Post this log in your next reply together with a new HijackThis log and the results of the Jotti scan.
Regards,
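The Jotti step above asks for a multi-engine verdict rather than a single product's name, and the result EWE33 posts later in this thread shows why: eight of twenty engines flag the file, under five different labels, while the other twelve see nothing. As an added example (not code from this thread, from Jotti or from any of the engines), here is a Python script that parses that posted output, normalizes each vendor label to a family with an assumed keyword table, and reports the agreement count; the engine lines are copied from the post, the family keywords are my own.

```python
from collections import Counter

# Jotti results as posted in this thread (copied verbatim from the reply).
JOTTI_RESULTS = """\
A-Squared Found Trojan-Downloader.Win32.VB.ang
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:VB-ESA
AVG Antivirus Found Downloader.Generic5.DMS
BitDefender Found Adware.WebBuying.D
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.VB.ang
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.VB.ang
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.VB.ang
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.VB.ang
"""

# Assumed family keywords, checked in order so the more specific label wins:
# "Trojan-Downloader" is classed as a downloader, not as a generic trojan.
FAMILY_HINTS = [
    ("downloader", ("downloader", "download", "dldr")),
    ("adware", ("adware",)),
    ("backdoor", ("backdoor", "bdoor")),
    ("trojan", ("trojan", "troj")),
]


def parse_jotti(text: str) -> dict:
    """Map engine name -> label, or None when the engine reported nothing.
    Engine names may contain spaces, so split on the literal ' Found '."""
    verdicts = {}
    for line in text.splitlines():
        if " Found " not in line:
            continue
        engine, label = line.split(" Found ", 1)
        label = label.strip()
        verdicts[engine.strip()] = None if label.lower() == "nothing" else label
    return verdicts


def classify(label: str) -> str:
    """Reduce a vendor-specific label to a coarse family name."""
    low = label.lower()
    for family, hints in FAMILY_HINTS:
        if any(h in low for h in hints):
            return family
    return "unclassified"


def summarize(text: str) -> dict:
    verdicts = parse_jotti(text)
    detections = {e: l for e, l in verdicts.items() if l}
    families = Counter(classify(l) for l in detections.values())
    consensus, votes = families.most_common(1)[0] if families else ("clean", 0)
    return {
        "engines": len(verdicts),
        "detections": len(detections),
        "families": dict(families),
        "consensus": consensus,
        "consensus_votes": votes,
        "detecting_engines": sorted(detections),
    }


if __name__ == "__main__":
    s = summarize(JOTTI_RESULTS)
    print(f"{s['detections']}/{s['engines']} engines detected; "
          f"consensus: {s['consensus']} ({s['consensus_votes']} votes)")
    for fam, n in sorted(s["families"].items()):
        print(f"  {fam:12} {n}")
```

For the posted scan this reports 8/20 detections with six engines agreeing on a downloader, one calling it adware and one (Avast's "Win32:VB-ESA") giving only a platform tag. That split is the useful reading: a downloader verdict from six independent engines is what justifies treating the file as hostile, whichever vendor's string a user happens to quote.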

#4 EWE33

EWE33
  • Topic Starter

  • Members
  • 3 posts

Posted 04 September 2007 - 08:23 PM

Thank You lusitano!
I removed Symantec (I think!)

Here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:42 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {4F4C1987-F338-DDE5-1C14-FB8DB127D5E9} - C:\WINDOWS\system32\agmf.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175369601734
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O20 - Winlogon Notify: efcddaw - efcddaw.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\wuosyruprym.html

--
End of file - 9603 bytes


_______________________________________________________________________________________

Scan taken on 05 Sep 2007 00:53:34 (GMT)
A-Squared Found Trojan-Downloader.Win32.VB.ang
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:VB-ESA
AVG Antivirus Found Downloader.Generic5.DMS
BitDefender Found Adware.WebBuying.D
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.VB.ang
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.VB.ang
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.VB.ang
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.VB.ang

_____________________________________________________________________________________________

ComboFix 07-08-30.3 - "HP_Owner" 2007-09-04 20:01:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\winantispyware 2007
C:\DOCUME~1\HP_Owner\APPLIC~1\appatc~1
C:\DOCUME~1\HP_Owner\APPLIC~1\winantispyware 2007
C:\DOCUME~1\HP_Owner\APPLIC~1\winantispyware 2007 free
C:\DOCUME~1\HP_Owner\Desktop\internet.lnk
C:\DOCUME~1\HP_Owner\err.log
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule3.exe
C:\Program Files\ISM\syncupd.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\Messenger\wuosyruprym.html
C:\Program Files\Movie Maker\poxekit4444.dll
C:\Program Files\WinAntiSpyware 2007
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\032e20c33f02435c66cad8aa\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\032e20c33f02435c66cad8aa\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\032e20c33f02435c66cad8aa\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\24da8e275828407f24d7348f\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\24da8e275828407f24d7348f\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\24da8e275828407f24d7348f\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\4be1cf07b07f431bcc6ff3b6\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\4be1cf07b07f431bcc6ff3b6\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\42160f1b4f84468ec9c088b7\0bf876afe52344db5af2d4b8\4be1cf07b07f431bcc6ff3b6\#name
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\afsjplpb.ini
C:\WINDOWS\system32\agtgkfxi.dll
C:\WINDOWS\system32\alcpwrxr.ini
C:\WINDOWS\system32\andsfevt.ini
C:\WINDOWS\system32\aphmwhts.exe
C:\WINDOWS\system32\avyiuioc.dll
C:\WINDOWS\system32\axelbvyn.dll
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\bkqjgwqr.exe
C:\WINDOWS\system32\bplpjsfa.dll
C:\WINDOWS\system32\bqvjbhdn.ini
C:\WINDOWS\system32\cbitdhfc.exe
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\coiuiyva.ini
C:\WINDOWS\system32\configs
C:\WINDOWS\system32\covspcxk.exe
C:\WINDOWS\system32\djghqmfl.dll
C:\WINDOWS\system32\djwdiyfx.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\dvjmceba.exe
C:\WINDOWS\system32\extjipcn.exe
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\ffdonvco.exe
C:\WINDOWS\system32\fmmghqxx.exe
C:\WINDOWS\system32\fnuiplwd.exe
C:\WINDOWS\system32\foeisnov.ini
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gfjlpaii.dll
C:\WINDOWS\system32\honycieu.exe
C:\WINDOWS\system32\iftcytjs.ini
C:\WINDOWS\system32\iilioksc.exe
C:\WINDOWS\system32\iixsgcab.exe
C:\WINDOWS\system32\ixfkgtga.ini
C:\WINDOWS\system32\jhouymam.exe
C:\WINDOWS\system32\jpuaepix.ini
C:\WINDOWS\system32\jubfxnmt.exe
C:\WINDOWS\system32\kieuumnt.ini
C:\WINDOWS\system32\lajmjmqi.dll
C:\WINDOWS\system32\lawdlcwp.dll
C:\WINDOWS\system32\lfmqhgjd.ini
C:\WINDOWS\system32\ljrqotuo.exe
C:\WINDOWS\system32\ndhbjvqb.dll
C:\WINDOWS\system32\nfyvfjuy.exe
C:\WINDOWS\system32\ngcruvjn.dll
C:\WINDOWS\system32\njvurcgn.ini
C:\WINDOWS\system32\nnulybnk.exe
C:\WINDOWS\system32\npatothd.exe
C:\WINDOWS\system32\npnfxkjy.dll
C:\WINDOWS\system32\nuksqfay.ini
C:\WINDOWS\system32\nylvmfkh.exe
C:\WINDOWS\system32\nyvblexa.ini
C:\WINDOWS\system32\ooihfcgp.dll
C:\WINDOWS\system32\pgcfhioo.ini
C:\WINDOWS\system32\pwcldwal.ini
C:\WINDOWS\system32\qqyeujls.dll
C:\WINDOWS\system32\rxrwpcla.dll
C:\WINDOWS\system32\shapadqs.ini
C:\WINDOWS\system32\sjtyctfi.dll
C:\WINDOWS\system32\sljueyqq.ini
C:\WINDOWS\system32\spacqprv.dll
C:\WINDOWS\system32\sqdapahs.dll
C:\WINDOWS\system32\tnmuueik.dll
C:\WINDOWS\system32\tvefsdna.dll
C:\WINDOWS\system32\vonsieof.dll
C:\WINDOWS\system32\vrpqcaps.ini
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\xipeaupj.dll
C:\WINDOWS\system32\yafqskun.dll
C:\WINDOWS\system32\ygecbimy.ini
C:\WINDOWS\system32\yjkxfnpn.ini
C:\WINDOWS\system32\ymibcegy.dll
C:\WINDOWS\system32\ysdaxjlw.exe
C:\WINDOWS\system32\ysdkgvun.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\xhrdhwcA.exe
C:\WINDOWS\ystem~1
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-04 19:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 18:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-31 15:28 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-29 21:31 <DIR> d-------- C:\DOCUME~1\HP_Owner\.housecall6.6
2007-08-24 16:37 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-08-24 16:17 192,642 --a------ C:\WINDOWS\system32\owinmodt.exe
2007-08-23 18:05 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-08-23 18:05 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-08-23 18:05 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-08-23 18:05 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-08-23 18:05 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-08-23 18:05 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-23 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-14 20:56 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-14 20:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\ComcastToolbar
2007-08-14 14:37 7,923 --a------ C:\WINDOWS\system32\xqucxqes.dll
2007-08-13 11:39 7,923 --a------ C:\WINDOWS\system32\ugdkysnu.dll
2007-08-11 19:56 7,927 --a------ C:\WINDOWS\system32\gdprbute.dll
2007-08-10 12:42 7,927 --a------ C:\WINDOWS\system32\xusifpmr.dll
2007-08-10 00:27 7,927 --a------ C:\WINDOWS\system32\otpurlyi.dll
2007-08-09 20:56 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-08-09 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-08-09 00:43 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 19:33 --------- d--h----- C:\Program Files\Zero G Registry
2007-09-04 19:32 --------- d-------- C:\Program Files\Kids Cam Show and Share Creativity Center
2007-09-04 19:30 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-04 19:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-04 19:29 --------- d-------- C:\Program Files\Symantec
2007-08-19 20:53 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\AdobeUM
2007-08-12 14:58 --------- d-------- C:\Program Files\vso
2007-08-12 00:02 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Canon
2007-07-31 17:35 6466 --ahs---- C:\WINDOWS\system32\mpqss.bak1
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 08:34 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-30 08:34 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-30 08:34 48776 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-30 08:34 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-27 21:29 --------- d-------- C:\Program Files\TrueSwitch
2007-07-22 18:38 74872 --a------ C:\WINDOWS\TrueInstall.exe
2007-07-22 18:38 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\TrueSwitch
2007-07-22 18:23 --------- d-------- C:\Program Files\Comcast TW
2007-07-06 16:01 3645 --a--c--- C:\WINDOWS\viassary-hp.reg
2007-06-26 22:10 317440 --a------ C:\WINDOWS\system32\dllcache\unregmp2.exe
2007-06-26 10:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 03:12 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2007-01-23 18:45 722176 --a------ C:\DOCUME~1\HP_Owner\gotomypc_428.exe
2006-08-19 23:59 235540 --a--c--- C:\Program Files\NHL_Fonts_Final.zip
2006-08-07 17:44 80192336 --a--c--- C:\Program Files\SMARTBoardSetup95562.exe
2006-07-21 10:34 563712 --a--c--- C:\DOCUME~1\HP_Owner\gotomypc_370.exe
2005-12-29 16:15 563712 --a--c--- C:\DOCUME~1\HP_Owner\370_gotomypc.exe
2005-09-16 09:05 483401 --a--c--- C:\DOCUME~1\HP_Owner\314_gotomypc.exe
2005-06-20 09:46 2449408 --a--c--- C:\DOCUME~1\HP_Owner\gosetup.exe
2005-06-19 20:33 483401 --a--c--- C:\DOCUME~1\HP_Owner\gotomypc.exe
2005-08-08 17:06:37 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F4C1987-F338-DDE5-1C14-FB8DB127D5E9}]
C:\WINDOWS\system32\agmf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-12-01 17:15]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 04:04]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 06:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 06:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 08:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-01 17:39]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 15:38]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 08:43]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 05:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 05:40]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 04:57]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 09:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiSPower"="SiSPower.dll" [2005-04-12 11:31 C:\WINDOWS\system32\SiSPower.dll]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 01:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\wuosyruprym.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcddaw]
efcddaw.dll

R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
R3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pc22nd5.sys
R3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pc22unic.sys
S3 ca506aaf;ADS USB Audio Filter Driver (WDM);C:\WINDOWS\system32\drivers\ca506aaf.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINDOWS\system32\Drivers\SilvrLnk.sys
S3 SPCA506AV;USB Instant VCD;C:\WINDOWS\system32\DRIVERS\CA506AV.SYS


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c14fb90-f3f5-11d9-b56c-000e9b3607bb}]
AutoRun\command- JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb51ac5a-d49f-11d9-b519-000e9b3607bb}]
AutoRun\command- K:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d000b8ab-e0d8-11d9-b53a-000e9b3607bb}]
AutoRun\command- K:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d000b8ac-e0d8-11d9-b53a-000e9b3607bb}]
AutoRun\command- K:\JDSecure\Windows\JDSecure20.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 20:11:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 20:15:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 20:15

--- E O F ---

#5 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:12:15 PM

Posted 05 September 2007 - 07:03 AM

Hi

1. Please re-open HijackThis, click on "Scan" and check the boxes next to ONLY the entries listed below, "if still present":

O2 - BHO: (no name) - {4F4C1987-F338-DDE5-1C14-FB8DB127D5E9} - C:\WINDOWS\system32\agmf.dll (file missing)
O20 - Winlogon Notify: efcddaw - efcddaw.dll (file missing)

Then close all open windows (you should only see HijackThis on your Desktop and Taskbar)
Click on the Fix checked button.

A box will pop up asking you if you wish to fix the selected items. Please choose YES.
Once it has fixed them, please exit/close HijackThis.


2. Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\WINDOWS\DCEBoot.exe
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/106994/infected-computer-please-help/

Collect::
C:\WINDOWS\system32\xqucxqes.dll
C:\WINDOWS\system32\ugdkysnu.dll
C:\WINDOWS\system32\gdprbute.dll
C:\WINDOWS\system32\xusifpmr.dll
C:\WINDOWS\system32\otpurlyi.dll
C:\WINDOWS\system32\agmf.dll
C:\WINDOWS\system32\efcddaw.dll
C:\Program Files\Messenger\wuosyruprym.html
C:\WINDOWS\system32\mpqss.bak1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F4C1987-F338-DDE5-1C14-FB8DB127D5E9}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcddaw]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

  • Save this as: CFScript.txt
  • Drag CFScript.txt onto ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply, along with a new HijackThis log.
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
  • Please submit this file to: http://www.bleepingcomputer.com/submit-malware.php

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
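
The drop-set pattern behind the CFScript above (five random-named 7,923/7,927-byte DLLs in system32, created on consecutive days) can be picked out of a ComboFix "Files Created" report automatically. This is an added example, not code from the thread, ComboFix or HijackThis: it parses report lines, flags clusters of same-directory DLL/EXE files with random eight-letter names and near-identical sizes created within a few days of each other, and renders the hits as a Collect:: block. Sample lines are constructed from the entries in the log above; the thresholds (3 members, 64-byte size gap, 7 days) are assumptions.

```python
"""Triage helper for ComboFix "Files Created" report lines (added example,
not part of the thread, ComboFix or HijackThis). Parses lines of the form
`date time size attrs path` and flags clusters of random-named DLL/EXE files
with near-identical sizes that appeared in one directory within a few days."""
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample in the format of the ComboFix log in this thread, plus one
# legitimate eight-letter DLL (browseui.dll) that must not be flagged.
SAMPLE_LOG = r"""
2007-09-04 19:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 18:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-14 14:37 7,923 --a------ C:\WINDOWS\system32\xqucxqes.dll
2007-08-13 11:39 7,923 --a------ C:\WINDOWS\system32\ugdkysnu.dll
2007-08-11 19:56 7,927 --a------ C:\WINDOWS\system32\gdprbute.dll
2007-08-10 12:42 7,927 --a------ C:\WINDOWS\system32\xusifpmr.dll
2007-08-10 00:27 7,927 --a------ C:\WINDOWS\system32\otpurlyi.dll
2007-08-09 20:56 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-08-09 00:43 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-31 17:35 6466 --ahs---- C:\WINDOWS\system32\mpqss.bak1
2007-06-15 03:12 1022976 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-09-04 19:33 --------- d--h----- C:\Program Files\Zero G Registry
"""

# date, time (optional seconds, as in Find3M lines), size or <DIR>, attrs, path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})(?::\d{2})? "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
RANDOM_STEM = re.compile(r"[a-z]{8}")  # eight lowercase letters, no digits or case mix


@dataclass(frozen=True)
class Entry:
    created: datetime
    size: Optional[int]  # None for <DIR> entries and Find3M "---------" placeholders
    attrs: str
    path: PureWindowsPath


def parse_lines(text: str) -> List[Entry]:
    """Parse report lines; banners, registry keys and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        digits = m["size"].replace(",", "")
        size = int(digits) if digits.isdigit() else None
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append(Entry(created, size, m["attrs"], PureWindowsPath(m["path"])))
    return entries


def find_random_name_clusters(entries, min_members=3, size_gap=64, max_span_days=7):
    """Group random-named DLL/EXE files by directory and extension, then keep runs
    of near-identical size created within max_span_days (thresholds are assumed)."""
    groups = {}
    for e in entries:
        if e.size is None or e.path.suffix.lower() not in {".dll", ".exe"}:
            continue
        if not RANDOM_STEM.fullmatch(e.path.stem):
            continue
        key = (str(e.path.parent).lower(), e.path.suffix.lower())
        groups.setdefault(key, []).append(e)

    clusters = []
    for members in groups.values():
        members.sort(key=lambda e: e.size)
        run = [members[0]]
        for e in members[1:]:
            if e.size - run[-1].size <= size_gap:
                run.append(e)
            else:
                clusters.append(run)
                run = [e]
        clusters.append(run)

    hits = []
    for run in clusters:
        span = max(e.created for e in run) - min(e.created for e in run)
        if len(run) >= min_members and span.days <= max_span_days:
            hits.append(sorted(run, key=lambda e: e.created, reverse=True))
    return hits


def flagged_paths(text: str) -> List[str]:
    """Every file in a flagged cluster, newest first, as a Windows path string."""
    return [str(e.path) for run in find_random_name_clusters(parse_lines(text)) for e in run]


def cfscript_collect(paths: List[str]) -> str:
    """Render a CFScript Collect:: section in the form used in the reply above."""
    return "Collect::\n" + "\n".join(paths) + "\n"
```

`print(cfscript_collect(flagged_paths(SAMPLE_LOG)))` yields the five system32 DLLs and nothing else; a lone eight-letter name such as browseui.dll never clusters, so it is not flagged.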

#6 EWE33

EWE33
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:15 AM

Posted 05 September 2007 - 08:47 AM

I have to say that my computer is running much faster and the pop ups have gone away.
Wow!!!!

Here are my logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:43 AM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175369601734
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\wuosyruprym.html

--
End of file - 9456 bytes
_____________________________________________________________________________

ComboFix 07-08-30.3 - "HP_Owner" 2007-09-05 8:35:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.315 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-04 19:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 18:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-31 15:28 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-29 21:31 <DIR> d-------- C:\DOCUME~1\HP_Owner\.housecall6.6
2007-08-24 16:37 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-08-24 16:17 192,642 --a------ C:\WINDOWS\system32\owinmodt.exe
2007-08-23 18:05 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-08-23 18:05 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-08-23 18:05 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-08-23 18:05 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-08-23 18:05 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-08-23 18:05 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-23 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-14 20:56 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-08-14 20:56 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\ComcastToolbar
2007-08-14 14:37 7,923 --a------ C:\WINDOWS\system32\xqucxqes.dll
2007-08-13 11:39 7,923 --a------ C:\WINDOWS\system32\ugdkysnu.dll
2007-08-11 19:56 7,927 --a------ C:\WINDOWS\system32\gdprbute.dll
2007-08-10 12:42 7,927 --a------ C:\WINDOWS\system32\xusifpmr.dll
2007-08-10 00:27 7,927 --a------ C:\WINDOWS\system32\otpurlyi.dll
2007-08-09 20:56 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-08-09 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-08-09 00:43 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 19:33 --------- d--h----- C:\Program Files\Zero G Registry
2007-09-04 19:32 --------- d-------- C:\Program Files\Kids Cam Show and Share Creativity Center
2007-09-04 19:30 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-04 19:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-04 19:29 --------- d-------- C:\Program Files\Symantec
2007-08-19 20:53 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\AdobeUM
2007-08-12 14:58 --------- d-------- C:\Program Files\vso
2007-08-12 00:02 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Canon
2007-07-31 17:35 6466 --ahs---- C:\WINDOWS\system32\mpqss.bak1
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 08:34 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-30 08:34 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-30 08:34 48776 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-30 08:34 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-27 21:29 --------- d-------- C:\Program Files\TrueSwitch
2007-07-22 18:38 74872 --a------ C:\WINDOWS\TrueInstall.exe
2007-07-22 18:38 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\TrueSwitch
2007-07-22 18:23 --------- d-------- C:\Program Files\Comcast TW
2007-07-06 16:01 3645 --a--c--- C:\WINDOWS\viassary-hp.reg
2007-06-26 22:10 317440 --a------ C:\WINDOWS\system32\dllcache\unregmp2.exe
2007-06-26 10:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 03:12 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2007-01-23 18:45 722176 --a------ C:\DOCUME~1\HP_Owner\gotomypc_428.exe
2006-08-19 23:59 235540 --a--c--- C:\Program Files\NHL_Fonts_Final.zip
2006-08-07 17:44 80192336 --a--c--- C:\Program Files\SMARTBoardSetup95562.exe
2006-07-21 10:34 563712 --a--c--- C:\DOCUME~1\HP_Owner\gotomypc_370.exe
2005-12-29 16:15 563712 --a--c--- C:\DOCUME~1\HP_Owner\370_gotomypc.exe
2005-09-16 09:05 483401 --a--c--- C:\DOCUME~1\HP_Owner\314_gotomypc.exe
2005-06-20 09:46 2449408 --a--c--- C:\DOCUME~1\HP_Owner\gosetup.exe
2005-06-19 20:33 483401 --a--c--- C:\DOCUME~1\HP_Owner\gotomypc.exe
2005-08-08 17:06:37 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-12-01 17:15]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 04:04]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 06:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 06:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 08:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-01 17:39]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 15:38]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 08:43]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 05:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 05:40]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 04:57]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 09:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiSPower"="SiSPower.dll" [2005-04-12 11:31 C:\WINDOWS\system32\SiSPower.dll]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 01:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\wuosyruprym.html
FriendlyName=

R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
R3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pc22nd5.sys
R3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pc22unic.sys
S3 ca506aaf;ADS USB Audio Filter Driver (WDM);C:\WINDOWS\system32\drivers\ca506aaf.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINDOWS\system32\Drivers\SilvrLnk.sys
S3 SPCA506AV;USB Instant VCD;C:\WINDOWS\system32\DRIVERS\CA506AV.SYS


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c14fb90-f3f5-11d9-b56c-000e9b3607bb}]
AutoRun\command- JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb51ac5a-d49f-11d9-b519-000e9b3607bb}]
AutoRun\command- K:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d000b8ab-e0d8-11d9-b53a-000e9b3607bb}]
AutoRun\command- K:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d000b8ac-e0d8-11d9-b53a-000e9b3607bb}]
AutoRun\command- K:\JDSecure\Windows\JDSecure20.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 08:38:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 8:39:19
C:\ComboFix-quarantined-files.txt ... 2007-09-05 08:38
C:\ComboFix2.txt ... 2007-09-04 20:15

--- E O F ---

#7 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 06 September 2007 - 04:07 AM

Hi EWE33,

You missed step 2 from my previous post :thumbsup:

Please be careful with all the instructions, thank you. :flowers:


1. Please re-open HijackThis, click on "Scan" and check the boxes next to ONLY the entries listed below, "if still present":

O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\wuosyruprym.html

Then close all open windows (you should only see HijackThis on your Desktop and Taskbar)
Click on Posted Image button.
A box will pop up asking you if you wish to fix the selected items. Please choose YES.
Once it has fixed them, please exit/close HijackThis.


2. Please click this link-->Jotti
  • When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.
  • C:\WINDOWS\DCEBoot.exe
  • Repeat for this: C:\WINDOWS\system32\owinmodt.exe
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\xqucxqes.dll
C:\WINDOWS\system32\ugdkysnu.dll
C:\WINDOWS\system32\gdprbute.dll
C:\WINDOWS\system32\xusifpmr.dll
C:\WINDOWS\system32\otpurlyi.dll
C:\Program Files\Messenger\wuosyruprym.html
C:\WINDOWS\system32\mpqss.bak1

Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

  • Save this as: CFScript.txt
    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply, along with a new HijackThis log.
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
  • Please submit this file to: http://www.bleepingcomputer.com/submit-malware.php

4. In your next reply, please post:
  • New HijackThis log.
  • Jotti results (DCEBoot.exe and owinmodt.exe)
  • ComboFix log.
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
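After ComboFix has processed the CFScript, the useful verification step is to confirm that every path in its File:: section is actually gone and, for anything that survived, to record a SHA-256 hash that can be compared against the Jotti/VirusTotal result. The script below is an added example, not code from the thread or from ComboFix: it parses the File::/Registry:: sections of the CFScript posted above (embedded as a constant so it runs offline) and reports each file's presence and hash. The `exists`/`digest` parameters are hypothetical hooks so the logic can be tested on a machine that does not have those files.

```python
import hashlib
import os

# CFScript from the post above, embedded so the parser runs anywhere offline.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\xqucxqes.dll
C:\WINDOWS\system32\ugdkysnu.dll
C:\WINDOWS\system32\gdprbute.dll
C:\WINDOWS\system32\xusifpmr.dll
C:\WINDOWS\system32\otpurlyi.dll
C:\Program Files\Messenger\wuosyruprym.html
C:\WINDOWS\system32\mpqss.bak1

Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"""

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a section starts at 'Name::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def registry_actions(entries):
    """'[-KEY]' is the .reg-file convention for deleting a key, '[KEY]' for creating it."""
    actions = []
    for line in entries:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            actions.append(("create", line[1:-1]))
    return actions

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def check_files(paths, exists=os.path.isfile,
                digest=lambda p: sha256_bytes(open(p, "rb").read())):
    """{path: sha256 or None}; None = gone (the goal after ComboFix), a hash =
    survived, submit/compare it. exists/digest are hypothetical test hooks."""
    return {p: (digest(p) if exists(p) else None) for p in paths}
```

Run `check_files(parse_cfscript(open("CFScript.txt").read())["File"])` on the machine itself; any entry that comes back with a hash instead of None is a file ComboFix did not remove.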



