
Solved: buritos.exe

Discussion in 'Virus & Other Malware Removal' started by robin.alden, Jul 31, 2008.

  1. robin.alden

    robin.alden Thread Starter

    Joined:
    Jul 29, 2008
    Messages:
    16
    Hi Everyone,

    I have been infected by a very sticky Trojan. It came in an email that posed as an invoice from UPS and was sent from a colleague.

    Unfortunately, due to the fact I had not had sleep in 36 hours (just come home from my first daughter's birth), when I read my email I opened the zip file and clicked on the file that said something like Invoice.exe. Not something I would usually do, I can assure you. When the file didn't open the invoice and my PC started shutting down, I suddenly realized what I'd clicked on :eek: and turned off the PC :mad:.

    The next day I went about trying to remove the Trojan. I found the following extra tasks were being launched...

    buritos.exe (HKLM\...\run) - Located in c:\Windows\buritos.exe
    braviax.exe (HKLM\...\run) - Located in c:\Windows\System32\braviax.exe
    lphc5joj0ea2r.exe (HKLM\...\run) - Located in c:\Windows\System32\lphc5joj0ea2r.exe
    rhc1joj0ea2r.exe (HKCU\...\run) - Located in c:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe
    9.tmp (Changes every time the system restarts & is running as the SYSTEM user - I cannot find its mount point)

    I installed and ran HijackThis but nothing happens. Both the latest version and 1.99.1.

    So I went to safe mode and tried removing the files manually. When I restarted and logged back in as the infected user it got most upset and shut down the computer. I then created a limited user and an Administrator in safe mode, restarted and logged back in. So far it has not logged me out again. All the tasks have re-appeared!

    The Trojan has installed a fake spyware removal tool I have seen in the past; it has a red cross icon in the task bar and tells the user "Your Computer is Infected ..... etc", then says click here to remove it.

    The desktop image has been changed to say "Warning spyware detected on your computer. Install an antivirus or spyware remover to clean your computer". It is on a blue background with yellow. This message also shows just before the windows login screen shows when the computer starts up!

    Adaware detected something but had no idea what it was and asked me to send details. I did not remove it.

    This is a worrying Trojan and I cannot find a solution on the NET! I will check back on this thread every few days to see what people have to say. Sorry I would check more often but I'm a bit busy at the moment what with a new baby girl and all. :)

    Thanks for taking the time to read my post. (y)
     
  2. robin.alden
    OK, I have added a HijackThis log. I had to rename HijackThis.exe to get it to work. I also renamed the folders it was in too just in case. (Thanks to PCcruncher for this advice (y)).

    I also noticed tanker guy managed to remove this infection using this program http://www.malwarebytes.org/mbam.php. I have decided not to remove the infection yet in case there is anything to be learnt from my logs.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:23:27 p.m., on 2/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\TEMP\D585.tmp
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\lphc5joj0ea2r.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micros\aHijackThis\Temp.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
    O4 - HKLM\..\Run: [lphc5joj0ea2r] C:\WINDOWS\system32\lphc5joj0ea2r.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: karina.dat
    O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
    O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
    O23 - Service: Google Update Service (gupdate1c8d8c839b4ffe2) (gupdate1c8d8c839b4ffe2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    --
    End of file - 5268 bytes


    :)
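    The log above shows the persistence points worth knowing how to spot: UserInit in system.ini has a second loader (ntos.exe) appended after userinit.exe, AppInit_DLLs is set to karina.dat, a non-default Winlogon Notify package (crypts.dll) sits in system32, two Run entries use random-looking names, and a .tmp file is running out of C:\WINDOWS\TEMP. The following is an added example, not code from the poster or from Trend Micro, that triages a HijackThis log for exactly those patterns. The sample log is a constructed excerpt of the lines posted here, and the allow-list of Windows XP default Winlogon Notify packages is my assumption. The random-name regex is a heuristic: it catches lphc5joj0ea2r but not a word-like name such as braviax, which needs a file lookup rather than a pattern.

```python
"""Triage a HijackThis log for the persistence mechanisms seen in this thread.
Added example; not code from the original post or from Trend Micro."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the HijackThis lines posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\D585.tmp
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lphc5joj0ea2r.exe
C:\WINDOWS\system32\ctfmon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [lphc5joj0ea2r] C:\WINDOWS\system32\lphc5joj0ea2r.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# Assumed list of Winlogon Notify packages that ship with Windows XP SP2.
# HijackThis normally hides these, so anything it does show deserves a look.
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Heuristic for names like lphc5joj0ea2r: 10+ lower-case alphanumerics with
# at least one digit mixed in.  It will miss word-like names such as braviax.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$")

# The only value UserInit should carry on a default XP install.
USERINIT_OK = "c:\\windows\\system32\\userinit.exe"


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line in a HijackThis log."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            low = line.lower()
            # A running image with a .tmp extension or living in TEMP is the
            # "9.tmp running as SYSTEM" symptom described in the first post.
            if low.endswith(".tmp") or "\\temp\\" in low:
                findings.append(Finding("process-from-temp", line))
            continue
        in_processes = False
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1]
            # Every comma-separated entry other than userinit.exe is an extra
            # loader that runs at each logon, before the shell.
            for part in filter(None, (p.strip() for p in value.split(","))):
                if part.lower() != USERINIT_OK:
                    findings.append(Finding("userinit-extra-loader", part))
        elif line.startswith("O4 - ") and "Run: [" in line:
            m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", line)
            if m and RANDOM_NAME.match(m["name"].lower()):
                findings.append(Finding("run-key-random-name", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            # AppInit_DLLs is injected into every process that loads user32.dll;
            # on a clean XP box it is empty.
            if value:
                findings.append(Finding("appinit-dlls-set", value))
        elif line.startswith("O20 - Winlogon Notify:"):
            rest = line.split(":", 1)[1].strip()
            name, _, path = rest.partition(" - ")
            # A notify package in system32 that is not an XP default is the
            # crypts.dll pattern; third-party ones under Program Files are left alone.
            if name.lower() not in XP_DEFAULT_NOTIFY and "\\system32\\" in path.lower():
                findings.append(Finding("winlogon-notify-nonstandard", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.evidence}")
```

    Run against the constructed excerpt, the script reports ntos.exe as an extra UserInit loader, karina.dat in AppInit_DLLs, crypts.dll as a non-default notify package, the lphc5joj0ea2r Run entry and the D585.tmp process, while leaving ctfmon.exe, MSConfig and the Live Mesh notify DLL alone.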
     
  3. robin.alden
    Hmm, went to bath the baby, came back and my PC had a blue screen stating something like WQL_IRL or similar :eek:. I pressed <CTRL> <ALT> <DEL> and the Windows startup screen (the one with the Windows logo and the progress bar) was showing but with EGA-like colors :eek:. I hit ESC and the login screen appeared.

    The login screen still had me logged in :confused: with the applications I was using showing as running (4 running tasks). I logged in and everything is back as I left the PC 20mins ago.

    I'm guessing the PC tried to go to standby and the infection didn't like that. I have never before seen a PC recover from a blue screen. I have disabled my data partition as I have seen talk of buritos.exe killing files. The worst that can happen now is the infection destroys the windows partition or perhaps my MBR.
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hi and welcome. And what virus program would you be running?
     
  5. robin.alden
    Hi AcaCandy. I don't usually run an anti-virus as I don't typically do things that attract viruses. Unfortunately, on this occasion due to sleep deprivation I was caught out. :(
     
  6. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,451
    Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, the Advanced Options Menu should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    Next


    Visit this webpage for instructions for downloading and running ComboFix.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
     
  7. robin.alden
    Hi cybertech,

    Well, that's better.

    I ran SDFix (had to rename it to make it start). When it finished I noticed it had killed all the nasty tasks bar one that was still showing in the Task Manager (lphc5joj02a2r.exe). I plugged the Internet back in so I could post the results. About 30 secs after I did that the fake antivirus application had downloaded again and most of the tasks were back.

    I was curious to know where the program came from, so I re-ran SDFix and this time, before I re-connected the network, I started a network packet sniffer. The Trojan contacted "www . avpx2008 . com" using HTTP and downloaded enough data to install the fake antivirus and associated tasks, then they showed up in the Task Manager. I have the Ethereal logs if you want them.

    Next I ran combofix.exe (which I didn't need to rename) by dropping the XP Boot disk image onto ComboFix.exe as per the instructions.

    Now all the offending tasks appear to have been cleaned and my computer is back to peace and quiet free from nasties. :)

    I have attached the Logs in the following posts. Hopefully it is now all clean.

    If so, thanks for the help (y). If not, what next?
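    The re-download the poster caught with his sniffer is the part of this thread most worth generalising: the payload came back within about 30 seconds of the cable going in, fetched over plain HTTP by a loader the first cleanup pass had missed. The check below is an added example, not code from the poster, SDFix or ComboFix. It walks request/response pairs from a capture and flags any response whose body is a PE image, regardless of what the URL extension or Content-Type header claims. The capture is constructed: the host name is the one named in the post above, and the path, headers and binary payload are invented for the demonstration.

```python
"""Flag HTTP responses that deliver a PE executable, whatever the URL or
Content-Type says.  Added example for this thread; not the poster's code and
not part of SDFix or ComboFix."""
import struct
from typing import Dict, List, Tuple


def build_fake_pe(size: int = 0x200) -> bytes:
    """Byte string with a valid DOS header whose e_lfanew points at 'PE\\0\\0'.
    Only the fields the detector checks are filled in; it is not a runnable PE."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    return bytes(dos) + b"PE\0\0" + b"\0" * (size - e_lfanew - 4)


def looks_like_pe(body: bytes) -> bool:
    """True if body starts with an MZ header and e_lfanew lands on a PE signature.
    This is what the loader's download looks like on the wire, whatever the
    server labels it; checking the magic rather than the extension is the point."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split one HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, body


def executable_downloads(exchanges: List[Tuple[bytes, bytes]]) -> List[Dict[str, str]]:
    """exchanges: (request, response) pairs reassembled from a capture.
    Returns one record per response that carries a PE image, keyed by the
    Host the client asked for, so the result doubles as an egress block-list."""
    hits = []
    for req_raw, resp_raw in exchanges:
        req_line, req_hdrs, _ = parse_http(req_raw)
        _, resp_hdrs, body = parse_http(resp_raw)
        if looks_like_pe(body):
            _method, path = req_line.split(" ")[:2]
            hits.append({
                "host": req_hdrs.get("host", "?"),
                "path": path,
                "declared_type": resp_hdrs.get("content-type", "(none)"),
                "size": str(len(body)),
            })
    return hits


# Constructed capture.  The first host is the one named in the post; the path,
# headers and payload are made up.  The second exchange is a benign control.
CAPTURE = [
    (
        b"GET /dl/wallpaper.jpg HTTP/1.1\r\nHost: www.avpx2008.com\r\n"
        b"User-Agent: Mozilla/4.0\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
        b"Content-Length: 512\r\n\r\n" + build_fake_pe(0x200),
    ),
    (
        b"GET /fwlink/?LinkId=69157 HTTP/1.1\r\nHost: go.microsoft.com\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html>MZ is not at offset 0 here</html>",
    ),
]


if __name__ == "__main__":
    for hit in executable_downloads(CAPTURE):
        print(hit)
```

    The "image/jpeg" response is flagged because its body begins with a DOS header that points at a PE signature; the text/html response is not, even though it contains the letters MZ. On the machine in this thread the check would have named the host to block before the PC went back online, rather than after the rogue antivirus had already reinstalled itself.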
     
  8. robin.alden
    SDFix: Version 1.213
    Run by Administrator on Wed 06/08/2008 at 10:09 p.m.
    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix
    Checking Services :

    Restoring Default Security Values
    Restoring Default Hosts File
    Restoring Default Desktop Wallpaper
    Resetting AppInit_DLLs value

    Rebooting

    Infected beep.sys Found!
    beep.sys File Locations:
    "C:\WINDOWS\system32\dllcache\beep.sys" 27648 29/07/2008 10:24 a.m.
    "C:\WINDOWS\system32\drivers\beep.sys" 27648 29/07/2008 10:24 a.m.
    Infected File Listed Below:
    C:\WINDOWS\system32\dllcache\beep.sys
    C:\WINDOWS\system32\drivers\beep.sys
    File copied to Backups Folder
    Attempting to replace beep.sys with original version

    Original beep.sys Restored
    "C:\WINDOWS\system32\dllcache\beep.sys" 4224 03/08/2008 04:05 a.m.
    "C:\WINDOWS\system32\drivers\beep.sys" 4224 03/08/2008 04:05 a.m.

    Checking Files :
    Trojan Files Found:
    C:\Program Files\rhc1joj0ea2r\database.dat - Deleted
    C:\Program Files\rhc1joj0ea2r\license.txt - Deleted
    C:\Program Files\rhc1joj0ea2r\MFC71.dll - Deleted
    C:\Program Files\rhc1joj0ea2r\MFC71ENU.DLL - Deleted
    C:\Program Files\rhc1joj0ea2r\msvcp71.dll - Deleted
    C:\Program Files\rhc1joj0ea2r\msvcr71.dll - Deleted
    C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe - Deleted
    C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe.local - Deleted
    C:\Program Files\rhc1joj0ea2r\Uninstall.exe - Deleted
    C:\WINDOWS\SYSTEM32\PPHC5J~1.EXE - Deleted
    C:\WINDOWS\SYSTEM32\PHC5JO~1.BMP - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
    C:\WINDOWS\system32\12.tmp - Deleted
    C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk - Deleted
    C:\WINDOWS\buritos.exe - Deleted
    C:\WINDOWS\cru629.dat - Deleted
    C:\WINDOWS\karina.dat - Deleted
    C:\WINDOWS\system32\braviax.exe - Deleted
    C:\WINDOWS\system32\buritos.exe - Deleted
    C:\WINDOWS\system32\cru629.dat - Deleted
    C:\WINDOWS\system32\crypts.dll - Deleted
    C:\WINDOWS\system32\delself.bat - Deleted
    C:\WINDOWS\system32\karina.dat - Deleted
    C:\WINDOWS\system32\winivstr.exe - Deleted
    C:\WINDOWS\system32\ntos.exe - Deleted
    C:\Documents and Settings\Limited User\Application Data\wsnpoem\audio.dll.cla - Deleted
    C:\WINDOWS\system32\wsnpoem\audio.dll.cla - Deleted
    C:\Documents and Settings\Limited User\Application Data\wsnpoem\video.dll - Deleted
    C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
    C:\Documents and Settings\Limited User\Application Data\wsnpoem\audio.dll - Deleted
    C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

    Folder C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 - Removed
    Folder C:\WINDOWS\system32\wsnpoem - Removed

    Removing Temp Files
    ADS Check :


    Final Check :
    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-06 23:29:52
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden services & system hive ...
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a639c7c]
    "000d3aa752e4"=hex:0a,1d,d7,f7,6d,12,df,ac,66,9b,65,02,fd,b8,55,b6
    "0007a4b64478"=hex:23,ed,1b,2d,4b,a0,1b,49,d9,7e,63,e3,93,75,71,5d
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d3aa7bc1d]
    "00092d04f89f"=hex:7f,f2,26,2c,be,7a,12,3f,44,32,90,b5,3b,e2,cf,a9
    "000d3aa752e4"=hex:7b,27,c6,07,44,65,ee,28,73,32,c0,0f,17,60,59,dc
    "001e3a7cd256"=hex:c6,33,d1,3a,a8,62,8c,fc,51,fa,3f,0a,01,81,6e,1e
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
    "Epoch"=dword:00008bea
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s0"=dword:d71ec9a2
    "s1"=dword:a8020f67
    "s2"=dword:7152433a
    "h0"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
    "h0"=dword:00000000
    "ujdew"=hex:e7,6d,ed,bc,5d,89,93,fd,62,47,1b,9a,6c,e8,14,e3,44,c7,09,49,45,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3D7F9281-6AFB-4AC3-A2C0-D117C80816FC}]
    "LeaseObtainedTime"=dword:48998ab3
    "T1"=dword:48998b32
    "T2"=dword:48998b92
    "LeaseTerminatesTime"=dword:48998bb2
    "DhcpRetryTime"=dword:0000007e
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{3D7F9281-6AFB-4AC3-A2C0-D117C80816FC}\Parameters\Tcpip]
    "LeaseObtainedTime"=dword:48998ab3
    "T1"=dword:48998b32
    "T2"=dword:48998b92
    "LeaseTerminatesTime"=dword:48998bb2
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a639c7c]
    "000d3aa752e4"=hex:0a,1d,d7,f7,6d,12,df,ac,66,9b,65,02,fd,b8,55,b6
    "0007a4b64478"=hex:23,ed,1b,2d,4b,a0,1b,49,d9,7e,63,e3,93,75,71,5d
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000d3aa7bc1d]
    "00092d04f89f"=hex:7f,f2,26,2c,be,7a,12,3f,44,32,90,b5,3b,e2,cf,a9
    "000d3aa752e4"=hex:7b,27,c6,07,44,65,ee,28,73,32,c0,0f,17,60,59,dc
    "001e3a7cd256"=hex:c6,33,d1,3a,a8,62,8c,fc,51,fa,3f,0a,01,81,6e,1e
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
    "h0"=dword:00000000
    "ujdew"=hex:e7,6d,ed,bc,5d,89,93,fd,62,47,1b,9a,6c,e8,14,e3,44,c7,09,49,45,..
    scanning hidden registry entries ...
    scanning hidden files ...
    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    Remaining Services :


    Authorized Application Key Export:
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Disabled:WinDVD"
    "O:\\Games\\UT2003\\System\\UT2003.exe"="O:\\Games\\UT2003\\System\\UT2003.exe:*:Enabled:UT2003"
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe:*:Enabled:bf2_w32ded"
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
    "C:\\Program Files\\TOCA III\\RD3.exe"="C:\\Program Files\\TOCA III\\RD3.exe:*:Enabled:Launch ToCA Race Driver 3."
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "O:\\Games\\World In Conflict\\Installed\\wic.exe"="O:\\Games\\World In Conflict\\Installed\\wic.exe:*:Enabled:World in Conflict"
    "O:\\Games\\World In Conflict\\Installed\\wic_online.exe"="O:\\Games\\World In Conflict\\Installed\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
    "O:\\Games\\World In Conflict\\Installed\\wic_ds.exe"="O:\\Games\\World In Conflict\\Installed\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
    "C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "O:\\Programs\\Autodesk\\Backburner\\monitor.exe"="O:\\Programs\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
    "O:\\Programs\\Autodesk\\Backburner\\manager.exe"="O:\\Programs\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
    "O:\\Programs\\Autodesk\\Backburner\\server.exe"="O:\\Programs\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
    "O:\\Programs\\Autodesk\\3D Studio Max\\3dsmax.exe"="O:\\Programs\\Autodesk\\3D Studio Max\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2008 32-bit"
    "C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"="C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe:*:Enabled:Live Mesh"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    Remaining Files :

    File Backups: - C:\SDFix\backups\backups.zip
    Files with Hidden Attributes :
    Tue 1 Jan 2008 56 A.SH. --- "C:\Documents and Settings\All Users\Application Data\dc64vg9.sys"
    Sun 4 Jun 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sun 4 Jun 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
    Mon 18 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Wed 19 Apr 2006 4,348 A..H. --- "C:\Documents and Settings\MediaCenter\My Documents\License Backup\drmv1key.bak"
    Wed 19 Apr 2006 401 A..H. --- "C:\Documents and Settings\MediaCenter\My Documents\License Backup\drmv1lic.bak"
    Mon 6 Feb 2006 312 A.SH. --- "C:\Documents and Settings\MediaCenter\My Documents\License Backup\drmv2key.bak"
    Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp"
    Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT5.tmp"
    Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT9.tmp"
    Mon 28 Apr 2008 7,134,072 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\932c84dd1bf7c1257fcc650981219d45\BIT6A0.tmp"
    Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT8.tmp"
    Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT6.tmp"
    Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\be9cebb68dd8282073067488451b3f0b\BIT8.tmp"
    Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITA.tmp"
    Mon 28 Apr 2008 13,293,000 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e598a7d762acb3677048798428b92f3f\BIT6A1.tmp"
    Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT6.tmp"
    Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT5.tmp"
    Sun 6 Jul 2008 77,312 ...H. --- "C:\Documents and Settings\MediaCenter\Application Data\Microsoft\Word\~WRL0003.tmp"
    Sat 6 Oct 2007 888 ...HR --- "C:\Documents and Settings\MediaCenter\Application Data\SecuROM\UserData\securom_v7_01.bak"
    Sat 3 May 2008 79,872 ...H. --- "C:\Documents and Settings\MediaCenter\Local Settings\Temporary Internet Files\Content.MSO\~WRL0005.tmp"
    Wed 6 Aug 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp"
    Wed 6 Aug 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE5.tmp"
    Finished!
     
  9. robin.alden
    ComboFix 08-08-06.02 - tempadmin 2008-08-07 20:44:55.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT 12:00]
    Running from: C:\Documents and Settings\tempadmin\Desktop\Kill Bits\ComboFix.exe
    Command switches used :: C:\Documents and Settings\tempadmin\Desktop\Kill Bits\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\All Users\Application Data\Starware353
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\FindIt.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\FindItHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\findithotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\finditxp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Highlight.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\HighlightHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\highlighthotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\highlightxp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes_foreign_feed.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes_foreign_feed.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Reference.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\ReferenceHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\referencehotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\referencexp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\starware_toolbar_icon.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Weather.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\weatherhotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\buttons\weatherxp.png
    C:\Documents and Settings\All Users\Application Data\Starware353\contexts\error.xml
    C:\Documents and Settings\All Users\Application Data\Starware353\contexts\Related.xml
    C:\Documents and Settings\All Users\Application Data\Starware353\contexts\Travel.xml
    C:\Documents and Settings\All Users\Application Data\Starware353\images\walertXP.bmp
    C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\ProductMessagingConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\ProductMessagingConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\SimpleUpdateConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\SimpleUpdateConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\TimerManagerConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\TimerManagerConfig.xml.backup
    C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
    C:\Documents and Settings\Limited User\Application Data\rhc1joj0ea2r
    C:\Documents and Settings\Limited User\Application Data\wsnpoem
    C:\Documents and Settings\MediaCenter\Application Data\Starware353
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\BrowserSearch\BrowserSearch.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\BrowserSearch\BrowserSearch.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Configurator\Configurator.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Configurator\Configurator.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ErrorSearch\ErrorSearchOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ErrorSearch\ErrorSearchOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Games\GamesOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Games\GamesOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Games\images\active\Games0.bmp
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Layouts\ToolbarLayout.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Layouts\ToolbarLayout.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Manager\ManagerOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Manager\ManagerOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Movies\images\active\Movies0.bmp
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Movies\MoviesOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Movies\MoviesOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Recipes_Foreign\Recipes_ForeignOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Recipes_Foreign\Recipes_ForeignOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\RecipeSearch_Foreign\RecipeSearch_ForeignOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\RecipeSearch_Foreign\RecipeSearch_ForeignOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Reference\ReferenceOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Reference\ReferenceOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\RelatedSearch\RelatedSearchOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\RelatedSearch\RelatedSearchOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Toolbar\TBProductsOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Toolbar\TBProductsOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarLogo\ToolbarLogoOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarLogo\ToolbarLogoOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarSearch\ToolbarSearchOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarSearch\ToolbarSearchOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\TravelSearch\TravelSearchOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\TravelSearch\TravelSearchOptions.xml.backup
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Weather\AlertArchive.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Weather\WeatherOptions.xml
    C:\Documents and Settings\MediaCenter\Application Data\Starware353\Weather\WeatherOptions.xml.backup
    C:\Documents and Settings\tempadmin\Application Data\rhc1joj0ea2r
    C:\Program Files\rhc1joj0ea2r
    C:\WINDOWS\system32\blphc5joj0ea2r.scr
    C:\WINDOWS\system32\C.tmp
    C:\WINDOWS\system32\lphc5joj0ea2r.exe
    C:\WINDOWS\system32\phc5joj0ea2r.bmp
    C:\WINDOWS\system32\pphc5joj0ea2r.exe
    .
    ((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
    .
    2008-08-07 20:17 . 2008-08-07 20:17 <DIR> d-------- C:\Documents and Settings\tempadmin\Application Data\Ethereal
    2008-08-07 20:16 . 2008-08-07 20:16 <DIR> d--h----- C:\WINDOWS\PIF
    2008-08-06 21:55 . 2008-08-06 21:55 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-08-06 21:51 . 2008-08-06 21:51 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-06 21:42 . 2008-08-07 19:53 <DIR> d-------- C:\SDFix
    2008-08-03 09:27 . 2008-08-03 09:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-03 09:27 . 2008-08-03 09:27 <DIR> d-------- C:\Documents and Settings\tempadmin\Application Data\Malwarebytes
    2008-08-03 09:27 . 2008-08-03 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-03 09:27 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-03 09:27 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-02 12:22 . 2008-08-02 12:23 <DIR> d-------- C:\Program Files\Trend Micros
    2008-07-29 21:10 . 2008-07-29 21:10 <DIR> d-------- C:\Documents and Settings\tempadmin
    2008-07-29 10:46 . 2008-07-29 10:46 144 --a------ C:\Documents and Settings\Limited User\delself.bat
    2008-07-29 10:40 . 2008-07-29 10:46 <DIR> d-------- C:\Documents and Settings\Limited User
    2008-07-24 19:13 . 2008-07-24 19:13 118 --a------ C:\WINDOWS\system32\MRT.INI
    2008-07-24 19:04 . 2008-07-24 19:04 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
    2008-07-24 18:23 . 2008-07-24 18:23 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
    2008-07-22 20:17 . 2008-07-22 20:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-02 16:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
    2008-07-26 23:48 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Skype
    2008-07-26 19:56 --------- d-----w C:\Program Files\DynDNS Updater
    2008-07-25 20:32 --------- d-----w C:\Program Files\Google
    2008-07-24 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-07-24 07:04 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-07-22 21:12 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\SOUNDGRAPH
    2008-07-22 08:18 --------- d-----w C:\Program Files\Lavasoft
    2008-07-22 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-26 08:22 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Autodesk
    2008-06-26 08:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-06-26 08:18 --------- d-----w C:\Program Files\turbo squid tentacles
    2008-06-26 08:16 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-06-26 08:16 --------- d-----w C:\Program Files\Autodesk
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-12 08:56 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Hamachi
    2008-01-01 00:01 56 --sha-w C:\Documents and Settings\All Users\Application Data\dc64vg9.sys
    2004-08-10 12:00 621,056 ----a-r C:\Documents and Settings\Limited User\Application Data\ntos.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 00:00 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~2\DVDShell.dll" [2004-10-09 14:18 49152]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
    2008-07-16 09:04 23552 C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= ffdshow.ax
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
    backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^Hamachi.lnk]
    path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\Hamachi.lnk
    backup=C:\WINDOWS\pss\Hamachi.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-11 00:00 15360 C:\WINDOWS\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
    --a------ 2005-11-23 14:04 1544192 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iMON]
    --a------ 2007-03-06 07:33 2179072 C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
    --a------ 2008-06-25 09:15 17972344 C:\WINDOWS\system32\MRT.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
    --a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-03-10 17:38 7557120 C:\WINDOWS\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    --a------ 2008-03-28 11:20 1079296 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    --a------ 2006-12-18 16:32 25365032 C:\Program Files\Skype\Phone\Skype.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2008-03-30 14:20 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    --a------ 2004-08-11 00:00 110592 C:\WINDOWS\system32\bthprops.cpl
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    -ra------ 2005-08-17 22:39 90112 C:\WINDOWS\SOUNDMAN.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Viewpoint Manager Service"=3 (0x3)
    "rpcapd"=3 (0x3)
    "PnkBstrA"=3 (0x3)
    "Pml Driver HPZ12"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "Norton Ghost"=3 (0x3)
    "Microsoft Office Groove Audit Service"=3 (0x3)
    "mi-raysat_3dsMax2008_32"=3 (0x3)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate1c8d8c839b4ffe2"=3 (0x3)
    "Autodesk Licensing Service"=3 (0x3)
    "Apple Mobile Device"=3 (0x3)
    "WMPNetworkSvc"=2 (0x2)
    "StarWindService"=2 (0x2)
    "SQLWriter"=2 (0x2)
    "SQLBrowser"=2 (0x2)
    "ServiceLayer"=3 (0x3)
    "NVSvc"=2 (0x2)
    "MSSQL$SQLEXPRESS"=2 (0x2)
    "MSSQL$MSSMLBIZ"=2 (0x2)
    "GEARSecurity"=2 (0x2)
    "DynDNS_Updater_Service"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "ANIWZCSdService"=2 (0x2)
    "aawservice"=2 (0x2)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "C:\\Program Files\\TOCA III\\RD3.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 10:30]
    R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-07 03:11]
    R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3132r5.sys [2006-04-12 09:15]
    R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 10:49]
    R2 npdrv;npdrv;C:\WINDOWS\system32\drivers\npdrv.sys [2007-02-03 20:23]
    R2 wlcrasvc;Live Mesh Remote Desktop;C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe [2008-07-16 09:04]
    R3 RDPDISPM;RDPDISPM;C:\WINDOWS\system32\DRIVERS\rdpdispm.sys [2008-05-31 11:41]
    R3 RDPVDD;RDPVDD;C:\WINDOWS\system32\DRIVERS\rdpvmp.sys [2008-05-31 11:41]
    S2 gupdate1c8d8c839b4ffe2;Google Update Service (gupdate1c8d8c839b4ffe2);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
    S3 HVWINDR.SYS;HVWINDR.SYS;O:\Downloads\Software\Sky Decoder\HVWINDR.SYS []
    S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 09:10]
    S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 14:12]
    S3 PciCon;PciCon;D:\PciCon.sys []
    S3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 15:11]
    S4 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 10:32]
    S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;o:\Programs\Visual Studio 2005\Common7\IDE\Remote Debugger\x86\msvsmon.exe []
    S4 msvsmon90;Visual Studio 2008 Remote Debugger;O:\Programs\Microsoft Visual Studio 2008\Common7\IDE\Remote Debugger\x86\msvsmon.exe []
    S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-05 09:38]
    .
    Contents of the 'Scheduled Tasks' folder
    2007-03-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1166225828.job
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
    2008-08-02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1170790141.job
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
    2008-08-07 C:\WINDOWS\Tasks\GoogleUpdateTask.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
    .
    - - - - ORPHANS REMOVED - - - -
    HKLM-Run-lphc5joj0ea2r - C:\WINDOWS\system32\lphc5joj0ea2r.exe
    HKLM-Run-SMrhc1joj0ea2r - C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe
    MSConfigStartUp-lphc5joj0ea2r - C:\WINDOWS\system32\lphc5joj0ea2r.exe
    MSConfigStartUp-SMrhc1joj0ea2r - C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe
    MSConfigStartUp-buritos - buritos.exe

    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com
    R0 -: HKLM-Main,Start Page = hxxp://www.google.com
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
    C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf
    C:\WINDOWS\Downloaded Program Files\Manager.exe
    C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx

    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-07 20:48:37
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\system32\searchindexer.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-07 20:53:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-07 08:53:33
    Pre-Run: 2,743,607,296 bytes free
    Post-Run: 3,785,506,816 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    343 --- E O F --- 2008-07-24 07:14:20
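The log above ends with the ORPHANS REMOVED entries that pointed at the rogue files, and its Reg Loading Points section lists every autostart that was still live. As an added example, not from the thread or from ComboFix, the Python script below parses autostart lines in that layout and flags the two things that stand out in this log: random-looking file names such as lphc5joj0ea2r.exe, and launch locations a legitimate program rarely uses (a bare file name like buritos.exe, the Windows directory itself, or a user's Application Data). The sample lines are reconstructed from the log, and the name and location heuristics are assumptions for triage, not a detection rule.

```python
import re

# Constructed sample in the layout of ComboFix's "Reg Loading Points" and
# "ORPHANS REMOVED" sections. The file names are the ones the thread reports;
# the lines themselves are reconstructed for this example.
SAMPLE_LOG = r"""
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 00:00 15360]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"EnableFirewall"= 0 (0x0)
HKLM-Run-lphc5joj0ea2r - C:\WINDOWS\system32\lphc5joj0ea2r.exe
HKLM-Run-SMrhc1joj0ea2r - C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe
MSConfigStartUp-buritos - buritos.exe
"""

# "Name"="path" [date time size]   (Run-key values)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<path>[^"\[]+?)"?\s*(?:\[[^\]]*\])?\s*$')
# Key-Name - path                   (orphan / MSConfig entries)
ORPHAN = re.compile(r'^(?P<name>\S+) - (?P<path>.+?)\s*$')

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".cpl", ".sys", ".bat", ".cmd")
VOWELS = set("aeiou")


def parse_autostart_lines(text):
    """Return (entry name, path) pairs for lines that point at an executable."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_VALUE.match(line) or ORPHAN.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        # Registry values such as "EnableFirewall"= 0 are parsed but skipped.
        if path.lower().endswith(EXECUTABLE_EXT):
            entries.append((m.group("name"), path))
    return entries


def looks_random(stem):
    """Heuristic (assumption): long names that mix letters and digits, or have
    almost no vowels, resemble the generated names rogue installers use.
    Versioned legitimate files trip this too, so it is a triage hint only."""
    s = stem.lower()
    if len(s) < 8:
        return False
    has_digit = any(c.isdigit() for c in s)
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return has_digit or vowel_ratio < 0.2


def location_findings(path):
    """Flag launch locations that a legitimate autostart rarely uses."""
    reasons = []
    if "\\" not in path:
        return ["bare file name: resolved through the search path, no fixed location"]
    parent = path.rsplit("\\", 1)[0].lower()
    if parent == r"c:\windows":
        reasons.append("executable placed directly in the Windows directory")
    if "\\application data\\" in path.lower():
        reasons.append("runs from a user-writable profile directory")
    return reasons


def triage(text):
    """Return the autostart entries worth a closer look, with the reasons."""
    findings = []
    for name, path in parse_autostart_lines(text):
        basename = path.rsplit("\\", 1)[-1]
        stem = basename.rsplit(".", 1)[0]
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking file name")
        reasons.extend(location_findings(path))
        if reasons:
            findings.append({"entry": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['entry']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run on the sample, the two ctfmon/QuickTime entries pass and the three rogue entries are reported; on a real log, paste the Reg Loading Points and ORPHANS REMOVED sections in place of the sample and review each flagged entry by hand, since the name heuristic is deliberately loose.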
     
  10. robin.alden

    robin.alden Thread Starter

    Joined:
    Jul 29, 2008
    Messages:
    16
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:03:25 p.m., on 7/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micros\aHijackThis\Temp.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
    O23 - Service: Google Update Service (gupdate1c8d8c839b4ffe2) (gupdate1c8d8c839b4ffe2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    --
    End of file - 4798 bytes
     
  11. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,451
    Print these instructions or save them to Notepad!
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt in the same location as ComboFix.exe



    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.



    I don't see any anti-virus software running.
    Go >>here<< and select one of the free anti-virus programs to load.


    Run Malwarebytes and post the resulting log with a new Hijackthis log and the ComboFix log.
     
  12. robin.alden

    robin.alden Thread Starter

    Joined:
    Jul 29, 2008
    Messages:
    16
    Hi cybertech,

    Sorry it took so long to get back to you, life seems to have taken on a new level of busy these last few weeks.

    Everything went to plan, except I was unable to post a log for Malwarebytes. I went to the logs tab when it finished and there was no log. I did read the log on screen and there were 4 threats found and removed. They were the buritos.exe and UPS.zip files that Outlook put in its temp folder when I ran them.

    Logs follow...

    NOTE: the ComboFix log is approx 7 days older than the HijackThis log. In the meantime I had installed the Windows Media Centre Extender for my Xbox.
     
  13. robin.alden

    robin.alden Thread Starter

    Joined:
    Jul 29, 2008
    Messages:
    16
    ComboFix 08-08-08.06 - MediaCenter 2008-08-09 11:02:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1604 [GMT 12:00]
    Running from: O:\Admin\Kill Bits\ComboFix.exe
    Command switches used :: O:\Admin\Kill Bits\CFScript.txt
    * Created a new restore point
    FILE ::
    C:\Documents and Settings\Limited User\Application Data\ntos.exe
    C:\WINDOWS\system32\lphc5joj0ea2r.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\Limited User\Application Data\ntos.exe
    C:\Documents and Settings\Limited User\Application Data\wsnpoem
    C:\Documents and Settings\Limited User\Application Data\wsnpoem\audio.dll
    C:\Documents and Settings\Limited User\Application Data\wsnpoem\video.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
    .
    2008-08-07 22:34 . 2008-08-07 22:34 <DIR> d-------- C:\Documents and Settings\MediaCenter\Application Data\Malwarebytes
    2008-08-07 20:17 . 2008-08-07 20:17 <DIR> d-------- C:\Documents and Settings\tempadmin\Application Data\Ethereal
    2008-08-07 20:16 . 2008-08-07 20:16 <DIR> d--h----- C:\WINDOWS\PIF
    2008-08-06 21:55 . 2008-08-06 21:55 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-08-06 21:51 . 2008-08-06 21:51 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-06 21:42 . 2008-08-07 19:53 <DIR> d-------- C:\SDFix
    2008-08-03 09:27 . 2008-08-03 09:27 <DIR> d-------- C:\Documents and Settings\tempadmin\Application Data\Malwarebytes
    2008-08-03 09:27 . 2008-08-03 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-02 12:22 . 2008-08-02 12:23 <DIR> d-------- C:\Program Files\Trend Micros
    2008-07-29 21:10 . 2008-07-29 21:10 <DIR> d-------- C:\Documents and Settings\tempadmin
    2008-07-29 10:46 . 2008-07-29 10:46 144 --a------ C:\Documents and Settings\Limited User\delself.bat
    2008-07-29 10:40 . 2008-07-29 10:46 <DIR> d-------- C:\Documents and Settings\Limited User
    2008-07-24 19:13 . 2008-07-24 19:13 118 --a------ C:\WINDOWS\system32\MRT.INI
    2008-07-24 19:04 . 2008-07-24 19:04 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
    2008-07-24 18:23 . 2008-07-24 18:23 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
    2008-07-22 20:17 . 2008-07-22 20:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-02 16:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
    2008-07-26 23:48 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Skype
    2008-07-26 19:56 --------- d-----w C:\Program Files\DynDNS Updater
    2008-07-25 20:32 --------- d-----w C:\Program Files\Google
    2008-07-24 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-07-24 07:04 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-07-22 21:12 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\SOUNDGRAPH
    2008-07-22 08:18 --------- d-----w C:\Program Files\Lavasoft
    2008-07-22 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-26 08:22 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Autodesk
    2008-06-26 08:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-06-26 08:18 --------- d-----w C:\Program Files\turbo squid tentacles
    2008-06-26 08:16 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-06-26 08:16 --------- d-----w C:\Program Files\Autodesk
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-12 08:56 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Hamachi
    2008-06-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-01-01 00:01 56 --sha-w C:\Documents and Settings\All Users\Application Data\dc64vg9.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoeMonitor.exe"="C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe" [2008-07-16 09:04 1188864]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 00:00 15360]
    "PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-30 14:20 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~2\DVDShell.dll" [2004-10-09 14:18 49152]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
    2008-07-16 09:04 23552 C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= ffdshow.ax
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
    backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^Hamachi.lnk]
    path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\Hamachi.lnk
    backup=C:\WINDOWS\pss\Hamachi.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-11 00:00 15360 C:\WINDOWS\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
    --a------ 2005-11-23 14:04 1544192 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iMON]
    --a------ 2007-03-06 07:33 2179072 C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
    --a------ 2008-06-25 09:15 17972344 C:\WINDOWS\system32\MRT.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
    --a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-03-10 17:38 7557120 C:\WINDOWS\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    --a------ 2008-03-28 11:20 1079296 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    --a------ 2006-12-18 16:32 25365032 C:\Program Files\Skype\Phone\Skype.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2008-03-30 14:20 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    --a------ 2004-08-11 00:00 110592 C:\WINDOWS\system32\bthprops.cpl
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    -ra------ 2005-08-17 22:39 90112 C:\WINDOWS\SOUNDMAN.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Viewpoint Manager Service"=3 (0x3)
    "rpcapd"=3 (0x3)
    "PnkBstrA"=3 (0x3)
    "Pml Driver HPZ12"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "Norton Ghost"=3 (0x3)
    "Microsoft Office Groove Audit Service"=3 (0x3)
    "mi-raysat_3dsMax2008_32"=3 (0x3)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate1c8d8c839b4ffe2"=3 (0x3)
    "Autodesk Licensing Service"=3 (0x3)
    "Apple Mobile Device"=3 (0x3)
    "WMPNetworkSvc"=2 (0x2)
    "StarWindService"=2 (0x2)
    "SQLWriter"=2 (0x2)
    "SQLBrowser"=2 (0x2)
    "ServiceLayer"=3 (0x3)
    "NVSvc"=2 (0x2)
    "MSSQL$SQLEXPRESS"=2 (0x2)
    "MSSQL$MSSMLBIZ"=2 (0x2)
    "GEARSecurity"=2 (0x2)
    "DynDNS_Updater_Service"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "ANIWZCSdService"=2 (0x2)
    "aawservice"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"=
    "C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "C:\\Program Files\\TOCA III\\RD3.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
    "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 10:30]
    R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-07 03:11]
    R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3132r5.sys [2006-04-12 09:15]
    R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 10:49]
    R2 npdrv;npdrv;C:\WINDOWS\system32\drivers\npdrv.sys [2007-02-03 20:23]
    R2 wlcrasvc;Live Mesh Remote Desktop;C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe [2008-07-16 09:04]
    R3 RDPDISPM;RDPDISPM;C:\WINDOWS\system32\DRIVERS\rdpdispm.sys [2008-05-31 11:41]
    R3 RDPVDD;RDPVDD;C:\WINDOWS\system32\DRIVERS\rdpvmp.sys [2008-05-31 11:41]
    S2 gupdate1c8d8c839b4ffe2;Google Update Service (gupdate1c8d8c839b4ffe2);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
    S3 HVWINDR.SYS;HVWINDR.SYS;O:\Downloads\Software\Sky Decoder\HVWINDR.SYS [2003-02-21 19:28]
    S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 09:10]
    S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 14:12]
    S3 PciCon;PciCon;D:\PciCon.sys []
    S3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 15:11]
    S4 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 10:32]
    S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;o:\Programs\Visual Studio 2005\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]
    S4 msvsmon90;Visual Studio 2008 Remote Debugger;O:\Programs\Microsoft Visual Studio 2008\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 08:58]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-05 09:38]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\Vault\Setup.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\Setup.exe
    .
    Contents of the 'Scheduled Tasks' folder
    2007-03-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1166225828.job
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
    2008-08-02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1170790141.job
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
    2008-08-08 C:\WINDOWS\Tasks\GoogleUpdateTask.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-09 11:08:36
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\system32\searchindexer.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-09 11:14:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-08 23:14:40
    ComboFix2.txt 2008-08-07 08:53:37
    Pre-Run: 3,684,438,016 bytes free
    Post-Run: 3,719,585,792 bytes free
    246 --- E O F --- 2008-07-24 07:14:20
     
  14. robin.alden

    robin.alden Thread Starter

    Joined:
    Jul 29, 2008
    Messages:
    16
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:03:51 p.m., on 16/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\ehome\RMSysTry.exe
    C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\PROGRA~1\AVG\AVG8\avgscanx.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micros\aHijackThis\Temp.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate1c8d8c839b4ffe2) (gupdate1c8d8c839b4ffe2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/0/0d/TopGearClarksonVeyronRace.jpg
    --
    End of file - 7153 bytes
     
  15. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,451
    How is it running now? Any problems?
     
Short URL to this thread: https://techguy.org/735607