Trojan.perfco & Trojan.blusod


This topic is locked. 14 replies to this topic.

#1 BJR (Members, 19 posts)

Posted 28 July 2008 - 10:31 AM

I have an HP computer running Windows XP Pro SP2 that got infected with the Perfco and Blusod Trojans. I believe I got rid of the Blusod, but the Perfco seems to still be in there and I can't get rid of it. I keep getting a pop-up in the lower right tray that says Windows has detected a spyware infection and click here. Any help would be greatly appreciated. Thank you. I've attached the HijackThis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:40 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Laser App Enterprise\laupdate.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MI9E8D~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Access Runtime\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Access Runtime\OFFICE11\MSACCESS.EXE
C:\Program Files\Schwab Performance Technologies\PortfolioCenter\PortfolioCenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\fyi\bjr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaserAppUpdate] "C:\Program Files\Laser App Enterprise\laupdate.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI9E8D~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.advisorservices.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fin-ed.com
O17 - HKLM\Software\..\Telephony: DomainName = fin-ed.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fin-ed.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5881 bytes


#2 BJR (Topic Starter; Members, 19 posts)

Posted 28 July 2008 - 08:43 PM

Title was: Windows Xp Security Center Installer/perfco & Blusod Trojans, i cant get rid of the spyware messages still infected ~ OB

I got infected with the Blusod and Perfco Trojans. I'm pretty sure I got rid of Blusod, but Perfco is still there. Now somehow the computer installed a "Windows XP Security Center" program which I'm pretty sure is NOT legit. A "spyware detected" pop-up keeps showing up in the bottom right corner, but I'm pretty sure this is part of the infection. Any help would be greatly appreciated. Thanks, BJR

Deckard's System Scanner v20071014.68
Run by AWhipple on 2008-07-28 21:06:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as AWhipple.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:20 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Laser App Enterprise\laupdate.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\TEMP\5289.tmp
C:\WINDOWS\system32\pphc5eaj0e7wg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AWhipple.FIN-ED\Desktop\fooled.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\fyi\AWhipple.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKLM\..\Run: [lphc5eaj0e7wg] C:\WINDOWS\system32\lphc5eaj0e7wg.exe
O4 - HKLM\..\Run: [SMrhc1eaj0e7wg] C:\Program Files\rhc1eaj0e7wg\rhc1eaj0e7wg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaserAppUpdate] "C:\Program Files\Laser App Enterprise\laupdate.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI9E8D~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.advisorservices.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fin-ed.com
O17 - HKLM\Software\..\Telephony: DomainName = fin-ed.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fin-ed.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5941 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\fyi\backups\) ----------------

backup-20080725-163323-186 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
backup-20080725-163323-193 O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
backup-20080725-163323-196 O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
backup-20080725-163323-202 O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
backup-20080725-163323-210 O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
backup-20080725-163323-245 O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
backup-20080725-163323-276 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
backup-20080725-163323-293 O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
backup-20080725-163323-334 O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
backup-20080725-163323-368 O4 - HKLM\..\Run: [buritos] buritos.exe
backup-20080725-163323-533 O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
backup-20080725-163323-609 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
backup-20080725-163323-640 O15 - Trusted Zone: http://*.trymedia.com (HKLM)
backup-20080725-163323-650 O20 - AppInit_DLLs: cru629.dat
backup-20080725-163323-687 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
backup-20080725-163323-688 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080725-163323-880 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080725-163323-882 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190656873771
backup-20080725-163323-950 O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
backup-20080725-163323-973 O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
backup-20080727-174743-300 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080727-174743-334 O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
backup-20080727-174743-428 O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
backup-20080727-174743-554 O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
backup-20080727-174743-606 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
backup-20080727-174743-645 O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
backup-20080727-174743-695 O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
backup-20080727-174743-729 O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
backup-20080727-174743-761 O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
backup-20080727-174743-812 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080727-175920-246 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-175920-312 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080727-175920-327 O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
backup-20080727-175920-339 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-175920-381 O20 - AppInit_DLLs: cru629.dat
backup-20080727-175920-424 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-175920-513 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-175920-559 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-175920-671 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-175920-704 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-175920-712 O4 - HKLM\..\Run: [buritos] buritos.exe
backup-20080727-175920-803 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080727-180335-689 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080727-180335-771 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080727-181258-177 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080727-181258-260 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080727-183433-821 O20 - AppInit_DLLs: cru629.dat
backup-20080727-183905-555 O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/AWhipple/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
backup-20080727-184219-171 O20 - AppInit_DLLs: cru629.dat
backup-20080727-184219-798 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
backup-20080727-184219-881 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 bb-run (Promise driver accelerator) - c:\windows\system32\drivers\bb-run.sys <Not Verified; Promise Technology, Inc.; Promise® Disk Accelerator>
R0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
R0 Ryg07 - c:\windows\system32\drivers\ryg07.sys

S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Speed Disk service - c:\progra~1\norton~2\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&180DF4C5&0&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&180DF4C5&0&01
Service: NVENETFD


-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-28 15:25:17 0 d-------- C:\Program Files\rhc1eaj0e7wg
2008-07-28 15:24:30 60928 --a------ C:\WINDOWS\system32\blphc5eaj0e7wg.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-28 15:24:26 110080 --a------ C:\WINDOWS\system32\lphc5eaj0e7wg.exe
2008-07-27 18:33:09 0 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-07-25 16:28:23 0 d-------- C:\Program Files\bjr
2008-07-25 16:23:47 0 d-------- C:\Program Files\Trend Micro
2008-07-25 08:16:36 12380 --a------ C:\WINDOWS\wejuv.com
2008-07-25 08:16:36 13796 --a------ C:\WINDOWS\system32\cudemed.vbs
2008-07-25 08:16:36 12257 --a------ C:\WINDOWS\kozy.bin
2008-07-25 08:16:36 18901 --a------ C:\WINDOWS\dagew.sys
2008-07-25 08:16:36 15572 --a------ C:\Program Files\Common Files\qowiryzaku.bin
2008-07-25 08:06:07 304332 --a------ C:\WINDOWS\system32\winivstr.exe
2008-07-25 08:06:07 0 d-------- C:\Documents and Settings\AWhipple.FIN-ED\Application Data\rhc1eaj0e7wg
2008-07-24 16:41:26 94208 --a------ C:\WINDOWS\system32\pphc5eaj0e7wg.exe
2008-07-23 20:15:15 30848 --a------ C:\WINDOWS\system32\drivers\Ryg07.sys
2008-07-23 16:15:10 9216 --a------ C:\WINDOWS\system32\buritos.exe
2008-07-23 16:15:10 9216 --a------ C:\WINDOWS\buritos.exe
2008-07-23 16:13:06 33280 --a------ C:\WINDOWS\system32\crypts.dll
2008-07-23 16:13:04 104 --a------ C:\WINDOWS\system32\delself.bat
2008-07-23 16:13:04 9216 --a------ C:\WINDOWS\system32\braviax.exe
2008-07-02 12:04:25 0 d-------- C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Sonic


-- Find3M Report ---------------------------------------------------------------

2008-07-28 17:17:00 0 d-------- C:\Program Files\ProTracker Advantage
2008-07-28 12:09:10 0 d-------- C:\Documents and Settings\AWhipple.FIN-ED\Application Data\AdobeUM
2008-07-25 16:51:06 0 d-------- C:\Program Files\Lavasoft
2008-07-25 16:50:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 08:16:36 0 d-------- C:\Program Files\Common Files
2008-07-25 08:16:36 13176 --a------ C:\Program Files\Common Files\akyfubora.db
2008-07-25 08:16:36 14299 --a------ C:\Documents and Settings\AWhipple.FIN-ED\Application Data\ijufu.ban
2008-07-25 08:16:36 18669 --a------ C:\Documents and Settings\AWhipple.FIN-ED\Application Data\hyqy.dl
2008-07-24 15:21:40 0 d-------- C:\Program Files\DYMO Label
2008-07-18 14:42:34 0 d-------- C:\Program Files\Laser App Enterprise
2008-06-19 08:07:19 0 d-------- C:\Program Files\GhostWare


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 05:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/09/2006 10:50 PM]
"nwiz"="nwiz.exe" [05/09/2006 10:50 PM C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/22/2005 06:14 PM]
"@"="" []
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/15/2006 06:34 PM]
"RTHDCPL"="RTHDCPL.EXE" [03/08/2006 12:54 AM C:\WINDOWS\RTHDCPL.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/09/2006 10:50 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"vptray"="C:\PROGRA~1\NavNT\vptray.exe" [07/30/2002 11:35 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 06:41 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"buritos"="buritos.exe" [07/27/2008 05:51 PM C:\WINDOWS\system32\buritos.exe]
"lphc5eaj0e7wg"="C:\WINDOWS\system32\lphc5eaj0e7wg.exe" [07/28/2008 03:24 PM]
"SMrhc1eaj0e7wg"="C:\Program Files\rhc1eaj0e7wg\rhc1eaj0e7wg.exe" [07/28/2008 10:01 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"LaserAppUpdate"="C:\Program Files\Laser App Enterprise\laupdate.exe" [07/18/2008 02:42 PM]

C:\Documents and Settings\AWhipple.FIN-ED\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2/29/2008 12:36:14 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 2:19:50 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 10:07:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ryg07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
C:\Program Files\DISC\DiscUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\Program Files\NavNT\vptray.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5316de77-17f2-11db-a182-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- Hosts -----------------------------------------------------------------------

10.0.0.26 fin-ed


-- End of Deckard's System Scanner: finished at 2008-07-28 21:09:15 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3800+
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1022.48 MiB / 481.18 MiB
Pagefile Memory (total/avail): 5014.5 MiB / 4551.14 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.34 MiB

C: is Fixed (NTFS) - 224.67 GiB total, 204.07 GiB free.
D: is Fixed (FAT32) - 8.19 GiB total, 0.54 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
M: is Network (NTFS)
P: is Network (NTFS)
R: is Network (NTFS)
S: is Network (NTFS)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST3250824AS - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 224.67 GiB - C:
\PARTITION1 - Unknown - 8.2 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe"="C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe:*:Enabled:SPTServer.exe"
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe"="C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe:*:Enabled:PortfolioCenter"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe"="C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe:*:Enabled:SPTServer.exe"
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe"="C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe:*:Enabled:PortfolioCenter"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\AWhipple.FIN-ED\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPAQDESKTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\AWhipple.FIN-ED
LOGONSERVER=\\PLATO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\AWHIPP~1.FIN\LOCALS~1\Temp
TMP=C:\DOCUME~1\AWHIPP~1.FIN\LOCALS~1\Temp
USERDNSDOMAIN=FIN-ED.COM
USERDOMAIN=FIN-ED
USERNAME=AWhipple
USERPROFILE=C:\Documents and Settings\AWhipple.FIN-ED
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

brad (admin)
tschumann.FIN-ED (admin)
AWhipple (admin)
AWhipple.FIN-ED (admin)
administrator.FIN-ED (admin)
tschumann

Compaq_Administrator (admin)
tschumann.TEDCOMPUTER (new local, admin)
Administrator (admin)
Administrator.LJPR (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Creative Suite --> C:\PROGRA~1\INSTAL~1\{D52EC~1\setup.exe /Relaunched=yes /Uninstall /Relaunched=yes
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Agere Systems PCI-SV92PP Soft Modem --> agrsmdel
AntivirXP08 --> "C:\Program Files\rhc1eaj0e7wg\uninstall.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{C5E211F5-7E9A-4D0A-88F0-D5E1FB849ABA}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI MCE Control Panel --> MsiExec.exe /X{F6E97C07-B897-4C8C-AA9B-C8E0A85BC858}
ATI Parental Control & Encoder --> MsiExec.exe /I{8D70145A-3BD3-4DBF-9CBF-223EF4A43257}
CFP Comprehensive Practice Exam 1.2.72 --> "C:\Program Files\Keir Educational Resources\1_2_72\unins000.exe"
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
DGE-530T --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{3294DF7D-9A5B-443E-85D3-A00486AA0A92}
DISCover --> "C:\Program Files\DISC\uninstall.exe"
DYMO Label Software --> C:\PROGRA~1\DYMOLA~1\UNINSTAL.EXE /U C:\PROGRA~1\DYMOLA~1\INSTALL.LOG
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
Fidelity Advisor CHANNEL --> MsiExec.exe /I{DF25C8A7-8175-4B9F-A02C-8CA1DC03E5E6}
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
GhostFill 5 --> MsiExec.exe /I{184BE6C1-0AF1-4BB0-88E7-7ACB0C77AF33}
GNU Ghostscript 7.06 --> C:\PROGRA~1\GNUGS\uninstgs.exe "C:\PROGRA~1\GNUGS\gs7.06\uninstal.txt"
GNU Ghostscript Fonts --> C:\PROGRA~1\GNUGS\uninstgs.exe "C:\PROGRA~1\GNUGS\fonts\uninstal.txt"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\fyi\HijackThis.exe" /uninstall
HP Boot Optimizer --> MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP Driver Diagnostics --> MsiExec.exe /I{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}
HP DVD Play 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Game Console --> "C:\Program Files\WildTangent\Apps\HP Game Console\Uninstall.exe"
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Rhapsody --> C:\PROGRA~1\HPRHAP~1\Unwise32.exe /A C:\PROGRA~1\HPRHAP~1\install.log
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Support Overview --> "C:\WINDOWS\unins000.exe"
HP Web Helper --> regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll"
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KPrint --> C:\WINDOWS\KPUNINST.EXE
Kyocera KM-5050 Product Library --> C:\Program Files\Kyocera\KM-5050\KmUninstall.exe
Kyocera TWAIN Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{FF21E219-85A1-474F-B4D3-7D0505E21731} /l1033
Laser App Enterprise --> MsiExec.exe /I{CAF5A879-9647-4A05-A366-29E6DBF0D868}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Away Mode -->
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Access 2003 Runtime --> MsiExec.exe /I{901C0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (FACW) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft SQL Server Native Client --> MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Norton SystemWorks 2002 --> MsiExec.exe /I{43C3D832-AC96-463A-8FE4-1B8D1BFA2FA3}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PC-Doctor 5 for Windows --> C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
PortfolioCenter --> C:\Program Files\InstallShield Installation Information\{662608C6-597C-46F0-9D13-248BD7BEA3EC}\setup.exe -runfromtemp -l0x0409
ProTracker Advantage --> MsiExec.exe /I{291AF834-1798-44E2-9B5F-804F80078032}
ProTracker Advantage 5 --> "C:\WINDOWS\unins001.exe"
ProTracker PDF Writer --> C:\Program Files\ProTracker Advantage\PDF\uninstpw.exe C:\Program Files\ProTracker Advantage\PDF
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
SchwabLink Desktop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83287AA0-14B2-11D5-95ED-00C04FBE860F}\setup.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Express Labeler --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Tradewinds --> "C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
VNC Free Edition 4.1.1 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
West's Drafting Wills and Trust Agreements --> MsiExec.exe /X{A745E4AF-B7EA-4060-BFFF-8F4840DE98D5}
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB919803 --> "C:\WINDOWS\$NtUninstallKB919803$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type13314 / Error
Event Submitted/Written: 07/28/2008 07:37:51 PM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event Record #/Type13313 / Error
Event Submitted/Written: 07/28/2008 05:47:51 PM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event Record #/Type13312 / Error
Event Submitted/Written: 07/28/2008 03:52:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module urlmon.dll, version 6.0.2900.3231, fault address 0x0003b5ce.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type13311 / Error
Event Submitted/Written: 07/28/2008 03:40:36 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module urlmon.dll, version 6.0.2900.3231, fault address 0x0003b5ce.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type13309 / Error
Event Submitted/Written: 07/28/2008 11:44:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x1003546c.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30999 / Warning
Event Submitted/Written: 07/28/2008 07:37:51 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server ldap/plato.fin-ed.com/fin-ed.com@fin-ed.com. No authentication protocol was available.

Event Record #/Type30998 / Warning
Event Submitted/Written: 07/28/2008 05:47:51 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server ldap/plato.fin-ed.com/fin-ed.com@fin-ed.com. No authentication protocol was available.

Event Record #/Type30964 / Error
Event Submitted/Written: 07/27/2008 06:34:47 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Norton Unerase Protection Driver service failed to start due to the following error:
%%1117

Event Record #/Type30954 / Error
Event Submitted/Written: 07/27/2008 06:34:47 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Symantec AntiVirus Client service to connect.

Event Record #/Type30953 / Error
Event Submitted/Written: 07/27/2008 06:34:47 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the DefWatch service to connect.



-- End of Deckard's System Scanner: finished at 2008-07-28 21:09:15 ------------

Merged topics. ~ OB

Edited by Orange Blossom, 28 July 2008 - 11:10 PM.


#3 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:06:56 AM

Posted 04 August 2008 - 11:06 AM

Hi there and welcome to BC! :thumbsup:

Please download ComboFix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#4 BJR

BJR
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 04 August 2008 - 11:54 AM

Thanks in advance. Here is the ComboFix log followed by the HijackThis log.



ComboFix 08-08-03.05 - AWhipple 2008-08-04 12:11:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.488 [GMT -4:00]
Running from: C:\Documents and Settings\AWhipple.FIN-ED\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\#SharedObjects\B8BBFMQ5\interclick.com
C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\#SharedObjects\B8BBFMQ5\interclick.com\ud.sol
C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\AWhipple.FIN-ED\Local Settings\Temporary Internet Files\dykuku._dl
C:\Documents and Settings\AWhipple.FIN-ED\Local Settings\Temporary Internet Files\eripi.bin
C:\Documents and Settings\AWhipple.FIN-ED\Local Settings\Temporary Internet Files\gyfycu.ban
C:\Documents and Settings\AWhipple.FIN-ED\Local Settings\Temporary Internet Files\hubyd.reg
C:\Documents and Settings\AWhipple\Application Data\macromedia\Flash Player\#SharedObjects\B8BBFMQ5\interclick.com
C:\Documents and Settings\AWhipple\Application Data\macromedia\Flash Player\#SharedObjects\B8BBFMQ5\interclick.com\ud.sol
C:\Documents and Settings\AWhipple\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\AWhipple\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\tschumann\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 12:51 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 21:06 . 2008-07-28 21:06 <DIR> d-------- C:\Deckard
2008-07-27 18:33 . 2008-07-27 18:33 0 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-07-25 16:28 . 2008-07-25 16:28 <DIR> d-------- C:\Program Files\bjr
2008-07-25 16:23 . 2008-07-25 16:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 08:16 . 2008-07-25 08:16 18,901 --a------ C:\WINDOWS\dagew.sys
2008-07-25 08:16 . 2008-07-25 08:16 15,572 --a------ C:\Program Files\Common Files\qowiryzaku.bin
2008-07-25 08:16 . 2008-07-25 08:16 15,193 --a------ C:\WINDOWS\system32\bacuqis._dl
2008-07-25 08:16 . 2008-07-25 08:16 13,796 --a------ C:\WINDOWS\system32\cudemed.vbs
2008-07-25 08:16 . 2008-07-25 08:16 12,380 --a------ C:\WINDOWS\wejuv.com
2008-07-25 08:16 . 2008-07-25 08:16 12,257 --a------ C:\WINDOWS\kozy.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 16:07 --------- d-----w C:\Program Files\ProTracker Advantage
2008-08-04 13:44 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\AdobeUM
2008-08-01 18:48 --------- d-----w C:\Program Files\DYMO Label
2008-07-25 20:51 --------- d-----w C:\Program Files\Lavasoft
2008-07-25 20:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 12:16 13,176 ----a-w C:\Program Files\Common Files\akyfubora.db
2008-07-18 18:42 --------- d-----w C:\Program Files\Laser App Enterprise
2008-07-02 16:04 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Sonic
2008-06-19 12:07 --------- d-----w C:\Program Files\GhostWare
2008-05-09 20:55 61,224 ----a-w C:\Documents and Settings\AWhipple.FIN-ED\GoToAssistDownloadHelper.exe
2008-01-14 15:08 8,449,024 ----a-w C:\Program Files\u101-102.msp
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"LaserAppUpdate"="C:\Program Files\Laser App Enterprise\laupdate.exe" [2008-07-18 14:42 1389336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 17:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 22:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 18:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 18:34 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-05-09 22:50 86016]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"vptray"="C:\PROGRA~1\NavNT\vptray.exe" [2002-07-30 11:35 77824]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"nwiz"="nwiz.exe" [2006-05-09 22:50 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator.LJPR\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-04 08:45:40 27136]

C:\Documents and Settings\AWhipple.FIN-ED\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-02-29 12:36:14 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ryg07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2006-03-15 22:12 1077248 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2006-03-15 22:11 61440 C:\Program Files\DISC\DISCUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 02:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2002-07-30 11:35 77824 C:\Program Files\NavNT\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-03-08 00:54 16010240 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM

R2 MSSQL$FACW;MSSQL$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [2005-05-04 00:04]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
S0 Ryg07;Ryg07;C:\WINDOWS\system32\Drivers\Ryg07.sys []
S3 SQLAgent$FACW;SQLAgent$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [2005-05-03 21:42]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-buritos - buritos.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O15 -: Trusted Zone: *.advisorservices.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 12:43:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Mace.exe
.
**************************************************************************
.
Completion time: 2008-08-04 12:46:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 16:46:50

Pre-Run: 220,121,124,864 bytes free
Post-Run: 220,749,225,984 bytes free

174
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:15 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Laser App Enterprise\laupdate.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\mace.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\fyi\bjr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaserAppUpdate] "C:\Program Files\Laser App Enterprise\laupdate.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI9E8D~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.advisorservices.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fin-ed.com
O17 - HKLM\Software\..\Telephony: DomainName = fin-ed.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fin-ed.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5740 bytes

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:56 AM

Posted 04 August 2008 - 04:19 PM

Good work, let's continue. :thumbsup:

Click start > run and type: notepad, then hit enter.
Copy and paste the following text into the window.

File::
C:\WINDOWS\dagew.sys
C:\Program Files\Common Files\qowiryzaku.bin
C:\WINDOWS\system32\Drivers\Ryg07.sys
C:\WINDOWS\system32\bacuqis._dl
C:\WINDOWS\system32\cudemed.vbs
C:\WINDOWS\wejuv.com
C:\WINDOWS\kozy.bin
C:\Program Files\Common Files\akyfubora.db

Driver::
Ryg07.sys

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
Posted Image
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Combofix will run, and a text file will open. Please post it back here.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#6 BJR

BJR
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 05 August 2008 - 03:06 PM

Sorry it took so long, that Kaspersky takes forever. Below are the new ComboFix, HijackThis and Kaspersky logs.

ComboFix 08-08-03.05 - AWhipple 2008-08-05 8:11:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.594 [GMT -4:00]
Running from: C:\Documents and Settings\AWhipple.FIN-ED\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AWhipple.FIN-ED\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 12:51 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 21:06 . 2008-07-28 21:06 <DIR> d-------- C:\Deckard
2008-07-27 18:33 . 2008-07-27 18:33 0 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-07-25 16:28 . 2008-07-25 16:28 <DIR> d-------- C:\Program Files\bjr
2008-07-25 16:23 . 2008-07-25 16:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 08:16 . 2008-07-25 08:16 18,901 --a------ C:\WINDOWS\dagew.sys
2008-07-25 08:16 . 2008-07-25 08:16 15,572 --a------ C:\Program Files\Common Files\qowiryzaku.bin
2008-07-25 08:16 . 2008-07-25 08:16 15,193 --a------ C:\WINDOWS\system32\bacuqis._dl
2008-07-25 08:16 . 2008-07-25 08:16 13,796 --a------ C:\WINDOWS\system32\cudemed.vbs
2008-07-25 08:16 . 2008-07-25 08:16 12,380 --a------ C:\WINDOWS\wejuv.com
2008-07-25 08:16 . 2008-07-25 08:16 12,257 --a------ C:\WINDOWS\kozy.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 21:10 --------- d-----w C:\Program Files\ProTracker Advantage
2008-08-04 20:23 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\AdobeUM
2008-08-01 18:48 --------- d-----w C:\Program Files\DYMO Label
2008-07-25 20:51 --------- d-----w C:\Program Files\Lavasoft
2008-07-25 20:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 12:16 13,176 ----a-w C:\Program Files\Common Files\akyfubora.db
2008-07-18 18:42 --------- d-----w C:\Program Files\Laser App Enterprise
2008-07-02 16:04 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Sonic
2008-06-19 12:07 --------- d-----w C:\Program Files\GhostWare
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 20:55 61,224 ----a-w C:\Documents and Settings\AWhipple.FIN-ED\GoToAssistDownloadHelper.exe
2008-01-14 15:08 8,449,024 ----a-w C:\Program Files\u101-102.msp
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_12.46.36.83 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-05 12:01:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"LaserAppUpdate"="C:\Program Files\Laser App Enterprise\laupdate.exe" [2008-07-18 14:42 1389336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 17:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 22:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 18:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 18:34 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-05-09 22:50 86016]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"vptray"="C:\PROGRA~1\NavNT\vptray.exe" [2002-07-30 11:35 77824]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"nwiz"="nwiz.exe" [2006-05-09 22:50 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator.LJPR\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-04 08:45:40 27136]

C:\Documents and Settings\AWhipple.FIN-ED\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-02-29 12:36:14 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ryg07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2006-03-15 22:12 1077248 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2006-03-15 22:11 61440 C:\Program Files\DISC\DISCUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 02:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2002-07-30 11:35 77824 C:\Program Files\NavNT\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-03-08 00:54 16010240 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM

R2 MSSQL$FACW;MSSQL$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [2005-05-04 00:04]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
S0 Ryg07;Ryg07;C:\WINDOWS\system32\Drivers\Ryg07.sys []
S3 SQLAgent$FACW;SQLAgent$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [2005-05-03 21:42]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 08:14:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-08-05 8:15:03
ComboFix-quarantined-files.txt 2008-08-05 12:14:56
ComboFix2.txt 2008-08-04 16:46:53

Pre-Run: 220,882,350,080 bytes free
Post-Run: 220,872,712,192 bytes free

134

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:28 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Laser App Enterprise\laupdate.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\mace.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MI9E8D~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Access Runtime\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Schwab Performance Technologies\PortfolioCenter\PortfolioCenter.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Access Runtime\OFFICE11\MSACCESS.EXE
C:\Program Files\Laser App Enterprise\elas.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Trend Micro\fyi\bjr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaserAppUpdate] "C:\Program Files\Laser App Enterprise\laupdate.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI9E8D~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.advisorservices.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fin-ed.com
O17 - HKLM\Software\..\Telephony: DomainName = fin-ed.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fin-ed.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6184 bytes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 05, 2008 10:24:06
Records in database: 1056681
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
M:\
P:\
R:\
S:\
T:\
Z:\

Scan statistics:
Files scanned: 275888
Threat name: 23
Infected objects: 55
Suspicious objects: 0
Duration of the scan: 05:04:54


File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03D80000.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03D80001.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05140002.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05140003.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05140004.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05140005.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05300000.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05300001.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05300002.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05300003.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F2C0000.VBN Infected: Rootkit.Win32.Agent.byr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10D80002.VBN Infected: Trojan-Downloader.Win32.Agent.xiz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10D80003.VBN Infected: Trojan-Downloader.Win32.Agent.xiz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10D80004.VBN Infected: Trojan-Downloader.Win32.Agent.xiz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10D80005.VBN Infected: Trojan-Downloader.Win32.Agent.xiz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18A80000.VBN Infected: Trojan-Spy.Win32.Zbot.dji 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18A80001.VBN Infected: Trojan-Spy.Win32.Zbot.dji 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\22200000.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\22200001.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\22200002.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\22200003.VBN Infected: Backdoor.Win32.Small.eug 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\I386\APPS\APP23492\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP23492\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\adlinstallwin32.exe Infected: Trojan-Downloader.Win32.IstBar.er 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\adlinstallwin32.exe Infected: not-a-virus:AdWare.Win32.Adstart.b 4
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.Agent.ac 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.Turown.h 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.Turown.g 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.VB.cw 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: Backdoor.Win32.Ruledor.c 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.Apropo.e 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: not-a-virus:AdWare.Win32.EZula.l 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.QDown.j 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\ClrSch\FNuninstaller.EXE Infected: not-a-virus:AdWare.Win32.ClearSearch.n 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\ClrSch\FNuninstaller.EX_ Infected: not-a-virus:AdWare.Win32.ClearSearch.n 1
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\Tvm.upd Infected: not-a-virus:AdWare.Win32.TotalVelocity.p 3
M:\DebbieBUHome\Documents and Settings\Debbie\Local Settings\Temp\update_1.exe Infected: not-a-virus:AdWare.Win32.WinFetcher.e 1
M:\DebbieBUHome\Documents and Settings\Sarah\Desktop\MediaTicket.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.f 1
M:\DebbieBUHome\Documents and Settings\Sarah\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.Agent.xh 1
M:\DebbieBUHome\Documents and Settings\Sarah\My Documents\download\cheerchicky0298\MediaTicket.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.f 1
M:\LJPR Archived Client e-mails\archive.pst Infected: Email-Worm.VBS.KakWorm 1
M:\New Folder\SAntonelli\New Folder\Desktop\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
M:\New Folder\SAntonelli\New Folder\Desktop\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
M:\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
M:\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.


Thank you
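Added example, not code from this thread or from ComboFix: a script that cross-checks a CFScript against the ComboFix log it produced, so a helper can see at a glance which File:: entries were actually removed (listed under "Other Deletions"), which are still on disk (still listed under "Files Created" or "Find3M"), and whether the Driver:: service line is still present. It assumes only the log layout visible in the posts in this topic; the sample inputs are constructed, shortened excerpts modelled on the 5 and 6 August ComboFix logs.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote for it.

Added example, not code from this thread or from ComboFix. It assumes only the
log layout visible in the posts above: "(((( Name ))))" section banners, an
"Other Deletions" section of removed paths, "Files Created" / "Find3M Report"
lines ending in the path, and service lines like "S0 Ryg07;Ryg07;<path> []".
"""
import re

BANNER_RE = re.compile(r'^\(+\s*(.*?)\s*\)+$')
PATH_RE = re.compile(r'([A-Za-z]:\\.+)$')  # drive-letter path ending a line


def parse_cfscript(text):
    """Return {'File': [paths], 'Driver': [names]} from a CFScript body."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        head = re.match(r'^(\w+)::$', line)
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Split a ComboFix log into {banner name: [lines]} ('header' before the first banner)."""
    sections, current = {'header': []}, 'header'
    for line in (l.rstrip() for l in text.splitlines()):
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def check_fix(cfscript_text, log_text):
    """Report what the log says happened to each CFScript entry.

    File:: -> 'deleted' (under Other Deletions), 'still present' (still under
    Files Created / Find3M) or 'not listed'. Driver:: -> 'service still
    registered' when a service line for that name remains in Reg Loading Points.
    """
    script, log = parse_cfscript(cfscript_text), parse_combofix_log(log_text)
    deleted, present, service_lines = set(), set(), []
    for name, lines in log.items():
        paths = {m.group(1).lower() for m in map(PATH_RE.search, lines) if m}
        if name.startswith('Other Deletions'):
            deleted |= paths
        elif name.startswith(('Files Created', 'Find3M')):
            present |= paths
        elif name.startswith('Reg Loading Points'):
            service_lines = lines
    files = {}
    for path in script.get('File', []):
        key = path.lower()
        files[path] = ('deleted' if key in deleted else
                       'still present' if key in present else 'not listed')
    drivers = {}
    for drv in script.get('Driver', []):
        stem = re.escape(re.sub(r'\.sys$', '', drv, flags=re.I))
        svc = re.compile(r'^[RS]\d+\s+' + stem + r';', re.I)
        hit = any(svc.match(l.strip()) for l in service_lines)
        drivers[drv] = 'service still registered' if hit else 'service not listed'
    return {'files': files, 'drivers': drivers}


# Constructed inputs: the thread's CFScript and two shortened log excerpts
# modelled on the 5 Aug and 6 Aug ComboFix logs posted in this topic.
CFSCRIPT = r"""
File::
C:\WINDOWS\dagew.sys
C:\Program Files\Common Files\qowiryzaku.bin
C:\WINDOWS\system32\Drivers\Ryg07.sys
C:\Program Files\Common Files\akyfubora.db

Driver::
Ryg07.sys
"""
LOG_FIRST_RUN = r"""
(((((((( Files Created from 2008-07-05 to 2008-08-05 ))))))))
2008-07-25 08:16 . 2008-07-25 08:16 18,901 --a------ C:\WINDOWS\dagew.sys
2008-07-25 08:16 . 2008-07-25 08:16 15,572 --a------ C:\Program Files\Common Files\qowiryzaku.bin
(((((((( Find3M Report ))))))))
2008-07-25 12:16 13,176 ----a-w C:\Program Files\Common Files\akyfubora.db
(((((((( Reg Loading Points ))))))))
S0 Ryg07;Ryg07;C:\WINDOWS\system32\Drivers\Ryg07.sys []
"""
LOG_SECOND_RUN = r"""
(((((((( Other Deletions ))))))))
C:\Program Files\Common Files\akyfubora.db
C:\Program Files\Common Files\qowiryzaku.bin
C:\WINDOWS\dagew.sys
C:\WINDOWS\system32\Drivers\Ryg07.sys
(((((((( Reg Loading Points ))))))))
S0 Ryg07;Ryg07;C:\WINDOWS\system32\Drivers\Ryg07.sys []
"""

if __name__ == '__main__':
    for label, log in (('5 Aug run', LOG_FIRST_RUN), ('6 Aug run', LOG_SECOND_RUN)):
        report = check_fix(CFSCRIPT, log)
        print(label, {**report['files'], **report['drivers']})
```

On the 5 August excerpt every File:: entry comes back as still present or not listed; on the 6 August excerpt all four come back as deleted, while the Ryg07 service line is reported as still registered in both, exactly as the two logs in this topic show it.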

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:56 AM

Posted 06 August 2008 - 01:39 PM

There was a bug in the previous version of Combofix which meant the fix didn't work!
Please delete the version of combofix you previously had, and download a new one here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then please follow the instructions below again and they should work this time!
Click start > run and type: notepad, then hit enter.
Copy and paste the following text into the window.

File::
C:\WINDOWS\dagew.sys
C:\Program Files\Common Files\qowiryzaku.bin
C:\WINDOWS\system32\Drivers\Ryg07.sys
C:\WINDOWS\system32\bacuqis._dl
C:\WINDOWS\system32\cudemed.vbs
C:\WINDOWS\wejuv.com
C:\WINDOWS\kozy.bin
C:\Program Files\Common Files\akyfubora.db

Driver::
Ryg07.sys

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
Posted Image
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Combofix will run, and a text file will open. Please post it back here.

#8 BJR

BJR
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 06 August 2008 - 03:11 PM

Here it is.

ComboFix 08-08-06.01 - AWhipple 2008-08-06 16:01:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.620 [GMT -4:00]
Running from: C:\Documents and Settings\AWhipple.FIN-ED\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AWhipple.FIN-ED\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\akyfubora.db
C:\Program Files\Common Files\qowiryzaku.bin
C:\WINDOWS\dagew.sys
C:\WINDOWS\kozy.bin
C:\WINDOWS\system32\bacuqis._dl
C:\WINDOWS\system32\cudemed.vbs
C:\WINDOWS\system32\Drivers\Ryg07.sys
C:\WINDOWS\wejuv.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\#SharedObjects\B8BBFMQ5\interclick.com
C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\#SharedObjects\B8BBFMQ5\interclick.com\ud.sol
C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\AWhipple.FIN-ED\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Common Files\akyfubora.db
C:\Program Files\Common Files\qowiryzaku.bin
C:\WINDOWS\dagew.sys
C:\WINDOWS\kozy.bin
C:\WINDOWS\system32\bacuqis._dl
C:\WINDOWS\system32\cudemed.vbs
C:\WINDOWS\system32\REGOBJ.DLL
C:\WINDOWS\wejuv.com

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 12:51 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 21:06 . 2008-07-28 21:06 <DIR> d-------- C:\Deckard
2008-07-27 18:33 . 2008-07-27 18:33 0 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-07-25 16:28 . 2008-07-25 16:28 <DIR> d-------- C:\Program Files\bjr
2008-07-25 16:23 . 2008-07-25 16:23 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 19:58 --------- d-----w C:\Program Files\ProTracker Advantage
2008-08-05 19:51 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\AdobeUM
2008-08-05 16:31 --------- d-----w C:\Program Files\DYMO Label
2008-07-25 20:51 --------- d-----w C:\Program Files\Lavasoft
2008-07-25 20:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 18:42 --------- d-----w C:\Program Files\Laser App Enterprise
2008-07-02 16:04 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Sonic
2008-06-19 12:07 --------- d-----w C:\Program Files\GhostWare
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 20:55 61,224 ----a-w C:\Documents and Settings\AWhipple.FIN-ED\GoToAssistDownloadHelper.exe
2008-01-14 15:08 8,449,024 ----a-w C:\Program Files\u101-102.msp
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_12.46.36.83 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-05 12:01:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"LaserAppUpdate"="C:\Program Files\Laser App Enterprise\laupdate.exe" [2008-07-18 14:42 1389336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 17:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 22:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 18:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 18:34 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-05-09 22:50 86016]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"vptray"="C:\PROGRA~1\NavNT\vptray.exe" [2002-07-30 11:35 77824]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"nwiz"="nwiz.exe" [2006-05-09 22:50 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator.LJPR\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-04 08:45:40 27136]

C:\Documents and Settings\AWhipple.FIN-ED\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-02-29 12:36:14 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ryg07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2006-03-15 22:12 1077248 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2006-03-15 22:11 61440 C:\Program Files\DISC\DISCUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 02:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2002-07-30 11:35 77824 C:\Program Files\NavNT\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-03-08 00:54 16010240 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM

R2 MSSQL$FACW;MSSQL$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [2005-05-04 00:04]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
S0 Ryg07;Ryg07;C:\WINDOWS\system32\Drivers\Ryg07.sys []
S3 SQLAgent$FACW;SQLAgent$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [2005-05-03 21:42]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 16:04:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-08-06 16:05:08
ComboFix-quarantined-files.txt 2008-08-06 20:05:04
ComboFix2.txt 2008-08-05 12:15:05
ComboFix3.txt 2008-08-04 16:46:53

Pre-Run: 220,734,230,528 bytes free
Post-Run: 220,797,743,104 bytes free

152

Thanks

#9 -David- (Members, 10,603 posts, London)

Posted 06 August 2008 - 03:23 PM

Delete the previous CFScript.txt that's on your desktop. :thumbsup:

Click start > run and type: notepad, then hit enter.
Copy and paste in the following text into the window.

Driver::
Ryg07

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Combofix will run, and a text file will open. Please post it back here.

I want you to remove a few infected quarantined files from your Norton Antivirus.
The instructions depend on the version of Norton that you are running
Please visit the following link, and follow the instructions by clicking on the appropriate version:
http://service1.symantec.com/SUPPORT/nav.n...000041213443506

Find and delete the following two files on what seems to be an external drive (M:)
M:\DebbieBUHome\Documents and Settings\Sarah\Desktop\MediaTicket.exe
M:\DebbieBUHome\Documents and Settings\Sarah\My Documents\download\cheerchicky0298\MediaTicket.exe

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

I also want you to clean your cache and cookies from your firefox browser.
There are a few infected files which need to be removed from your system.

° Open the firefox browser.
° Click on the "tools" button and click on "options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Then please post a new Hijackthis log for inspection.
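
As an added example, not part of this thread and not ComboFix's own code, here is a small Python script that reads the "Reg Loading Points" part of a ComboFix log like the ones posted above and flags what the helper acted on: the S0 Ryg07 driver whose image path has no file timestamp, its SafeBoot\Minimal entry (which would make it load in Safe Mode as well), the Security Center DisableNotify values, the disabled Windows Firewall and the globally open port. It then builds the same "Driver::" CFScript stanza from the drivers that have no file on disk. The sample log embedded in it is constructed from the lines posted above; the exact shape of the service lines and the reading of an empty "[]" as "ComboFix found no file to stamp" are assumptions, not documented ComboFix behaviour.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for the indicators acted on above.

Added example (not ComboFix's code and not from the thread's participants).
Assumptions, labelled here and in the comments: ComboFix's service lines are
'<R|S><start-type> <name>;<display>;<path> [<file timestamp>]' and an empty
'[]' means it found no file to stamp; the registry section is REGEDIT4-style.
"""
import re

# Constructed sample: lines copied in shape from the log posted above; not a
# live capture, and the service/registry formats are assumed as stated above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ryg07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM

R2 MSSQL$FACW;MSSQL$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [2005-05-04 00:04]
S0 Ryg07;Ryg07;C:\WINDOWS\system32\Drivers\Ryg07.sys []
S3 SQLAgent$FACW;SQLAgent$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [2005-05-03 21:42]
"""

# One ComboFix service line (assumed format): state/start type, service name,
# display name, image path, then the file timestamp in brackets (empty if no
# file was found at that path).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]$"
)


def parse_services(text):
    """Return one dict per service line (start, name, display, path, stamp)."""
    services = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            services.append(m.groupdict())
    return services


def parse_registry(text):
    """Return {key: {value_name: data}} for the REGEDIT4-style dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip()
    return keys


def triage(text):
    """Return (tag, detail) findings, in log order, for the indicators above."""
    findings = []
    for svc in parse_services(text):
        # Empty [] is taken to mean ComboFix found no file at the image path:
        # a boot-start (S0) driver with no backing file is a dead or hidden loader.
        if svc["stamp"] == "":
            findings.append(("missing-binary", f"{svc['start']} {svc['name']} -> {svc['path']}"))
    for key, values in parse_registry(text).items():
        low = key.lower()
        if "\\safeboot\\minimal\\" in low:
            # An entry under SafeBoot\Minimal makes the driver load in Safe Mode too.
            findings.append(("safeboot", key.rsplit("\\", 1)[1]))
        if low.endswith("\\security center"):
            # *DisableNotify=1 silences the AV/update warnings the user would see.
            findings += [("notify-off", n) for n, d in values.items()
                         if n.endswith("DisableNotify") and d.endswith("1")]
        if low.endswith("\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append(("firewall-off", "EnableFirewall=0"))
        if low.endswith("\\globallyopenports\\list"):
            findings += [("open-port", n) for n in values]
    return findings


def build_cfscript(text):
    """Emit the CFScript stanza the helper wrote by hand: 'Driver::' followed by
    one service name per line, for every .sys service with no file on disk.
    Read the list before feeding it to ComboFix; it removes what it is told to."""
    names = [s["name"] for s in parse_services(text)
             if s["stamp"] == "" and s["path"].lower().endswith(".sys")]
    return "Driver::\n" + "\n".join(names) + "\n" if names else ""


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:15} {detail}")
    print(build_cfscript(SAMPLE_LOG), end="")
```

Run as-is it reports six findings for the constructed sample and prints the same two-line CFScript the helper posted. The regex and key-name checks carry over to the longer logs earlier in the thread, but review the generated list before using it: ComboFix will remove whatever service names it is given, and a legitimate driver whose file is temporarily unreadable would be listed too.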

#10 BJR (Topic Starter, Members, 19 posts)

Posted 07 August 2008 - 09:13 AM

Here is ComboFix, followed by HijackThis. I don't have Firefox, but did it pick up Netscape? I cleaned both IE and Netscape browsers.

ComboFix 08-08-06.01 - AWhipple 2008-08-07 9:07:48.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.560 [GMT -4:00]
Running from: C:\Documents and Settings\AWhipple.FIN-ED\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AWhipple.FIN-ED\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RYG07
-------\Service_Ryg07


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-30 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 12:51 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 12:51 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 21:06 . 2008-07-28 21:06 <DIR> d-------- C:\Deckard
2008-07-27 18:33 . 2008-07-27 18:33 0 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-07-25 16:28 . 2008-07-25 16:28 <DIR> d-------- C:\Program Files\bjr
2008-07-25 16:23 . 2008-07-25 16:23 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 13:02 --------- d-----w C:\Program Files\ProTracker Advantage
2008-08-05 19:51 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\AdobeUM
2008-08-05 16:31 --------- d-----w C:\Program Files\DYMO Label
2008-07-25 20:51 --------- d-----w C:\Program Files\Lavasoft
2008-07-25 20:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 18:42 --------- d-----w C:\Program Files\Laser App Enterprise
2008-07-02 16:04 --------- d-----w C:\Documents and Settings\AWhipple.FIN-ED\Application Data\Sonic
2008-06-19 12:07 --------- d-----w C:\Program Files\GhostWare
2008-05-09 20:55 61,224 ----a-w C:\Documents and Settings\AWhipple.FIN-ED\GoToAssistDownloadHelper.exe
2008-01-14 15:08 8,449,024 ----a-w C:\Program Files\u101-102.msp
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_12.46.36.83 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 13:10:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"LaserAppUpdate"="C:\Program Files\Laser App Enterprise\laupdate.exe" [2008-07-18 14:42 1389336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 17:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 22:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 18:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 18:34 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-05-09 22:50 86016]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"vptray"="C:\PROGRA~1\NavNT\vptray.exe" [2002-07-30 11:35 77824]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"nwiz"="nwiz.exe" [2006-05-09 22:50 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator.LJPR\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-04 08:45:40 27136]

C:\Documents and Settings\AWhipple.FIN-ED\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-02-29 12:36:14 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ryg07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
--a------ 2006-03-15 22:12 1077248 C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
--a------ 2006-03-15 22:11 61440 C:\Program Files\DISC\DISCUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 02:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2002-07-30 11:35 77824 C:\Program Files\NavNT\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-03-08 00:54 16010240 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe"=
"C:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM

R2 MSSQL$FACW;MSSQL$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [2005-05-04 00:04]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2005-03-10 07:42]
S3 SQLAgent$FACW;SQLAgent$FACW;C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [2005-05-03 21:42]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 09:11:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Mace.exe
.
**************************************************************************
.
Completion time: 2008-08-07 9:15:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 13:14:57
ComboFix2.txt 2008-08-06 20:05:09
ComboFix3.txt 2008-08-05 12:15:05
ComboFix4.txt 2008-08-04 16:46:53

Pre-Run: 220,769,783,808 bytes free
Post-Run: 220,718,608,384 bytes free

154

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:51 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Laser App Enterprise\laupdate.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\mace.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Microsoft Access Runtime\OFFICE11\MSACCESS.EXE
C:\PROGRA~1\MI9E8D~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Access Runtime\OFFICE11\WINWORD.EXE
C:\Program Files\Schwab Performance Technologies\PortfolioCenter\PortfolioCenter.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\fyi\bjr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaserAppUpdate] "C:\Program Files\Laser App Enterprise\laupdate.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI9E8D~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.advisorservices.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fin-ed.com
O17 - HKLM\Software\..\Telephony: DomainName = fin-ed.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fin-ed.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6245 bytes

Thank you.

#11 -David- (Members, 10,603 posts, London)

Posted 07 August 2008 - 01:04 PM

Thanks for clearing the Netscape cookies, how is the PC running now?

#12 BJR (Topic Starter, Members, 19 posts)

Posted 07 August 2008 - 01:20 PM

Seems great. Do the logs look all clear?

#13 -David- (Members, 10,603 posts, London)

Posted 07 August 2008 - 01:33 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. This link has listings of stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David

#14 BJR (Topic Starter, Members, 19 posts)

Posted 07 August 2008 - 01:43 PM

Thanks a million. Have a great weekend!!

#15 -David- (Members, 10,603 posts, London)

Posted 07 August 2008 - 01:50 PM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.
