Hijack.WindowsUpdates

kozmic · September 26, 2009

Recently acquired a computer.

Trying to clean it up. Malwarebytes took most of the garbage off but these two will not go away.

Malwarebytes' Anti-Malware 1.41

Database version: 2861

Windows 5.1.2600 Service Pack 2

9/26/2009 12:08:26 PM

mbam-log-2009-09-26 (12-08-26).txt

Scan type: Quick Scan

Objects scanned: 104061

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:16:26 PM, on 9/26/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\NTMobileSyncService\NtSyncService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

C:\Program Files\Common Files\Rockwell\RsvcHost.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Microsoft ActiveSync\WCESMgr.exe

C:\Program Files\MyMobiler\MyMobiler.exe

C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...all&pf=cmdt

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...all&pf=cmdt

O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [setRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [usbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

O4 - Global Startup: VPN Client.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup.local

O17 - HKLM\Software\..\Telephony: DomainName = workgroup.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Autodesk Licensing Service (autodesk licensing service) - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe

O23 - Service: FactoryTalk Activation Helper (FTActivationBoost) - Rockwell Automation Inc. - C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Harmony - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: NtMobileSyncService - Unknown owner - C:\Program Files\NTMobileSyncService\NtSyncService.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe

O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

O23 - Service: Yahoo! Updater (yahooauservice) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 11504 bytes

screen317 · September 27, 2009

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

kozmic · September 27, 2009

Thanks for the fast response.

ComboFix 09-09-25.01 - jkozloski 09/27/2009 14:09.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2021.1270 [GMT -4:00]

Running from: c:\documents and settings\jkozloski\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))

.

2009-09-26 13:31 . 2009-09-26 13:31 -------- d-----w- c:\documents and settings\jkozloski\Application Data\Malwarebytes

2009-09-26 13:30 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-26 13:30 . 2009-09-26 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-26 13:30 . 2009-09-26 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-26 13:30 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-18 19:46 . 2009-09-18 19:46 -------- d-----w- C:\Jump

2009-09-07 15:57 . 2009-09-07 15:57 -------- d-----w- c:\program files\ParetoLogic

2009-09-07 15:57 . 2009-09-07 15:57 -------- d-----w- c:\program files\Common Files\ParetoLogic

2009-09-07 07:25 . 2009-09-07 07:25 -------- d-----w- c:\documents and settings\jkozloski\Application Data\ParetoLogic

2009-09-05 15:17 . 2009-09-05 15:18 -------- d-----w- c:\documents and settings\jkozloski\Local Settings\Application Data\V-Safe 100

2009-09-05 15:17 . 2009-09-05 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-09-05 15:17 . 2009-09-18 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-26 16:16 . 2009-09-26 16:16 -------- d-----w- c:\program files\Trend Micro

2009-09-26 15:24 . 2009-06-12 14:08 94628 ----a-w- c:\program files\MobileSync.log

2009-09-18 15:12 . 2009-07-03 12:43 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-07 16:08 . 2009-06-17 12:13 -------- d-----w- c:\documents and settings\jkozloski\Application Data\uTorrent

2009-08-28 16:19 . 2008-12-23 05:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-28 16:07 . 2009-08-28 16:07 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-08-28 16:07 . 2009-08-28 16:07 -------- d-----w- c:\program files\NETGEAR

2009-08-28 13:32 . 2009-07-14 21:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-28 13:32 . 2009-07-14 21:13 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 13:32 . 2009-07-14 21:13 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-21 19:43 . 2009-07-31 16:23 -------- d-----w- c:\program files\Yahoo!

2009-08-21 19:43 . 2009-07-14 17:21 -------- d-----w- c:\program files\DAEMON Tools Lite

2009-08-06 19:33 . 2009-06-11 17:18 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-07-31 16:25 . 2009-07-31 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-07-31 16:24 . 2009-07-31 16:24 -------- d-----w- c:\documents and settings\jkozloski\Application Data\Yahoo!

2009-07-31 11:23 . 2009-07-31 11:22 -------- d-----w- c:\program files\QuickTime

2009-07-31 11:22 . 2009-07-31 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-07-31 11:22 . 2009-07-31 11:22 -------- d-----w- c:\program files\Apple Software Update

2009-07-31 11:22 . 2009-07-31 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-23 14:47 . 2009-04-04 22:13 102496 ----a-w- c:\documents and settings\jkozloski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-21 14:35 . 2009-06-16 19:55 179082 ----a-w- c:\windows\hpwins14.dat

2009-07-14 21:13 . 2009-07-14 21:13 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-07-08 19:56 . 2009-07-08 19:56 60744 ----a-w- c:\documents and settings\jkozloski\g2mdlhlpx.exe

2009-07-07 15:07 . 2009-07-07 15:07 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-09-26_15.24.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-11 17:44 . 2009-09-26 15:25 202558 c:\windows\system32\inetsrv\MetaBase.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1036288]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2008-05-27 434176]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-4-4 25214]

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-8-28 1261568]

VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-4 6144]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-4 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

"MaxGPOScriptWait"= 600 (0x258)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-28 13:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\WINDOWS\\system32\\OpcEnum.exe"=

"c:\\Program Files\\Rockwell Software\\RSLinx\\RSLINX.EXE"=

"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"135:TCP"= 135:TCP:Port 135 TCP

R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/14/2009 5:13 PM 335240]

R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/14/2009 5:13 PM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/14/2009 5:12 PM 297752]

R2 FTActivationBoost;FactoryTalk Activation Helper;c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [5/22/2008 5:50 PM 58664]

R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [8/28/2006 2:53 AM 92952]

R2 NtMobileSyncService;NtMobileSyncService;c:\program files\NTMobileSyncService\NtSyncService.exe [6/27/2008 1:35 PM 32768]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 4:13 PM 36608]

S1 sbre;sbre;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]

S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [7/5/2008 6:19 PM 39067]

S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [7/5/2008 6:19 PM 155440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\ParetoLogic Privacy Controls_{9E1B9E4A-A40C-11DE-8221-00237D4913AE}.job

- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 15:28]

2009-09-27 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 16:25]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=all&pf=cmdt

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=all&pf=cmdt

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\jkozloski\Application Data\Mozilla\Firefox\Profiles\4x8qxacq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-27 14:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

UsbCipHelper = c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe???????????Nj?w??????@???D?????&??|P?E????|????????????A??|????P?E?????????4???????????????????>?@?????T???<??????|?????????????$???? ???D??????>@????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(404)

c:\windows\system32\msi.dll

.

Completion time: 2009-09-27 14:12

ComboFix-quarantined-files.txt 2009-09-27 18:12

Pre-Run: 93,899,407,360 bytes free

Post-Run: 93,867,634,688 bytes free

172 --- E O F --- 2009-06-17 07:00

kozmic · September 27, 2009

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:03:48 PM, on 9/27/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\NTMobileSyncService\NtSyncService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

C:\Program Files\Common Files\Rockwell\RsvcHost.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Microsoft ActiveSync\WCESMgr.exe

C:\Program Files\MyMobiler\MyMobiler.exe

C:\Program Files\NETGEAR\WG111v2\WG111v2.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe