
Ntnut.exe, Slrundll.exe, Stcloader.exe, Taskman.exe, Mssvr.exe, Bokja.exe, Default.htm


3 replies to this topic

#1 bobwillis

Posted 14 April 2008 - 07:23 PM

Hello everyone,

These files mentioned above keep reinstalling themselves. I think they are responsible for changing my screen saver, pop-ups and disabling my task manager. I have CA Security Suite, Spybot but it keeps coming back. I also keep getting pop-ups about spyware and infections.

I ran HijackThis and I am attaching the log here. Any help will be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:22 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\System32\wltray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\oops\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mxopwwdp] C:\WINDOWS\system32\mrajgxez.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\oops\cftmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207494915703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207494902093
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DBF4951-ABDF-4F8C-81DD-BA5B1BA23DB8}: NameServer = 200.14.104.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{957C7945-B046-4EC7-B7C1-5C53AB9C3EFD}: NameServer = 200.14.104.51
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O21 - SSODL: RunOnceDrive - {169e00c7-c921-42b8-be38-21bca96850a7} - C:\WINDOWS\Installer\{169e00c7-c921-42b8-be38-21bca96850a7}\RunOnceDrive.dll (file missing)
O21 - SSODL: zip - {20eb3777-8f95-4a93-987e-808f5cd1158e} - C:\WINDOWS\Installer\{20eb3777-8f95-4a93-987e-808f5cd1158e}\zip.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8716 bytes
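A small triage script for HijackThis logs of the kind posted above, added here as an example; it is not part of the original thread and not HijackThis or BleepingComputer tooling. It parses the `Xn - ...` entries and flags the categories a log helper looks at first: extra Userinit entries, DNS servers set in the registry, AppInit_DLLs, autostarts without a full path or inside a user profile, orphaned registrations, and services with no publisher. The sample lines are copied from the log above; the heuristics and severity labels are my own assumptions, meant as a first pass for a human reviewer rather than a verdict.

```python
import re

# HijackThis entries look like "O4 - HKLM\..\Run: [name] path"; the prefix is
# the section code (F2, O2, O4, O17, O20, O21, O23, ...).
SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def _flag(sec, body):
    """Return a (severity, reason) pair for one entry, or None if nothing stands out.
    Severities are assumed labels: high = review immediately, medium/low = review."""
    if sec == "F2" and "UserInit=" in body:
        # Userinit normally lists only userinit.exe; every extra comma-separated
        # entry is started at logon alongside it.
        value = body.split("UserInit=", 1)[1]
        extras = [p.strip() for p in value.split(",")
                  if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
        if extras:
            return ("high", "extra Userinit entry: " + ", ".join(extras))
    if sec == "O2" and body.endswith("(no file)"):
        return ("low", "orphaned BHO registration (no file on disk)")
    if sec == "O4":
        # Everything after "[name] " is the command that runs at logon.
        target = body.split("] ", 1)[1] if "] " in body else body
        if "\\" not in target:
            return ("medium", "Run entry without a full path")
        if re.search(r"\\Documents and Settings\\", target, re.I):
            return ("medium", "Run entry launching from a user profile directory")
        if re.match(r"C:\\WINDOWS\\[^\\]+\.exe$", target, re.I):
            return ("medium", "executable placed directly in the Windows directory")
    if sec == "O17" and "NameServer" in body:
        return ("high", "DNS server overridden in the registry; confirm it is your ISP's")
    if sec == "O20" and "AppInit_DLLs" in body:
        return ("high", "AppInit_DLLs set: the DLL is loaded into every GUI process")
    if sec in ("O20", "O21") and "(file missing)" in body:
        return ("low", "registration pointing at a missing file")
    if sec == "O23" and "Unknown owner" in body:
        return ("medium", "service with no publisher information")
    return None


def triage(log_text):
    """Parse a HijackThis log and return [(severity, section, reason, raw_line), ...]."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.groups()
        hit = _flag(sec, body)
        if hit:
            findings.append((hit[0], sec, hit[1], line))
    return findings


# Sample input: lines copied from the log posted above (an excerpt, not a full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\oops\cftmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DBF4951-ABDF-4F8C-81DD-BA5B1BA23DB8}: NameServer = 200.14.104.51
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
"""

if __name__ == "__main__":
    for severity, sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {sec:3} {reason}\n         {line}")
```

Entries that look ordinary by these rules (for example the randomly named mrajgxez.exe under system32) still need a human eye, which is why the helpers on this forum read the whole log rather than a filtered view.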


#2 rookie147

Posted 15 April 2008 - 02:18 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Please post that in your next reply with a fresh HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 bobwillis

Posted 18 April 2008 - 12:42 PM

Hello,

YOU ARE A GENIUS !!!!!!!! After I ran the ComboFix it cleaned up my computer - my task manager is back and the stupid screen saver is gone.

I am still attaching the logs from ComboFix and HijackThis.

COMBOFIX log

ComboFix 08-04-17.1 - oops 2008-04-18 11:54:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.169 [GMT -5:00]
Running from: C:\Documents and Settings\oops\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin\Application Data\wsnpoem
C:\Documents and Settings\admin\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\admin\Application Data\wsnpoem\video.dll
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\bajuhevob.lib
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\upamojawoh.bin
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\xuny.pif
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\conf.inf
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\Installer\{169e00c7-c921-42b8-be38-21bca96850a7}\RunOnceDrive.dll
C:\WINDOWS\Installer\{20eb3777-8f95-4a93-987e-808f5cd1158e}\zip.dll
C:\WINDOWS\ky.sxc
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mscon.sio
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\nivavir.config
C:\WINDOWS\ntnut.exe
C:\WINDOWS\qdnkewfa.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\mkghj.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-18 11:53 . 2008-04-18 11:53 1,024 --ah----- C:\Documents and Settings\Default User.WINDOWS\ntuser.dat.LOG
2008-04-14 17:05 . 2008-04-14 17:05 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-14 16:46 . 2008-04-14 16:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 16:46 . 2008-04-14 17:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-04-14 15:40 . 2008-04-15 16:15 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-04-14 14:24 . 2008-04-14 14:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-14 13:56 . 2008-04-18 12:17 57,626 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-04-14 13:56 . 2008-04-18 12:17 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-04-14 13:56 . 2008-04-18 12:17 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-04-14 13:56 . 2008-04-18 12:17 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-04-14 13:56 . 2008-04-18 12:17 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-04-14 13:56 . 2008-04-18 12:17 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-04-14 13:56 . 2008-04-18 12:17 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-04-14 13:56 . 2008-04-18 12:17 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-04-14 13:05 . 2008-04-18 12:17 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-04-14 13:04 . 2008-04-14 13:05 <DIR> d-------- C:\WINDOWS\rnapxs
2008-04-14 13:04 . 2007-11-14 12:26 1,830,912 --a------ C:\WINDOWS\system32\winsflte.dll
2008-04-14 13:04 . 2002-01-01 13:02 7,440 --a------ C:\WINDOWS\system32\sporder.dll
2008-04-14 13:02 . 2008-04-14 13:05 <DIR> d-------- C:\Program Files\CA
2008-04-14 13:02 . 2008-04-15 16:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CA
2008-04-14 12:14 . 2008-04-14 12:14 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-04-14 11:06 . 2008-04-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-04-14 10:24 . 2008-04-14 10:24 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Symantec
2008-04-14 09:48 . 2008-04-14 09:57 1,908 --a------ C:\WINDOWS\default
2008-04-13 07:51 . 25,472 C:\WINDOWS\system32\drivers\Irq41.sys
2008-04-13 04:45 . 2008-04-13 04:45 18,814 --a------ C:\Documents and Settings\admin\Application Data\gygysegepe.reg
2008-04-13 04:45 . 2008-04-13 04:45 17,013 --a------ C:\Documents and Settings\admin\Application Data\dexe.bin
2008-04-13 04:45 . 2008-04-13 04:45 17,004 --a------ C:\WINDOWS\obeqy.inf
2008-04-13 04:45 . 2008-04-13 04:45 16,991 --a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\elikazyli.scr
2008-04-13 04:45 . 2008-04-13 04:45 16,712 --a------ C:\Documents and Settings\admin\Application Data\upyteby.com
2008-04-13 04:45 . 2008-04-13 04:45 16,483 --a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\egulax.dat
2008-04-13 04:45 . 2008-04-13 04:45 15,887 --a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\oqyka.bat
2008-04-13 04:45 . 2008-04-13 04:45 14,031 --a------ C:\WINDOWS\system32\ysylugi.vbs
2008-04-13 04:45 . 2008-04-13 04:45 13,254 --a------ C:\Documents and Settings\admin\Application Data\wifewuf.dat
2008-04-13 04:45 . 2008-04-13 04:45 12,840 --a------ C:\WINDOWS\jidukiketu.db
2008-04-13 04:45 . 2008-04-13 04:45 12,775 --a------ C:\Documents and Settings\admin\Application Data\zysujana.pif
2008-04-13 04:45 . 2008-04-13 04:45 10,580 --a------ C:\Documents and Settings\admin\Application Data\iqysejaped.scr
2008-04-12 03:07 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-12 03:07 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-12 03:07 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-12 02:04 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-11 15:57 . 2008-04-11 15:57 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-10 08:46 . 2008-04-10 08:46 <DIR> d---s---- C:\Documents and Settings\admin\UserData
2008-04-08 16:41 . 2008-04-14 13:29 <DIR> d-------- C:\Documents and Settings\admin
2008-04-08 16:41 . 2008-04-18 11:53 1,024 --ah----- C:\Documents and Settings\admin\ntuser.dat.LOG
2008-04-06 12:12 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-04-06 12:12 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-04-06 12:12 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-04-06 12:12 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-04-06 11:40 . 2008-04-06 11:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-06 10:56 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-04-06 10:34 . 2008-04-06 10:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-06 10:34 . 2008-04-06 10:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 10:34 . 2008-04-06 10:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-04-06 10:21 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-06 10:19 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-06 10:19 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-06 10:19 . 2004-08-04 02:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-04-06 10:19 . 2004-08-04 02:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-04-06 10:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-06 10:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-06 10:15 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-06 10:15 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-06 10:15 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-06 10:15 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-06 10:15 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-05 17:08 . 2008-04-05 17:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\utedydwh
2008-03-22 09:57 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-03-22 09:57 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-03-22 09:57 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-03-22 09:57 . 2004-08-03 17:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-03-22 09:57 . 2004-08-03 17:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-03-22 09:57 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-03-21 20:05 . 2008-03-21 20:05 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-21 20:05 . 2008-03-21 20:05 28 --a------ C:\WINDOWS\bcmwl.DMR
2008-03-21 19:54 . 2008-04-18 12:23 <DIR> d-------- C:\Documents and Settings\oops
2008-03-21 19:54 . 2008-04-14 13:29 <DIR> d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY
2008-03-21 19:54 . 2008-04-18 12:26 1,024 --ah----- C:\Documents and Settings\oops\ntuser.dat.LOG
2008-03-21 19:54 . 2008-04-18 12:23 1,024 --ah----- C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
2008-03-21 19:53 . 2008-03-21 19:53 <DIR> d--hs---- C:\Documents and Settings\NetworkService.NT AUTHORITY
2008-03-21 19:53 . 2008-03-21 19:53 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-03-21 19:53 . 2008-04-18 12:23 1,024 --ah----- C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
2008-03-21 19:50 . 2002-09-03 10:24 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-21 19:49 . 2001-08-18 01:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-03-21 19:48 . 2008-04-08 16:41 25,065 --a------ C:\WINDOWS\system32\wmpscheme.xml
2008-03-21 19:48 . 2008-03-21 19:48 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-03-21 19:48 . 2008-03-21 19:48 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-03-21 19:48 . 2008-03-21 19:48 2,577 --a------ C:\WINDOWS\system32\CONFIG.NT
2008-03-21 19:48 . 2008-03-21 19:48 0 --a------ C:\WINDOWS\control.ini
2008-03-21 19:47 . 2008-03-21 19:48 <DIR> d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2008-03-21 19:46 . 2002-09-03 10:49 4,399,505 --a--c--- C:\WINDOWS\system32\dllcache\nls302en.lex
2008-03-21 19:46 . 2008-03-21 19:46 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-21 19:46 . 2008-03-21 19:46 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-21 19:46 . 2008-03-21 19:46 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-21 19:46 . 2008-03-21 19:46 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-21 19:46 . 2008-03-21 19:46 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-21 19:46 . 2008-03-21 19:46 749 -rah----- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-03-21 19:46 . 2008-03-21 19:46 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-03-21 19:46 . 2008-03-21 19:46 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-21 19:44 . 2002-09-03 11:14 5,632 --a------ C:\WINDOWS\system32\write.exe
2008-03-21 19:44 . 2002-09-03 11:14 5,632 --a--c--- C:\WINDOWS\system32\dllcache\write.exe
2008-03-21 18:35 . 2008-04-18 07:20 138 --a------ C:\WINDOWS\shsftset.ini
2008-03-21 18:35 . 2008-04-18 07:20 29 --a------ C:\WINDOWS\spiemon.ini
2008-03-21 17:26 . 2003-06-18 20:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-21 17:26 . 2008-03-21 17:26 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-21 17:25 . 2008-03-21 17:25 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-03-21 17:24 . 2008-03-21 17:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-21 17:24 . 2008-03-21 17:24 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-21 17:24 . 2008-03-21 17:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-21 17:23 . 2008-03-21 17:24 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-21 17:21 . 2008-03-21 17:21 <DIR> dr-h----- C:\MSOCache
2008-03-21 17:20 . 2008-03-21 17:20 <DIR> d-------- C:\IUware Online
2008-03-21 16:55 . 2008-03-21 16:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-03-21 16:51 . 2008-04-06 11:54 5,376 --a------ C:\WINDOWS\system32\antiwpa
2008-03-21 16:51 . 2001-10-26 23:29 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
2008-03-21 16:51 . 2001-10-26 23:27 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
2008-03-21 16:39 . 2008-03-21 16:39 <DIR> d---s---- C:\Documents and Settings\oops\UserData
2008-03-21 16:31 . 2002-10-16 02:03 151,552 --a------ C:\WINDOWS\system32\igfxres.dll
2008-03-21 16:15 . 2004-08-03 17:04 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2008-03-21 16:15 . 2004-08-03 17:04 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-03-21 13:50 . 2008-03-21 13:50 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT.LOG
2008-03-21 13:39 . 2005-11-29 16:27 364,544 --a--c--- C:\WINDOWS\system32\dllcache\npdsplay.dll
2008-03-21 13:39 . 2002-09-03 10:35 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-03-21 11:39 . 2001-08-17 08:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-03-21 11:38 . 2004-08-04 00:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 05:27 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-04-18 05:27 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-18 05:27 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-18 05:27 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-18 05:27 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-14 18:05 2,732,032 ----a-w C:\WINDOWS\system32\win32cpr.dll
2008-04-14 18:05 1,564,771 ----a-w C:\WINDOWS\system32\winsflt.dll
2008-04-14 18:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 09:45 15,940 ----a-w C:\Program Files\Common Files\basezofohe.inf
2008-03-22 00:48 558,142 ----a-w C:\WINDOWS\java\Packages\KTZB1BXV.ZIP
2008-03-22 00:48 155,995 ----a-w C:\WINDOWS\java\Packages\4UZ9NZLB.ZIP
2008-03-21 21:58 16,320 ----a-w C:\WINDOWS\system32\drivers\TD3004F60v.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 15:46 --------- d-----w C:\Program Files\PC DVR-4-Net
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2004-08-04 07:56 698,368 ----a-r C:\Documents and Settings\admin\Application Data\ntos.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"mxopwwdp"="C:\WINDOWS\system32\mrajgxez.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wltray.exe"="C:\WINDOWS\System32\wltray.exe" [2005-06-08 20:32 778318]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-10-16 02:18 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 02:05 114688]
"LMSXXD"="LMSXXD.exe" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-04-18 00:27 181512]
"dvHighMem"="C:\WINDOWS\cfgmng32.exe" [2007-11-14 12:34 11333632]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-18 00:27 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-15 16:15 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-15 16:15 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-15 16:15 259336]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-04-15 16:15 14088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Irq41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\PC DVR-4-Net\\PC DVR-4-Net\\PC DVR-4-Net.exe"=
"C:\\Program Files\\PC DVR-4-Net\\PC DVR-4-Net\\MEDIASERVER.EXE"=
"C:\\Program Files\\PC DVR-4-Net\\PC DVR-4-Net\\WSERVER.EXE"=

R0 Irq41;Irq41;C:\WINDOWS\system32\Drivers\Irq41.sys []
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
R2 WinSvchostManager;WinSock Svchost Manager;C:\WINDOWS\system32\svcprs32.exe [2007-11-14 12:35]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-15 16:15]
R3 TD3004F60v;TD3004F60v;C:\WINDOWS\system32\DRIVERS\TD3004F60v.sys [2008-03-21 16:58]
S1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 17:21:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 12:24:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP000000383E1FFB1B8D87C0C3

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\cappactiveprotection.exe
C:\WINDOWS\system32\mdmcls32.exe
.
**************************************************************************
.
Completion time: 2008-04-18 12:32:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 17:30:52

Pre-Run: 28,791,463,936 bytes free
Post-Run: 30,138,490,880 bytes free
.
2008-04-18 05:54:57 --- E O F ---


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:07 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\System32\wltray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\oops\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mxopwwdp] C:\WINDOWS\system32\mrajgxez.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207494915703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207494902093
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DBF4951-ABDF-4F8C-81DD-BA5B1BA23DB8}: NameServer = 200.14.104.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{957C7945-B046-4EC7-B7C1-5C53AB9C3EFD}: NameServer = 200.14.104.51
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7426 bytes

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 19 April 2008 - 03:23 PM

Your Combofix log was cut off, but before we continue, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new [full] log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.