
Unknown Malware Launching Dcom Task


  • This topic is locked
8 replies to this topic

#1 sinatra

  • Members
  • 4 posts

Posted 23 June 2008 - 03:40 PM

Hi All,

I have been on the trail of this malware for most of the weekend. The malware behavior is to launch many connections to websites all over the world. I am not sure what this is doing, but it looks like a worm. It was easy to see that the process originated out of an svchost.exe task. When I stop the task the unauthorized activity stops, but the computer shuts down after 60 seconds with the NT Authority shutdown box.

It also had connections to a specific IP periodically in the System Process:0 section of TCPview.

I first noticed the extra connections in netstat and the network lights never stopping. I was using CA antivirus and nothing was noticed from any scan using CA.

Scanned with Avast boot scan and nothing.
Scanned with Trend Micro HouseCall and nothing.
Scanned with Kaspersky and nothing.
Microsoft Malicious Software Removal scanner: nothing.

As a last try, I loaded the Trend Micro PC-based version, and that brought me to where I am now. The Trend Micro AV install caused the malware to pop up an svchost.exe application error box when it tries to start. The box says: The instruction at "0x0000000" referenced memory at "0x00000". The memory could not be "written". This box continues to pop up at long intervals, so the trigger is still in the system to launch this. The good part is that it can't launch itself any more.

When the system boots this box appears: Data Execution Prevention - Microsoft Windows. To help protect your computer, Windows has closed this program. Name: Generic Host Process for Win32 Services.

I could reload the system, but I want to know the damage and what this malware was capable of doing. Disabling DCOM stops everything, but I want to know this is out of the system. I would like to isolate the code triggering the launch of the svchost task and submit it for review somewhere since it's not recognized. Thanks for any help. DSS log below:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-06-23 13:04:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-23 18:04:36 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 22.11 GiB (less than 15%) free.


-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:16 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\000\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/p?v&k=pf_1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 74.50.107.172 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FE32123-369B-4D8C-B681-CBB0E08BD601}: NameServer = 65.24.7.10,65.24.7.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: admxprox32 - C:\WINDOWS\SYSTEM32\admxprox32.dll
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: eEye Retina Engine (RetinaEngine) - eEye Digital Security - C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 7087 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080617-211304-626 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
backup-20080617-211404-112 O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
backup-20080617-211424-512 O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
backup-20080617-211450-715 O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
backup-20080617-211810-388 O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client...nbr/ieatgpc.cab
backup-20080617-211836-235 O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
backup-20080617-211836-238 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
backup-20080617-211906-425 O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
backup-20080617-212149-140 O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
backup-20080617-212149-419 O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
backup-20080617-212150-176 O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
backup-20080617-212150-388 O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
backup-20080617-212150-451 O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
backup-20080617-212150-505 O17 - HKLM\System\CCS\Services\Tcpip\..\{4FE32123-369B-4D8C-B681-CBB0E08BD601}: NameServer = 65.24.7.10,65.24.7.11
backup-20080617-212150-934 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080617-213446-222 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
backup-20080617-213446-388 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
backup-20080617-213446-608 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080621-112109-717 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080621-112301-275 O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
backup-20080621-121530-571 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
backup-20080621-121555-290 O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
backup-20080622-051420-937 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
backup-20080622-051522-544 O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
backup-20080622-051522-764 O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
backup-20080622-051624-145 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
backup-20080622-051624-906 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
backup-20080622-051708-271 O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
backup-20080622-051709-612 O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
backup-20080622-052042-491 O4 - HKCU\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
backup-20080622-052257-797 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
backup-20080622-052400-162 O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
backup-20080622-052400-525 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
backup-20080622-081228-123 O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
backup-20080622-081228-417 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
backup-20080623-000716-469 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
backup-20080623-000716-894 O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
backup-20080623-001100-322 O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
backup-20080623-001221-222 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
backup-20080623-001242-791 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
backup-20080623-001417-470 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
backup-20080623-001417-737 O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; Elaborate Bytes; CloneCD>

S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
S0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys (file missing)
S0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys (file missing)
S0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys (file missing)
S0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys (file missing)
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S1 NTGDT - c:\windows\system32\drivers\ntgdt.sys (file missing)
S2 devdpl - c:\windows\system32\drivers\devdpl.sys (file missing)
S2 enodpl - c:\windows\system32\drivers\enodpl.sys (file missing)
S2 io.sys (IO.DLL Driver) - c:\windows\system32\drivers\io.sys (file missing)
S2 litdpl - c:\windows\system32\drivers\litdpl.sys (file missing)
S2 tandpl - c:\windows\system32\drivers\tandpl.sys (file missing)
S3 cglptnt - c:\program files\totalcmd\cglptnt.sys <Not Verified; C. Ghisler & Co.; Windows Commander 32 bit>
S3 DCamUSBSTK014 (STK014 Camera) - c:\windows\system32\drivers\stk014w2.sys (file missing)
S3 DrmRDriverV32 - c:\windows\system32\drivers\drmrdriverv32.sys (file missing)
S3 DrmRVideo32 - c:\windows\system32\drivers\drmrvideo32.sys (file missing)
S3 st324kj - c:\windows\system32\drivers\st324kj.sys (file missing)
S3 ZSMC0305 (VIMICRO USB PC Camera V) - c:\windows\system32\drivers\usbvm305.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)
S4 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Ati HotKey Poller - c:\windows\system32\ati2evxx.exe (file missing)
S2 RoxLiveShare10 (LiveShare P2P Server 10) - "c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" (file missing)
S3 IDriverT (InstallDriver Table Manager) - "c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe" (file missing)
S4 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
S4 SessionLauncher - c:\docume~1\hp_adm~1\locals~1\temp\dx9\sessionlauncher.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: NetMos Unusable Parallel Port
Device ID: MF\PCI#VEN_9710&DEV_9835&SUBSYS_00011000&REV_01\5&48665C7&1&00A4#CHILD0001
Manufacturer: NetMos Technology
Name: NetMos Unusable Parallel Port (LPT3)
PNP Device ID: MF\PCI#VEN_9710&DEV_9835&SUBSYS_00011000&REV_01\5&48665C7&1&00A4#CHILD0001
Service: Parport

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-22 23:24:39 120 --a------ C:\WINDOWS\system32\winsusrx.dll
2008-06-22 23:24:39 264 --a------ C:\WINDOWS\system32\winsusrm.dll
2008-06-22 23:23:40 0 d-------- C:\Program Files\Common Files\Data Dynamics
2008-06-22 23:23:17 0 d-------- C:\Program Files\eEye Digital Security
2008-06-22 23:23:17 0 d-------- C:\Program Files\Common Files\eEye Digital Security
2008-06-22 23:21:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-06-22 22:54:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 22:08:13 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-22 19:56:20 0 d-------- C:\info
2008-06-22 19:10:13 0 d-------- C:\WINDOWS\system32\drivers\AU_Backup
2008-06-22 19:04:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-22 18:43:32 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-06-22 18:42:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-22 18:37:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-22 16:37:54 0 --a------ C:\WINDOWS\system32\test
2008-06-22 07:07:17 0 d-------- C:\kav
2008-06-22 04:14:51 0 d-------- C:\Documents and Settings\HP_Administrator\DoctorWeb
2008-06-22 01:46:48 0 d--hs---- C:\WINDOWS\CSC
2008-06-22 01:00:05 0 --a------ C:\WINDOWS\system32\w32apiw.dll
2008-06-22 00:11:59 0 d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-06-22 00:11:05 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-21 22:00:51 68096 --a------ C:\WINDOWS\zip.exe
2008-06-21 22:00:51 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-21 22:00:51 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-21 22:00:51 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-21 22:00:51 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-21 22:00:51 98816 --a------ C:\WINDOWS\sed.exe
2008-06-21 22:00:51 80412 --a------ C:\WINDOWS\grep.exe
2008-06-21 22:00:51 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-21 11:16:47 0 d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2008-06-21 10:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-06-19 19:17:54 0 d-------- C:\Program Files\Garmin
2008-06-19 07:03:17 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\GARMIN
2008-06-17 21:10:51 0 d-------- C:\Program Files\Trend Micro
2008-06-17 20:58:54 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-15 20:29:12 0 d-------- C:\My Home Power
2008-06-08 02:26:43 0 d-------- C:\Program Files\Replay Media Catcher
2008-06-08 02:06:34 0 d-------- C:\WINDOWS\Replay Media Catcher
2008-06-08 00:40:34 4480 -----n--- C:\WINDOWS\system32\drivers\ElbyCDFL.sys <Not Verified; Elaborate Bytes; CloneCD>
2008-06-07 18:35:51 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-07 18:29:20 0 d-------- C:\WINDOWS\nview
2008-06-07 17:46:10 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\nCleaner
2008-06-07 17:46:06 0 d-------- C:\Program Files\NKProds
2008-06-07 13:36:47 0 d-------- C:\WINDOWS\nvidia icons
2008-06-07 12:11:53 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-30 00:25:44 0 d-------- C:\Program Files\Common Files\supportsoft


-- Find3M Report ---------------------------------------------------------------

2008-06-23 00:25:43 0 d-------- C:\Program Files\Common Files
2008-06-22 23:54:45 0 d-------- C:\Program Files\Symantec
2008-06-22 23:22:13 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-22 05:50:27 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-06-22 04:41:05 0 d-------- C:\Program Files\PeerGuardian2
2008-06-22 00:29:39 0 d-------- C:\Program Files\Roxio
2008-06-22 00:27:55 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-22 00:12:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-21 14:40:53 0 d-------- C:\Program Files\DAEMON Tools
2008-06-21 10:30:13 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Paltalk
2008-06-21 09:34:04 0 d-------- C:\Program Files\eMule
2008-06-20 03:53:40 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-06-19 19:36:28 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Roxio
2008-06-18 18:08:21 0 d-------- C:\Program Files\Steam
2008-06-17 20:58:53 0 d-------- C:\Program Files\Nokia
2008-06-16 22:27:13 0 d-------- C:\Program Files\Microsoft Streets & Trips
2008-06-15 09:12:36 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\BitTorrent
2008-06-14 14:37:41 0 d-------- C:\Program Files\Mp3tag
2008-06-10 21:41:22 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla
2008-06-10 21:26:45 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2008-06-08 02:58:06 8 -----n--- C:\WINDOWS\system32\nvModes.dat
2008-06-08 02:00:00 0 d-------- C:\Program Files\ScottradeELITE
2008-06-08 01:44:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 19:18:18 0 d-------- C:\Program Files\AmiBroker
2008-06-06 15:35:34 768 -----n--- C:\WINDOWS\system32\d3d8caps.dat
2008-06-03 02:28:31 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-05-30 01:15:58 1324 -----n--- C:\WINDOWS\system32\d3d9caps.dat
2008-05-25 09:19:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nokia
2008-05-24 19:59:04 0 d-------- C:\Program Files\Yawcam
2008-05-23 22:43:11 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\RipIt4Me
2008-05-10 11:53:39 0 d-------- C:\Program Files\Ontrack
2008-05-05 22:09:56 0 d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-05-04 12:41:37 0 d-------- C:\Program Files\InvestRT
2008-05-02 22:46:00 1630208 -----n--- C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 -----n--- C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 -----n--- C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 -----n--- C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 -----n--- C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 -----n--- C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 -----n--- C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 -----n--- C:\WINDOWS\system32\keystone.exe
2008-04-29 00:13:21 0 d-------- C:\Program Files\Magic Audio Recorder
2008-04-11 17:47:18 119296 --a------ C:\WINDOWS\system32\zlib.dll <Not Verified; ; ZLib.DLL>
2008-04-11 17:47:16 119296 --a------ C:\WINDOWS\system32\zlibwapi.dll <Not Verified; ; ZLib.DLL>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [07/19/2005 05:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [06/08/2005 03:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [06/08/2005 03:14 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/10/2005 09:57 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/02/2008 10:46 PM]
"nwiz"="nwiz.exe" [05/02/2008 10:46 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/02/2008 10:46 PM]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [07/05/2007 08:09 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [10/10/2005 12:10:07 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\admxprox32]
admxprox32.dll 06/14/2004 07:16 PM 10752 C:\WINDOWS\system32\admxprox32.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b7e30d4-414a-11db-99b5-0013d387a543}]
AutoRun\command- N:\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- Hosts -----------------------------------------------------------------------

74.50.107.172 localhost


-- End of Deckard's System Scanner: finished at 2008-06-23 13:07:56 ------------


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 23 June 2008 - 06:04 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: admxprox32 - C:\WINDOWS\SYSTEM32\admxprox32.dll




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\admxprox32.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
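A small triage script over the O1 (hosts) and O20 (Winlogon Notify) lines quoted in the logs above, showing the two checks a reviewer applies before asking for a fix: localhost remapped away from loopback, and a Winlogon Notify package loading a DLL that is not a known Windows component. This is an added example, not code from the thread or from HijackThis/DSS; the sample log is constructed from the posted entries and the known-good DLL list is an assumed, illustrative set.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Checks applied to each line:
  * O1 lines that point 'localhost' anywhere other than the loopback address
  * O20 Winlogon Notify packages whose DLL is not on a small known-good list
"""
import re

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = """\
O1 - Hosts: 74.50.107.172 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [UserFaultCheck] %systemroot%\\system32\\dumprep 0 -u
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\tmlsp.dll
O20 - Winlogon Notify: admxprox32 - C:\\WINDOWS\\SYSTEM32\\admxprox32.dll
O20 - Winlogon Notify: cscdll - C:\\WINDOWS\\SYSTEM32\\cscdll.dll
"""

LOOPBACK = {"127.0.0.1", "::1"}

# Assumption: a short illustrative allow-list of Winlogon Notify DLLs that ship
# with Windows XP. A real triage list would be longer and site-specific.
KNOWN_NOTIFY_DLLS = {"cscdll.dll", "crypt32.dll", "cryptnet.dll", "sclgntfy.dll", "wlnotify.dll"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify:\s+(\S+)\s+-\s+(.+)$")


def check_hosts_line(line):
    """Return a finding for an O1 line that remaps localhost, else None."""
    m = O1_RE.match(line)
    if not m:
        return None
    ip, name = m.group(1), m.group(2)
    if name.lower() == "localhost" and ip not in LOOPBACK:
        return f"O1: localhost resolves to {ip}, not loopback; hosts file tampered"
    return None


def check_winlogon_notify(line):
    """Return a finding for an O20 line loading an unrecognised DLL, else None."""
    m = O20_RE.match(line)
    if not m:
        return None
    package, path = m.group(1), m.group(2).strip()
    dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if dll not in KNOWN_NOTIFY_DLLS:
        return f"O20: Winlogon Notify package '{package}' loads unrecognised DLL {path}"
    return None


def triage(log_text):
    """Run every check over each line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        for check in (check_hosts_line, check_winlogon_notify):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample log the script reports exactly the two entries Sam targeted for cleanup: the hosts remap and the admxprox32 Winlogon Notify package.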

#3 sinatra (Topic Starter)

Posted 23 June 2008 - 08:04 PM

Hi Sam,

Thanks for the quick reply. The O4 - HKLM\..\Run: [UserFaultCheck] ... line did not show in the HijackThis scan. Here is the Move log:

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\admxprox32.dll
C:\WINDOWS\SYSTEM32\admxprox32.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\admxprox32.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06232008_194847

______________________________--

System has stopped the popup faults from svchost and the bootup message.

Dss log:

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-06-23 20:01:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 22.15 GiB (less than 15%) free.


-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:06 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\000\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_ADM~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/p?v&k=pf_1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 74.50.107.172 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FE32123-369B-4D8C-B681-CBB0E08BD601}: NameServer = 65.24.7.10,65.24.7.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: eEye Retina Engine (RetinaEngine) - eEye Digital Security - C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 6958 bytes

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-22 23:24:39 120 --a------ C:\WINDOWS\system32\winsusrx.dll
2008-06-22 23:24:39 264 --a------ C:\WINDOWS\system32\winsusrm.dll
2008-06-22 23:23:40 0 d-------- C:\Program Files\Common Files\Data Dynamics
2008-06-22 23:23:17 0 d-------- C:\Program Files\eEye Digital Security
2008-06-22 23:23:17 0 d-------- C:\Program Files\Common Files\eEye Digital Security
2008-06-22 23:21:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-06-22 22:54:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-22 22:08:13 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-22 19:56:20 0 d-------- C:\info
2008-06-22 19:10:13 0 d-------- C:\WINDOWS\system32\drivers\AU_Backup
2008-06-22 19:04:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-22 18:43:32 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-06-22 18:42:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-22 18:37:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-22 16:37:54 0 --a------ C:\WINDOWS\system32\test
2008-06-22 07:07:17 0 d-------- C:\kav
2008-06-22 04:14:51 0 d-------- C:\Documents and Settings\HP_Administrator\DoctorWeb
2008-06-22 01:46:48 0 d--hs---- C:\WINDOWS\CSC
2008-06-22 01:00:05 0 --a------ C:\WINDOWS\system32\w32apiw.dll
2008-06-22 00:11:59 0 d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-06-22 00:11:05 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-21 22:00:51 68096 --a------ C:\WINDOWS\zip.exe
2008-06-21 22:00:51 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-21 22:00:51 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-21 22:00:51 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-21 22:00:51 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-21 22:00:51 98816 --a------ C:\WINDOWS\sed.exe
2008-06-21 22:00:51 80412 --a------ C:\WINDOWS\grep.exe
2008-06-21 22:00:51 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-21 11:16:47 0 d-------- C:\Documents and Settings\HP_Administrator\.housecall6.6
2008-06-21 10:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-06-19 19:17:54 0 d-------- C:\Program Files\Garmin
2008-06-19 07:03:17 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\GARMIN
2008-06-17 21:10:51 0 d-------- C:\Program Files\Trend Micro
2008-06-17 20:58:54 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-15 20:29:12 0 d-------- C:\My Home Power
2008-06-08 02:26:43 0 d-------- C:\Program Files\Replay Media Catcher
2008-06-08 02:06:34 0 d-------- C:\WINDOWS\Replay Media Catcher
2008-06-08 00:40:34 4480 -----n--- C:\WINDOWS\system32\drivers\ElbyCDFL.sys <Not Verified; Elaborate Bytes; CloneCD>
2008-06-07 18:35:51 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-07 18:29:20 0 d-------- C:\WINDOWS\nview
2008-06-07 17:46:10 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\nCleaner
2008-06-07 17:46:06 0 d-------- C:\Program Files\NKProds
2008-06-07 13:36:47 0 d-------- C:\WINDOWS\nvidia icons
2008-06-07 12:11:53 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-30 00:25:44 0 d-------- C:\Program Files\Common Files\supportsoft


-- Find3M Report ---------------------------------------------------------------

2008-06-23 00:25:43 0 d-------- C:\Program Files\Common Files
2008-06-22 23:54:45 0 d-------- C:\Program Files\Symantec
2008-06-22 23:22:13 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-22 05:50:27 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-06-22 04:41:05 0 d-------- C:\Program Files\PeerGuardian2
2008-06-22 00:29:39 0 d-------- C:\Program Files\Roxio
2008-06-22 00:27:55 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-22 00:12:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-21 14:40:53 0 d-------- C:\Program Files\DAEMON Tools
2008-06-21 10:30:13 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Paltalk
2008-06-21 09:34:04 0 d-------- C:\Program Files\eMule
2008-06-20 03:53:40 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-06-19 19:36:28 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Roxio
2008-06-18 18:08:21 0 d-------- C:\Program Files\Steam
2008-06-17 20:58:53 0 d-------- C:\Program Files\Nokia
2008-06-16 22:27:13 0 d-------- C:\Program Files\Microsoft Streets & Trips
2008-06-15 09:12:36 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\BitTorrent
2008-06-14 14:37:41 0 d-------- C:\Program Files\Mp3tag
2008-06-10 21:41:22 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla
2008-06-10 21:26:45 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2008-06-08 02:58:06 8 -----n--- C:\WINDOWS\system32\nvModes.dat
2008-06-08 02:00:00 0 d-------- C:\Program Files\ScottradeELITE
2008-06-08 01:44:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 19:18:18 0 d-------- C:\Program Files\AmiBroker
2008-06-06 15:35:34 768 -----n--- C:\WINDOWS\system32\d3d8caps.dat
2008-06-03 02:28:31 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-05-30 01:15:58 1324 -----n--- C:\WINDOWS\system32\d3d9caps.dat
2008-05-25 09:19:19 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Nokia
2008-05-24 19:59:04 0 d-------- C:\Program Files\Yawcam
2008-05-23 22:43:11 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\RipIt4Me
2008-05-10 11:53:39 0 d-------- C:\Program Files\Ontrack
2008-05-05 22:09:56 0 d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-05-04 12:41:37 0 d-------- C:\Program Files\InvestRT
2008-05-02 22:46:00 1630208 -----n--- C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 -----n--- C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 -----n--- C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 -----n--- C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 -----n--- C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 -----n--- C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 -----n--- C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 -----n--- C:\WINDOWS\system32\keystone.exe
2008-04-29 00:13:21 0 d-------- C:\Program Files\Magic Audio Recorder
2008-04-11 17:47:18 119296 --a------ C:\WINDOWS\system32\zlib.dll <Not Verified; ; ZLib.DLL>
2008-04-11 17:47:16 119296 --a------ C:\WINDOWS\system32\zlibwapi.dll <Not Verified; ; ZLib.DLL>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [07/19/2005 05:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [06/08/2005 03:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [06/08/2005 03:14 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/10/2005 09:57 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/02/2008 10:46 PM]
"nwiz"="nwiz.exe" [05/02/2008 10:46 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/02/2008 10:46 PM]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [07/05/2007 08:09 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [10/10/2005 12:10:07 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b7e30d4-414a-11db-99b5-0013d387a543}]
AutoRun\command- N:\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- End of Deckard's System Scanner: finished at 2008-06-23 20:02:37 ------------
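The fix in post #2 and the full log in post #3 turn on reading a few HijackThis line types correctly: an O20 Winlogon Notify entry is a DLL that winlogon.exe loads at logon (a persistence point that survives killing the processes it spawns), an O1 Hosts entry rewrites name resolution, an O4 entry is a Run-key autostart, and O23 entries describe services. The script below is an added example, not code from HijackThis, BleepingComputer or either poster. It parses a constructed excerpt made of lines quoted in this thread and flags the entries a practitioner would look at first. The allowlist of default Windows XP Winlogon Notify packages, the severity scale and the "unqualified program name" heuristic for O4 lines are assumptions for illustration, not a verdict on any specific entry. It also flags the O1 line mapping localhost to 74.50.107.172, which the thread did not act on, as something to review.

```python
"""Triage a HijackThis log for the entry types discussed in this thread.

Added example; not code from HijackThis, BleepingComputer or the thread's
participants. SAMPLE_LOG is a constructed excerpt built from lines quoted
in the thread, and KNOWN_NOTIFY / severities are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# Constructed excerpt (not a real log file); lines are taken from the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 74.50.107.172 localhost
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: admxprox32 - C:\WINDOWS\SYSTEM32\admxprox32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(\S+)\s+-\s+(.*)$")
SERVICE_RE = re.compile(r"^Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run:\s+\[(.*?)\]\s*(.*)$")
# A program reference is "qualified" if it starts with a drive letter or an
# environment variable; a bare name is resolved through PATH at logon.
QUALIFIED_RE = re.compile(r"^(%\w+%|[A-Za-z]:)\\")

LOOPBACK = {"127.0.0.1", "::1"}
# Assumed allowlist: Winlogon Notify packages shipped with Windows XP.
# Anything else is a third-party DLL loaded into winlogon.exe at logon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # illustrative scale


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis section, e.g. "O20"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str      # the log line as written


def triage(log_text: str) -> list:
    """Return findings sorted by severity, keeping log order within a level."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank or process-list line
        code, body = m.groups()
        if code == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group(2).lower() == "localhost" and h.group(1) not in LOOPBACK:
                findings.append(Finding(code, "high",
                                        f"localhost resolves to {h.group(1)} via the hosts file", raw))
        elif code == "O20":
            n = NOTIFY_RE.match(body)
            if n and n.group(1).lower() not in KNOWN_NOTIFY:
                findings.append(Finding(code, "high",
                                        f"non-default Winlogon Notify DLL {n.group(2)}", raw))
        elif code == "O23":
            s = SERVICE_RE.match(body)
            if s and s.group(3).endswith("(file missing)"):
                findings.append(Finding(code, "low",
                                        f"service '{s.group(1)}' points at a missing file", raw))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                parts = r.group(3).strip().split()
                exe = parts[0].strip('"') if parts else ""
                if exe and not QUALIFIED_RE.match(exe):
                    findings.append(Finding(code, "medium",
                                            f"Run entry [{r.group(2)}] launches unqualified name {exe}", raw))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:4} {f.reason}")
```

Run it as-is to triage the constructed excerpt, or pass the text of a saved HijackThis log to triage(). The O20 rule is the one that matters most for this thread: a Notify DLL runs inside winlogon.exe, so killing svchost.exe or other user processes does not touch it, which is why the behaviour kept coming back until the DLL itself was moved.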

#4 Buckeye_Sam (Malware Expert)

Posted 24 June 2008 - 07:25 AM

Please visit the online Jotti Virus Scanner
  • Click on the [image] button.
  • Copy and paste the following filepath in the box:


    C:\WINDOWS\system32\winsusrx.dll


  • Click on the [image] button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html



Also submit this file as well.

C:\WINDOWS\system32\winsusrm.dll


========================================================

#5 sinatra (Topic Starter)

Posted 24 June 2008 - 08:55 AM

Hi Sam,

Both of the files are clean.

I would still love to find the exact cause, though. I also submitted the .dll that you had me move, "admxprox32.dll".
Sophos Antivirus came up with: Found SUS/Behav 1021 (probable variant). All the others found nothing. You probably knew that already.

Please let me know if there is anything else to check.

#6 Buckeye_Sam (Malware Expert)

Posted 24 June 2008 - 06:19 PM

Nope, everything else looks good to me.
Any problems on your end?


========================================================

#7 sinatra (Topic Starter)

Posted 24 June 2008 - 06:38 PM

Sam,

Thanks much for helping. The computer seems OK now. I am not sure how you knew that file was the problem. I saw that the file I had is recognized at one site only, "PREVX.com".

Did the OTMoveIt program take out all references that launched admxprox32.dll?

Thanks again.

#8 Buckeye_Sam (Malware Expert)

Posted 24 June 2008 - 06:52 PM

It didn't belong where it was showing up. Pretty clear it was up to no good. :thumbsup:
This isn't one of those infections that gets really deep into your registry, but it's always possible there's something left in there. The best way to determine that and be sure it's cleaned up completely is to run a good antispyware program. I like Superantispyware for that purpose.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



========================================================

#9 Buckeye_Sam (Malware Expert)

Posted 04 July 2008 - 01:33 PM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.


========================================================
