
Unknown Files after Vundo remove


  • This topic is locked
17 replies to this topic

#1 dellphinus

Posted 24 December 2008 - 07:13 AM

Greetings,

I've spent the last two days removing something, identified as Vundo, Sheur, Generic12 at various times/stages. As of this AM, have been able to run AdAware, McAfee, Combofix all with no threats IDed. Have not reconnected to net yet, other than to download latest McAfee and AdAware filters. HOWEVER, Combofix identifies several files I can't identify, or find any info on on the net,
for example...
zycahufi.bat (can't read this one)
ojugyz.exe
ezicosoqa.sys

SO, I'd like to get a reading on whether I'm really clean or not. HJT log below.
Thanks so much for this service, and this site!
DP




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:40 AM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\user1\Desktop\RSIT.exe
C:\HiJackThis\user1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.activation.screenname", "dellphinus");
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\Program Files\\Netscape");
user_pref("browser.display.screen_resolution", 96);
user_pref("browser.download.dir", "C:\\firefox");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.download.progressDnlgDialog.dontAskForLaunch", true);
user_pref("browser.download.save_converter_index", 2);
user_pref("browser.downloadmanager.behavior", 1);
user_pref("browser.hi
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.activation.screenname", "dellphinus");
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\Program Files\\Netscape");
user_pref("browser.display.screen_resolution", 96);
user_pref("browser.download.dir", "C:\\firefox");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.download.progressDnlgDialog.dontAskForLaunch", true);
user_pref("browser.download.save_converter_index", 2);
user_pref("browser.downloadmanager.behavior", 1);
user_pref("browser.hi
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office2K\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office2K\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Deskshop - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Discover Deskshop\Deskshop.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397426484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397286859
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://boeing.webex.com/client/T23LBA/webex/ieatgpc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 10633 bytes

#2 PropagandaPanda (Malware Response Team)

Posted 31 December 2008 - 02:58 PM

Hello.

Sorry for the wait.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
    Right-click it -> choose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Please also include a new HijackThis log.

With Regards,
The Panda

#3 dellphinus (Topic Starter)

Posted 01 January 2009 - 09:23 AM

Greetings Panda, looks like you folks have been pretty busy over the holidays...
REALLY appreciate the service you folks provide, thanks!

Since the first post I've added Proventia Firewall, and disabled Windows firewall. Also running AdAware and Malware scans daily. All have been clean.
All suspicious or un-identifiable files I've found I added a ".QUAR" to, and removed the file suffix "." so unknown.dll becomes unknowndll.QUAR
Only suspicious activities now are an occasional unexplainable ! sound, usually shortly after a reboot/restart, and an occasional slowing of opening and populating a Windows Explorer window- may be due to McAfee and Proventia activity?

I also have the logs from the scans before, during and after the "cleaning", if needed.

Logs as requested:
ComboFix 08-12-31.01 - Dennis 2009-01-01 7:33:03.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.549 [GMT -6:00]
Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.

2008-12-28 12:18 . 2008-12-28 12:21 <DIR> d-------- c:\documents and settings\Dennis\SecurityScans
2008-12-26 07:51 . 2008-12-26 07:51 <DIR> d-------- c:\program files\UninstallScripts
2008-12-26 07:50 . 2008-12-26 07:50 <DIR> d-------- c:\program files\ISS
2008-12-26 07:50 . 2007-01-16 14:37 197,106 --a------ c:\windows\system32\drivers\Blackcat.sys
2008-12-26 07:50 . 2006-09-13 16:59 76,849 --a------ c:\windows\system32\drivers\MakoNT.sys
2008-12-26 07:50 . 2007-01-16 14:37 47,788 --a------ c:\windows\system32\drivers\RapDrv.sys
2008-12-26 07:50 . 2008-12-26 07:50 256 --a------ c:\windows\system32\imagehlp_dll.iss
2008-12-26 07:50 . 2008-12-26 07:51 28 --a------ c:\windows\system32\ole32_dll.iss
2008-12-26 07:50 . 2008-12-26 07:50 28 --a------ c:\windows\system32\lz32_dll.iss
2008-12-26 07:50 . 2008-12-26 07:50 28 --a------ c:\windows\system32\gdi32_dll.iss
2008-12-26 07:50 . 2008-12-26 07:50 28 --a------ c:\windows\system32\comdlg32_dll.iss
2008-12-25 08:14 . 2008-12-25 08:14 <DIR> d-------- c:\program files\Bonjour
2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\program files\iPod
2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 06:48 . 2008-12-24 06:56 162 --ah----- c:\windows\~$cahufibat.quar
2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- C:\rsit
2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- c:\program files\trend micro
2008-12-23 17:35 . 2008-12-23 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 08:28 . 2008-12-27 06:08 <DIR> d-------- C:\HiJackThis
2008-12-23 06:58 . 2000-08-31 08:00 28,672 --a------ c:\windows\NIRCMDexe.quar
2008-12-22 21:52 . 2008-12-22 21:52 <DIR> d-------- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2008-12-22 21:42 . 2008-12-22 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-22 21:42 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2008-12-22 21:42 . 2008-05-22 20:50 174,952 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-22 21:42 . 2008-05-22 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-22 21:42 . 2008-05-22 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2008-12-22 21:42 . 2008-05-22 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2008-12-22 21:42 . 2008-05-22 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-22 21:42 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2008-12-22 21:41 . 2008-12-22 21:42 <DIR> d-------- c:\program files\McAfee
2008-12-22 21:41 . 2008-12-22 21:41 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 21:26 . 2008-12-22 21:26 <DIR> d-------- c:\windows\Sun
2008-12-22 18:39 . 2008-12-22 21:28 <DIR> d-------- c:\documents and settings\Administrator.DELL4500
2008-12-22 15:39 . 2008-12-22 15:39 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 15:39 . 2008-12-22 15:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-22 08:22 . 2008-12-22 08:22 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-09 15:32 . 2008-12-09 15:32 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Viewpoint
2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\Dennis\Application Data\PC Suite
2008-12-06 11:20 . 2008-12-06 11:58 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Nokia
2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\DIFX
2008-12-06 11:17 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2008-12-06 11:16 . 2008-12-06 12:01 <DIR> d-------- c:\program files\Nokia
2008-12-06 11:16 . 2008-05-07 07:38 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-06 11:15 . 2008-12-06 11:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2008-12-06 10:49 . 2008-12-06 10:49 <DIR> d-------- C:\Output
2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\dllcache\usbser.sys
2008-12-01 16:42 . 2008-12-01 16:43 <DIR> d-------- C:\RAZR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 22:45 --------- d-----w c:\program files\quarantine
2008-12-25 14:13 --------- d-----w c:\program files\iTunes
2008-12-25 14:11 --------- d-----w c:\program files\QuickTime
2008-12-25 13:48 --------- d-----w c:\program files\Apple Software Update
2008-12-23 23:35 --------- d-----w c:\program files\Lavasoft
2008-12-23 23:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:44 --------- d-----w c:\documents and settings\All Users\Application Data\Network Associates
2008-12-23 03:38 --------- d-----w c:\program files\Common Files\Network Associates
2008-12-23 03:25 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-22 21:39 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-07 23:18 --------- d-----w c:\program files\Netscape
2008-12-06 16:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 01:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-20 01:18 --------- d--h--w c:\program files\Zero G Registry
2008-11-20 00:50 --------- d-----w c:\program files\Aglare Mp3 to Amr Converter
2008-11-19 23:47 --------- d-----w c:\program files\AviSynth 2.5
2008-11-19 23:46 --------- d-----w c:\program files\eRightSoft
2008-11-07 20:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-29 22:20 19,070 ----a-w c:\windows\iwyxusicom.quar.pif
2008-10-29 22:20 18,968 ----a-w c:\program files\Common Files\eduv._dl
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2003-12-10 22:54 83,728 ----a-w c:\documents and settings\Dennis\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-12-26_16.06.36.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-09-11 10:40:36 484,272 ----a-w c:\windows\Downloaded Program Files\isusweb.dll
+ 2007-08-30 16:50:50 475,816 ----a-w c:\windows\Downloaded Program Files\isusweb.dll
- 2008-12-25 19:25:25 24,797 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-01 13:20:43 24,797 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-01 13:19:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.uyvy"= vvlcodec.dll
"vidc.yuy2"= vvlcodec.dll
"msvideo3"= STVqx3tg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.exe
backup=c:\windows\pss\RapidRes.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.ini
backup=c:\windows\pss\RapidRes.iniCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk.disabled]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk.disabled
backup=c:\windows\pss\Greetings Workshop Reminders.lnk.disabledStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"GEARSecurity"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMhelpr.sys [2004-03-21 4064]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2002-10-15 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2002-10-15 545088]
S0 black;black;c:\windows\system32\drivers\BlackCat.sys [2008-12-26 197106]
S2 BlackICE;BlackICE;"c:\program files\ISS\Proventia Desktop\blackd.exe" [2008-12-26 2011473]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [2008-12-26 426333]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\Drivers\dsreader.sys [2006-07-21 19677]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe []
S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2008-12-26 76849]
S3 mgau;mgau;c:\windows\system32\DRIVERS\mgaum.sys [2008-06-28 320384]
S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-12-26 47788]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.sys [2003-03-03 131776]
S3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2007-07-13 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2007-07-13 44928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee0a10f7-4367-11dd-9c88-da6084cae3c4}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-01 c:\windows\Tasks\gtrgginf.job
- c:\windows\system32\rundll32.exe [2004-08-04 01:56]

2009-01-01 c:\windows\Tasks\hufjijnw.job
- c:\windows\system32\rundll32.exe [2004-08-04 01:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gtec.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\Office2K\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gtec.com
FF - component: c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 07:35:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-01 7:37:19
combofix run 1_log.txt 2008-12-23 13:19:06
ComboFix-quarantined-files.txt 2009-01-01 13:37:03
ComboFix.txt 2008-12-23 13:26:17
ComboFix2.txt 2009-01-01 13:10:47
ComboFix3.txt 2008-12-26 22:07:39
ComboFix4.txt 2008-12-24 12:06:42
ComboFix5.txt 2009-01-01 13:32:11

Pre-Run: 207,577,509,888 bytes free
Post-Run: 207,560,933,376 bytes free

258 --- E O F --- 2008-12-14 17:58:59

Edited by PropagandaPanda, 01 January 2009 - 09:37 AM.
Removed dupe log.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:31 PM

Posted 01 January 2009 - 09:39 AM

Hello dellphinus.

Looks like some leftovers of an infection.

Not a bad job identifying the baddies.

Please make sure your protection is disabled before we begin.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/188998/unknown-files-aftre-vundo-remove/
    
    Collect::
    c:\windows\system32\imagehlp_dll.iss
    c:\windows\system32\ole32_dll.iss
    c:\windows\system32\lz32_dll.iss
    
    File::
    c:\windows\system32\gdi32_dll.iss
    c:\windows\system32\comdlg32_dll.iss
    c:\windows\iwyxusicom.quar.pif
    c:\program files\Common Files\eduv._dl
    c:\windows\Tasks\gtrgginf.job
    c:\windows\Tasks\hufjijnw.job
    
    Folder::
    c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Upload Samples Collected by ComboFix
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Follow the directions given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Re-enable your protection at this time.

Please post back with:
-the ComboFix log
-the MalwareBytes scan log
-a new HijackThis scan log

With Regards,
The panda

Edited by PropagandaPanda, 01 January 2009 - 09:39 AM.
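The CFScript above tells ComboFix which files and folders to remove, and the log ComboFix writes afterwards lists what it actually deleted under its "Other Deletions" banner. As an added example (not ComboFix's own code, and not part of the original post), the script below parses a CFScript into its Collect::/File::/Folder:: sections and cross-checks the File:: and Folder:: entries against a ComboFix log, reporting any path the log does not confirm as deleted. Both inputs are constructed excerpts modelled on the script and log in this thread.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produced.

Added example, not ComboFix's own code. The CFScript directives
(Collect::, File::, Folder::) and the 'Other Deletions' log section
follow the format shown in this thread; the inputs below are
constructed excerpts for illustration.
"""

# Directive headers used by CFScript, as in the post above.
DIRECTIVES = ("Collect::", "File::", "Folder::")

# Constructed CFScript, copied from the instructions above.
CFSCRIPT = r"""
http://www.bleepingcomputer.com/forums/t/188998/unknown-files-aftre-vundo-remove/

Collect::
c:\windows\system32\imagehlp_dll.iss
c:\windows\system32\ole32_dll.iss
c:\windows\system32\lz32_dll.iss

File::
c:\windows\system32\gdi32_dll.iss
c:\windows\system32\comdlg32_dll.iss
c:\windows\iwyxusicom.quar.pif
c:\program files\Common Files\eduv._dl
c:\windows\Tasks\gtrgginf.job
c:\windows\Tasks\hufjijnw.job

Folder::
c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
"""

# Constructed ComboFix log excerpt: one scheduled task (hufjijnw.job)
# is deliberately left out so the check below has something to report.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\eduv._dl
c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll
c:\windows\iwyxusicom.quar.pif
c:\windows\system32\comdlg32_dll.iss
c:\windows\system32\gdi32_dll.iss
c:\windows\system32\imagehlp_dll.iss
c:\windows\system32\lz32_dll.iss
c:\windows\system32\ole32_dll.iss
c:\windows\Tasks\gtrgginf.job

.
((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.
"""


def parse_cfscript(text):
    """Return {directive_name: [paths]} for the sections found in a CFScript.

    Lines before the first directive (such as the thread URL) are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in DIRECTIVES:
            current = line.rstrip(":")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def deleted_paths(log_text):
    """Collect the paths listed under ComboFix's 'Other Deletions' banner.

    Paths are lower-cased because Windows paths are case-insensitive.
    """
    deleted = set()
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next banner reached: section over
        if in_section and line and line != ".":
            deleted.add(line.lower())
    return deleted


def unremoved(script_text, log_text):
    """Paths from File::/Folder:: that the log does not confirm as deleted.

    Collect:: entries are quarantined for upload, so they are not checked.
    """
    sections = parse_cfscript(script_text)
    deleted = deleted_paths(log_text)
    missing = []
    for key in ("File", "Folder"):
        for path in sections.get(key, []):
            if path.lower() not in deleted:
                missing.append(path)
    return missing


if __name__ == "__main__":
    for path in unremoved(CFSCRIPT, COMBOFIX_LOG):
        print("not confirmed deleted:", path)
```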


#5 dellphinus

dellphinus
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:31 PM

Posted 01 January 2009 - 10:19 AM

Files uploaded, logs below.

May I ask what the remnants were: just files, or was something still running?
Also, I have Proventia blocking calls to rasautou.exe. I can't determine what's calling it... I do not use any dialup...

ComboFix 08-12-31.01 - Dennis 2009-01-01 8:55:04.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.558 [GMT -6:00]
Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dennis\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\Common Files\eduv._dl
c:\windows\iwyxusicom.quar.pif
c:\windows\system32\comdlg32_dll.iss
c:\windows\system32\gdi32_dll.iss
c:\windows\Tasks\gtrgginf.job
c:\windows\Tasks\hufjijnw.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\eduv._dl
c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll
c:\windows\iwyxusicom.quar.pif
c:\windows\system32\comdlg32_dll.iss
c:\windows\system32\gdi32_dll.iss
c:\windows\system32\imagehlp_dll.iss
c:\windows\system32\lz32_dll.iss
c:\windows\system32\ole32_dll.iss
c:\windows\Tasks\gtrgginf.job
c:\windows\Tasks\hufjijnw.job

.
((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.

2008-12-28 12:18 . 2008-12-28 12:21 <DIR> d-------- c:\documents and settings\Dennis\SecurityScans
2008-12-26 07:51 . 2008-12-26 07:51 <DIR> d-------- c:\program files\UninstallScripts
2008-12-26 07:50 . 2008-12-26 07:50 <DIR> d-------- c:\program files\ISS
2008-12-26 07:50 . 2007-01-16 14:37 197,106 --a------ c:\windows\system32\drivers\Blackcat.sys
2008-12-26 07:50 . 2006-09-13 16:59 76,849 --a------ c:\windows\system32\drivers\MakoNT.sys
2008-12-26 07:50 . 2007-01-16 14:37 47,788 --a------ c:\windows\system32\drivers\RapDrv.sys
2008-12-25 08:14 . 2008-12-25 08:14 <DIR> d-------- c:\program files\Bonjour
2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\program files\iPod
2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 06:48 . 2008-12-24 06:56 162 --ah----- c:\windows\~$cahufibat.quar
2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- C:\rsit
2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- c:\program files\trend micro
2008-12-23 17:35 . 2008-12-23 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 08:28 . 2009-01-01 07:38 <DIR> d-------- C:\HiJackThis
2008-12-23 06:58 . 2000-08-31 08:00 28,672 --a------ c:\windows\NIRCMDexe.quar
2008-12-22 21:42 . 2008-12-22 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-22 21:42 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2008-12-22 21:42 . 2008-05-22 20:50 174,952 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-22 21:42 . 2008-05-22 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-22 21:42 . 2008-05-22 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2008-12-22 21:42 . 2008-05-22 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2008-12-22 21:42 . 2008-05-22 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-22 21:42 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2008-12-22 21:41 . 2008-12-22 21:42 <DIR> d-------- c:\program files\McAfee
2008-12-22 21:41 . 2008-12-22 21:41 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 21:26 . 2008-12-22 21:26 <DIR> d-------- c:\windows\Sun
2008-12-22 18:39 . 2008-12-22 21:28 <DIR> d-------- c:\documents and settings\Administrator.DELL4500
2008-12-22 15:39 . 2008-12-22 15:39 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 15:39 . 2008-12-22 15:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-22 08:22 . 2008-12-22 08:22 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-09 15:32 . 2008-12-09 15:32 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Viewpoint
2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\Dennis\Application Data\PC Suite
2008-12-06 11:20 . 2008-12-06 11:58 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Nokia
2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\DIFX
2008-12-06 11:17 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2008-12-06 11:16 . 2008-12-06 12:01 <DIR> d-------- c:\program files\Nokia
2008-12-06 11:16 . 2008-05-07 07:38 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-06 11:15 . 2008-12-06 11:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2008-12-06 10:49 . 2008-12-06 10:49 <DIR> d-------- C:\Output
2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\dllcache\usbser.sys
2008-12-01 16:42 . 2008-12-01 16:43 <DIR> d-------- C:\RAZR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 22:45 --------- d-----w c:\program files\quarantine
2008-12-25 14:13 --------- d-----w c:\program files\iTunes
2008-12-25 14:11 --------- d-----w c:\program files\QuickTime
2008-12-25 13:48 --------- d-----w c:\program files\Apple Software Update
2008-12-23 23:35 --------- d-----w c:\program files\Lavasoft
2008-12-23 23:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:44 --------- d-----w c:\documents and settings\All Users\Application Data\Network Associates
2008-12-23 03:38 --------- d-----w c:\program files\Common Files\Network Associates
2008-12-23 03:25 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-22 21:39 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-07 23:18 --------- d-----w c:\program files\Netscape
2008-12-06 16:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 01:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-20 01:18 --------- d--h--w c:\program files\Zero G Registry
2008-11-20 00:50 --------- d-----w c:\program files\Aglare Mp3 to Amr Converter
2008-11-19 23:47 --------- d-----w c:\program files\AviSynth 2.5
2008-11-19 23:46 --------- d-----w c:\program files\eRightSoft
2008-11-07 20:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2003-12-10 22:54 83,728 ----a-w c:\documents and settings\Dennis\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-12-26_16.06.36.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-09-11 10:40:36 484,272 ----a-w c:\windows\Downloaded Program Files\isusweb.dll
+ 2007-08-30 16:50:50 475,816 ----a-w c:\windows\Downloaded Program Files\isusweb.dll
- 2008-11-10 01:12:43 53,812 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-01 14:27:58 53,812 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-10 01:12:43 383,584 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-01 14:27:58 383,584 ----a-w c:\windows\system32\perfh009.dat
- 2008-12-25 19:25:25 24,797 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-01 13:46:08 24,797 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-01 13:45:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.uyvy"= vvlcodec.dll
"vidc.yuy2"= vvlcodec.dll
"msvideo3"= STVqx3tg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.exe
backup=c:\windows\pss\RapidRes.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.ini
backup=c:\windows\pss\RapidRes.iniCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk.disabled]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk.disabled
backup=c:\windows\pss\Greetings Workshop Reminders.lnk.disabledStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"GEARSecurity"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMhelpr.sys [2004-03-21 4064]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2002-10-15 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2002-10-15 545088]
S0 black;black;c:\windows\system32\drivers\BlackCat.sys [2008-12-26 197106]
S2 BlackICE;BlackICE;"c:\program files\ISS\Proventia Desktop\blackd.exe" [2008-12-26 2011473]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [2008-12-26 426333]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\Drivers\dsreader.sys [2006-07-21 19677]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe []
S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2008-12-26 76849]
S3 mgau;mgau;c:\windows\system32\DRIVERS\mgaum.sys [2008-06-28 320384]
S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-12-26 47788]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.sys [2003-03-03 131776]
S3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2007-07-13 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2007-07-13 44928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee0a10f7-4367-11dd-9c88-da6084cae3c4}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gtec.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\Office2K\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gtec.com
FF - component: c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 08:57:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-01 8:59:09
combofix run 1_log.txt 2008-12-23 13:19:06
ComboFix-quarantined-files.txt 2009-01-01 14:58:52
ComboFix.txt 2008-12-23 13:26:17
ComboFix2.txt 2009-01-01 13:37:22
ComboFix3.txt 2009-01-01 13:10:47
ComboFix4.txt 2008-12-26 22:07:39
ComboFix5.txt 2009-01-01 14:54:21

Pre-Run: 207,590,178,816 bytes free
Post-Run: 207,573,061,632 bytes free

273 --- E O F --- 2008-12-14 17:58:59

Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.1.2600 Service Pack 2

1/1/2009 9:09:23 AM
mbam-log-2009-01-01 (09-09-23).txt

Scan type: Quick Scan
Objects scanned: 67774
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of random's system information tool 1.05 (written by random/random)
Run by Dennis at 2009-01-01 09:38:37
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 198 GB (83%) free of 238 GB
Total RAM: 1023 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:07 AM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dennis\Desktop\RSIT.exe
C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
C:\HiJackThis\Dennis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gtec.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.gtec.com"); (C:\Documents and Settings\DENNIS\Application Data\Mozilla\Profiles\default\kcj96xmh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DENNIS\Application Data\Mozilla\Profiles\default\kcj96xmh.slt\prefs.js)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Proventia Desktop Agent.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office2K\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office2K\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Deskshop - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Discover Deskshop\Deskshop.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397426484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397286859
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://boeing.webex.com/client/T23LBA/webex/ieatgpc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9326 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-22 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-05-22 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-22 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe [2001-11-29 196608]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-11-07 19968]
"nwiz"=nwiz.exe /install []
"DellTouch"=C:\WINDOWS\DELLMMKB.EXE [2001-09-23 163840]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-22 136600]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-05-22 111952]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2007-10-25 136512]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2007-08-30 205480]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-09-11 86960]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2002-08-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
C:\PROGRA~1\BRODER~1\AGCREA~1\AGRemind.exe [2001-07-03 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RapidRes.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.ini]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RapidRes.ini []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2002-08-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk.disabled]
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk.disabled []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3
"GEARSecurity"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Proventia Desktop Agent.lnk -
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee0a10f7-4367-11dd-9c88-da6084cae3c4}]
shell\AutoRun\command - D:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-01-01 08:59:11 ----A---- C:\ComboFix.txt
2008-12-26 07:51:54 ----D---- C:\Program Files\UninstallScripts
2008-12-26 07:50:00 ----D---- C:\Program Files\ISS
2008-12-25 08:14:26 ----D---- C:\Program Files\Bonjour
2008-12-25 08:13:10 ----D---- C:\Program Files\iPod
2008-12-25 08:13:07 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 09:47:29 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-24 05:40:24 ----D---- C:\Program Files\trend micro
2008-12-24 05:40:23 ----D---- C:\rsit
2008-12-23 17:35:31 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-23 08:28:55 ----D---- C:\HiJackThis
2008-12-23 06:56:23 ----A---- C:\Boot.bak
2008-12-23 06:56:14 ----RASHD---- C:\cmdcons
2008-12-23 06:52:50 ----A---- C:\WINDOWS\zip.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\VFIND.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\SWSC.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\SWREG.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\sed.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\grep.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\fdsv.exe
2008-12-23 06:52:49 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-23 06:52:22 ----D---- C:\WINDOWS\ERDNT
2008-12-23 06:52:22 ----D---- C:\Qoobox
2008-12-22 21:42:37 ----A---- C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-12-22 21:42:37 ----A---- C:\WINDOWS\system32\epoPGPsdk.dll
2008-12-22 21:42:36 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2008-12-22 21:41:34 ----D---- C:\Program Files\McAfee
2008-12-22 21:41:34 ----D---- C:\Program Files\Common Files\McAfee
2008-12-22 21:27:36 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
2008-12-22 21:26:12 ----D---- C:\WINDOWS\Sun
2008-12-22 19:03:39 ----D---- C:\Program Files\Grisoft
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\java.exe
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-22 15:37:37 ----D---- C:\Documents and Settings\Dennis\Application Data\Sun
2008-12-21 19:31:28 ----A---- C:\WINDOWS\system32\6b24ae7d-.txt
2008-12-14 11:58:51 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-14 11:58:38 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-14 11:50:59 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-14 11:50:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-12 11:18:16 ----A---- C:\WINDOWS\system32\dns-sd.exe
2008-12-12 11:11:46 ----A---- C:\WINDOWS\system32\dnssd.dll
2008-12-09 15:32:02 ----D---- C:\Documents and Settings\Dennis\Application Data\Viewpoint
2008-12-06 11:20:14 ----D---- C:\Documents and Settings\Dennis\Application Data\Nokia
2008-12-06 11:20:12 ----D---- C:\Documents and Settings\Dennis\Application Data\PC Suite
2008-12-06 11:20:11 ----D---- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-12-06 11:17:29 ----D---- C:\Program Files\DIFX
2008-12-06 11:17:16 ----D---- C:\Program Files\PC Connectivity Solution
2008-12-06 11:16:41 ----A---- C:\WINDOWS\system32\nmwcdcls.dll
2008-12-06 11:16:40 ----D---- C:\Program Files\Nokia
2008-12-06 11:15:54 ----D---- C:\Documents and Settings\All Users\Application Data\Installations
2008-12-06 10:49:50 ----D---- C:\Output

======List of files/folders modified in the last 1 months======

2009-01-01 09:38:29 ----D---- C:\WINDOWS\Temp
2009-01-01 09:16:04 ----D---- C:\Program Files\Mozilla Firefox
2009-01-01 09:15:01 ----A---- C:\WINDOWS\MSIOSD.INI
2009-01-01 09:13:35 ----D---- C:\WINDOWS\system32
2009-01-01 09:11:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-01 08:59:25 ----D---- C:\WINDOWS
2009-01-01 08:57:46 ----A---- C:\WINDOWS\system.ini
2009-01-01 08:56:48 ----D---- C:\WINDOWS\system32\drivers
2009-01-01 08:56:48 ----D---- C:\Program Files\Common Files
2009-01-01 08:56:47 ----D---- C:\WINDOWS\AppPatch
2009-01-01 08:55:18 ----SD---- C:\WINDOWS\Tasks
2009-01-01 08:27:58 ----D---- C:\WINDOWS\system32\wbem
2009-01-01 08:27:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-01 07:54:47 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-01 07:07:35 ----D---- C:\WINDOWS\Prefetch
2008-12-31 16:45:29 ----D---- C:\Program Files\quarantine
2008-12-29 16:18:18 ----D---- C:\WINDOWS\Minidump
2008-12-29 10:51:55 ----SHD---- C:\WINDOWS\Installer
2008-12-29 10:51:55 ----D---- C:\Config.Msi
2008-12-29 10:51:53 ----D---- C:\Program Files
2008-12-27 09:59:31 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-26 07:44:51 ----D---- C:\Anti Virus Tools
2008-12-25 13:29:00 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-25 13:25:52 ----HD---- C:\WINDOWS\inf
2008-12-25 08:13:36 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-25 08:13:36 ----D---- C:\Program Files\iTunes
2008-12-25 08:11:34 ----D---- C:\Program Files\QuickTime
2008-12-25 07:48:50 ----D---- C:\Program Files\Apple Software Update
2008-12-25 06:56:35 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-24 10:46:56 ----A---- C:\WINDOWS\WORDPAD.INI
2008-12-24 09:37:38 ----A---- C:\WINDOWS\winzip32.ini
2008-12-24 09:37:38 ----A---- C:\WINDOWS\win.ini
2008-12-24 07:21:31 ----D---- C:\tools
2008-12-24 07:04:39 ----D---- C:\downloads
2008-12-23 17:35:32 ----D---- C:\Program Files\Lavasoft
2008-12-23 17:34:35 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-23 11:29:40 ----D---- C:\TEMP
2008-12-23 07:05:06 ----D---- C:\WINDOWS\system32\config
2008-12-23 06:56:23 ----RASH---- C:\boot.ini
2008-12-23 06:52:42 ----SHD---- C:\System Volume Information
2008-12-23 06:52:42 ----D---- C:\WINDOWS\system32\Restore
2008-12-22 21:44:44 ----D---- C:\Documents and Settings\All Users\Application Data\Network Associates
2008-12-22 21:38:44 ----D---- C:\Program Files\Common Files\Network Associates
2008-12-22 21:27:50 ----D---- C:\WINDOWS\Registration
2008-12-22 21:25:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-22 21:12:34 ----D---- C:\WINDOWS\system
2008-12-22 18:46:05 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-22 18:39:32 ----D---- C:\Documents and Settings
2008-12-22 15:39:03 ----D---- C:\Program Files\Java
2008-12-14 11:58:59 ----A---- C:\WINDOWS\imsins.BAK
2008-12-14 11:55:38 ----D---- C:\Program Files\Internet Explorer
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-09 17:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-07 17:18:12 ----D---- C:\Program Files\Netscape
2008-12-06 11:16:34 ----D---- C:\WINDOWS\WinSxS
2008-12-06 10:57:40 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-04 05:26:15 ----A---- C:\fp.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ATMhelpr;ATMhelpr; C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 4064]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-08-09 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-08-09 2560]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2002-11-19 240640]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-05-22 52104]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2001-12-04 3360]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2002-11-19 134426]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2002-11-19 206464]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2002-10-16 8552]
R2 Fallback;Fallback; C:\WINDOWS\system32\DRIVERS\fallback.sys [2001-07-18 310899]
R2 Fsks;Fsks; C:\WINDOWS\system32\DRIVERS\fsksnt.sys [2001-07-18 127405]
R2 K56;K56; C:\WINDOWS\system32\DRIVERS\k56nt.sys [2001-07-18 426783]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R2 SoftFax;SoftFax; C:\WINDOWS\system32\DRIVERS\faxnt.sys [2001-07-18 217019]
R2 SpeakerPhone;SpeakerPhone; C:\WINDOWS\system32\DRIVERS\spkpnt.sys [2001-07-18 80449]
R2 Tones;Tones; C:\WINDOWS\system32\DRIVERS\tonesnt.sys [2001-07-18 56607]
R2 V124;V124; C:\WINDOWS\system32\DRIVERS\v124nt.sys [2001-07-18 534125]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 36224]
R3 basic2;basic2; C:\WINDOWS\system32\DRIVERS\basic2.sys [2001-07-18 77426]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2006-06-07 329901]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2006-06-07 855018]
R3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2002-11-19 25674]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
R3 MakoNT;MakoNT; C:\WINDOWS\system32\drivers\MakoNT.sys [2006-09-13 76849]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-05-22 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-05-22 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-05-22 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-05-22 174952]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 rap;rap; C:\WINDOWS\System32\drivers\RapDrv.sys [2007-01-16 47788]
R3 Rksample;Rksample; C:\WINDOWS\system32\DRIVERS\rksample.sys [2001-07-18 67654]
R3 tbcspud;Santa Cruz Driver; C:\WINDOWS\system32\drivers\tbcspud.sys [2002-04-03 144768]
R3 tbcwdm;Santa Cruz WDM Driver; C:\WINDOWS\system32\drivers\tbcwdm.sys [2002-04-03 545088]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2001-07-25 584336]
R3 WmaCDriverV32;WmaCDriverV32; C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2006-12-25 513152]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2002-06-20 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2002-06-20 39776]
R4 black;black; C:\WINDOWS\System32\drivers\BlackCat.sys [2007-01-16 197106]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2006-06-07 30459]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2006-06-07 149028]
S3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2006-06-07 47811]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2006-06-07 67384]
S3 catchme;catchme; \??\C:\DOCUME~1\Dennis\LOCALS~1\Temp\catchme.sys []
S3 dsreader;MaxDrive Driver (dsreader.sys); C:\WINDOWS\System32\Drivers\dsreader.sys [2001-01-02 19677]
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
S3 mgau;mgau; C:\WINDOWS\System32\DRIVERS\mgaum.sys [2001-08-17 320384]
S3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2002-11-19 30406]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 STVqx3;Intel Play QX3 Microscope; C:\WINDOWS\system32\drivers\STVqx3.sys [2001-04-12 131776]
S3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2006-09-18 16640]
S3 USA19H;USA19H; C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver; C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 44928]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2004-08-04 25600]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2002-06-20 20128]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2002-06-20 5728]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 RxFilter;RxFilter; C:\WINDOWS\system32\DRIVERS\RxFilter.sys [2006-12-13 50688]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2006-06-07 266295]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-22 152984]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2007-10-25 103744]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe [2008-05-22 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [2008-05-22 54608]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 TabletService;TabletService; C:\WINDOWS\system32\Tablet.exe [2003-12-04 634880]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-03-12 310008]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-03-12 166648]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-01-21 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-03-12 887544]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-08-07 575488]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-01-23 73728]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------

Edited by dellphinus, 01 January 2009 - 10:41 AM.


#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 January 2009 - 11:05 AM

Hello dellphinus.

Looks like it was just some files. The ".job" entries may have tried to start something, but the files associated with that were probably removed. Most likely it was nothing active.

Update Windows Installation
Your Microsoft Windows installation is out of date. Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware from being installed on your computer.

Please click here to check for and install updates to Windows, and Microsoft applications. If you encounter any problems during the installation, please feel free to ask for help.

The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Reboot and repeat the update process until there are no more updates to install.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


With Regards,
The Panda

#7 dellphinus
  • Topic Starter
  • Members
  • 43 posts

Posted 01 January 2009 - 09:13 PM

Ran Kaspersky. The scan screen showed 1 threat, 1 file, but the scan report was blank, and saving it resulted in no file being generated.
Updated and ran McAfee full scan- nothing identified.

Edited by dellphinus, 02 January 2009 - 07:47 AM.


#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 02 January 2009 - 08:19 AM

Hello dellphinus.

Kaspersky should have at least detected some of the files in ComboFix's quarantine.

If this computer has some spare time, then consider trying to run F-Secure. If you don't want to, that's fine.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

If not, just post back a new HijackThis log.

Were you able to do updates?

With Regards,
The Panda

#9 dellphinus
  • Topic Starter
  • Members
  • 43 posts

Posted 02 January 2009 - 09:10 AM

I did some of the updates- there were no critical updates listed, and I've been holding off on doing the SP3 update, based on some negative press- I have two more updates to do when this McAfee scan finishes.
After doing the updates, I'll run the F-Secure.

Question- I'm a little nervous about having the computer online without the firewall running- is it OK to leave it active while doing the F-Secure? Also, while reading the instructions for F-Secure, I noticed it only runs on Explorer- and I completely missed your comments earlier about Kaspersky only being for Explorer- I ran it under FF. I'll rerun with Explorer 7.

[edit]- McAfee just hit a bunch of Vundo registry keys, and all the QooBox files- it's still running, though. Also, a bunch of tool-nir-cmds in the restore points.

Edited by dellphinus, 02 January 2009 - 09:18 AM.


#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 02 January 2009 - 09:41 AM

Hello.

I don't think the Firewall will be a problem.

Nircmd.exe is a tool used by ComboFix. It can do things like hide windows, so McAfee suspects it to be dangerous.

ComboFix uses it to open the popup windows and some other functions.

With Regards,
The panda

#11 dellphinus
  • Topic Starter
  • Members
  • 43 posts

Posted 02 January 2009 - 11:45 PM

OK, ran the Kaspersky again, this time with Explorer, and this time it generated the report- the hit was in the Qoobox quarantine. The F-Secure found a couple cookies.
After McAfee finished, I disabled System Restore and let McAfee clean/delete everything it found- 39 hits, all backed up registry and restore points (the Nircmds it found were all tool-Nircmds, named A0000xxxx.com, where xxxx is a rnd num).

Kaspersky and F-Secure logs below.


Kaspersky Report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 11:07:11
Records in database: 1547639
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
R:\

Scan statistics:
Files scanned: 103822
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:28:56


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Dennis\Local Settings\Temp\ddcBTlmK.dll.vir Infected: Trojan.Win32.Monder.agej 1

The selected area was scanned.





F-Secure Report:

Scanning Report
Friday, January 02, 2009 15:56:16 - 22:32:25

Computer name: DELL4500
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 2 malware found
TrackingCookie.Adbrite (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

Statistics
Scanned:

* Files: 47060
* System: 5494
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-02
* F-Secure AVP: 7.0.171, 2009-01-02
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Edited by dellphinus, 03 January 2009 - 06:50 AM.


#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 03 January 2009 - 08:23 AM

Hello dellphinus.

Looks good :thumbsup: . If it's the same on your side, then we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#13 dellphinus

  • Topic Starter
  • Members
  • 43 posts

Posted 03 January 2009 - 10:42 AM

I think I'm good- only thing left is finding out what is calling Rasautou.exe- I can't catch it in process explorer to see what tree it's in- got any tools or tips that might help there? It's not a biggie, the firewall is blocking it from executing, I'd just like to know what the heck is calling it.

also, I'm assuming I can delete all the quarantined files now?

UPDATE- just did a reboot- and Process explorer redlined WMIPRVSE.exe. Googled it, and your data base has it listed as malware. Had AntiMalware scan it, and it came up clean. Searched the C drive for it and three copies came up, C:\Windows\ $NTServicePackInstall$, ServicePackFiles\i386, system32\wbem.

Update2- wmiprvse.exe is good...

Update 3- Panda, maybe I'm overly paranoid now, but one more item- when I reboot, sometimes (about half the time), my McAfee tray icon displays the slashed circle (disabled) briefly after it starts. I have access protection turned on for it. The other times, it starts, and displays normally, no slash.

Edited by dellphinus, 03 January 2009 - 11:59 AM.


#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 03 January 2009 - 12:08 PM

Hello dellphinus.

Rasautou.exe is the "Microsoft Remote Access Dialler". It is used by legit programs, but malware can hijack it.

I'm assuming I can delete all the quarantined files now?

Yes.

The startup database is not a list of items you see in Task Manager. If that filename was listed in a startup entry, it would be bad. Otherwise, it's normal :thumbsup: .

when I reboot, sometimes (about half the time), my McAfee tray icon displays the slashed circle (disabled) briefly after it starts.

Does it go to the enabled sign after a moment? Might be taking some time to start.
---
Save Uninstall List with HijackThis
Let's see if we can identify programs that need remote access.
  • Double click the HijackThis icon on your desktop.
  • If you see a white screen, click Main Menu at the middle bottom of the window, otherwise move onto the next step.
  • Click Open the Misc Tools section.
  • Under System tools, select Uninstall Manager....
  • Near the bottom right, click Save list... and save uninstall_list.txt onto your desktop.
  • Post back with uninstall_list.txt.
With Regards,
The Panda

#15 dellphinus

  • Topic Starter
  • Members
  • 43 posts

Posted 03 January 2009 - 12:18 PM

Yes, the indication is only there for about a second.

.txt file attached
