Hijack this log

[officer_farva]

When I run MBAM, I get through the registry key section then the computer crashes and resets. I'm definitely infected with the Advanced Virus Remover program. Here's my log. Any advice would be awesome as I start back school in a week and need the computer to work.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:20:08 PM, on 8/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\National Instruments\MAX\nimxs.exe

C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe

C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\winupdate.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\AdvancedVirusRemover\PAVRM.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tacomacommunitycollege.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [NI Background Service] C:\Program Files\National Instruments\Shared\Update Service\BackgroundService.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [msupdate] msupdate.exe

O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe

O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

O15 - Trusted Zone: http://download.windowsupdate.com

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Virtual%20Villagers%20-%20The%20Secret%20City/Images/stg_drm.ocx

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games

[miekiemoes]

Hi,

Please run the MalwareBytes scan from Windows safe mode, because your McAfee may interfere with it.

Then let it remove what it found , reboot, then post the log in your next reply together with a new HijackThislog.

[officer_farva]

Unfortunately, the same issue happens when I try to run MalwareBytes from safe mode. It will only run for about 2 minutes then crash. At the point of crash, it has yet to find anything anomalous.

Hi,

Please run the MalwareBytes scan from Windows safe mode, because your McAfee may interfere with it.

Then let it remove what it found , reboot, then post the log in your next reply together with a new HijackThislog.

[officer_farva]

Now I cannot get the computer to load in safe mode. It immediately restarts when I try this. Any advice?

Unfortunately, the same issue happens when I try to run MalwareBytes from safe mode. It will only run for about 2 minutes then crash. At the point of crash, it has yet to find anything anomalous.

[officer_farva]

Ok, I downloaded Avira and this is what I got:

Directories: 21536

Scanned files: 697731

alerts: 16

suspicious: 0

repaired: 0

deleted: 0

renamed: 0

quarantined: 0

warnings: 38

scan time: 01:07:49

possible threats found:

TR/Scrip.Agent.html.U

TR/Crypt.ZPACK.Gen

TR/Crypt.XPACK.Gen

TR/Dldr.FraudLoad.FEL.12

TR/Inject.ahoa

HTML/Malicious.PDF.Gen

Hi,

Please run the MalwareBytes scan from Windows safe mode, because your McAfee may interfere with it.

Then let it remove what it found , reboot, then post the log in your next reply together with a new HijackThislog.

[miekiemoes]

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   
   • Tools->Options->Main tab
     
   • Set to "Always ask me where to Save the files".
     

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

  
  

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Extra note: The combofix tutorial recommends to disable your Antivirus, in your case McAfee. For McAfee, I rather recommend to temporary uninstall it, because Mcafee causes a lot of problems with Combofix after reboot, this because McAfee enables again after reboot. So please temporary uninstall McAfee first, then reboot and then scan with Combofix.

[officer_farva]

Ok, I downloaded ComboFix. I tried both downloading it as combo-fix and as iexplore.exe. Neither version made it farther than a minute into the process before resetting the computer. This was done in normal operation mode. The computer continues to not load the safe mode so I cannot try it out there.

[miekiemoes]

Hi,

First of all,

Go to start > run and type cmd

A dos Window will appear.

Type next in the dos window: netsh winsock reset catalog

hit enter.

Reboot.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - (no file)

O4 - HKLM\..\Run: [msupdate] msupdate.exe

O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)

O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then, please try to run mbam.exe again, but before you do, please doublecheck if any of the following processes are running and end them:

msupdate.exe

winupdate.exe

PAVRM.exe

This is extremely important that these processes are ended, because it blocks programs from running.

[officer_farva]

Ok, so I did everything you asked but the computer still crashed while running MBAM. I also cannot load up in safe mode still. This is proving to be quite the difficult procedure.

[miekiemoes]

Ok, let's try to delete most of the malware first manually. But for that I'll need an extra log, so do next please..

Please download DDS and save it to your desktop.

• Disable any script blocking protection
  
• Double click dds.scr to run the tool.
  
• When done, DDS.txt will open.
  
• Click Yes at the next prompt for Optional Scan.
  
• Save both reports to your desktop.
  

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

[miekiemoes]

Wait, before running DDS, it may be better to let a scanner (bootscan) remove some malware first. After all, what can be deleted already is gone..

But before you do, I suggest you back up important data first, this in case the damage the malware already caused is too big which may cause an unbootable pc. After all, this happens all the time with severly infected computers.

Then,

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the
  Avira AntiVir Rescue System
  from
  here
  
  
• Place a blank CD in your burner and double-click on the downloaded file.
  
  
• The program will automatically burn the CD for you.
  
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
  
• Click on the
  Configuration
  button.
  
  
  • Select
    Scan all files
    
    
  • Select
    Try to repair infected files
    and
    Rename files, if they cannot be removed
    
    
  • Select
    Scan for dialers
    
    
  • Select
    Scan for joke programs (Jokes)
    
    
  • Select
    Scan for games
    
    
  • Select
    Scan for spyware (SPR)
    
    
  [*]
  Click on
  Virus scanner
  [*]
  Click on
  Start scanner
  at the bottom of the screen
  [*]
  Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post

here

if you're unable to view the entire screen of Avira.

Then, AFTER you've done above, please scan with DDS. Don't scan with DDS before, because the log won't make sense anymore since malware will be listed there that was already removed by the rescuescanner previously.

[officer_farva]

Alright, here we go. Thanks gain for the help.

The dds:

DDS (Ver_09-07-30.01) - NTFSx86

Run by Owner at 12:00:30.20 on Tue 08/18/2009

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1500 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\National Instruments\MAX\nimxs.exe

C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

C:\WINDOWS\system32\tcpsvcs.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe

C:\Program Files\CASIO\Photo Loader\Plauto.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tacomacommunitycollege.com/

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop

uInternet Connection Wizard,ShellNext = iexplore

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {67982bb7-0f95-44c5-92dc-e3af3dc19d6d} -

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: Protection Bar: {0d045baa-4bd3-4c94-be8b-21536bd6bd9f} -

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [NI Background Service] c:\program files\national instruments\shared\update service\BackgroundService.exe

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe

uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

uPolicies-system: EnableProfileQuota = 1 (0x1)

uPolicies-system: DisableTaskMgr = 1 (0x1)

mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Virtual%20Villagers%20-%20The%20Secret%20City/Images/stg_drm.ocx

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Virtual%20Villagers%20-%20The%20Secret%20City/Images/armhelper.ocx

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab

Notify: igfxcui - igfxdev.dll

LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n36akwqd.default\

FF - prefs.js: browser.startup.homepage - www.uah.edu

FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\n36akwqd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv85win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv86win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-7-10 15448]

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-5-21 103744]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]

R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2008-6-20 129144]

R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2008-6-18 192112]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2008-6-20 11360]

R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-1-16 814728]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-5-21 72904]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-5-21 34344]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-5-21 177672]

S0 grtf0b9;grtf0b9;\SystemRoot\\SystemRoot\System32\drivers\grtf0b9.sys --> \SystemRoot\\SystemRoot\System32\drivers\grtf0b9.sys [?]

S1 65e3e33a.sys;65e3e33a.sys;\??\c:\windows\system32\drivers\65e3e33a.sys --> c:\windows\system32\drivers\65e3e33a.sys [?]

S2 sfx;sfx;c:\windows\system32\svchost.exe -k sfx [2006-3-15 14336]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-9 38160]

S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2008-6-13 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2008-6-13 11904]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2008-6-13 11896]

S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2008-6-20 11384]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2008-6-20 11360]

=============== Created Last 30 ================

2009-08-16 11:27 <DIR> --ds---- C:\iexplorer

2009-08-16 11:27 388,608 a------- c:\windows\system32\CF26433.exe

2009-08-16 11:19 216,064 a------- c:\windows\PEV.exe

2009-08-16 11:19 161,792 a------- c:\windows\SWREG.exe

2009-08-16 11:19 98,816 a------- c:\windows\sed.exe

2009-08-16 11:18 <DIR> --ds---- C:\Combo-Fix

2009-08-16 11:18 388,608 a------- c:\windows\system32\CF25042.exe

2009-08-15 11:37 0 a------- c:\windows\system32\AVR09.exe

2009-08-12 12:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware2

2009-08-12 12:47 <DIR> --d----- c:\program files\Trend Micro

2009-08-12 12:01 <DIR> --d----- C:\16338870d4c713fa56c3a5849cdf9c

2009-08-12 11:58 <DIR> --d----- C:\59b74f00b8882548754c

2009-08-09 01:10 0 a------- c:\windows\system32\winhelper.dll

2009-08-09 01:09 20,480 a------- c:\windows\system32\SKYNETkdfxtrav.dll

2009-08-09 01:09 45,344 a------- c:\windows\system32\drivers\grtf0b9.sys.XXX

2009-08-09 01:09 831 a------- c:\windows\system32\critical_warning.html.XXX

2009-08-09 01:09 <DIR> --dsh--- c:\windows\system32\lowsec

2009-08-09 01:09 43,520 a------- c:\windows\system32\winupdate.exe.XXX

2009-08-09 01:08 96,676 a------- c:\windows\system32\SKYNETsdrnwsqb.dat

2009-08-09 01:08 72,192 a------- c:\windows\system32\drivers\SKYNETvaakmjur.sys.XXX

2009-08-09 01:08 45,568 a------- c:\windows\system32\SKYNETnxhqkmkl.dll

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll

2009-06-16 09:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll

2009-06-16 09:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll

2007-01-15 18:48 288 a------- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 12:01:21.26 ===============

Attach.txt

[miekiemoes]

Hi,

Please uninstall McAfee, because it may interfere with the modified version of Combofix.

Then redownload Combofix again from this link: http://download.bleepingcomputer.com/sUBs/...x++/sVchost.com

That's a renamed and modified version. Please run that one and post the log in your next reply.

[officer_farva]

McAfee has been uninstalled and here is the Combofix log:

ComboFix Beta_09-08-18.01 - Owner 08/18/2009 19:59.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1551 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\sVchost.com

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\sFX

c:\windows\Installer\19a6e.msi

c:\windows\kb913800.exe

c:\windows\system32\_000003_.tmp.dll

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000011_.tmp.dll

c:\windows\system32\_000012_.tmp.dll

c:\windows\system32\_000013_.tmp.dll

c:\windows\system32\_000019_.tmp.dll

c:\windows\system32\drivers\SKYNETvaakmjur.sys.XXX

D:\Autorun.inf

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NWCWORKSTATION

-------\Legacy_SFX

-------\Legacy_SFXDRV

-------\Legacy_SKYNETdrmnepqe

-------\Service_NWCWorkstation

-------\Service_sfx

-------\Service_SKYNETdrmnepqe

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-16 16:27 . 2009-08-16 16:28 -------- d-s---w- C:\iexplorer

2009-08-16 16:18 . 2009-08-16 16:19 -------- d-s---w- C:\Combo-Fix

2009-08-12 17:57 . 2009-08-19 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2009-08-12 17:47 . 2009-08-12 17:47 -------- d-----w- c:\program files\Trend Micro

2009-08-12 17:01 . 2009-08-12 17:01 -------- d-----w- C:\16338870d4c713fa56c3a5849cdf9c

2009-08-12 16:58 . 2009-08-12 16:58 -------- d-----w- C:\59b74f00b8882548754c

2009-08-09 06:09 . 2009-08-09 06:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\History

2009-08-09 06:09 . 2009-08-09 06:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\Temporary Internet Files

2009-08-03 02:47 . 2009-03-09 16:34 971776 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n36akwqd.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 01:08 . 2008-04-11 07:26 66560 --sha-w- c:\documents and settings\All Users\Application Data\ExtendMedia\Media Agent\ac.dll

2009-08-15 16:32 . 2007-06-20 02:00 -------- d-----w- c:\program files\BFG

2009-08-09 06:09 . 2009-08-09 06:09 45344 ----a-w- c:\windows\system32\drivers\grtf0b9.sys.XXX

2009-08-03 02:51 . 2008-09-10 04:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks

2009-07-15 17:21 . 2009-07-15 17:21 -------- d-----w- c:\program files\Cisco Systems

2009-07-10 02:33 . 2009-07-10 02:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-07-10 02:33 . 2009-07-10 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-10 02:33 . 2009-07-10 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-09 19:57 . 2007-10-20 17:34 -------- d-----w- c:\program files\Norton Security Scan

2009-06-16 14:55 . 2005-10-18 05:14 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll

2004-03-15 22:51 . 2004-03-15 22:51 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2006-01-23 15:32 . 2006-01-23 15:32 131072 ----a-w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 15:48 . 2007-02-08 15:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll

2007-07-24 23:03 . 2007-07-24 23:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll

2008-06-26 03:51 . 2008-06-26 03:51 118784 ----a-w- c:\program files\internet explorer\plugins\LV86ActiveXControl.dll

2009-04-01 03:47 . 2008-11-09 06:03 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-13 185896]

"NI Background Service"="c:\program files\National Instruments\Shared\Update Service\BackgroundService.exe" [2008-04-03 77824]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]

HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]

Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-1-22 229376]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\National Instruments\\Shared\\mDNS Responder\\nimdnsResponder.exe"=

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [7/10/2007 8:08 PM 15448]

R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [6/20/2008 4:53 PM 129144]

R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [6/18/2008 4:57 PM 192112]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [6/20/2008 5:54 PM 11360]

R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [1/16/2008 5:57 PM 814728]

S0 grtf0b9;grtf0b9;\SystemRoot\\SystemRoot\System32\drivers\grtf0b9.sys --> \SystemRoot\\SystemRoot\System32\drivers\grtf0b9.sys [?]

S1 65e3e33a.sys;65e3e33a.sys;\??\c:\windows\System32\drivers\65e3e33a.sys --> c:\windows\System32\drivers\65e3e33a.sys [?]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 3:39 PM 61952]

S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [6/13/2008 3:51 PM 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [6/13/2008 9:27 AM 11904]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [6/13/2008 9:27 AM 11896]

S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [6/20/2008 4:04 PM 11384]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [6/20/2008 5:54 PM 11360]

.

Contents of the 'Scheduled Tasks' folder

2009-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.tacomacommunitycollege.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n36akwqd.default\

FF - prefs.js: browser.startup.homepage - www.uah.edu

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n36akwqd.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv85win32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv86win32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-18 20:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????f??????`?@?????L?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3408)

c:\windows\system32\mshtml.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\lkcitdl.exe

c:\windows\system32\lkads.exe

c:\windows\system32\lktsrv.exe

c:\program files\National Instruments\MAX\nimxs.exe

c:\program files\National Instruments\Shared\Security\nidmsrv.exe

c:\windows\system32\nisvcloc.exe

c:\program files\National Instruments\Shared\Tagger\tagsrv.exe

c:\windows\system32\tcpsvcs.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\windows\system32\mqtgsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe

c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe

c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe

.

**************************************************************************

.

Completion time: 2009-08-19 20:31 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 01:31

Pre-Run: 19,377,651,712 bytes free

Post-Run: 19,311,894,528 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6

218 --- E O F --- 2009-07-09 12:32

[miekiemoes]

Hi,

Go to start > run and copy and paste next commands one by one in the field and hit enter after each of them:

sc delete 65e3e33a.sys

sc delete grtf0b9

Then, navigate to and delete the following file:

c:\windows\system32\drivers\grtf0b9.sys.XXX

Then, * Go to start > run and copy and paste next command in the field:

sVchost.com /u

Make sure there's a space between sVchost.com and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, Open notepad and copy and paste next present in the quotebox in it:

DIR /a/s C:\proquota.exe >Look.txt

Start notepad Look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.

It should look like this:

Doubleclick on it and notepad should open.

Copy and paste the contents of it in your next reply.

[officer_farva]

Volume in drive C has no label.

Volume Serial Number is 34E6-B8E5

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 50,176 proquota.exe

1 File(s) 50,176 bytes

Total Files Listed:

1 File(s) 50,176 bytes

0 Dir(s) 19,344,674,816 bytes free

[miekiemoes]

Hi,

Please copy the proquota.exe present in the C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e folder to your C:\Windows\system32 folder.

Then Let me know in your next reply how things are now.

[miekiemoes]

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.