Infected With "windows Security Center" Trojan


This topic is locked
3 replies to this topic

#1 nfectd

Posted 28 April 2008 - 07:13 AM

At startup, a "Windows Security Center" window opens and "balloons" periodically pop up warning of an assortment of security problems. Occasionally, the computer shuts down by itself.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-28 06:53:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
97: 2008-04-28 11:53:40 UTC - RP133 - Deckard's System Scanner Restore Point
96: 2008-04-28 00:15:19 UTC - RP132 - ComboFix created restore point
95: 2008-04-27 23:56:11 UTC - RP131 - ComboFix created restore point
94: 2008-04-27 22:33:44 UTC - RP130 - Removed Symantec Technical Support Advanced Chat Controls
93: 2008-04-27 20:56:18 UTC - RP129 - Removed Windows Defender


-- First Restore Point --
1: 2008-01-30 09:01:27 UTC - RP37 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:04 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199493940937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O20 - Winlogon Notify: plgvalxk - C:\WINDOWS\SYSTEM32\plgvalxk.dll
O20 - Winlogon Notify: __c00D1430 - C:\WINDOWS\system32\__c00D1430.dat (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5478 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\combofix\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-28 06:03:40 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-28 06:03:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-27 19:15:45 0 d-------- C:\cmdcons
2008-04-27 18:48:54 68096 --a------ C:\WINDOWS\zip.exe
2008-04-27 18:48:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-27 18:48:54 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-27 18:48:54 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-27 18:48:54 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-27 18:48:54 98816 --a------ C:\WINDOWS\sed.exe
2008-04-27 18:48:54 80412 --a------ C:\WINDOWS\grep.exe
2008-04-27 18:48:54 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-27 18:36:17 0 d-------- C:\Program Files\Trend Micro
2008-04-27 14:28:05 18432 --a------ C:\WINDOWS\system32\kezb472.exe
2008-04-27 13:31:39 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-27 13:27:15 0 d-------- C:\Program Files\Remove-it
2008-04-27 13:14:34 1410 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-27 12:57:18 0 d-------- C:\WINDOWS\LMI17.tmp
2008-04-27 00:33:05 0 d-------- C:\Program Files\Windows Sidebar
2008-04-27 00:32:52 0 d-------- C:\Program Files\Norton 360
2008-04-27 00:30:57 0 d-------- C:\Program Files\Symantec
2008-04-27 00:30:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-04-27 00:21:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-27 00:12:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-23 08:05:45 249344 --a------ C:\WINDOWS\system32\plgvalxk.dll
2008-04-23 08:05:10 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Google
2008-04-23 08:05:09 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY\Favorites
2008-04-22 05:04:15 0 d-------- C:\WINDOWS\system32\Client
2008-04-19 21:01:26 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-19 20:23:36 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-19 19:51:11 0 d-------- C:\Program Files\Enigma Software Group
2008-04-15 21:08:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-11 15:26:15 0 d-------- C:\WINDOWS\Sun
2008-04-11 15:26:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-11 15:25:30 0 d-------- C:\Program Files\Java
2008-04-11 15:24:08 0 d-------- C:\Program Files\Common Files\Java


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
02/23/2008 09:08 PM 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/27/2008 12:33 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [02/23/2008 09:08 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/18/2008 02:37 PM]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [02/26/2008 09:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [05/05/2003 08:57 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [06/21/2005 04:48 PM]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [05/08/2003 11:34 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [03/01/2008 05:45 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\plgvalxk]
plgvalxk.dll 04/23/2008 08:05 AM 249344 C:\WINDOWS\SYSTEM32\plgvalxk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00D1430]
C:\WINDOWS\system32\__c00D1430.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.it-mate.co.uk
127.0.0.1 it-mate.co.uk
127.0.0.1 mysteryfcm.co.uk
127.0.0.1 www.internetinspiration.co.uk
127.0.0.1 www.mvps.org
127.0.0.1 bughunter.it-mate.co.uk
127.0.0.1 www.bughunter.it-mate.co.uk
127.0.0.1 www.siri.geekstogo.com
127.0.0.1 siri.geekstogo.com
127.0.0.1 siri.urz.free.fr

18163 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-28 06:56:17 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.26GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 503.48 MiB / 213.75 MiB
Pagefile Memory (total/avail): 1230.63 MiB / 969.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.04 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 37.26 GiB total, 25.92 GiB free.
E: is CDROM (No Media)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD400BB-60DGA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPAQ-F05F179F
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\COMPAQ-F05F179F
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intel\DMIX
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=COMPAQ-F05F179F
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\Install.log
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Backup --> MsiExec.exe /I{24DF7221-644B-4C3A-A478-459502D40522}
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Network Connections 12.1.12.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users.WINDOWS\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Publisher 2000 --> MsiExec.exe /I{00140409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_2_2_0_2\Setup.exe" /X
Norton 360 HTMLHelp --> MsiExec.exe /I{0BDD3FAD-61CD-4BF3-B9C4-4CEFD43F53F8}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
ShellZip 3.0 Beta3 --> "C:\Program Files\ShellZip\unins000.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
Symantec Technical Support Controls --> MsiExec.exe /I{45690715-80A6-4445-B61D-ADEC5888E8CD}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Unlocker 1.8.6 --> C:\Program Files\Unlocker\uninst.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type881 / Error
Event Submitted/Written: 04/27/2008 03:08:17 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry80070422updateservicemanager-_get_servicesfallbackcheck1.1.1593.0mpsigdwn.dll1.1.1593.0windows defenderNILNILNIL

Event Record #/Type875 / Error
Event Submitted/Written: 04/27/2008 02:35:32 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry80070422updateservicemanager-_get_servicesfallbackcheck1.1.1593.0mpsigdwn.dll1.1.1593.0windows defenderNILNILNIL

Event Record #/Type854 / Error
Event Submitted/Written: 04/27/2008 02:29:41 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry80070422updateservicemanager-_get_servicesfallbackcheck1.1.1593.0mpsigdwn.dll1.1.1593.0windows defenderNILNILNIL

Event Record #/Type852 / Error
Event Submitted/Written: 04/27/2008 02:29:24 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry80070422updateservicemanager-_get_servicesfallbackcheck1.1.1593.0mpsigdwn.dll1.1.1593.0windows defenderNILNILNIL

Event Record #/Type830 / Error
Event Submitted/Written: 04/27/2008 02:12:28 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry80070422updateservicemanager-_get_servicesfallbackcheck1.1.1593.0mpsigdwn.dll1.1.1593.0windows defenderNILNILNIL



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2027 / Error
Event Submitted/Written: 04/28/2008 06:34:16 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Microsoft DDE+ server service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type2012 / Error
Event Submitted/Written: 04/28/2008 06:32:13 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SPBBCDrv service failed to start due to the following error:
%%31

Event Record #/Type1966 / Error
Event Submitted/Written: 04/27/2008 10:25:41 PM / 04/27/2008 10:25:42 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SPBBCDrv service failed to start due to the following error:
%%31

Event Record #/Type1946 / Error
Event Submitted/Written: 04/27/2008 10:12:46 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SPBBCDrv service failed to start due to the following error:
%%31

Event Record #/Type1916 / Error
Event Submitted/Written: 04/27/2008 08:58:07 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SPBBCDrv service failed to start due to the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-04-28 06:56:17 ------------

Directories/Files moved to C:\Deckard\System Scanner\backup

2008-04-28 06:33:46 5774 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\conf.xml
2008-04-28 06:38:48 1038 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jusched.log
2008-04-28 06:00:02 0 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp31.tmp
2008-04-28 06:03:44 0 d-------- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KAV Updater update files
2008-04-27 22:24:46 16384 --a------ C:\WINDOWS\temp\Perflib_Perfdata_418.dat
2008-04-27 23:05:32 0 --a------ C:\WINDOWS\temp\tmp1.tmp
2008-04-27 23:15:38 0 --a------ C:\WINDOWS\temp\tmp2.tmp
2008-04-27 23:25:44 0 --a------ C:\WINDOWS\temp\tmp3.tmp
2008-04-27 23:35:52 0 --a------ C:\WINDOWS\temp\tmp4.tmp
2008-04-27 23:45:58 0 --a------ C:\WINDOWS\temp\tmp5.tmp
2008-04-27 23:56:04 0 --a------ C:\WINDOWS\temp\tmp6.tmp
2008-04-28 00:06:12 0 --a------ C:\WINDOWS\temp\tmp7.tmp
2008-04-28 00:16:18 0 --a------ C:\WINDOWS\temp\tmp8.tmp
2008-04-28 00:26:24 0 --a------ C:\WINDOWS\temp\tmp9.tmp
2008-04-28 00:36:32 0 --a------ C:\WINDOWS\temp\tmpA.tmp
2008-04-28 00:46:38 0 --a------ C:\WINDOWS\temp\tmpB.tmp
2008-04-28 00:56:46 0 --a------ C:\WINDOWS\temp\tmpC.tmp
2008-04-28 01:06:52 0 --a------ C:\WINDOWS\temp\tmpD.tmp
2008-04-28 01:16:58 0 --a------ C:\WINDOWS\temp\tmpE.tmp
2008-04-28 01:27:06 0 --a------ C:\WINDOWS\temp\tmp15.tmp
2008-04-28 01:37:12 0 --a------ C:\WINDOWS\temp\tmp16.tmp
2008-04-28 01:47:18 0 --a------ C:\WINDOWS\temp\tmp17.tmp
2008-04-28 01:57:26 0 --a------ C:\WINDOWS\temp\tmp18.tmp
2008-04-28 02:07:32 0 --a------ C:\WINDOWS\temp\tmp19.tmp
2008-04-28 02:17:38 0 --a------ C:\WINDOWS\temp\tmp1A.tmp
2008-04-28 02:27:46 0 --a------ C:\WINDOWS\temp\tmp1B.tmp
2008-04-28 02:37:52 0 --a------ C:\WINDOWS\temp\tmp1C.tmp
2008-04-28 02:48:00 0 --a------ C:\WINDOWS\temp\tmp1D.tmp
2008-04-28 02:58:06 0 --a------ C:\WINDOWS\temp\tmp1E.tmp
2008-04-28 03:08:12 0 --a------ C:\WINDOWS\temp\tmp1F.tmp
2008-04-28 03:18:20 0 --a------ C:\WINDOWS\temp\tmp20.tmp
2008-04-28 03:28:26 0 --a------ C:\WINDOWS\temp\tmp21.tmp
2008-04-28 03:38:32 0 --a------ C:\WINDOWS\temp\tmp22.tmp
2008-04-28 03:48:40 0 --a------ C:\WINDOWS\temp\tmp23.tmp
2008-04-28 03:58:46 0 --a------ C:\WINDOWS\temp\tmp24.tmp
2008-04-28 04:08:52 0 --a------ C:\WINDOWS\temp\tmp25.tmp
2008-04-28 04:19:00 0 --a------ C:\WINDOWS\temp\tmp26.tmp
2008-04-28 04:29:06 0 --a------ C:\WINDOWS\temp\tmp27.tmp
2008-04-28 04:39:12 0 --a------ C:\WINDOWS\temp\tmp28.tmp
2008-04-28 04:49:20 0 --a------ C:\WINDOWS\temp\tmp29.tmp
2008-04-28 04:59:26 0 --a------ C:\WINDOWS\temp\tmp2A.tmp
2008-04-28 05:09:32 0 --a------ C:\WINDOWS\temp\tmp2B.tmp
2008-04-28 05:19:40 0 --a------ C:\WINDOWS\temp\tmp2C.tmp
2008-04-28 05:29:46 0 --a------ C:\WINDOWS\temp\tmp2D.tmp
2008-04-28 05:39:52 0 --a------ C:\WINDOWS\temp\tmp2E.tmp
2008-04-28 05:50:00 0 --a------ C:\WINDOWS\temp\tmp2F.tmp
2008-04-28 06:00:00 0 --a------ C:\WINDOWS\temp\tmp30.tmp
2007-11-20 16:04:32 1523536 --a------ C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe <Verified; Adobe Systems Incorporated; Adobe® Flash® Player ActiveX>

-*- End of Logfile -*-

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 6:48:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 728705
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 14582
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:11:03

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\kezb472.exe Infected: Trojan-Proxy.Win32.Xorpix.eb skipped
C:\WINDOWS\SYSTEM32\Client\svchost32.exe Infected: Trojan.Win32.Delf.btm skipped
C:\WINDOWS\SYSTEM32\.161f1e05\161f1e05.exe Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\SYSTEM32\.161f1e05\161f1e05.core.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_414.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

Scan process completed.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 6:51:29 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 728781
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Memory:

Scan Statistics:
Total number of scanned objects: 1535
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:00:37

Infected Object Name / Virus Name / Last Action
[1328] SPOOLSV.EXE => C:\WINDOWS\system32\.161f1e05\161f1e05.core.dll Infected: Packed.Win32.Monder.gen skipped

Scan process completed.

#2 Baabiouz

Posted 11 May 2008 - 01:40 AM

Hi Nfectd!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in HijackThis school and teachers will check my posts.

#3 Baabiouz

Posted 11 May 2008 - 04:10 AM

Hi.
Let's do this first:

Please visit Virustotal
* Click the Browse... button
* Navigate to the file C:\WINDOWS\SYSTEM32\plgvalxk.dll
* Click the Open button
* Click the Send button
* Copy and paste the results back here :thumbsup:

Edited by Baabiouz, 11 May 2008 - 04:10 AM.


#4 don77

Posted 16 May 2008 - 09:50 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
