
Infected with VirtuMonde/Backdoor.Win32.Hupigon


14 replies to this topic

#1 zish

zish

  • Members
  • 8 posts

Posted 25 December 2008 - 11:38 PM

Hello People,

My antivirus says that I am infected with Virtumonde; the exact message is "a variant of Win32/Adware.virtumonde application found". It found infected DLL files in System32 but cannot remove them. So I tried Trend Micro and onecare.live, but nothing seems to work. Kaspersky online scan tells me that I have Backdoor.Win32.Hupigon, which I believe is just another name for Virtumonde.

The fake/deceptive warning message that 'my PC is infected and I should try Antivirus 2009' pops up only when I browse with Internet Explorer; since I use Chrome, the pop-up doesn't bug me so much. I need some guidance on how to remove it. I have done the scan with DSS and also with Kaspersky online, and the reports are pasted below. Hopefully someone out there can help me. I apologise for bugging you guys during the holidays, and thanks in advance for any help.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 13:01:28
Records in database: 1509397
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 195320
Threat name: 3
Infected objects: 16
Suspicious objects: 0
Duration of the scan: 03:46:45


File name / Threat name / Threats count
C:\WINDOWS\system32\fccywTMF.dll/C:\WINDOWS\system32\fccywTMF.dll Infected: Backdoor.Win32.Hupigon.cncl 8
C:\WINDOWS\system32\yaywusqq.dll/C:\WINDOWS\system32\yaywusqq.dll Infected: Trojan.Win32.Agent.aywm 4
C:\Documents and Settings\Administrator\My Documents\Installations\secure folder\SECURE FOLDER.exe Infected: Trojan.Win32.Tiny.ah 1
C:\Program Files\Eset\infected\CXUTBAAA.NQF Infected: Backdoor.Win32.Hupigon.cncl 1
C:\WINDOWS\system32\fccywTMF.dll Infected: Backdoor.Win32.Hupigon.cncl 1
C:\WINDOWS\system32\yaywusqq.dll Infected: Trojan.Win32.Agent.aywm 1

The selected area was scanned.

<END OF REPORT>

------------------------------------------------------------------------------------------------------------------------------------

_______
DSS Log
_______


DDS (Version 1.1.0) - NTFSx86
Run by Administrator at 12:27:21.46 on 26/12/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.729 [GMT 8:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\msftesql.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cricinfo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.hp.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 10.77.8.70:8080
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {3757fd32-5b34-4539-9dae-c81e7a05dabb} - c:\windows\system32\yaywusqq.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {8710fc9f-0816-49d7-ae14-4ba5269e838c} - c:\windows\system32\fccywTMF.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {070e2879-4fd5-8669-8824-300a5d4dfc6c}: {c6cfd4d5-a003-4288-9668-5df49782e070} - c:\windows\system32\jztkou.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [063902ae] rundll32.exe "c:\windows\system32\iaegieaj.dll",b
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
Notify: fccywTMF - fccywTMF.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: jztkou.dll
SEH: {8710fc9f-0816-49d7-ae14-4ba5269e838c} - c:\windows\system32\fccywTMF.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yaywusqq

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 MSSQL$ASC_SERVICES;MSSQL$ASC_SERVICES;c:\progra~1\mi6841~1\mssql$~1\binn\sqlservr.exe -sASC_SERVICES []
R2 MSSQL$SQLSERVER2005;SQL Server (SQLSERVER2005);"c:\program files\microsoft sql server\mssql.8\mssql\binn\sqlservr.exe" -sSQLSERVER2005 [2005-10-14 28768528]
R2 NOD32krn;NOD32 Kernel Service;"c:\program files\eset\nod32krn.exe" [2008-3-18 507904]
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora81\bin\ORACLE.EXE ORCL []
R2 SQLAgent$SQLSERVER2005;SQL Server Agent (SQLSERVER2005);"c:\program files\microsoft sql server\mssql.8\mssql\binn\SQLAGENT90.EXE" -i SQLSERVER2005 [2005-10-14 318680]
R2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\drivers\VPCAppSv.sys [2002-5-21 10374]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-9-17 112688]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-3-1 87808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\IFXTPM.SYS [2005-10-21 36352]
R3 msftesql$SQLSERVER2005;SQL Server FullText Search (SQLSERVER2005);"c:\program files\microsoft sql server\mssql.8\mssql\binn\msftesql.exe" -s:MSSQL.8 -f:SQLSERVER2005 [2005-8-26 92880]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20070916.002\naveng.sys [2007-9-17 81232]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20070916.002\navex15.sys [2007-9-17 865904]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-10-4 83568]
S3 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-10-4 177776]
S3 MsDtsServer;SQL Server Integration Services;"c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe" [2005-10-14 199384]
S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);"c:\program files\microsoft sql server\mssql.5\mssql\binn\msftesql.exe" -s:MSSQL.5 -f:SQL2005 [2005-8-26 92880]
S3 MSOLAP$SQL2005;SQL Server Analysis Services (SQL2005);"c:\program files\microsoft sql server\mssql.6\olap\bin\msmdsrv.exe" -s "c:\program files\microsoft sql server\mssql.6\olap\Config" [2005-10-14 14557912]
S3 MSOLAP$SQLSERVER2005;SQL Server Analysis Services (SQLSERVER2005);"c:\program files\microsoft sql server\mssql.9\olap\bin\msmdsrv.exe" -s "c:\program files\microsoft sql server\mssql.9\olap\Config" [2005-10-14 14557912]
S3 MSSQL$SQL2005;SQL Server (SQL2005);"c:\program files\microsoft sql server\mssql.5\mssql\binn\sqlservr.exe" -sSQL2005 [2005-10-14 28768528]
S3 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2005-10-14 24576]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 OracleOraHome81PagingServer;OracleOraHome81PagingServer;c:\oracle\ora81/bin/pagntsrv.exe [2008-5-23 52224]
S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);"c:\program files\microsoft sql server\mssql.7\reporting services\reportserver\bin\ReportingServicesService.exe" [2005-10-14 14552]
S3 ReportServer$SQLSERVER2005;SQL Server Reporting Services (SQLSERVER2005);"c:\program files\microsoft sql server\mssql.10\reporting services\reportserver\bin\ReportingServicesService.exe" [2005-10-14 14552]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"c:\program files\microsoft sql server\mssql.4\reporting services\reportserver\bin\ReportingServicesService.exe" [2005-10-14 14552]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-11-15 169200]
S3 SQLAgent$ASC_SERVICES;SQLAgent$ASC_SERVICES;c:\progra~1\mi6841~1\mssql$~1\binn\sqlagent.exe -i ASC_SERVICES []
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);"c:\program files\microsoft sql server\mssql.5\mssql\binn\SQLAGENT90.EXE" -i SQL2005 [2005-10-14 318680]
S4 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-10-4 185968]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 [2005-9-23 2799808]
S4 OracleServiceORACLE;OracleServiceORACLE;c:\oracle\ora81\bin\ORACLE.EXE ORACLE []
S4 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-11-15 1756912]
S4 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2006-8-24 1174152]

=============== Created Last 30 ================

2008-12-25 20:30 1,639,252 ---sh--- c:\windows\system32\jaeigeai.ini
2008-12-25 20:30 69,120 a------- c:\windows\system32\iaegieaj.dll
2008-12-25 20:27 103,936 a------- c:\windows\system32\jztkou.dll
2008-12-25 20:27 103,936 a------- c:\windows\system32\nxbwitys.dll
2008-12-24 20:28 103,424 a------- c:\windows\system32\jzpngh.dll
2008-12-24 20:28 103,424 a------- c:\windows\system32\hqkfmhgm.dll
2008-12-24 20:25 1,639,250 ---sh--- c:\windows\system32\hdhavoen.ini
2008-12-24 19:27 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-24 12:55 1,677,312 a------- C:\OfficeNovemberPayroll.dmp
2008-12-23 20:30 1,639,241 ---sh--- c:\windows\system32\rjvpjjgd.ini
2008-12-23 20:30 68,096 -------- c:\windows\system32\dgjjpvjr.dll
2008-12-23 20:27 103,936 a------- c:\windows\system32\pxpdwe.dll
2008-12-23 20:27 103,936 a------- c:\windows\system32\mqctdavx.dll
2008-12-23 20:10 103,936 a------- c:\windows\system32\xyruomok.dll
2008-12-23 20:10 103,936 a------- c:\windows\system32\rglhnn.dll
2008-12-23 15:08 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2008-12-22 19:50 103,936 a------- c:\windows\system32\saecvu.dll
2008-12-22 19:50 103,936 a------- c:\windows\system32\llcyearw.dll
2008-12-22 19:49 1,639,241 ---sh--- c:\windows\system32\ajfobjny.ini
2008-12-22 19:49 68,096 -------- c:\windows\system32\ynjbofja.dll
2008-12-22 19:47 364,961 a--sh--- c:\windows\system32\qqsuwyay.ini2
2008-12-22 19:47 364,961 a--sh--- c:\windows\system32\qqsuwyay.ini
2008-12-22 19:47 235,520 a------- c:\windows\system32\yaywusqq.dll
2008-12-22 19:41 24,576 -------- c:\windows\system32\fccywTMF.dll
2008-12-01 12:39 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2007-12-26 15:23 2,162,688 a------- c:\docume~1\admini~1\applic~1\sa3125_02_fus_eng.exe
2007-11-06 17:11 324 a------- c:\program files\INSTALL.LOG

============= FINISH: 12:27:41.60 ===============

<END OF LOG>



With Best Regards
Zish
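As an added example (not part of the original post, and not code from the DDS or HijackThis authors), the script below triages the persistence entries in the DDS "Pseudo HJT Report" above the way a helper reads them: it scores unnamed BHOs, Winlogon Notify and SEH hooks, a non-empty AppInit_DLLs value, an extra LSA authentication package, and Run keys that launch rundll32 on a DLL, with a weak extra signal for random-looking module names. The DLL names come from the log; the weights, threshold and function names are the example's own assumptions.

```python
"""Triage of persistence entries from a DDS "Pseudo HJT Report" (added example).
Scores the autostart locations Virtumonde abuses in the log above: unnamed BHOs,
Winlogon Notify, SEH, AppInit_DLLs, an extra LSA authentication package, Run keys
that launch rundll32 on a DLL, plus a weak signal for random-looking DLL stems.
Weights and threshold are this example's own heuristics, not a vendor's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

FLAG_THRESHOLD = 3
VOWELS = set("aeiou")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass
class Finding:
    kind: str
    module: str = ""          # stem of the module the entry loads
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def file_stem(path: str) -> str:
    """Last path component without its extension, e.g. fccywTMF from fccywTMF.dll."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Weak signal: 6-8 letters whose vowel ratio is far from English text.
    Legitimate stems such as igfxdev or NavLogon stay inside the band."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z]{6,8}", s):
        return False
    ratio = sum(c in VOWELS for c in s) / len(s)
    return ratio <= 0.25 or ratio >= 0.7


def score_entry(line: str) -> Optional[Finding]:
    """Parse one DDS pseudo-HJT line and score it; None for kinds not handled."""
    m = re.match(r"(\w+): (.*)", line.strip())
    if not m:
        return None
    kind, rest = m.group(1), m.group(2)
    f, path = Finding(kind), rest
    if kind in ("BHO", "SEH", "Notify"):
        path = rest.rsplit(" - ", 1)[-1]
        if kind == "BHO":
            # a friendly name precedes ': {CLSID}'; a bare or GUID-only label is unnamed
            label = rest.split(": {", 1)[0] if ": {" in rest else ""
            if not label or GUID_RE.fullmatch(label):
                f.add(2, "BHO has no friendly name")
            if "system32" in path.lower():
                f.add(1, "BHO loaded from system32")
        else:
            f.add(2, f"{kind} hook")
    elif kind == "AppInit_DLLs":
        if rest.strip():
            f.add(3, "AppInit_DLLs is non-empty (default is empty)")
    elif kind == "LSA":
        extra = [p for p in rest.split("=", 1)[-1].split() if p.lower() != "msv1_0"]
        if extra:
            path = extra[-1]
            f.add(3, "extra LSA authentication package " + " ".join(extra))
    elif kind.endswith("Run"):
        dll = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', rest, re.I)
        if dll:
            path = dll.group(1)
            f.add(2, "Run key launches rundll32 on a DLL")
    else:
        return None
    f.module = file_stem(path)
    if looks_random(f.module):
        f.add(1, f"random-looking module name {f.module}")
    return f


def triage(lines: List[str]) -> List[Finding]:
    """Entries scoring at or above FLAG_THRESHOLD, highest score first."""
    found = [f for f in map(score_entry, lines) if f and f.score >= FLAG_THRESHOLD]
    return sorted(found, key=lambda f: -f.score)


# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = [
    r"BHO: {3757fd32-5b34-4539-9dae-c81e7a05dabb} - c:\windows\system32\yaywusqq.dll",
    r"BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll",
    r"BHO: {070e2879-4fd5-8669-8824-300a5d4dfc6c}: {c6cfd4d5-a003-4288-9668-5df49782e070} - c:\windows\system32\jztkou.dll",
    r"mRun: [MsmqIntCert] regsvr32 /s mqrt.dll",
    r'mRun: [063902ae] rundll32.exe "c:\windows\system32\iaegieaj.dll",b',
    r"Notify: fccywTMF - fccywTMF.dll",
    r"Notify: igfxcui - igfxdev.dll",
    r"Notify: NavLogon - c:\windows\system32\NavLogon.dll",
    r"AppInit_DLLs: jztkou.dll",
    r"SEH: {8710fc9f-0816-49d7-ae14-4ba5269e838c} - c:\windows\system32\fccywTMF.dll",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\yaywusqq",
]
```

Running `triage(SAMPLE_LOG)` flags the four Virtumonde modules (yaywusqq, jztkou, iaegieaj, fccywTMF) across seven entries and leaves the Java BHO, the regsvr32 Run key and the igfxcui/NavLogon Notify packages unflagged.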


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 January 2009 - 06:23 PM

Hello zish,


Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you. To get a HijackThis log:

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 zish

zish
  • Topic Starter

  • Members
  • 8 posts

Posted 04 January 2009 - 08:49 PM

Hello Tea,

Happy New Year, and thanks for considering my post. Yes, my problem still exists. :thumbsup:

Below is the latest HJT log of my machine:

----------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:25 AM, on 05/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cricinfo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.77.8.70:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [063902ae] rundll32.exe "C:\WINDOWS\system32\shejriek.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - AppInit_DLLs: kwwjzm.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81PagingServer - Unknown owner - C:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: PC Angel (PCA) - Unknown owner - C:\WINDOWS\TEMP\UPDATE\SMINST\PCAngel.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 9132 bytes


Thanks

Zish

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 January 2009 - 09:04 PM

Hello,

Perfect, thanks. :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 zish

zish
  • Topic Starter

  • Members
  • 8 posts

Posted 04 January 2009 - 09:44 PM

Hi,

Looks like ComboFix went fine without crashing my system. :thumbsup:

Below are the two logs:

-----
HJT
-----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:53 AM, on 05/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\SQLAGENT90.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cricinfo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.77.8.70:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - AppInit_DLLs: kwwjzm.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81PagingServer - Unknown owner - C:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: PC Angel (PCA) - Unknown owner - C:\WINDOWS\TEMP\UPDATE\SMINST\PCAngel.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 9211 bytes

-----
ComboFix
-----

ComboFix 09-01-02.01 - Administrator 2009-01-05 10:27:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.878 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\sa3125_02_fus_eng.exe
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid-EasyProjects\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid-EasyProjects\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid-EasyProjects\CSS\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid-EasyProjects\Images\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid-EasyProjects\Library\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid-EasyProjects\Modules\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\backup\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\CSS\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\Images\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\Library\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\Modules\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\Rapid\Modules\backup\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\ASBGen\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\ASBGen\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\ASBGen\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\ASBGen\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\ASBGen\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\ASBGen\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Client\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Client\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Client\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Client\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Client\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Client\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Issue\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Issue\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Issue\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Issue\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Issue\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Issue\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\LogIn\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\LogIn\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\LogIn\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\LogIn\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\LogIn\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\LogIn\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Manager\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Manager\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Manager\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Manager\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Manager\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Manager\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Project\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Project\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Project\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Project\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Project\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Project\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Task\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Task\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Task\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Task\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Task\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\Task\obj\Debug\TempPE\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\User\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\User\bin\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\User\obj\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\User\obj\Debug\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\User\obj\Debug\temp\_desktop.ini
c:\documents and settings\Administrator\Desktop\PERNAMA\Ascendsys UNIF\RapidClassLibrary\User\obj\Debug\TempPE\_desktop.ini
c:\program files\INSTALL.LOG
c:\univisioncent\Ascendsys\Database\_desktop.ini
c:\univisioncent\Ascendsys\Database\Alter\_desktop.ini
c:\univisioncent\Ascendsys\Database\Initial Data\_desktop.ini
c:\univisioncent\Ascendsys\Database\Program\_desktop.ini
c:\univisioncent\Ascendsys\Database\Scripts\_desktop.ini
c:\univisioncent\Ascendsys\Database\Triggers\_desktop.ini
c:\univisioncent\Ascendsys\Database\Views\_desktop.ini
c:\univisioncent\Ascendsys\Forms\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Alter\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Alter\Move EC to Production 2005-02-14\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-06\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-07\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-08\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-11\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-12\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-13\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-15\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-19\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-20\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-22\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Backup 2005-04-25\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Old\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Programs\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Univision BPM\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Univision BPM\Development\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\from flash drive\BPM\Univision BPM\Development\Crystal Report\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Initial Data\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Previous Scripts\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Previous Scripts\HR Table\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Previous Scripts\HR Table\Alter Database\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Previous Scripts\HR Table\TRAINNING\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Previous Scripts\Payroll Setup Table\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Program\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Scripts\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Scripts\GL Interface\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Temp Scripts\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Triggers\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Database\Views\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Forms\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Forms\au\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Forms\BackUp\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Forms\BackUp\New Folder\_desktop.ini
c:\univisioncent\BPM\forms before pass to seran\Forms\BPMWelfaredocs\_desktop.ini
c:\univisioncent\BPM\Forms\_desktop.ini
c:\univisioncent\Univision MDC\_desktop.ini
c:\univisioncent\Univision MDC\MDC\_desktop.ini
c:\univisioncent\Univision MDC\MDC\Support\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\_Themes\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\_Themes\epg\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\EmpFlex\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\er911xf\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\Help\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\images\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\InkInkInk\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\MedicalClaims\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\upEmpDet\_desktop.ini
c:\univisioncent\Univision MDC\MDCFlex\upEmpTrain\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Defect Fix\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Initial Data\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Programs\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Queries\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Scripts\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Scripts\Change Employee ID\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Scripts\Test\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Scripts\Web\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Triggers\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Database\Views\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\E-Leave\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Forms\_desktop.ini
c:\univisioncent\Univision MDC\Source Code\Reports\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\_Themes\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\_Themes\epg\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\EmpFlex\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\er911xf\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\Help\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\images\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\InkInkInk\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\MedicalClaims\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\upEmpDet\_desktop.ini
c:\univisioncent\Univision MDC\WebPage\upEmpTrain\_desktop.ini
c:\windows\system32\aifoqdsw.dll
c:\windows\system32\ajfobjny.ini
c:\windows\system32\axkryobp.ini
c:\windows\system32\bxnggjar.ini
c:\windows\system32\Cache
c:\windows\system32\ckmpkf.dll
c:\windows\system32\cpltvvii.ini
c:\windows\system32\delekegn.ini
c:\windows\system32\dgjjpvjr.dll
c:\windows\system32\ehskoqcp.dll
c:\windows\system32\eqimqk.dll
c:\windows\system32\fccywTMF.dll
c:\windows\system32\fedivadl.dll
c:\windows\system32\guwpdisv.ini
c:\windows\system32\hdhavoen.ini
c:\windows\system32\hqkfmhgm.dll
c:\windows\system32\idvoihmw.ini
c:\windows\system32\iivvtlpc.dll
c:\windows\system32\jaeigeai.ini
c:\windows\system32\jebemg.dll
c:\windows\system32\jnegcgvn.dll
c:\windows\system32\jzpngh.dll
c:\windows\system32\jztkou.dll
c:\windows\system32\kbxbjrpg.ini
c:\windows\system32\keirjehs.ini
c:\windows\system32\kkjebwhi.dll
c:\windows\system32\ktqennxt.dll
c:\windows\system32\kwwjzm.dll
c:\windows\system32\llcyearw.dll
c:\windows\system32\mqctdavx.dll
c:\windows\system32\mxgjwc.dll
c:\windows\system32\ngekeled.dll
c:\windows\system32\nmlkkz.dll
c:\windows\system32\nuibye.dll
c:\windows\system32\nxbwitys.dll
c:\windows\system32\oylpsldr.dll
c:\windows\system32\pboyrkxa.dll
c:\windows\system32\pcqokshe.ini
c:\windows\system32\perlmi.dll
c:\windows\system32\pxpdwe.dll
c:\windows\system32\qqsuwyay.ini
c:\windows\system32\qqsuwyay.ini2
c:\windows\system32\rajggnxb.dll
c:\windows\system32\rglhnn.dll
c:\windows\system32\rjvpjjgd.ini
c:\windows\system32\rnluvbwe.dll
c:\windows\system32\royokflx.ini
c:\windows\system32\saecvu.dll
c:\windows\system32\sbiknrgh.dll
c:\windows\system32\sfbnsq.dll
c:\windows\system32\shejriek.dll
c:\windows\system32\svwudnar.dll
c:\windows\system32\thraylcp.dll
c:\windows\system32\twyzci.dll
c:\windows\system32\vgvxdoyg.dll
c:\windows\system32\vhpbuexw.ini
c:\windows\system32\vkrvstta.dll
c:\windows\system32\vpbsmbxk.ini
c:\windows\system32\wwnmfj.dll
c:\windows\system32\xqeoqe.dll
c:\windows\system32\xyruomok.dll
c:\windows\system32\yaywusqq.dll
c:\windows\system32\ygwornbo.dll
c:\windows\system32\ynjbofja.dll
c:\windows\system32\ysicpd.dll
c:\windows\system32\ywjneiku.ini
E:\Autorun.inf
e:\recycler\Desktop.ini
e:\recycler\Folder.htt
e:\recycler\Protect.ed
e:\recycler\Warning.bmp

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2008-12-31 01:28 . 2008-12-31 01:28 116 --a------ c:\windows\is-02QH3.lst
2008-12-30 12:41 . 2008-12-30 12:41 <DIR> d-------- c:\program files\DebugMode
2008-12-29 23:31 . 2009-01-05 09:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-24 19:48 . 2008-12-31 01:25 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-24 19:27 . 2008-12-24 19:27 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 12:55 . 2008-12-24 12:56 1,677,312 --a------ C:\OfficeNovemberPayroll.dmp
2008-12-23 15:08 . 2008-12-23 22:27 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 17:28 --------- d-----w c:\program files\ESTsoft
2008-12-30 17:28 --------- d-----w c:\documents and settings\Administrator\Application Data\ESTsoft
2008-12-30 17:24 --------- d-----w c:\documents and settings\All Users\Application Data\ESTsoft
2008-12-29 15:36 --------- d-----w c:\program files\Google
2008-12-24 11:27 --------- d-----w c:\program files\Java
2008-12-22 17:31 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-22 11:41 --------- d-----w c:\program files\Eset
2008-12-22 07:12 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2008-12-01 04:39 --------- d-----w c:\program files\MSECache
2008-11-17 08:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-17 08:23 --------- d-----w c:\program files\Microsoft Mobile Explorer
2008-11-17 06:06 --------- d-----w c:\program files\DNWAB9
2008-11-17 05:50 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-19 307200]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 185896]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-15 122880]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-03-18 921600]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-27 172094]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"MsmqIntCert"="mqrt.dll" [2007-07-06 c:\windows\system32\mqrt.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 581693]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-08-20 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kwwjzm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Microsoft Visual Studio .NET 2003\\Common7\\IDE\\devenv.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Installations\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-09-17 112688]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-03-01 87808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R4 MSSQL$ASC_SERVICES;MSSQL$ASC_SERVICES;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sASC_SERVICES --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sASC_SERVICES [?]
R4 MSSQL$SQLSERVER2005;SQL Server (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
R4 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora81\bin\ORACLE.EXE ORCL --> c:\oracle\ora81\bin\ORACLE.EXE ORCL [?]
R4 SQLAgent$SQLSERVER2005;SQL Server Agent (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 318680]
R4 VPCAppSv;Virtual PC Application Services;c:\windows\system32\drivers\VPCAppSv.sys [2002-05-21 10374]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
S3 msftesql$SQLSERVER2005;SQL Server FullText Search (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
S3 MSOLAP$SQL2005;SQL Server Analysis Services (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.6\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
S3 MSOLAP$SQLSERVER2005;SQL Server Analysis Services (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.9\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
S3 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
S3 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2005-10-14 24576]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 OracleOraHome81PagingServer;OracleOraHome81PagingServer;c:\oracle\ora81\bin\pagntsrv.exe [2008-05-23 52224]
S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.7\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 14552]
S3 ReportServer$SQLSERVER2005;SQL Server Reporting Services (SQLSERVER2005);c:\program files\Microsoft SQL Server\MSSQL.10\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 14552]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 14552]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S3 SQLAgent$ASC_SERVICES;SQLAgent$ASC_SERVICES;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i ASC_SERVICES --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i ASC_SERVICES [?]
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 318680]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 OracleServiceORACLE;OracleServiceORACLE;c:\oracle\ora81\bin\ORACLE.EXE ORACLE --> c:\oracle\ora81\bin\ORACLE.EXE ORACLE [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b411258-48d6-11dc-9203-0017a4cfa0e5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6733ea9e-cb07-11dc-9308-0019d221ca17}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autoregistry.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7db43777-21a0-11dc-91bb-0017a4cfa0e5}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cc7e0be-64fa-11dc-9238-0017a4cfa0e5}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4de0e46-9976-11dc-929c-0017a4cfa0e5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe maskrider2001.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2989373622-2759337467-4227160692-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:11]
.
- - - - ORPHANS REMOVED - - - -

BHO-{883bf4d8-2697-4417-bc7c-5a020fbeee0e} - c:\windows\system32\kwwjzm.dll
BHO-{8EA8AEF8-A295-46BC-AE4E-F924C13F1FAF} - c:\windows\system32\yaywusqq.dll
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cricinfo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 10.77.8.70:8080
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 10:37:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????@D????_????|?????? ??4B??????????????hB? ???@D?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQL2005]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\msftesql.exe\" -s:MSSQL.5 -f:SQL2005"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLSERVER2005]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\msftesql.exe\" -s:MSSQL.8 -f:SQLSERVER2005"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome81PagingServer]
"ImagePath"="c:\oracle\ora81/bin/pagntsrv.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\msdtc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\MI6841~1\MSSQL$~1\Binn\sqlservr.exe
c:\program files\Eset\nod32krn.exe
c:\oracle\ora81\bin\oracle.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-05 10:43:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 02:43:15

Pre-Run: 14,219,509,760 bytes free
Post-Run: 15,002,181,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /execute=optin /fastdetect

443 --- E O F --- 2008-03-12 19:02:41

-----


Thanks again for your time.

Zish

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:46 PM

Posted 04 January 2009 - 09:59 PM

Hello,

You're welcome. :) You did good with ComboFix. :thumbsup:

Please go to the following site : http://www.threatexpert.com/submit.aspx

In the "file to submit" area, please click the browse button and navigate to the following file :

C:\WINDOWS\SMINST\Scheduler.exe

Check the "I agree" box and when your file is uploaded, click submit.

Please post back with the URL of the page that comes up when it's done analyzing the file.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 zish

zish
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 04 January 2009 - 10:43 PM

Hi,

The machine is running exceptionally well; I guess ComboFix did the magic, thanks to you.

I have submitted the scheduler.exe as advised but ThreatExpert.com has yet to come back to me. Will update you with the URL as soon as I get a response from them.

About MBAM, the quick scan went fine; it removed one infected entry from the registry. Below are the logs from MBAM and HJT.

-----
MBAM
-----
Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 2

05/01/2009 11:25:12 AM
mbam-log-2009-01-05 (11-25-12).txt

Scan type: Quick Scan
Objects scanned: 68356
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

<END OF MBAM LOG>

-----
HJT Log
-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:03 AM, on 05/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cricinfo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.77.8.70:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - AppInit_DLLs: kwwjzm.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81PagingServer - Unknown owner - C:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: PC Angel (PCA) - Unknown owner - C:\WINDOWS\TEMP\UPDATE\SMINST\PCAngel.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 9836 bytes


Thanks again ya!!!

Zish

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:46 PM

Posted 04 January 2009 - 10:51 PM

Hello,

You're welcome. :) While we're waiting on Threat Expert, please do this :

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O20 - AppInit_DLLs: kwwjzm.dll

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Using Windows Explorer, locate the following file and delete it if still present:

kwwjzm.dll

It *should* be in system32.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Post the result when it comes in. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
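The O20, O2 and O23 checks the helper walks through by hand can be scripted. The following is an added example, not the helper's or HijackThis' own code; it assumes the HijackThis v2 line layout seen in the logs above, and its heuristics and sample log lines are constructed for illustration (the BHO line is modelled on the ComboFix "ORPHANS REMOVED" entry).

```python
# Added example: a small triage pass over HijackThis v2 log lines that flags
# the kinds of entries singled out in this thread. Heuristics are my own.
import re

# Every HJT entry line starts with a section code, e.g. "O20 - AppInit_DLLs: ..."
_LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Directories where Vundo-style droppers leave random-named DLLs; a BHO living
# here instead of a vendor folder deserves a second look.
_SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\temp\\")
# Autostart locations that legitimate software almost never uses.
_SUSPECT_RUN_LOCATIONS = ("\\windows\\temp\\", "\\local settings\\temp\\", "recycled")


def parse_hjt(text):
    """Split a HijackThis log into (code, detail) tuples, skipping header lines."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return findings as (severity, code, reason, evidence) tuples."""
    findings = []
    for code, detail in entries:
        low = detail.lower()
        if code == "O20" and low.startswith("appinit_dlls:"):
            dll = detail.split(":", 1)[1].strip()
            if dll:  # an empty AppInit_DLLs value is the normal state
                findings.append(("high", code,
                                 "AppInit_DLLs injects this DLL into every process that loads user32.dll",
                                 dll))
        elif code == "O2":
            # Layout: "BHO: <name> - {CLSID} - <dll path>"
            path = detail.rsplit(" - ", 1)[-1]
            if any(d in path.lower() for d in _SYSTEM_DIRS):
                findings.append(("high", code,
                                 "BHO loaded from a system directory, not a vendor folder",
                                 path))
        elif code == "O4" and any(d in low for d in _SUSPECT_RUN_LOCATIONS):
            findings.append(("high", code,
                             "autostart entry runs from a temp or recycle-bin location",
                             detail))
        elif code == "O23" and "(file missing)" in low:
            findings.append(("low", code,
                             "service points at a binary that no longer exists",
                             detail))
        elif code == "R1" and "proxyserver" in low:
            findings.append(("review", code,
                             "browser proxy is set; confirm it is the expected one",
                             detail.split("=", 1)[-1].strip()))
    return findings


def report(findings):
    """Render findings one per line, highest severity first."""
    order = {"high": 0, "review": 1, "low": 2}
    lines = []
    for sev, code, reason, evidence in sorted(findings, key=lambda f: order[f[0]]):
        lines.append(f"[{sev:6}] {code:4} {reason}: {evidence}")
    return lines


# Constructed sample: lines modelled on the logs in this thread, plus one BHO
# line built from the ComboFix "ORPHANS REMOVED" entry (kwwjzm.dll).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.77.8.70:8080
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {883bf4d8-2697-4417-bc7c-5a020fbeee0e} - C:\WINDOWS\system32\kwwjzm.dll
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O20 - AppInit_DLLs: kwwjzm.dll
O23 - Service: PC Angel (PCA) - Unknown owner - C:\WINDOWS\TEMP\UPDATE\SMINST\PCAngel.exe (file missing)
"""

if __name__ == "__main__":
    for line in report(triage(parse_hjt(SAMPLE_LOG))):
        print(line)
```

The Scheduler.exe and Java BHO lines pass untouched, which matches the outcome of the thread: only the AppInit_DLLs entry and its DLL are the real problem, while the missing PC Angel service is just a stale leftover.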

#9 zish

zish
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 04 January 2009 - 11:18 PM

Hi,

HijackThis managed to delete kwwjzm.dll. I just did the clean up for ComboFix as well. ThreatExpert have responded with a report; here is the link:

http://www.threatexpert.com/report.aspx?md...f666b1dcfe670e0

I am also pasting HJT log, in case you need to look at the latest condition:

-----
HJT Log
-----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:50 PM, on 05/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Eset\nod32krn.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.8\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cricinfo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.77.8.70:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81PagingServer - Unknown owner - C:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: PC Angel (PCA) - Unknown owner - C:\WINDOWS\TEMP\UPDATE\SMINST\PCAngel.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 9640 bytes


With Thanks & Best Regards

Zish

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:46 PM

Posted 04 January 2009 - 11:25 PM

Well bah... that didn't tell us anything except that it's a new submission. :thumbsup: Could you navigate to it, then right click on it, click on properties, and tell me where it says it's from?

Everything else looks good, but I want to be sure about that file one way or another.

You're welcome for the help. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 zish

zish
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 04 January 2009 - 11:35 PM

Hi,

It's actually Hewlett-Packard's file. (Properties > Digital Signature tab > Name of Signer: Hewlett-Packard Company)

I guess it's part of the pre-installed programs that came with the machine. Sorry, I was not sure either because I never used it before.

So should I consider myself all cleaned? :thumbsup:

Thanks

Zish

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:46 PM

Posted 04 January 2009 - 11:41 PM

Yes, I think you should! :thumbsup:

Thank you so much for letting me know about that file. Now if it comes up again with someone else they can look at this thread and see what it is! :)

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

MOST IMPORTANT!
Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. Your current versions are outdated. I cannot stress enough how important this is.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea

#13 zish

  • Topic Starter

Posted 04 January 2009 - 11:44 PM

Thanks a billion Tea...

Well, I will be glad if someone else gets any help from my experience. :thumbsup:

Yes, I think I am done with torrents (that's what got me into this mess).

Thanks again for your time and help. You guys rule.

Have a good year ahead.

God Bless!!!

Zish

#14 teacup61


Posted 04 January 2009 - 11:55 PM

You're welcome a billion! :)

You have a great 2009 too. :thumbsup:

Regards,
tea

#15 teacup61


Posted 06 January 2009 - 08:09 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.