Infected With Fakealert Xpsecurity Center


This topic is locked
20 replies to this topic

#1 pumice

pumice

  • Members
  • 10 posts

Posted 04 August 2008 - 12:46 PM

It started with an error message about cmd.exe and my PC rebooted; next thing I know I'm getting massive pop-ups about virus activity. I ran my McAfee VirusScan and it detected and removed a couple of FakeAlert XPSecurity and trojans, but things only got worse after that happened...

I ran SDFix once, but the trojan is back :) I guess I'm running stuff in the wrong order :thumbsup:
Help please!

DSS report
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-05 03:42:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.6 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:42: VIRUS ALERT!, on 5/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

O2 - BHO: QXK Olive - {37355961-6141-4D45-845C-BE65438D9F66} - C:\WINDOWS\wnlmdakqpmr.dll
O2 - BHO: {ba5fbea5-f47b-ef7b-2284-ad163ccf57b7} - {7b75fcc3-61da-4822-b7fe-b74f5aebf5ab} - C:\WINDOWS\system32\snrtsi.dll
O2 - BHO: (no name) - {DF45B7B1-975B-4014-8B76-E97396965CF3} - C:\WINDOWS\system32\ddcBsrQg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: bgrqfetx - {29752075-A2DA-4AB7-97E9-C07AC3138561} - C:\WINDOWS\bgrqfetx.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKLM\..\Run: [KernelDrv.exe clean] C:\WINDOWS\System32\KernelDrv.exe clean
O4 - HKLM\..\Run: [301411c9] rundll32.exe "C:\WINDOWS\system32\dtwsepsc.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: tfnslopk - {D841000E-3175-46B5-B7D0-B73DB5918C97} - C:\WINDOWS\tfnslopk.dll
O21 - SSODL: xokvrpwg - {B6921697-DD3F-4D86-AFFD-6C67BEDD15E1} - C:\WINDOWS\xokvrpwg.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9513 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 02:12:23 0 d-------- C:\Program Files\Trend Micro
2008-08-05 02:09:57 0 d-------- C:\WINDOWS\privacy_danger
2008-08-05 01:46:24 16896 -----n--- C:\WINDOWS\system32\WinCtrl32.dll
2008-08-05 01:40:46 0 d-------- C:\WINDOWS\ERUNT
2008-08-05 01:29:02 120960 --a------ C:\WINDOWS\system32\snrtsi.dll
2008-08-05 01:29:01 120960 --a------ C:\WINDOWS\system32\ewcafvnc.dll
2008-08-05 01:26:45 99200 --a------ C:\WINDOWS\system32\dtwsepsc.dll
2008-08-05 01:26:00 232781 --ahs---- C:\WINDOWS\system32\gQrsBcdd.ini2
2008-08-05 01:25:50 323328 --a------ C:\WINDOWS\system32\ddcBsrQg.dll
2008-08-05 01:09:01 0 --a------ C:\WINDOWS\system32\ksvcl.dll
2008-08-05 01:09:01 112640 --a------ C:\WINDOWS\system32\KernelDrv.exe
2008-08-05 01:09:01 27327 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-05 01:09:01 14848 --a------ C:\WINDOWS\system32\Dll.dll
2008-08-04 22:54:26 24255 --a------ C:\WINDOWS\system32\ljJYpOHA.dll
2008-08-04 22:49:22 34176 --a------ C:\WINDOWS\system32\ddcYsstT.dll
2008-08-04 22:48:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-08-04 22:48:39 233472 --a------ C:\WINDOWS\xokvrpwg.dll
2008-08-04 22:48:39 393216 --a------ C:\WINDOWS\wnlmdakqpmr.dll
2008-08-04 22:48:39 200704 --a------ C:\WINDOWS\tfnslopk.dll
2008-08-04 22:48:39 86016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:48:39 139264 --a------ C:\WINDOWS\eefq.exe
2008-08-04 22:48:39 192512 --a------ C:\WINDOWS\bgrqfetx.dll
2008-08-04 22:18:50 13383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18:50 18650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18:50 13420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18:50 18360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18:50 12101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18:50 16764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18:50 18490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18:50 14799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18:50 18013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18:50 19362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:15:34 0 d-------- C:\QUARANTINE
2008-08-04 22:13:36 13817 --a------ C:\WINDOWS\yluvigolol.bin
2008-08-04 22:13:36 13903 --a------ C:\WINDOWS\ylunebu.dat
2008-08-04 22:13:36 14552 --a------ C:\WINDOWS\system32\wojym.dat
2008-08-04 22:13:36 19481 --a------ C:\WINDOWS\system32\nyzaxina.com
2008-08-04 22:13:36 12193 --a------ C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 22:13:36 11256 --a------ C:\WINDOWS\opybu.reg
2008-08-04 22:13:36 12531 --a------ C:\WINDOWS\opivoq.bin
2008-08-04 22:13:36 18442 --a------ C:\WINDOWS\mugoxufil.exe
2008-08-04 22:13:36 13319 --a------ C:\WINDOWS\fymavufo.reg
2008-08-04 22:13:36 18484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13:36 19688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13:36 14200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13:36 14824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13:36 18555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13:36 17887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13:36 13782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13:36 18270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13:36 13701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-07-31 22:20:42 0 d-------- C:\etax2008
2008-07-16 23:44:46 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-16 23:44:43 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-14 03:21:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14:28 0 d-------- C:\Program Files\Common Files\HP
2008-07-14 03:14:01 0 d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:13:35 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11:18 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:11:18 69416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:10:44 0 d-------- C:\temp
2008-07-13 22:42:12 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-07-13 22:42:12 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-07-13 22:42:12 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-07-13 22:42:12 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-07-13 22:42:09 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShieldR unInstaller>
2008-07-13 22:28:08 0 d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09:32 0 d-------- C:\Program Files\HP


-- Find3M Report ---------------------------------------------------------------

2008-08-04 22:18:50 0 d-------- C:\Program Files\Common Files
2008-08-04 22:18:50 19834 --a------ C:\Program Files\Common Files\lucegeb.ban
2008-08-04 22:18:50 18222 --a------ C:\Program Files\Common Files\atubi.db
2008-08-04 22:18:50 13353 --a------ C:\Documents and Settings\Administrator\Application Data\uboh.db
2008-07-26 00:41:39 44665 --a------ C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
2008-07-23 22:45:36 0 d-------- C:\Program Files\Java
2008-07-17 00:08:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 23:50:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 23:44:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-16 23:44:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-29 22:23:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 17:14:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 22:45:15 1413 --a------ C:\WINDOWS\mozver.dat
2008-06-28 22:45:13 0 d-------- C:\Program Files\DivX
2008-06-24 21:48:58 0 d-------- C:\Program Files\Nokia
2008-06-24 21:48:29 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-24 21:39:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 19:31:25 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-24 19:31:11 0 d-------- C:\Program Files\DIFX
2008-06-24 19:31:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 19:31:03 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-24 18:13:07 0 d-------- C:\Program Files\NETGEAR
2008-06-22 23:06:48 0 d-------- C:\Program Files\QuickTime
2008-06-22 23:06:04 0 d-------- C:\Program Files\Apple Software Update
2008-06-16 00:05:45 0 d-------- C:\Program Files\Veoh Networks
2008-06-05 10:12:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-05 10:09:48 0 d-------- C:\Program Files\Skype
2008-06-05 10:09:45 0 d-------- C:\Program Files\Common Files\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37355961-6141-4D45-845C-BE65438D9F66}]
04/08/2008 21:01: VIRUS ALERT! 393216 --a------ C:\WINDOWS\wnlmdakqpmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b75fcc3-61da-4822-b7fe-b74f5aebf5ab}]
05/08/2008 01:29: VIRUS ALERT! 120960 --a------ C:\WINDOWS\system32\snrtsi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF45B7B1-975B-4014-8B76-E97396965CF3}]
05/08/2008 01:25: VIRUS ALERT! 323328 --a------ C:\WINDOWS\system32\ddcBsrQg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 20:32: VIRUS ALERT!]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32: VIRUS ALERT!]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32: VIRUS ALERT!]
"RTHDCPL"="RTHDCPL.EXE" [10/04/2007 17:28: VIRUS ALERT! C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [04/04/2007 19:22: VIRUS ALERT! C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 20:43: VIRUS ALERT! C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 00:07: VIRUS ALERT!]
"nwiz"="nwiz.exe" [17/09/2007 00:07: VIRUS ALERT! C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 00:07: VIRUS ALERT!]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 14:40: VIRUS ALERT!]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50: VIRUS ALERT!]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27: VIRUS ALERT!]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [30/11/2006 08:50: VIRUS ALERT!]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 13:39: VIRUS ALERT!]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [07/09/2007 14:44: VIRUS ALERT!]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [13/09/2004 15:49: VIRUS ALERT!]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 19:54: VIRUS ALERT!]
"buritos"="buritos.exe" []
"KernelDrv.exe"="" []
"301411c9"="C:\WINDOWS\system32\dtwsepsc.dll" [05/08/2008 01:26: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 22:56: VIRUS ALERT!]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/11/2007 11:26: VIRUS ALERT!]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 11:54: VIRUS ALERT!]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 3:44:06 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/11/2007 11:26:22 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [4/11/2004 7:28:24 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispCPL"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tfnslopk"= {D841000E-3175-46B5-B7D0-B73DB5918C97} - C:\WINDOWS\tfnslopk.dll [04/08/2008 21:01: VIRUS ALERT! 200704]
"xokvrpwg"= {B6921697-DD3F-4D86-AFFD-6C67BEDD15E1} - C:\WINDOWS\xokvrpwg.dll [04/08/2008 21:01: VIRUS ALERT! 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 05/08/2008 01:46: VIRUS ALERT! 16896 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcBsrQg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winib84.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-08-05 03:43:03 ------------

Kaspersky logs
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 14:02:13
Records in database: 1053042
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 92074
Threat name: 9
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:10:28


File name / Threat name / Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Backdoor.Win32.IRCBot.epu 1
C:\Documents and Settings\Administrator\Desktop\SDfix\SDFix\apps\swsc.exe Infected: Backdoor.Win32.Hupigon.dckd 1
C:\Documents and Settings\Administrator\Desktop\SDfix\SDFix\backups\backups.zip Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm 1
C:\Documents and Settings\Administrator\Desktop\SDfix\SDFix\backups\backups.zip Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.o 1
C:\Documents and Settings\Administrator\Desktop\SDfix\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Agent.bl 1
C:\Documents and Settings\Administrator\Desktop\SDfix\SDFix\backups\backups.zip Infected: Backdoor.Win32.Small.eug 1
C:\Documents and Settings\Administrator\Desktop\SDfix\SDFix\backups\catchme.zip Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm 2
C:\Documents and Settings\Administrator\Desktop\SDFix.exe Infected: Backdoor.Win32.Hupigon.dckd 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0Z4PQJ8V\ex32de[1].exe Infected: Trojan-Downloader.Win32.Mutant.aqt 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JKPH7GG0\Binaries2[1].zip Infected: not-a-virus:FraudTool.Win32.Reanimator.d 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UJU1SRGR\Binaries1[1].zip Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.o 1
C:\WINDOWS\system32\drivers\Winib84.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

The selected area was scanned.
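Nothing in the thread spells out what makes the entries in the HijackThis log above worth attention, so here is an added triage script (the editor's example, not part of the post and not HijackThis code): it reads lines in the format posted and flags DLLs in the Winlogon Notify and SSODL slots, gibberish-named files sitting directly in the Windows directories, policy restrictions, and autoruns given without a path. The allowlist, gibberish thresholds and severities are assumptions for illustration, and the sample lines are copied from the log above.

```python
"""Triage a HijackThis log: flag autostart entries that deserve a second look."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section severity reason line")

# Constructed sample: lines copied from the HijackThis log posted above,
# mixing benign entries with the ones later removed in this thread.
SAMPLE_LOG = r"""
O2 - BHO: QXK Olive - {37355961-6141-4D45-845C-BE65438D9F66} - C:\WINDOWS\wnlmdakqpmr.dll
O2 - BHO: (no name) - {DF45B7B1-975B-4014-8B76-E97396965CF3} - C:\WINDOWS\system32\ddcBsrQg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [301411c9] rundll32.exe "C:\WINDOWS\system32\dtwsepsc.dll",b
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: tfnslopk - {D841000E-3175-46B5-B7D0-B73DB5918C97} - C:\WINDOWS\tfnslopk.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A Windows path ending in an executable-ish extension; spaces allowed, quotes/commas end it.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"\r\n,]+\\)*[^\\"\r\n,]+?\.(?:exe|dll|sys|htm)')
# A file sitting directly in the Windows or System32 directory (no deeper subfolder).
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)

# Autostart locations that load code into an always-running or privileged process.
SENSITIVE_SECTIONS = {
    "O20": "Winlogon Notify DLL: loaded into winlogon.exe at every logon",
    "O21": "ShellServiceObjectDelayLoad DLL: loaded by explorer.exe at every start",
    "O24": "Active Desktop component: local HTML rendered on the desktop",
}
# Assumed allowlist of legitimate component names that would otherwise trip the gibberish test.
KNOWN_GOOD_STEMS = {"ctfmon", "rundll32", "explorer", "svchost", "nvcpl", "nvmctray", "rthdcpl", "nwiz"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
VOWELS = set("aeiouy")


def looks_random(stem):
    """Crude gibberish test: no vowels, or a run of four or more consonants,
    in a name of at least six letters. Thresholds are tunable assumptions."""
    if stem.lower() in KNOWN_GOOD_STEMS:
        return False
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 6:
        return False
    if not any(c in VOWELS for c in letters):
        return True
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage(log_text):
    """Return one Finding per (line, reason); a single line may collect several."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group(1), m.group(2)
        if sec in SENSITIVE_SECTIONS:
            findings.append(Finding(sec, "medium", SENSITIVE_SECTIONS[sec], line))
        if sec in ("O6", "O7"):
            findings.append(Finding(sec, "medium", "policy restriction in the user hive; check which tools it disables", line))
        if sec == "O2" and "(no name)" in rest:
            findings.append(Finding(sec, "low", "BHO registered without a display name", line))
        for path in PATH_RE.findall(line):
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if WINDOWS_DIR_RE.match(path) and looks_random(stem):
                findings.append(Finding(sec, "high", "gibberish-named file in a Windows directory: " + path, line))
        if sec == "O4":
            # Registry Run value without a drive path is resolved through the search order.
            value = rest.split("] ", 1)[-1].strip()
            parts = value.split()
            stem = parts[0].rsplit(".", 1)[0] if parts else ""
            if parts and not re.search(r"[A-Za-z]:\\", value) and stem.lower() not in KNOWN_GOOD_STEMS:
                findings.append(Finding(sec, "medium", "autorun given as a bare file name: " + value, line))
    return findings


def highest_severity(findings):
    """Collapse findings to {log line: worst severity} for a quick review list."""
    worst = {}
    for f in findings:
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK.get(worst.get(f.line), -1):
            worst[f.line] = f.severity
    return worst


if __name__ == "__main__":
    for line, sev in highest_severity(triage(SAMPLE_LOG)).items():
        print(f"[{sev:6}] {line}")
```

A flagged line is a lead for the reviewer, not a verdict; legitimate entries in sensitive slots still show up at medium.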

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 August 2008 - 06:50 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you that we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution will be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 pumice

pumice
  • Topic Starter

  • Members
  • 10 posts

Posted 05 August 2008 - 07:47 AM

Many thanks for your assistance! And so the battle begins :thumbsup:

ComboFix logs
ComboFix 08-08-04.01 - Administrator 2008-08-05 22:35:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1594 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Administrator\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\awafesifam.pif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\decexocywa.pif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\esozahove.pif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\iwehezer.lib
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\iwutuq.bin
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\kalycu.dl
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\oweco.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\utiwyd.db
C:\WINDOWS\bgrqfetx.dll
C:\WINDOWS\eefq.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\system32\16042.exe
C:\WINDOWS\system32\ddcBsrQg.dll
C:\WINDOWS\system32\ddcYsstT.dll
C:\WINDOWS\system32\dll.dll
C:\WINDOWS\system32\drivers\Winib84.sys
C:\WINDOWS\system32\ewcafvnc.dll
C:\WINDOWS\system32\gQrsBcdd.ini
C:\WINDOWS\system32\gQrsBcdd.ini2
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\system32\jakbys.dll
C:\WINDOWS\system32\KernelDrv.exe
C:\WINDOWS\system32\ksvcl.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\ljJYpOHA.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\snrtsi.dll
C:\WINDOWS\system32\vqhnyigd.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqpmr.dll
C:\WINDOWS\xokvrpwg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV
-------\Legacy_WINIB84
-------\Service_lanmandrv
-------\Service_Winib84


((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 22:40 . 2008-08-05 22:40 0 --a------ C:\WINDOWS\system32\mpmebpnr.tmp
2008-08-05 22:02 . 2008-08-05 22:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 22:02 . 2008-08-05 22:02 32,256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 18:39 . 2008-08-05 18:39 32,256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08 . 2008-08-05 22:40 1,382,797 ---hs---- C:\WINDOWS\system32\mpmebpnr.ini
2008-08-05 10:08 . 2008-08-05 10:08 99,200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12 . 2008-08-05 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 02:08 . 2008-08-05 02:08 <DIR> d-------- C:\Deckard
2008-08-05 01:40 . 2008-08-05 01:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-05 01:26 . 2008-08-05 10:07 1,382,377 --ahs---- C:\WINDOWS\system32\cspeswtd.ini
2008-08-05 01:09 . 2008-08-05 22:20 27,359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48 . 2008-08-04 21:01 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18 . 2008-08-04 22:18 19,362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:18 . 2008-08-04 22:18 19,133 --a------ C:\WINDOWS\nuvoda.db
2008-08-04 22:18 . 2008-08-04 22:18 18,650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18 . 2008-08-04 22:18 18,490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18 . 2008-08-04 22:18 18,360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18 . 2008-08-04 22:18 18,013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18 . 2008-08-04 22:18 16,764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18 . 2008-08-04 22:18 16,325 --a------ C:\WINDOWS\huwarid.inf
2008-08-04 22:18 . 2008-08-04 22:18 15,795 --a------ C:\WINDOWS\akyhezofaw._sy
2008-08-04 22:18 . 2008-08-04 22:18 14,799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18 . 2008-08-04 22:18 13,420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18 . 2008-08-04 22:18 13,383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18 . 2008-08-04 22:18 12,101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18 . 2008-08-04 22:18 11,107 --a------ C:\WINDOWS\ytexed.lib
2008-08-04 22:15 . 2008-08-05 02:01 <DIR> d-------- C:\QUARANTINE
2008-08-04 22:13 . 2008-08-04 22:13 19,688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13 . 2008-08-04 22:13 18,270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13 . 2008-08-04 22:13 17,887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13 . 2008-08-04 22:13 14,824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13 . 2008-08-04 22:13 14,200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13 . 2008-08-04 22:13 13,782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13 . 2008-08-04 22:13 13,701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-08-03 14:37 . 2008-08-03 14:39 124,276 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-07-31 22:20 . 2008-08-01 00:46 <DIR> d-------- C:\etax2008
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-14 03:21 . 2008-07-14 03:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-14 03:13 . 2008-07-14 03:13 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11 . 2008-07-14 03:15 69,416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:11 . 2004-12-15 00:07 19,696 --------- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:10 . 2008-07-14 03:11 <DIR> d-------- C:\temp\HP_WebRelease
2008-07-14 03:10 . 2008-07-14 03:19 <DIR> d-------- C:\temp
2008-07-13 22:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-13 22:42 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-07-13 22:42 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-07-13 22:42 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-07-13 22:42 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-07-13 22:42 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-07-13 22:42 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-07-13 22:28 . 2008-07-13 22:45 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\HP
2008-07-13 22:08 . 2004-12-15 02:36 708,608 -ra------ C:\WINDOWS\system32\hpotiop.dll
2008-07-13 22:08 . 2004-12-15 02:36 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2008-07-13 22:08 . 2004-12-15 02:36 274,432 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2008-07-13 22:08 . 2004-12-15 02:36 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-13 22:08 . 2004-12-15 02:36 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-13 22:08 . 2004-12-15 02:36 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-04 12:18 19,834 ----a-w C:\Program Files\Common Files\lucegeb.ban
2008-08-04 12:18 18,222 ----a-w C:\Program Files\Common Files\atubi.db
2008-08-04 12:13 19,481 ----a-w C:\WINDOWS\system32\nyzaxina.com
2008-08-04 12:13 18,442 ----a-w C:\WINDOWS\mugoxufil.exe
2008-08-04 12:13 13,817 ----a-w C:\WINDOWS\yluvigolol.bin
2008-08-04 12:13 13,319 ----a-w C:\WINDOWS\fymavufo.reg
2008-08-04 12:13 12,531 ----a-w C:\WINDOWS\opivoq.bin
2008-08-04 12:13 12,193 ----a-w C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 12:13 11,256 ----a-w C:\WINDOWS\opybu.reg
2008-08-02 18:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-23 12:45 --------- d-----w C:\Program Files\Java
2008-07-16 14:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 13:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 13:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-29 12:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 12:45 --------- d-----w C:\Program Files\DivX
2008-06-24 11:48 --------- d-----w C:\Program Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-24 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 09:31 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-24 09:31 --------- d-----w C:\Program Files\DIFX
2008-06-24 09:31 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-06-24 09:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 08:15 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-24 08:13 --------- d-----w C:\Program Files\NETGEAR
2008-06-22 13:06 --------- d-----w C:\Program Files\QuickTime
2008-06-22 13:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-15 14:05 --------- d-----w C:\Program Files\Veoh Networks
2008-06-05 00:09 --------- d-----w C:\Program Files\Skype
2008-06-05 00:09 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-05 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-02 11:26 68856]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 20:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 14:44 3100672]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"301411c9"="C:\WINDOWS\system32\rnpbempm.dll" [2008-08-05 10:08 99200]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 17:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 19:22 1822720 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-02 11:26:22 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Games\\CnC3\\RetailExe\\1.0\\cnc3game.dat"=
"D:\\Games\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\dss.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 21:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 21:41]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2007-10-09 13:13]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-06-21 12:44]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [2007-12-28 15:02]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-KernelDrv.exe clean - C:\WINDOWS\System32\KernelDrv.exe
HKLM-Run-buritos - buritos.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sm6dcwz3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 22:40:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-08-05 22:41:59 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-08-05 12:41:52

Pre-Run: 2,403,643,392 bytes free
Post-Run: 3,189,460,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

283 --- E O F --- 2007-11-02 02:15:09

DSS logs
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-05 22:44:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.99 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:44, on 5/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [301411c9] rundll32.exe "C:\WINDOWS\system32\rnpbempm.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8414 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 22:34:20 0 d-------- C:\cmdcons
2008-08-05 22:30:48 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 22:30:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 22:30:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 22:30:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 22:30:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 22:30:48 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 22:30:48 80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 22:30:48 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 22:02:56 32256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 22:02:15 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 18:39:58 32256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08:01 99200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12:23 0 d-------- C:\Program Files\Trend Micro
2008-08-05 01:40:46 0 d-------- C:\WINDOWS\ERUNT
2008-08-05 01:09:01 27359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48:39 86016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18:50 13383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18:50 18650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18:50 13420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18:50 18360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18:50 12101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18:50 16764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18:50 18490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18:50 14799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18:50 18013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18:50 19362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:15:34 0 d-------- C:\QUARANTINE
2008-08-04 22:13:36 13817 --a------ C:\WINDOWS\yluvigolol.bin
2008-08-04 22:13:36 13903 --a------ C:\WINDOWS\ylunebu.dat
2008-08-04 22:13:36 14552 --a------ C:\WINDOWS\system32\wojym.dat
2008-08-04 22:13:36 19481 --a------ C:\WINDOWS\system32\nyzaxina.com
2008-08-04 22:13:36 12193 --a------ C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 22:13:36 11256 --a------ C:\WINDOWS\opybu.reg
2008-08-04 22:13:36 12531 --a------ C:\WINDOWS\opivoq.bin
2008-08-04 22:13:36 18442 --a------ C:\WINDOWS\mugoxufil.exe
2008-08-04 22:13:36 13319 --a------ C:\WINDOWS\fymavufo.reg
2008-08-04 22:13:36 18484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13:36 19688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13:36 14200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13:36 14824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13:36 18555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13:36 17887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13:36 13782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13:36 18270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13:36 13701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-07-31 22:20:42 0 d-------- C:\etax2008
2008-07-16 23:44:46 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-16 23:44:43 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-14 03:21:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14:28 0 d-------- C:\Program Files\Common Files\HP
2008-07-14 03:14:01 0 d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:13:35 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11:18 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:11:18 69416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:10:44 0 d-------- C:\temp
2008-07-13 22:42:12 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-07-13 22:42:12 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-07-13 22:42:12 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-07-13 22:42:12 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-07-13 22:42:09 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShieldR unInstaller>
2008-07-13 22:28:08 0 d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09:32 0 d-------- C:\Program Files\HP


-- Find3M Report ---------------------------------------------------------------

2008-08-05 22:36:47 0 d-------- C:\Program Files\Common Files
2008-08-04 22:18:50 19834 --a------ C:\Program Files\Common Files\lucegeb.ban
2008-08-04 22:18:50 18222 --a------ C:\Program Files\Common Files\atubi.db
2008-08-04 22:18:50 13353 --a------ C:\Documents and Settings\Administrator\Application Data\uboh.db
2008-07-26 00:41:39 44665 --a------ C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
2008-07-23 22:45:36 0 d-------- C:\Program Files\Java
2008-07-17 00:08:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 23:50:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 23:44:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-16 23:44:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-29 22:23:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 17:14:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 22:45:15 1413 --a------ C:\WINDOWS\mozver.dat
2008-06-28 22:45:13 0 d-------- C:\Program Files\DivX
2008-06-24 21:48:58 0 d-------- C:\Program Files\Nokia
2008-06-24 21:48:29 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-24 21:39:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 19:31:25 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-24 19:31:11 0 d-------- C:\Program Files\DIFX
2008-06-24 19:31:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 19:31:03 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-24 18:13:07 0 d-------- C:\Program Files\NETGEAR
2008-06-22 23:06:48 0 d-------- C:\Program Files\QuickTime
2008-06-22 23:06:04 0 d-------- C:\Program Files\Apple Software Update
2008-06-16 00:05:45 0 d-------- C:\Program Files\Veoh Networks
2008-06-05 10:12:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-05 10:09:48 0 d-------- C:\Program Files\Skype
2008-06-05 10:09:45 0 d-------- C:\Program Files\Common Files\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 20:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"RTHDCPL"="RTHDCPL.EXE" [10/04/2007 17:28 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [04/04/2007 19:22 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 00:07]
"nwiz"="nwiz.exe" [17/09/2007 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 00:07]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 14:40]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [30/11/2006 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 13:39]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [07/09/2007 14:44]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [13/09/2004 15:49]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 19:54]
"301411c9"="C:\WINDOWS\system32\rnpbempm.dll" [05/08/2008 10:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 22:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/11/2007 11:26]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 11:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 3:44:06 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/11/2007 11:26:22 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [4/11/2004 7:28:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)




-- End of Deckard's System Scanner: finished at 2008-08-05 22:44:46 ------------

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:36 PM

Posted 05 August 2008 - 08:00 AM

Hi,

Is your McAfee up to date? Because it surprises me that it didn't detect and remove a lot of the malware present here.
Anyway...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\mpmebpnr.tmp
C:\WINDOWS\system32\mpmebpnr.ini
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\nuvoda.db
C:\WINDOWS\huwarid.inf
C:\WINDOWS\akyhezofaw._sy
C:\WINDOWS\ytexed.lib
C:\Program Files\Common Files\lucegeb.ban
C:\Program Files\Common Files\atubi.db
C:\Documents and Settings\Administrator\Application Data\uboh.db
C:\WINDOWS\system32\drivers\453lmf.exe
C:\WINDOWS\system32\drivers\109lmf.exe
C:\WINDOWS\system32\rnpbempm.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\xezyf.vbs
C:\WINDOWS\teqefaf.bin
C:\WINDOWS\system32\kecug.bin
C:\WINDOWS\system32\exizefiz.vbs
C:\WINDOWS\system32\apoci.bin
C:\WINDOWS\onixi.vbs
C:\Program Files\Common Files\qawac.scr
C:\Program Files\Common Files\hywocobur.exe
C:\Program Files\Common Files\exywap.dat
C:\Documents and Settings\Administrator\Application Data\waqudo.dat
C:\WINDOWS\yluvigolol.bin
C:\WINDOWS\ylunebu.dat
C:\WINDOWS\system32\wojym.dat
C:\WINDOWS\system32\nyzaxina.com
C:\WINDOWS\system32\ezeqijasu.sys
C:\WINDOWS\opybu.reg
C:\WINDOWS\opivoq.bin
C:\WINDOWS\mugoxufil.exe
C:\WINDOWS\fymavufo.reg
C:\Program Files\Common Files\ypefu.bat
C:\Program Files\Common Files\notuxelaja.scr
C:\Documents and Settings\All Users\Application Data\woqimyq.dat
C:\Documents and Settings\All Users\Application Data\tavim.pif
C:\Documents and Settings\All Users\Application Data\rigic.scr
C:\Documents and Settings\Administrator\Application Data\uryhe.dat
C:\Documents and Settings\Administrator\Application Data\ufuci.dll
C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"301411c9"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.
* It will create a zipped file on your Desktop: [8]-Submit_Date_Time.zip
* Another file will be present on your Desktop: CF-Submit.htm, which will open after you have run ComboFix.
* Where it says "Submit files for further analysis", click OK and a browser window will open. There you'll see "copy/paste filepath into the box & click OK". You'll find the file path below, so copy and paste it into that field and click OK.
If the window didn't open, just submit the [8]-Submit_Date_Time.zip file here.


After the reboot (if it asks for one), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
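The CFScript above names files and one Run value for ComboFix to delete; the natural follow-up check is whether any of them still appear in the next DSS "Files created" listing or HijackThis O4 lines. The following is an added example for that check, not code from this post or from ComboFix, DSS or HijackThis. It parses the script's File:: and Registry:: sections and a follow-up log, and reports the entries that survived. The sample inputs are constructed from a few entries on this page, and the function and constant names (parse_cfscript, surviving_entries, CFSCRIPT, FOLLOWUP_LOG) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the CFScript from the post above, trimmed to four files
# and the single Run value it removes.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\rnpbempm.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\mpmebpnr.ini
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"301411c9"=-
"""

# Constructed sample: lines in the format of a DSS "Files created" listing and a
# HijackThis O4 line, as they would appear in a log posted after the script ran.
FOLLOWUP_LOG = r"""-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 10:08:01 99200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 01:09:01 27359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-05 02:12:23 0 d-------- C:\Program Files\Trend Micro
O4 - HKLM\..\Run: [301411c9] rundll32.exe "C:\WINDOWS\system32\rnpbempm.dll",b
"""

SECTION_RE = re.compile(r"^(\w+)::$")                     # e.g. "File::" / "Registry::"
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')              # .reg syntax: "name"=- deletes the value
# DSS line: timestamp, size, 9-char attribute field, path, optional "<Not Verified; ...>" tail
DSS_FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{9})\s+(.+?)(?:\s+<[^>]*>)?$"
)
# HijackThis O4 line: hive, value name in brackets, command line
HJT_O4_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections; each section is a list of lines."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def registry_deletions(reg_lines):
    """Return (key, value_name) pairs that the Registry:: section deletes."""
    key, out = None, []
    for line in reg_lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                               # a new [key] header
        else:
            m = REG_DELETE_RE.match(line)
            if m and key:
                out.append((key, m.group(1)))
    return out


def surviving_entries(cfscript_text, followup_text):
    """Files and Run values named in the script that still appear in the follow-up log."""
    script = parse_cfscript(cfscript_text)
    lines = [l.strip() for l in followup_text.splitlines()]

    # Paths listed by DSS, compared case-insensitively (NTFS paths are case-insensitive).
    present = {m.group(4).lower() for m in map(DSS_FILE_RE.match, lines) if m}
    files_left = [p for p in script.get("File", []) if p.lower() in present]

    # HijackThis O4 entries keyed by (hive, value name).
    o4 = {}
    for line in lines:
        m = HJT_O4_RE.match(line)
        if m:
            o4[(m.group(1).split("\\")[0].upper(), m.group(2).lower())] = m.group(3)

    reg_left = []
    for key, name in registry_deletions(script.get("Registry", [])):
        root = key.split("\\")[0].upper()
        hive = HIVE_ABBREV.get(root, root)
        cmd = o4.get((hive, name.lower()))
        if cmd is not None:
            reg_left.append((key, name, cmd))
    return files_left, reg_left


if __name__ == "__main__":
    files_left, reg_left = surviving_entries(CFSCRIPT, FOLLOWUP_LOG)
    for path in files_left:
        print("still present:", path)
    for key, name, cmd in reg_left:
        print("Run value still present:", name, "->", cmd)
```

Run it on the real script and the next DSS log pasted into the two constants; anything it reports is a candidate for the next round of cleanup or for submission, and an empty result is the confirmation the helper is looking for before moving on.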

#5 pumice

pumice
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:36 PM

Posted 05 August 2008 - 08:15 AM

It is relatively up to date; it did detect the trojan and tried removing some of them, but I kinda noticed the trojan taking over during the scan, and repeated scans didn't really help either :thumbsup:
This time with ComboFix it didn't reboot or create a zip file; it just ended up with this log... I hope that isn't... bad

Combofix logs
ComboFix 08-08-04.01 - Administrator 2008-08-05 23:06:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1598 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 22:02 . 2008-08-05 22:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 22:02 . 2008-08-05 22:02 32,256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 18:39 . 2008-08-05 18:39 32,256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08 . 2008-08-05 23:06 1,382,917 ---hs---- C:\WINDOWS\system32\mpmebpnr.ini
2008-08-05 10:08 . 2008-08-05 10:08 99,200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12 . 2008-08-05 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 02:08 . 2008-08-05 02:08 <DIR> d-------- C:\Deckard
2008-08-05 01:40 . 2008-08-05 01:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-05 01:26 . 2008-08-05 10:07 1,382,377 --ahs---- C:\WINDOWS\system32\cspeswtd.ini
2008-08-05 01:09 . 2008-08-05 22:20 27,359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48 . 2008-08-04 21:01 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18 . 2008-08-04 22:18 19,362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:18 . 2008-08-04 22:18 19,133 --a------ C:\WINDOWS\nuvoda.db
2008-08-04 22:18 . 2008-08-04 22:18 18,650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18 . 2008-08-04 22:18 18,490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18 . 2008-08-04 22:18 18,360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18 . 2008-08-04 22:18 18,013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18 . 2008-08-04 22:18 16,764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18 . 2008-08-04 22:18 16,325 --a------ C:\WINDOWS\huwarid.inf
2008-08-04 22:18 . 2008-08-04 22:18 15,795 --a------ C:\WINDOWS\akyhezofaw._sy
2008-08-04 22:18 . 2008-08-04 22:18 14,799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18 . 2008-08-04 22:18 13,420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18 . 2008-08-04 22:18 13,383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18 . 2008-08-04 22:18 12,101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18 . 2008-08-04 22:18 11,107 --a------ C:\WINDOWS\ytexed.lib
2008-08-04 22:15 . 2008-08-05 02:01 <DIR> d-------- C:\QUARANTINE
2008-08-04 22:13 . 2008-08-04 22:13 19,688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13 . 2008-08-04 22:13 18,270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13 . 2008-08-04 22:13 17,887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13 . 2008-08-04 22:13 14,824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13 . 2008-08-04 22:13 14,200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13 . 2008-08-04 22:13 13,782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13 . 2008-08-04 22:13 13,701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-08-03 14:37 . 2008-08-03 14:39 124,276 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-07-31 22:20 . 2008-08-01 00:46 <DIR> d-------- C:\etax2008
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-14 03:21 . 2008-07-14 03:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-14 03:13 . 2008-07-14 03:13 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11 . 2008-07-14 03:15 69,416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:11 . 2004-12-15 00:07 19,696 --------- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:10 . 2008-07-14 03:11 <DIR> d-------- C:\temp\HP_WebRelease
2008-07-14 03:10 . 2008-07-14 03:19 <DIR> d-------- C:\temp
2008-07-13 22:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-13 22:42 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-07-13 22:42 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-07-13 22:42 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-07-13 22:42 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-07-13 22:42 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-07-13 22:42 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-07-13 22:28 . 2008-07-13 22:45 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\HP
2008-07-13 22:08 . 2004-12-15 02:36 708,608 -ra------ C:\WINDOWS\system32\hpotiop.dll
2008-07-13 22:08 . 2004-12-15 02:36 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2008-07-13 22:08 . 2004-12-15 02:36 274,432 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2008-07-13 22:08 . 2004-12-15 02:36 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-13 22:08 . 2004-12-15 02:36 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-13 22:08 . 2004-12-15 02:36 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-04 12:18 19,834 ----a-w C:\Program Files\Common Files\lucegeb.ban
2008-08-04 12:18 18,222 ----a-w C:\Program Files\Common Files\atubi.db
2008-08-04 12:13 19,481 ----a-w C:\WINDOWS\system32\nyzaxina.com
2008-08-04 12:13 18,442 ----a-w C:\WINDOWS\mugoxufil.exe
2008-08-04 12:13 13,817 ----a-w C:\WINDOWS\yluvigolol.bin
2008-08-04 12:13 13,319 ----a-w C:\WINDOWS\fymavufo.reg
2008-08-04 12:13 12,531 ----a-w C:\WINDOWS\opivoq.bin
2008-08-04 12:13 12,193 ----a-w C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 12:13 11,256 ----a-w C:\WINDOWS\opybu.reg
2008-08-02 18:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-23 12:45 --------- d-----w C:\Program Files\Java
2008-07-16 14:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 13:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 13:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-29 12:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 12:45 --------- d-----w C:\Program Files\DivX
2008-06-24 11:48 --------- d-----w C:\Program Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-24 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 09:31 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-24 09:31 --------- d-----w C:\Program Files\DIFX
2008-06-24 09:31 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-06-24 09:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 08:15 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-24 08:13 --------- d-----w C:\Program Files\NETGEAR
2008-06-22 13:06 --------- d-----w C:\Program Files\QuickTime
2008-06-22 13:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-15 14:05 --------- d-----w C:\Program Files\Veoh Networks
2008-06-05 00:09 --------- d-----w C:\Program Files\Skype
2008-06-05 00:09 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-05 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-05_22.41.37.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 12:04:34 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-05 12:43:56 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-05 12:04:34 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-05 12:43:56 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-02 11:26 68856]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 20:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 14:44 3100672]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 17:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 19:22 1822720 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-02 11:26:22 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Games\\CnC3\\RetailExe\\1.0\\cnc3game.dat"=
"D:\\Games\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\dss.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 21:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 21:41]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2007-10-09 13:13]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-06-21 12:44]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [2007-12-28 15:02]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 23:07:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 23:07:46
ComboFix-quarantined-files.txt 2008-08-05 13:07:42
ComboFix2.txt 2008-08-05 12:42:00

Pre-Run: 3,188,277,248 bytes free
Post-Run: 3,175,161,856 bytes free

193 --- E O F --- 2007-11-02 02:15:09

DSS logs
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-05 23:12:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 3.02 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12, on 5/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [301411c9] rundll32.exe "C:\WINDOWS\system32\rnpbempm.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8324 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 22:34:20 0 d-------- C:\cmdcons
2008-08-05 22:30:48 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 22:30:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 22:30:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 22:30:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 22:30:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 22:30:48 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 22:30:48 80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 22:30:48 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 22:02:56 32256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 22:02:15 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 18:39:58 32256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08:01 99200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12:23 0 d-------- C:\Program Files\Trend Micro
2008-08-05 01:40:46 0 d-------- C:\WINDOWS\ERUNT
2008-08-05 01:09:01 27359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48:39 86016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18:50 13383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18:50 18650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18:50 13420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18:50 18360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18:50 12101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18:50 16764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18:50 18490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18:50 14799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18:50 18013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18:50 19362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:15:34 0 d-------- C:\QUARANTINE
2008-08-04 22:13:36 13817 --a------ C:\WINDOWS\yluvigolol.bin
2008-08-04 22:13:36 13903 --a------ C:\WINDOWS\ylunebu.dat
2008-08-04 22:13:36 14552 --a------ C:\WINDOWS\system32\wojym.dat
2008-08-04 22:13:36 19481 --a------ C:\WINDOWS\system32\nyzaxina.com
2008-08-04 22:13:36 12193 --a------ C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 22:13:36 11256 --a------ C:\WINDOWS\opybu.reg
2008-08-04 22:13:36 12531 --a------ C:\WINDOWS\opivoq.bin
2008-08-04 22:13:36 18442 --a------ C:\WINDOWS\mugoxufil.exe
2008-08-04 22:13:36 13319 --a------ C:\WINDOWS\fymavufo.reg
2008-08-04 22:13:36 18484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13:36 19688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13:36 14200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13:36 14824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13:36 18555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13:36 17887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13:36 13782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13:36 18270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13:36 13701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-07-31 22:20:42 0 d-------- C:\etax2008
2008-07-16 23:44:46 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-16 23:44:43 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-14 03:21:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14:28 0 d-------- C:\Program Files\Common Files\HP
2008-07-14 03:14:01 0 d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:13:35 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11:18 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:11:18 69416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:10:44 0 d-------- C:\temp
2008-07-13 22:42:12 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-07-13 22:42:12 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-07-13 22:42:12 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-07-13 22:42:12 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-07-13 22:42:09 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShieldR unInstaller>
2008-07-13 22:28:08 0 d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09:32 0 d-------- C:\Program Files\HP


-- Find3M Report ---------------------------------------------------------------

2008-08-05 23:06:59 0 d-------- C:\Program Files\Common Files
2008-08-04 22:18:50 19834 --a------ C:\Program Files\Common Files\lucegeb.ban
2008-08-04 22:18:50 18222 --a------ C:\Program Files\Common Files\atubi.db
2008-08-04 22:18:50 13353 --a------ C:\Documents and Settings\Administrator\Application Data\uboh.db
2008-07-26 00:41:39 44665 --a------ C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
2008-07-23 22:45:36 0 d-------- C:\Program Files\Java
2008-07-17 00:08:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 23:50:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 23:44:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-16 23:44:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-29 22:23:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 17:14:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 22:45:15 1413 --a------ C:\WINDOWS\mozver.dat
2008-06-28 22:45:13 0 d-------- C:\Program Files\DivX
2008-06-24 21:48:58 0 d-------- C:\Program Files\Nokia
2008-06-24 21:48:29 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-24 21:39:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 19:31:25 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-24 19:31:11 0 d-------- C:\Program Files\DIFX
2008-06-24 19:31:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 19:31:03 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-24 18:13:07 0 d-------- C:\Program Files\NETGEAR
2008-06-22 23:06:48 0 d-------- C:\Program Files\QuickTime
2008-06-22 23:06:04 0 d-------- C:\Program Files\Apple Software Update
2008-06-16 00:05:45 0 d-------- C:\Program Files\Veoh Networks
2008-06-05 10:12:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-05 10:09:48 0 d-------- C:\Program Files\Skype
2008-06-05 10:09:45 0 d-------- C:\Program Files\Common Files\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 20:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"RTHDCPL"="RTHDCPL.EXE" [10/04/2007 17:28 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [04/04/2007 19:22 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 00:07]
"nwiz"="nwiz.exe" [17/09/2007 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 00:07]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 14:40]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [30/11/2006 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 13:39]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [07/09/2007 14:44]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [13/09/2004 15:49]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 19:54]
"301411c9"="C:\WINDOWS\system32\rnpbempm.dll" [05/08/2008 10:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 22:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/11/2007 11:26]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 11:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 3:44:06 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/11/2007 11:26:22 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [4/11/2004 7:28:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)




-- End of Deckard's System Scanner: finished at 2008-08-05 23:12:55 ------------

#6 miekiemoes (Malware Response Team)

Posted 05 August 2008 - 08:21 AM

Hi,

Can you follow the above instruction with Combofix again, please? You forgot to enter the File:: word at the top of your script, so nothing got deleted.

#7 pumice (Topic Starter)

Posted 05 August 2008 - 08:33 AM

I'm sure I copied everything this time, but I'm getting the same thing =(

ComboFix 08-08-04.01 - Administrator 2008-08-05 23:30:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1559 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 22:02 . 2008-08-05 22:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 22:02 . 2008-08-05 22:02 32,256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 18:39 . 2008-08-05 18:39 32,256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08 . 2008-08-05 23:30 1,383,157 ---hs---- C:\WINDOWS\system32\mpmebpnr.ini
2008-08-05 10:08 . 2008-08-05 10:08 99,200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12 . 2008-08-05 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 02:08 . 2008-08-05 02:08 <DIR> d-------- C:\Deckard
2008-08-05 01:40 . 2008-08-05 01:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-05 01:26 . 2008-08-05 10:07 1,382,377 --ahs---- C:\WINDOWS\system32\cspeswtd.ini
2008-08-05 01:09 . 2008-08-05 22:20 27,359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48 . 2008-08-04 21:01 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18 . 2008-08-04 22:18 19,362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:18 . 2008-08-04 22:18 19,133 --a------ C:\WINDOWS\nuvoda.db
2008-08-04 22:18 . 2008-08-04 22:18 18,650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18 . 2008-08-04 22:18 18,490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18 . 2008-08-04 22:18 18,360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18 . 2008-08-04 22:18 18,013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18 . 2008-08-04 22:18 16,764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18 . 2008-08-04 22:18 16,325 --a------ C:\WINDOWS\huwarid.inf
2008-08-04 22:18 . 2008-08-04 22:18 15,795 --a------ C:\WINDOWS\akyhezofaw._sy
2008-08-04 22:18 . 2008-08-04 22:18 14,799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18 . 2008-08-04 22:18 13,420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18 . 2008-08-04 22:18 13,383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18 . 2008-08-04 22:18 12,101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18 . 2008-08-04 22:18 11,107 --a------ C:\WINDOWS\ytexed.lib
2008-08-04 22:15 . 2008-08-05 02:01 <DIR> d-------- C:\QUARANTINE
2008-08-04 22:13 . 2008-08-04 22:13 19,688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13 . 2008-08-04 22:13 18,270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13 . 2008-08-04 22:13 17,887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13 . 2008-08-04 22:13 14,824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13 . 2008-08-04 22:13 14,200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13 . 2008-08-04 22:13 13,782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13 . 2008-08-04 22:13 13,701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-08-03 14:37 . 2008-08-03 14:39 124,276 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-07-31 22:20 . 2008-08-01 00:46 <DIR> d-------- C:\etax2008
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-14 03:21 . 2008-07-14 03:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-14 03:13 . 2008-07-14 03:13 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11 . 2008-07-14 03:15 69,416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:11 . 2004-12-15 00:07 19,696 --------- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:10 . 2008-07-14 03:11 <DIR> d-------- C:\temp\HP_WebRelease
2008-07-14 03:10 . 2008-07-14 03:19 <DIR> d-------- C:\temp
2008-07-13 22:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-13 22:42 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-07-13 22:42 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-07-13 22:42 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-07-13 22:42 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-07-13 22:42 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-07-13 22:42 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-07-13 22:28 . 2008-07-13 22:45 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\HP
2008-07-13 22:08 . 2004-12-15 02:36 708,608 -ra------ C:\WINDOWS\system32\hpotiop.dll
2008-07-13 22:08 . 2004-12-15 02:36 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2008-07-13 22:08 . 2004-12-15 02:36 274,432 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2008-07-13 22:08 . 2004-12-15 02:36 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-13 22:08 . 2004-12-15 02:36 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-13 22:08 . 2004-12-15 02:36 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-04 12:18 19,834 ----a-w C:\Program Files\Common Files\lucegeb.ban
2008-08-04 12:18 18,222 ----a-w C:\Program Files\Common Files\atubi.db
2008-08-04 12:13 19,481 ----a-w C:\WINDOWS\system32\nyzaxina.com
2008-08-04 12:13 18,442 ----a-w C:\WINDOWS\mugoxufil.exe
2008-08-04 12:13 13,817 ----a-w C:\WINDOWS\yluvigolol.bin
2008-08-04 12:13 13,319 ----a-w C:\WINDOWS\fymavufo.reg
2008-08-04 12:13 12,531 ----a-w C:\WINDOWS\opivoq.bin
2008-08-04 12:13 12,193 ----a-w C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 12:13 11,256 ----a-w C:\WINDOWS\opybu.reg
2008-08-02 18:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-23 12:45 --------- d-----w C:\Program Files\Java
2008-07-16 14:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 13:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 13:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-29 12:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 12:45 --------- d-----w C:\Program Files\DivX
2008-06-24 11:48 --------- d-----w C:\Program Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-24 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 09:31 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-24 09:31 --------- d-----w C:\Program Files\DIFX
2008-06-24 09:31 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-06-24 09:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 08:15 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-24 08:13 --------- d-----w C:\Program Files\NETGEAR
2008-06-22 13:06 --------- d-----w C:\Program Files\QuickTime
2008-06-22 13:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-15 14:05 --------- d-----w C:\Program Files\Veoh Networks
2008-06-05 00:09 --------- d-----w C:\Program Files\Skype
2008-06-05 00:09 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-05 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-05_22.41.37.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 12:04:34 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-05 12:43:56 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-05 12:04:34 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-05 12:43:56 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-02 11:26 68856]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 20:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 14:44 3100672]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 17:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 19:22 1822720 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-02 11:26:22 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Games\\CnC3\\RetailExe\\1.0\\cnc3game.dat"=
"D:\\Games\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\dss.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 21:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 21:41]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2007-10-09 13:13]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-06-21 12:44]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [2007-12-28 15:02]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 23:31:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 23:31:46
ComboFix-quarantined-files.txt 2008-08-05 13:31:42
ComboFix2.txt 2008-08-05 13:25:25
ComboFix3.txt 2008-08-05 13:07:46
ComboFix4.txt 2008-08-05 12:42:00

Pre-Run: 3,195,056,128 bytes free
Post-Run: 3,182,518,272 bytes free

195 --- E O F --- 2007-11-02 02:15:09

DSS logs
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-05 23:32:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.98 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32, on 5/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [301411c9] rundll32.exe "C:\WINDOWS\system32\rnpbempm.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8291 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 22:34:20 0 d-------- C:\cmdcons
2008-08-05 22:30:48 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 22:30:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 22:30:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 22:30:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 22:30:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 22:30:48 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 22:30:48 80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 22:30:48 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 22:02:56 32256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 22:02:15 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 18:39:58 32256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08:01 99200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12:23 0 d-------- C:\Program Files\Trend Micro
2008-08-05 01:40:46 0 d-------- C:\WINDOWS\ERUNT
2008-08-05 01:09:01 27359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48:39 86016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18:50 13383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18:50 18650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18:50 13420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18:50 18360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18:50 12101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18:50 16764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18:50 18490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18:50 14799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18:50 18013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18:50 19362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:15:34 0 d-------- C:\QUARANTINE
2008-08-04 22:13:36 13817 --a------ C:\WINDOWS\yluvigolol.bin
2008-08-04 22:13:36 13903 --a------ C:\WINDOWS\ylunebu.dat
2008-08-04 22:13:36 14552 --a------ C:\WINDOWS\system32\wojym.dat
2008-08-04 22:13:36 19481 --a------ C:\WINDOWS\system32\nyzaxina.com
2008-08-04 22:13:36 12193 --a------ C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 22:13:36 11256 --a------ C:\WINDOWS\opybu.reg
2008-08-04 22:13:36 12531 --a------ C:\WINDOWS\opivoq.bin
2008-08-04 22:13:36 18442 --a------ C:\WINDOWS\mugoxufil.exe
2008-08-04 22:13:36 13319 --a------ C:\WINDOWS\fymavufo.reg
2008-08-04 22:13:36 18484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13:36 19688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13:36 14200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13:36 14824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13:36 18555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13:36 17887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13:36 13782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13:36 18270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13:36 13701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-07-31 22:20:42 0 d-------- C:\etax2008
2008-07-16 23:44:46 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-16 23:44:43 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-14 03:21:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14:28 0 d-------- C:\Program Files\Common Files\HP
2008-07-14 03:14:01 0 d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:13:35 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11:18 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:11:18 69416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:10:44 0 d-------- C:\temp
2008-07-13 22:42:12 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-07-13 22:42:12 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-07-13 22:42:12 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-07-13 22:42:12 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-07-13 22:42:09 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShieldR unInstaller>
2008-07-13 22:28:08 0 d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09:32 0 d-------- C:\Program Files\HP


-- Find3M Report ---------------------------------------------------------------

2008-08-05 23:31:00 0 d-------- C:\Program Files\Common Files
2008-08-04 22:18:50 19834 --a------ C:\Program Files\Common Files\lucegeb.ban
2008-08-04 22:18:50 18222 --a------ C:\Program Files\Common Files\atubi.db
2008-08-04 22:18:50 13353 --a------ C:\Documents and Settings\Administrator\Application Data\uboh.db
2008-07-26 00:41:39 44665 --a------ C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
2008-07-23 22:45:36 0 d-------- C:\Program Files\Java
2008-07-17 00:08:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 23:50:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 23:44:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-16 23:44:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-29 22:23:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 17:14:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 22:45:15 1413 --a------ C:\WINDOWS\mozver.dat
2008-06-28 22:45:13 0 d-------- C:\Program Files\DivX
2008-06-24 21:48:58 0 d-------- C:\Program Files\Nokia
2008-06-24 21:48:29 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-24 21:39:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 19:31:25 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-24 19:31:11 0 d-------- C:\Program Files\DIFX
2008-06-24 19:31:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 19:31:03 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-24 18:13:07 0 d-------- C:\Program Files\NETGEAR
2008-06-22 23:06:48 0 d-------- C:\Program Files\QuickTime
2008-06-22 23:06:04 0 d-------- C:\Program Files\Apple Software Update
2008-06-16 00:05:45 0 d-------- C:\Program Files\Veoh Networks
2008-06-05 10:12:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-05 10:09:48 0 d-------- C:\Program Files\Skype
2008-06-05 10:09:45 0 d-------- C:\Program Files\Common Files\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 20:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"RTHDCPL"="RTHDCPL.EXE" [10/04/2007 17:28 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [04/04/2007 19:22 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 00:07]
"nwiz"="nwiz.exe" [17/09/2007 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 00:07]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 14:40]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [30/11/2006 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 13:39]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [07/09/2007 14:44]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [13/09/2004 15:49]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 19:54]
"301411c9"="C:\WINDOWS\system32\rnpbempm.dll" [05/08/2008 10:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 22:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/11/2007 11:26]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 11:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 3:44:06 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/11/2007 11:26:22 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [4/11/2004 7:28:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)




-- End of Deckard's System Scanner: finished at 2008-08-05 23:32:58 ------------

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:36 PM

Posted 05 August 2008 - 08:48 AM

This is strange...

I've created the CFScript for you instead. Attached file: CFScript.txt (1.74KB, 32 downloads)

Can you also temporarily disable your McAfee first, because it may interfere with it...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 pumice

pumice
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:36 PM

Posted 05 August 2008 - 08:58 AM

Still the same with your text file. I'll try to restart and repeat this again.

ComboFix 08-08-04.05 - Administrator 2008-08-05 23:55:47.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1548 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 22:02 . 2008-08-05 22:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 22:02 . 2008-08-05 22:02 32,256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 18:39 . 2008-08-05 18:39 32,256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08 . 2008-08-05 23:56 2,569,271 ---hs---- C:\WINDOWS\system32\mpmebpnr.ini
2008-08-05 10:08 . 2008-08-05 10:08 99,200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12 . 2008-08-05 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 02:08 . 2008-08-05 02:08 <DIR> d-------- C:\Deckard
2008-08-05 01:40 . 2008-08-05 01:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-05 01:26 . 2008-08-05 10:07 1,382,377 --ahs---- C:\WINDOWS\system32\cspeswtd.ini
2008-08-05 01:09 . 2008-08-05 22:20 27,359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48 . 2008-08-04 21:01 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18 . 2008-08-04 22:18 19,362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:18 . 2008-08-04 22:18 19,133 --a------ C:\WINDOWS\nuvoda.db
2008-08-04 22:18 . 2008-08-04 22:18 18,650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18 . 2008-08-04 22:18 18,490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18 . 2008-08-04 22:18 18,360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18 . 2008-08-04 22:18 18,013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18 . 2008-08-04 22:18 16,764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18 . 2008-08-04 22:18 16,325 --a------ C:\WINDOWS\huwarid.inf
2008-08-04 22:18 . 2008-08-04 22:18 15,795 --a------ C:\WINDOWS\akyhezofaw._sy
2008-08-04 22:18 . 2008-08-04 22:18 14,799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18 . 2008-08-04 22:18 13,420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18 . 2008-08-04 22:18 13,383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18 . 2008-08-04 22:18 12,101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18 . 2008-08-04 22:18 11,107 --a------ C:\WINDOWS\ytexed.lib
2008-08-04 22:15 . 2008-08-05 02:01 <DIR> d-------- C:\QUARANTINE
2008-08-04 22:13 . 2008-08-04 22:13 19,688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13 . 2008-08-04 22:13 18,270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13 . 2008-08-04 22:13 17,887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13 . 2008-08-04 22:13 14,824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13 . 2008-08-04 22:13 14,200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13 . 2008-08-04 22:13 13,782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13 . 2008-08-04 22:13 13,701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-08-03 14:37 . 2008-08-03 14:39 124,276 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-07-31 22:20 . 2008-08-01 00:46 <DIR> d-------- C:\etax2008
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-14 03:21 . 2008-07-14 03:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-14 03:13 . 2008-07-14 03:13 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11 . 2008-07-14 03:15 69,416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:11 . 2004-12-15 00:07 19,696 --------- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:10 . 2008-07-14 03:11 <DIR> d-------- C:\temp\HP_WebRelease
2008-07-14 03:10 . 2008-07-14 03:19 <DIR> d-------- C:\temp
2008-07-13 22:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-13 22:42 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-07-13 22:42 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-07-13 22:42 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-07-13 22:42 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-07-13 22:42 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-07-13 22:42 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-07-13 22:28 . 2008-07-13 22:45 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\HP
2008-07-13 22:08 . 2004-12-15 02:36 708,608 -ra------ C:\WINDOWS\system32\hpotiop.dll
2008-07-13 22:08 . 2004-12-15 02:36 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2008-07-13 22:08 . 2004-12-15 02:36 274,432 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2008-07-13 22:08 . 2004-12-15 02:36 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-13 22:08 . 2004-12-15 02:36 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-13 22:08 . 2004-12-15 02:36 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-04 12:18 19,834 ----a-w C:\Program Files\Common Files\lucegeb.ban
2008-08-04 12:18 18,222 ----a-w C:\Program Files\Common Files\atubi.db
2008-08-04 12:13 19,481 ----a-w C:\WINDOWS\system32\nyzaxina.com
2008-08-04 12:13 18,442 ----a-w C:\WINDOWS\mugoxufil.exe
2008-08-04 12:13 13,817 ----a-w C:\WINDOWS\yluvigolol.bin
2008-08-04 12:13 13,319 ----a-w C:\WINDOWS\fymavufo.reg
2008-08-04 12:13 12,531 ----a-w C:\WINDOWS\opivoq.bin
2008-08-04 12:13 12,193 ----a-w C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 12:13 11,256 ----a-w C:\WINDOWS\opybu.reg
2008-08-02 18:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-23 12:45 --------- d-----w C:\Program Files\Java
2008-07-16 14:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 13:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 13:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-29 12:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 12:45 --------- d-----w C:\Program Files\DivX
2008-06-24 11:48 --------- d-----w C:\Program Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-24 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 09:31 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-24 09:31 --------- d-----w C:\Program Files\DIFX
2008-06-24 09:31 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-06-24 09:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 08:15 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-24 08:13 --------- d-----w C:\Program Files\NETGEAR
2008-06-22 13:06 --------- d-----w C:\Program Files\QuickTime
2008-06-22 13:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-15 14:05 --------- d-----w C:\Program Files\Veoh Networks
2008-06-05 00:09 --------- d-----w C:\Program Files\Skype
2008-06-05 00:09 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-05 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-05_22.41.37.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-05 12:04:34 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-05 12:43:56 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-05 12:04:34 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-05 12:43:56 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-02 11:26 68856]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 20:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 14:44 3100672]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 17:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 19:22 1822720 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-02 11:26:22 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Games\\CnC3\\RetailExe\\1.0\\cnc3game.dat"=
"D:\\Games\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\dss.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 21:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 21:41]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2007-10-09 13:13]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-06-21 12:44]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [2007-12-28 15:02]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 23:56:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 23:57:06
ComboFix-quarantined-files.txt 2008-08-05 13:57:01
ComboFix2.txt 2008-08-05 13:52:27
ComboFix3.txt 2008-08-05 13:31:47
ComboFix4.txt 2008-08-05 13:25:25
ComboFix5.txt 2008-08-05 13:55:28

Pre-Run: 3,147,706,368 bytes free
Post-Run: 3,133,693,952 bytes free

196 --- E O F --- 2007-11-02 02:15:09

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:36 PM

Posted 05 August 2008 - 09:03 AM

Hmm, odd, really odd.

Can you try in Windows Safe mode?
Can you also check if there's a C:\debug.txt present?

#11 pumice

pumice
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:36 PM

Posted 05 August 2008 - 09:10 AM

I've restarted and tried that again, but I'm still getting the same thing; it seems like nothing is deleted.

I've got a debug.txt in C:\temp. Oh... I think it may be because of my system locale; let me change that and try again.

#12 pumice

pumice
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:36 PM

Posted 05 August 2008 - 09:20 AM

So sorry about that. I've switched my system's locale and tried again, and got 2 deletions this time.

ComboFix 08-08-04.05 - Administrator 2008-08-06 0:14:41.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1556 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cspeswtd.ini
C:\WINDOWS\system32\mpmebpnr.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 22:02 . 2008-08-05 22:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 22:02 . 2008-08-05 22:02 32,256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 18:39 . 2008-08-05 18:39 32,256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08 . 2008-08-05 10:08 99,200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12 . 2008-08-05 02:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 02:08 . 2008-08-05 02:08 <DIR> d-------- C:\Deckard
2008-08-05 01:40 . 2008-08-05 01:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-05 01:09 . 2008-08-05 22:20 27,359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48 . 2008-08-04 21:01 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18 . 2008-08-04 22:18 19,362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:18 . 2008-08-04 22:18 19,133 --a------ C:\WINDOWS\nuvoda.db
2008-08-04 22:18 . 2008-08-04 22:18 18,650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18 . 2008-08-04 22:18 18,490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18 . 2008-08-04 22:18 18,360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18 . 2008-08-04 22:18 18,013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18 . 2008-08-04 22:18 16,764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18 . 2008-08-04 22:18 16,325 --a------ C:\WINDOWS\huwarid.inf
2008-08-04 22:18 . 2008-08-04 22:18 15,795 --a------ C:\WINDOWS\akyhezofaw._sy
2008-08-04 22:18 . 2008-08-04 22:18 14,799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18 . 2008-08-04 22:18 13,420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18 . 2008-08-04 22:18 13,383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18 . 2008-08-04 22:18 12,101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18 . 2008-08-04 22:18 11,107 --a------ C:\WINDOWS\ytexed.lib
2008-08-04 22:15 . 2008-08-05 02:01 <DIR> d-------- C:\QUARANTINE
2008-08-04 22:13 . 2008-08-04 22:13 19,688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13 . 2008-08-04 22:13 18,484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13 . 2008-08-04 22:13 18,270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13 . 2008-08-04 22:13 17,887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13 . 2008-08-04 22:13 14,824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13 . 2008-08-04 22:13 14,200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13 . 2008-08-04 22:13 13,782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13 . 2008-08-04 22:13 13,701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-08-03 14:37 . 2008-08-03 14:39 124,276 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-07-31 22:20 . 2008-08-01 00:46 <DIR> d-------- C:\etax2008
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-16 23:44 . 2008-07-16 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-14 03:21 . 2008-07-14 03:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:14 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-14 03:13 . 2008-07-14 03:13 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11 . 2008-07-14 03:15 69,416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:11 . 2004-12-15 00:07 19,696 --------- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:10 . 2008-07-14 03:11 <DIR> d-------- C:\temp\HP_WebRelease
2008-07-14 03:10 . 2008-07-14 03:19 <DIR> d-------- C:\temp
2008-07-13 22:42 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-13 22:42 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-07-13 22:42 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-07-13 22:42 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-07-13 22:42 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-07-13 22:42 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-07-13 22:42 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-07-13 22:28 . 2008-07-13 22:45 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09 . 2008-07-14 03:14 <DIR> d-------- C:\Program Files\HP
2008-07-13 22:08 . 2004-12-15 02:36 708,608 -ra------ C:\WINDOWS\system32\hpotiop.dll
2008-07-13 22:08 . 2004-12-15 02:36 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2008-07-13 22:08 . 2004-12-15 02:36 274,432 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2008-07-13 22:08 . 2004-12-15 02:36 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-13 22:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-13 22:08 . 2004-12-15 02:36 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-13 22:08 . 2004-12-15 02:36 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-13 22:08 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-04 12:18 19,834 ----a-w C:\Program Files\Common Files\lucegeb.ban
2008-08-04 12:18 18,222 ----a-w C:\Program Files\Common Files\atubi.db
2008-08-04 12:13 19,481 ----a-w C:\WINDOWS\system32\nyzaxina.com
2008-08-04 12:13 18,442 ----a-w C:\WINDOWS\mugoxufil.exe
2008-08-04 12:13 13,817 ----a-w C:\WINDOWS\yluvigolol.bin
2008-08-04 12:13 13,319 ----a-w C:\WINDOWS\fymavufo.reg
2008-08-04 12:13 12,531 ----a-w C:\WINDOWS\opivoq.bin
2008-08-04 12:13 12,193 ----a-w C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 12:13 11,256 ----a-w C:\WINDOWS\opybu.reg
2008-08-02 18:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-23 12:45 --------- d-----w C:\Program Files\Java
2008-07-16 14:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 13:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 13:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-29 12:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-28 12:45 --------- d-----w C:\Program Files\DivX
2008-06-24 11:48 --------- d-----w C:\Program Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-24 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-06-24 11:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 09:31 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-24 09:31 --------- d-----w C:\Program Files\DIFX
2008-06-24 09:31 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-06-24 09:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 08:15 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-24 08:13 --------- d-----w C:\Program Files\NETGEAR
2008-06-22 13:06 --------- d-----w C:\Program Files\QuickTime
2008-06-22 13:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-15 14:05 --------- d-----w C:\Program Files\Veoh Networks
2008-06-05 00:09 --------- d-----w C:\Program Files\Skype
2008-06-05 00:09 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-05 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-05_22.41.37.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-17 08:17:16 97,456 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-08-05 14:13:04 97,456 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-08-05 12:04:34 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-05 14:04:35 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-05 12:04:34 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-05 14:04:35 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-02 11:26 68856]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 20:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 20:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 14:44 3100672]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 17:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 19:22 1822720 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-02 11:26:22 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Games\\CnC3\\RetailExe\\1.0\\cnc3game.dat"=
"D:\\Games\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\dss.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 21:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 21:41]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2007-10-09 13:13]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-06-21 12:44]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [2007-12-28 15:02]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 00:15:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 0:16:40
ComboFix-quarantined-files.txt 2008-08-05 14:16:36
ComboFix2.txt 2008-08-05 14:04:19
ComboFix3.txt 2008-08-05 13:57:07
ComboFix4.txt 2008-08-05 13:52:27
ComboFix5.txt 2008-08-05 14:14:27

Pre-Run: 3,090,415,616 bytes free
Post-Run: 3,073,916,928 bytes free

201 --- E O F --- 2007-11-02 02:15:09

DSS logs
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-06 00:18:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.88 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:18, on 6/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcrobatInfo.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8757 bytes

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-05 22:34:20 0 d-------- C:\cmdcons
2008-08-05 22:30:48 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 22:30:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 22:30:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 22:30:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 22:30:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 22:30:48 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 22:30:48 80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 22:30:48 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 22:02:56 32256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 22:02:15 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-05 18:39:58 32256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-05 10:08:01 99200 --a------ C:\WINDOWS\system32\rnpbempm.dll
2008-08-05 02:12:23 0 d-------- C:\Program Files\Trend Micro
2008-08-05 01:40:46 0 d-------- C:\WINDOWS\ERUNT
2008-08-05 01:09:01 27359 --a------ C:\WINDOWS\system32\kcopt.dll
2008-08-04 22:48:39 86016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 22:18:50 13383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18:50 18650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18:50 13420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18:50 18360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18:50 12101 --a------ C:\WINDOWS\system32\apoci.bin
2008-08-04 22:18:50 16764 --a------ C:\WINDOWS\onixi.vbs
2008-08-04 22:18:50 18490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18:50 14799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:18:50 18013 --a------ C:\Program Files\Common Files\exywap.dat
2008-08-04 22:18:50 19362 --a------ C:\Documents and Settings\Administrator\Application Data\waqudo.dat
2008-08-04 22:15:34 0 d-------- C:\QUARANTINE
2008-08-04 22:13:36 13817 --a------ C:\WINDOWS\yluvigolol.bin
2008-08-04 22:13:36 13903 --a------ C:\WINDOWS\ylunebu.dat
2008-08-04 22:13:36 14552 --a------ C:\WINDOWS\system32\wojym.dat
2008-08-04 22:13:36 19481 --a------ C:\WINDOWS\system32\nyzaxina.com
2008-08-04 22:13:36 12193 --a------ C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 22:13:36 11256 --a------ C:\WINDOWS\opybu.reg
2008-08-04 22:13:36 12531 --a------ C:\WINDOWS\opivoq.bin
2008-08-04 22:13:36 18442 --a------ C:\WINDOWS\mugoxufil.exe
2008-08-04 22:13:36 13319 --a------ C:\WINDOWS\fymavufo.reg
2008-08-04 22:13:36 18484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-08-04 22:13:36 19688 --a------ C:\Program Files\Common Files\notuxelaja.scr
2008-08-04 22:13:36 14200 --a------ C:\Documents and Settings\All Users\Application Data\woqimyq.dat
2008-08-04 22:13:36 14824 --a------ C:\Documents and Settings\All Users\Application Data\tavim.pif
2008-08-04 22:13:36 18555 --a------ C:\Documents and Settings\All Users\Application Data\rigic.scr
2008-08-04 22:13:36 17887 --a------ C:\Documents and Settings\Administrator\Application Data\uryhe.dat
2008-08-04 22:13:36 13782 --a------ C:\Documents and Settings\Administrator\Application Data\ufuci.dll
2008-08-04 22:13:36 18270 --a------ C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
2008-08-04 22:13:36 13701 --a------ C:\Documents and Settings\Administrator\Application Data\afutygyj.reg
2008-07-31 22:20:42 0 d-------- C:\etax2008
2008-07-16 23:44:46 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-16 23:44:43 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-14 03:21:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-07-14 03:14:28 0 d-------- C:\Program Files\Common Files\HP
2008-07-14 03:14:01 0 d-------- C:\Program Files\Hewlett-Packard
2008-07-14 03:13:35 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 03:11:18 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2008-07-14 03:11:18 69416 --a------ C:\WINDOWS\hpoins05.dat
2008-07-14 03:10:44 0 d-------- C:\temp
2008-07-13 22:42:12 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-07-13 22:42:12 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-07-13 22:42:12 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-07-13 22:42:12 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-07-13 22:42:09 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-07-13 22:28:08 0 d-------- C:\WINDOWS\system32\URTTemp
2008-07-13 22:09:32 0 d-------- C:\Program Files\HP


-- Find3M Report ---------------------------------------------------------------

2008-08-06 00:15:34 0 d-------- C:\Program Files\Common Files
2008-08-04 22:18:50 19834 --a------ C:\Program Files\Common Files\lucegeb.ban
2008-08-04 22:18:50 18222 --a------ C:\Program Files\Common Files\atubi.db
2008-08-04 22:18:50 13353 --a------ C:\Documents and Settings\Administrator\Application Data\uboh.db
2008-07-26 00:41:39 44665 --a------ C:\Documents and Settings\Administrator\Application Data\NMM-MetaData.db
2008-07-23 22:45:36 0 d-------- C:\Program Files\Java
2008-07-17 00:08:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-07-16 23:50:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 23:44:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-16 23:44:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-29 22:23:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-29 17:14:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 22:45:15 1413 --a------ C:\WINDOWS\mozver.dat
2008-06-28 22:45:13 0 d-------- C:\Program Files\DivX
2008-06-24 21:48:58 0 d-------- C:\Program Files\Nokia
2008-06-24 21:48:29 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-24 21:39:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-24 19:31:25 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-24 19:31:11 0 d-------- C:\Program Files\DIFX
2008-06-24 19:31:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-24 19:31:03 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-24 18:13:07 0 d-------- C:\Program Files\NETGEAR
2008-06-22 23:06:48 0 d-------- C:\Program Files\QuickTime
2008-06-22 23:06:04 0 d-------- C:\Program Files\Apple Software Update
2008-06-16 00:05:45 0 d-------- C:\Program Files\Veoh Networks
2008-06-05 10:12:44 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 20:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 20:32]
"RTHDCPL"="RTHDCPL.EXE" [10/04/2007 17:28 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [04/04/2007 19:22 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 00:07]
"nwiz"="nwiz.exe" [17/09/2007 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 00:07]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 14:40]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [30/11/2006 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 13:39]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [07/09/2007 14:44]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [13/09/2004 15:49]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 19:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 22:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/11/2007 11:26]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 11:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 3:44:06 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/11/2007 11:26:22 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [4/11/2004 7:28:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)




-- End of Deckard's System Scanner: finished at 2008-08-06 00:19:08 ------------

#13 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 August 2008 - 09:21 AM

I've got a debug.txt in C:\temp. Oh... I think it may be because of my system locale.

How do you mean? Did you change a system variable previously and redirect it to another folder instead?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 pumice
  • Topic Starter
  • Members
  • 10 posts

Posted 05 August 2008 - 09:25 AM

I'm not sure if it matters, but previously my Regional and Language Settings -> Language for non-Unicode programs was set to Japanese; I've now switched it to English.

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 August 2008 - 09:27 AM

OK, never mind... We can also deal with this manually, though. The CFScript was easier since it removed the files all at once.

I assume you know what you're doing and know how to manually delete files? :thumbsup:
In that case..

Navigate to and delete the following files:

C:\WINDOWS\system32\mpmebpnr.tmp
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\nuvoda.db
C:\WINDOWS\huwarid.inf
C:\WINDOWS\akyhezofaw._sy
C:\WINDOWS\ytexed.lib
C:\Program Files\Common Files\lucegeb.ban
C:\Program Files\Common Files\atubi.db
C:\Documents and Settings\Administrator\Application Data\uboh.db
C:\WINDOWS\system32\drivers\453lmf.exe
C:\WINDOWS\system32\drivers\109lmf.exe
C:\WINDOWS\system32\rnpbempm.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\xezyf.vbs
C:\WINDOWS\teqefaf.bin
C:\WINDOWS\system32\kecug.bin
C:\WINDOWS\system32\exizefiz.vbs
C:\WINDOWS\system32\apoci.bin
C:\WINDOWS\onixi.vbs
C:\Program Files\Common Files\qawac.scr
C:\Program Files\Common Files\hywocobur.exe
C:\Program Files\Common Files\exywap.dat
C:\Documents and Settings\Administrator\Application Data\waqudo.dat
C:\WINDOWS\yluvigolol.bin
C:\WINDOWS\ylunebu.dat
C:\WINDOWS\system32\wojym.dat
C:\WINDOWS\system32\nyzaxina.com
C:\WINDOWS\system32\ezeqijasu.sys
C:\WINDOWS\opybu.reg
C:\WINDOWS\opivoq.bin
C:\WINDOWS\mugoxufil.exe
C:\WINDOWS\fymavufo.reg
C:\Program Files\Common Files\ypefu.bat
C:\Program Files\Common Files\notuxelaja.scr
C:\Documents and Settings\All Users\Application Data\woqimyq.dat
C:\Documents and Settings\All Users\Application Data\tavim.pif
C:\Documents and Settings\All Users\Application Data\rigic.scr
C:\Documents and Settings\Administrator\Application Data\uryhe.dat
C:\Documents and Settings\Administrator\Application Data\ufuci.dll
C:\Documents and Settings\Administrator\Application Data\elovalewub.pif
C:\Documents and Settings\Administrator\Application Data\afutygyj.reg

Then post a new Deckard System scanner log in your next reply.

By the way, if you're having problems with deleting some files, try it in Windows Safe mode... But as far as I can see from your latest log, that wouldn't be needed since I see no malware loaded anymore.

In case you can't remove the files C:\WINDOWS\system32\rnpbempm.dll and C:\WINDOWS\system32\mpmebpnr.tmp, end the task rundll32.exe in Task Manager (because it's hooked under that process), then try to delete again.

Also, some files may be hidden, so please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Then post a new Deckard scanner log in your next reply.

Edited by miekiemoes, 05 August 2008 - 09:28 AM.

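The file list in the reply above was read off the DSS "Files created between" section of the posted log: the dropped files show up as bursts of random-named files sharing one creation second, carrying no publisher tag and spanning many extensions, whereas installer bursts (the HP driver files, the ComboFix helpers) do not. As an added example, not part of this thread or of DSS, here is a Python parser for that section that applies those heuristics; the sample log is a constructed subset of the lines posted above, and the burst thresholds and the random-name test are assumptions, not DSS logic.

```python
"""Parse a DSS 'Files created between ...' section and flag drop bursts (added example)."""
import re
from collections import defaultdict
from typing import List, NamedTuple

# One DSS entry: timestamp, size, 9-character attribute field, path, optional <version tag>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>\S{9})\s+"
    r"(?P<path>.+?)(?:\s+<(?P<ver>[^>]*)>)?\s*$"
)

# Constructed sample: a subset of the posted lines (dropper files, HP driver install, ComboFix helpers).
SAMPLE_LOG = r"""
2008-08-05 22:34:20 0 d-------- C:\cmdcons
2008-08-05 22:30:48 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 22:30:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 22:30:48 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 22:02:56 32256 --a------ C:\WINDOWS\system32\drivers\453lmf.exe
2008-08-05 18:39:58 32256 --a------ C:\WINDOWS\system32\drivers\109lmf.exe
2008-08-04 22:18:50 13383 --a------ C:\WINDOWS\xezyf.vbs
2008-08-04 22:18:50 18650 --a------ C:\WINDOWS\teqefaf.bin
2008-08-04 22:18:50 13420 --a------ C:\WINDOWS\system32\kecug.bin
2008-08-04 22:18:50 18360 --a------ C:\WINDOWS\system32\exizefiz.vbs
2008-08-04 22:18:50 18490 --a------ C:\Program Files\Common Files\qawac.scr
2008-08-04 22:18:50 14799 --a------ C:\Program Files\Common Files\hywocobur.exe
2008-08-04 22:13:36 19481 --a------ C:\WINDOWS\system32\nyzaxina.com
2008-08-04 22:13:36 12193 --a------ C:\WINDOWS\system32\ezeqijasu.sys
2008-08-04 22:13:36 11256 --a------ C:\WINDOWS\opybu.reg
2008-08-04 22:13:36 18442 --a------ C:\WINDOWS\mugoxufil.exe
2008-08-04 22:13:36 18484 --a------ C:\Program Files\Common Files\ypefu.bat
2008-07-13 22:42:12 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-07-13 22:42:12 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
"""

class Entry(NamedTuple):
    ts: str
    size: int
    attrs: str
    path: str
    publisher: str  # content of the <...> tag, "" when DSS printed none

def parse_dss_created(text: str) -> List[Entry]:
    """Parse the entries of a 'Files created between' section; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d"):
            continue
        entries.append(Entry(m.group("ts"), int(m.group("size")), m.group("attrs"),
                             m.group("path"), m.group("ver") or ""))
    return entries

def stem_ext(path: str):
    """Split the file name off a Windows path into (stem, lowercase extension)."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")

def looks_random(entry: Entry) -> bool:
    """Heuristic (assumption): a lowercase-letters-only stem of 5+ chars with no publisher tag."""
    return bool(re.fullmatch(r"[a-z]{5,}", stem_ext(entry.path)[0])) and not entry.publisher

def find_drop_bursts(entries: List[Entry], min_files: int = 3, min_exts: int = 3):
    """Group entries by creation second; a burst is suspicious when no file carries a
    publisher tag, most names look random and the burst spans several extensions."""
    by_second = defaultdict(list)
    for e in entries:
        by_second[e.ts].append(e)
    bursts = []
    for ts, group in sorted(by_second.items()):
        if len(group) < min_files:
            continue
        exts = {stem_ext(e.path)[1] for e in group}
        tagged = sum(1 for e in group if e.publisher)
        random_names = sum(1 for e in group if looks_random(e))
        bursts.append({
            "ts": ts, "files": [e.path for e in group], "extensions": sorted(exts),
            "suspicious": tagged == 0 and len(exts) >= min_exts and 2 * random_names > len(group),
        })
    return bursts

def find_odd_driver_files(entries: List[Entry]) -> List[str]:
    """Non-.sys files dropped into a drivers directory (like the *lmf.exe pair in the log)."""
    return [e.path for e in entries
            if "\\drivers\\" in e.path.lower() and stem_ext(e.path)[1] != "sys"]

def assess(text: str) -> dict:
    entries = parse_dss_created(text)
    return {"bursts": find_drop_bursts(entries),
            "odd_driver_files": find_odd_driver_files(entries)}

if __name__ == "__main__":
    for b in assess(SAMPLE_LOG)["bursts"]:
        flag = "[!]" if b["suspicious"] else "[ ]"
        print(f"{flag} {len(b['files'])} files created at {b['ts']} ({', '.join(b['extensions'])})")
```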