
Antivirus XP 2008 Can't remove



I have run Malware several times and it shows the Antivirus XP 2008 files but does not remove them on the reboot. Here is the log file:

Malwarebytes' Anti-Malware 1.24

Database version: 1028

Windows 5.1.2600 Service Pack 2

9:17:54 AM 8/6/2008

mbam-log-8-6-2008 (09-17-54).txt

Scan type: Quick Scan

Objects scanned: 43721

Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 5

Registry Keys Infected: 6

Registry Values Infected: 6

Registry Data Items Infected: 2

Folders Infected: 13

Files Infected: 22

Memory Processes Infected:

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe (Rogue.Multiple) -> Unloaded process successfully.

C:\WINDOWS\system32\pphcepfj0eg1t.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

C:\Program Files\rhcapfj0eg1t\MFC71.dll (Rogue.Multiple) -> Delete on reboot.

C:\Program Files\rhcapfj0eg1t\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.

C:\Program Files\rhcapfj0eg1t\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.

C:\Program Files\rhcapfj0eg1t\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.

C:\WINDOWS\system32\blphcepfj0eg1t.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcepfj0eg1t (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\rhcapfj0eg1t\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhcapfj0eg1t\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\blphcepfj0eg1t.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lphcepfj0eg1t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\phcepfj0eg1t.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pphcepfj0eg1t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\j.collins\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Greetings coljim and Welcome to the Forums,

May we see the HijackThis log and Panda scan results please?

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:07:07 PM, on 8/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\LANDesk\Shared Files\residentagent.exe

C:\Program Files\CutWorks\CutWorksLog.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\WINDOWS\system32\CBA\pds.exe

C:\Program Files\LANDesk\LDClient\tmcsvc.exe

C:\PROGRA~1\LANDesk\LDClient\issuser.exe

C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\LANDesk\LDClient\collector.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\Program Files\LANDesk\LDClient\softmon.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\fwvapwbw.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Citrix\ICA Client\pnagent.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\qrktyzod.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lectra.com/proxy/proxy.pac

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [LANDeskCustomData] "C:\Program Files\LANDesk\LDClient\ldcstm32.exe" /s

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKLM\..\Run: [lphcepfj0eg1t] C:\WINDOWS\system32\lphcepfj0eg1t.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DscUtilEn] C:\WINDOWS\system32\fwvapwbw.exe

O4 - HKCU\..\Run: [hlpcom] C:\WINDOWS\system32\ejylczkh.exe

O4 - HKCU\..\Run: [MsgShSrv] C:\WINDOWS\system32\hazsfuvg.exe

O4 - HKCU\..\Run: [HlpAct] C:\WINDOWS\system32\lopezufg.exe

O4 - HKCU\..\Run: [cfgchk] C:\WINDOWS\system32\qjahcdef.exe

O4 - HKCU\..\Run: [smartchk] C:\WINDOWS\system32\nwhkhkls.exe

O4 - HKCU\..\Run: [webapp] C:\WINDOWS\system32\folinyta.exe

O4 - HKCU\..\Run: [ProcEn] C:\WINDOWS\system32\pexinots.exe

O4 - HKCU\..\Run: [AplUi] C:\WINDOWS\system32\rmludode.exe

O4 - HKCU\..\Run: [gencmdmnt] C:\WINDOWS\system32\cfwrkled.exe

O4 - HKLM\..\Policies\Explorer\Run: [wjojIyJ1lg] C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O15 - Trusted Zone: http://sbeupowb.eu.lectra.com

O15 - Trusted Zone: http://sbeupowb.eu.lectra.com (HKLM)

O15 - ESC Trusted Zone: http://runonce.msn.com

O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://gateway-america.lectra.com/CitrixSe...AWEB/icaweb.cab

O16 - DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} (CCAOControl Object) - https://gateway-america.lectra.com/CitrixLo...t/EPAClient.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.lectra.com

O17 - HKLM\Software\..\Telephony: DomainName = am.lectra.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.lectra.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = am.lectra.com

O21 - SSODL: shmoncmd - {11EBA674-1CB0-F84F-2F91-099CEC9EC0D0} - C:\Program Files\ivodhcc\shmoncmd.dll

O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe

O23 - Service: CutWorksLog - Gerber


OK...did you not see that I also asked for the Panda scan log?

Here is the PandaScan:

;*******************************************************************************

ANALYSIS: 2008-08-08 11:17:11

PROTECTIONS: 0

MALWARE: 13

SUSPECTS: 4

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00145792 Cookie/SexList TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@sexlist[2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\Cookies\j.collins@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@com[1].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\Cookies\j.collins@xiti[1].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@toplist[1].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@apmebf[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@burstnet[2].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@www.burstbeacon[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@ads.pointroll[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\Cookies\j.collins@ads.pointroll[2].txt

00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@xxxcounter[2].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@searchportal.information[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@atwola[2].txt

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\.tt12.tmp

03408118 Application/AntivirusXP2008 HackTools No 0 Yes No C:\WINDOWS\system32\pphcepfj0eg1t.exe

;===============================================================================

SUSPECTS

Sent Location !

;===============================================================================

No C:\WINDOWS\system32\lphcepfj0eg1t.exe !

No c:\windows\system32\lphcepfj0eg1t.exe !

No C:\WINDOWS\system32\qpoxypyn.exe !

No C:\WINDOWS\system32\lphcepfj0eg1t.exe !

;===============================================================================

VULNERABILITIES

Id Severity Description !

;===============================================================================

184380 MEDIUM MS08-002 !

184379 MEDIUM MS08-001 !

182048 HIGH MS07-069 !

182046 HIGH MS07-067 !

182043 HIGH MS07-064 !

179553 HIGH MS07-061 !

176382 HIGH MS07-057 !

176383 HIGH MS07-058 !

170911 HIGH MS07-050 !

170907 HIGH MS07-046 !

170906 HIGH MS07-045 !

170904 HIGH MS07-043 !

164915 HIGH MS07-035 !

164913 HIGH MS07-033 !

164911 HIGH MS07-031 !

160623 HIGH MS07-027 !

157262 HIGH MS07-022 !

157261 HIGH MS07-021 !

157260 HIGH MS07-020 !

157259 HIGH MS07-019 !

156477 HIGH MS07-017 !

150253 HIGH MS07-016 !

150249 HIGH MS07-013 !

150248 HIGH MS07-012 !

150247 HIGH MS07-011 !

150243 HIGH MS07-008 !

150242 HIGH MS07-007 !

150241 MEDIUM MS07-006 !

141034 HIGH MS06-076 !

141033 MEDIUM MS06-075 !

141030 HIGH MS06-072 !

137571 HIGH MS06-070 !

137568 HIGH MS06-067 !

133387 MEDIUM MS06-065 !

133386 MEDIUM MS06-064 !

133385 MEDIUM MS06-063 !

133379 HIGH MS06-057 !

131654 HIGH MS06-055 !

129977 MEDIUM MS06-053 !

129976 MEDIUM MS06-052 !

126093 HIGH MS06-051 !

126092 MEDIUM MS06-050 !

126087 HIGH MS06-046 !

126086 MEDIUM MS06-045 !

126083 HIGH MS06-042 !

126082 HIGH MS06-041 !

126081 HIGH MS06-040 !

123421 HIGH MS06-036 !

123420 HIGH MS06-035 !

120825 MEDIUM MS06-032 !

120823 MEDIUM MS06-030 !

120818 HIGH MS06-025 !

120815 HIGH MS06-022 !

120814 HIGH MS06-021 !

117384 MEDIUM MS06-018 !

114666 HIGH MS06-015 !

114664 HIGH MS06-013 !

96574 HIGH MS05-053 !

93395 HIGH MS05-051 !

93454 MEDIUM MS05-049 !

;===============================================================================


Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.


Sorry for the delay here are the new ComboFix and HijackThis logs:

ComboFix 08-08-17.03 - j.collins 2008-08-17 19:04:49.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT -4:00]

Running from: C:\Documents and Settings\j.collins\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\j.collins\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t

C:\Documents and Settings\j.collins\Cookies\j.collins@careers.vurvexpress[2].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@edge.ru4[2].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@insightexpressai[2].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@live[1].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@revsci[2].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@tracking.dsmmadvantage[1].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@weatherbug[2].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@webbanking.comerica[1].txt

C:\Documents and Settings\j.collins\Cookies\j.collins@www35.vzw[2].txt

C:\Documents and Settings\j.collins\UserData

C:\Documents and Settings\j.collins\UserData\9JFJ9P8E\k[1].xml

C:\Documents and Settings\j.collins\UserData\index.dat

C:\Documents and Settings\j.collins\UserData\U9PY7MLS\cfTag_DivPersistentData[1].xml

C:\Documents and Settings\j.collins\UserData\VQ0JB545\dmtstore[1].xml

C:\WINDOWS\system32\blphcepfj0eg1t.scr

C:\WINDOWS\system32\lphcepfj0eg1t.exe

C:\WINDOWS\system32\phcepfj0eg1t.bmp

C:\WINDOWS\system32\pphcepfj0eg1t.exe

E:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SYSREST.SYS

-------\Service_sysrest.sys

((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))

.

2100-04-01 17:22 . 2008-06-24 14:37 194 --a------ C:\WINDOWS\X83_DS.ini

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI

2008-08-17 19:09 . 2008-08-17 19:09 <DIR> d-------- C:\Program Files\rhcapfj0eg1t

2008-08-17 19:08 . 2008-08-17 19:08 118,784 --a------ C:\WINDOWS\system32\blphcepfj0eg1t.scr

2008-08-17 19:08 . 2008-08-17 19:08 98,304 --a------ C:\WINDOWS\system32\rqnqdmfa.exe

2008-08-15 07:33 . 2008-08-15 07:33 <DIR> d-------- C:\WINDOWS\Common

2008-08-10 07:45 . 2008-08-10 07:45 23,040 --a------ C:\WINDOWS\system32\sysrest32.exe

2008-08-10 07:45 . 2008-08-17 18:55 15,328 --a------ C:\WINDOWS\system32\sysrest.sys

2008-08-08 10:47 . 2008-08-08 10:47 <DIR> d-------- C:\Program Files\Panda Security

2008-08-08 10:47 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-08-07 16:16 . 2008-08-08 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-08-07 16:16 . 2005-11-21 18:22 27,006 --a------ C:\WINDOWS\system32\pavas.ico

2008-08-07 16:16 . 2005-07-29 13:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-08-07 16:16 . 2005-07-29 13:43 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-08-06 12:35 . 2008-08-06 12:35 <DIR> d-------- C:\!KillBox

2008-08-06 12:28 . 2008-08-06 12:28 133,632 --a------ C:\WINDOWS\system32\qpoxypyn.exe

2008-08-06 12:28 . 2008-08-06 12:28 86,016 --a------ C:\WINDOWS\system32\ofaxwrmt.exe

2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-08-05 15:18 . 2008-08-05 15:18 <DIR> d-------- C:\Program Files\ivodhcc

2008-08-05 15:17 . 2008-08-05 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dgpyvybq

2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Malwarebytes

2008-08-04 10:45 . 2008-08-06 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-08-04 10:45 . 2008-08-04 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-08-04 10:45 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-04 10:45 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-04 09:52 . 2008-08-04 09:52 <DIR> d-------- C:\Program Files\IObit

2008-08-04 08:24 . 2008-08-12 21:07 0 --a------ C:\WINDOWS\system32\drivers\51f79f4e.sys

2008-08-01 16:44 . 2008-08-01 16:44 <DIR> d-------- C:\Program Files\Sun

2008-08-01 16:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-08-01 15:22 . 2008-07-24 09:37 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys

2008-07-31 15:55 . 2008-08-01 13:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-07-31 15:54 . 2008-08-05 16:00 <DIR> d-------- C:\Program Files\Google

2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Netscape

2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Citrix

2008-07-28 15:27 . 2008-08-04 09:50 11 --a------ C:\WINDOWS\system32\uninstall.mybho

2008-07-28 14:42 . 2008-07-28 14:43 144 --ahs---- C:\WINDOWS\system32\2013847430.dat

2008-07-28 11:11 . 2008-07-28 11:12 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\webex

2008-07-28 11:05 . 2008-07-30 14:24 <DIR> d-------- C:\Program Files\WebEx

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-08 16:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan

2008-08-07 20:43 --------- d-----w C:\Program Files\MyApp

2008-08-07 20:06 --------- d-----w C:\Program Files\Trend Micro

2008-08-05 23:12 --------- d-----w C:\Program Files\Common Files\Sonic Shared

2008-08-01 20:43 --------- d-----w C:\Program Files\Java

2008-07-16 16:12 --------- d-----w C:\Program Files\CutWorks

2008-07-13 15:32 --------- d-----w C:\Program Files\CutWorks Designer 5.0

2008-07-13 15:26 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-13 15:20 --------- d-----w C:\Program Files\WexTech

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\WexTech Shared

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\LHSPF

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-07-13 15:18 --------- d-----w C:\Program Files\MSXML 4.0

2008-07-12 13:55 --------- d-----w C:\Program Files\MSECache

2008-06-24 18:43 --------- d-----w C:\Documents and Settings\j.collins\Application Data\PDFCreator

2008-06-24 18:39 --------- d-----w C:\Documents and Settings\j.collins\Application Data\AdobeUM

2008-06-24 18:38 --------- d-----w C:\Program Files\LexmarkX83

2008-06-24 15:10 --------- d-----w C:\Program Files\Lexmark

2008-06-24 15:05 --------- d-----w C:\Program Files\Citrix

2008-06-24 15:05 --------- d-----w C:\Documents and Settings\j.collins\Application Data\ICAClient

2008-06-24 14:46 --------- d-----w C:\Documents and Settings\j.collins\Application Data\Smith Micro

2008-06-24 14:41 --------- d-----w C:\Program Files\Verizon Wireless

2008-06-24 14:41 --------- d-----w C:\Program Files\PANTECH

2008-06-23 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\LANDesk

2008-06-23 20:05 --------- d-----w C:\Program Files\LANDesk

.

------- Sigcheck -------

md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 04:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe

md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

"AppCmd"="C:\WINDOWS\system32\rqnqdmfa.exe" [2008-08-17 19:08 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 15:35 172094]

"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 19:51 1187840]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 04:11 925696]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 08:13 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 08:17 118784]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 06:20 122940]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 11:49 454656]

"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59 184320]

"LANDeskCustomData"="C:\Program Files\LANDesk\LDClient\ldcstm32.exe" [2007-11-29 23:23 299008]

"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 14:20 36864]

"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]

"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]

"SMrhcapfj0eg1t"="C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe" [2008-08-17 11:10 790528]

"mntsys"="C:\WINDOWS\Common\nwtkpsfi.exe" [2008-08-15 07:33 53248]

"MsmqIntCert"="mqrt.dll" [2004-08-04 04:00 177152 C:\WINDOWS\system32\mqrt.dll]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 16:00 88203 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"wjojIyJ1lg"="C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe" [2008-08-05 15:17 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 15:25:02 581693]

DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-11-03 17:47:31 184320]

Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-11-08 18:33:12 233744]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-03 10:52:21 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

"HideShutdownScripts"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispBackgroundPage"= 1 (0x1)

"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"shmoncmd"= {11EBA674-1CB0-F84F-2F91-099CEC9EC0D0} - C:\Program Files\ivodhcc\shmoncmd.dll [2008-08-05 15:18 110592]

"NlEyWWuXE"= {7808DF87-D2A2-752D-0120-6ABE859A7295} - C:\WINDOWS\system32\krpd.dll [2004-08-04 04:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-06-19 14:01 24669 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]

"Script"=RemAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]

"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]

"Script"=add_dom_users.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\mqsvc.exe"=

"C:\\WINDOWS\\system32\\cba\\pds.exe"=

"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=

"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"C:\\WINDOWS\\system32\\sysrest32.exe"=

"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-07-24 09:37]

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2005-01-17 18:51]

R2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 22:58]

R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-11-29 21:32]

R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2005-06-19 14:01]

R2 CutWorksLog;CutWorksLog;C:\Program Files\CutWorks\CutWorksLog.exe [2004-09-10 11:49]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2007-11-29 23:37]

R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 09:35]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2005-06-19 14:00]

R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-06-19 14:00]

R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-06-19 14:00]

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 13:05]

R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 07:19]

R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2007-05-30 10:23]

R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2007-05-30 10:23]

R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2007-05-30 10:23]

S1 51f79f4e;51f79f4e;C:\WINDOWS\system32\drivers\51f79f4e.sys [2008-08-12 21:07]

S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 06:45]

S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 06:45]

S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 06:45]

S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 20:30]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-DscUtilEn - C:\WINDOWS\system32\fwvapwbw.exe

HKCU-Run-hlpcom - C:\WINDOWS\system32\ejylczkh.exe

HKCU-Run-MsgShSrv - C:\WINDOWS\system32\hazsfuvg.exe

HKCU-Run-HlpAct - C:\WINDOWS\system32\lopezufg.exe

HKCU-Run-cfgchk - C:\WINDOWS\system32\qjahcdef.exe

HKCU-Run-smartchk - C:\WINDOWS\system32\nwhkhkls.exe

HKCU-Run-webapp - C:\WINDOWS\system32\folinyta.exe

HKCU-Run-ProcEn - C:\WINDOWS\system32\pexinots.exe

HKCU-Run-AplUi - C:\WINDOWS\system32\rmludode.exe

HKCU-Run-gencmdmnt - C:\WINDOWS\system32\cfwrkled.exe

HKLM-Run-lphcepfj0eg1t - C:\WINDOWS\system32\lphcepfj0eg1t.exe

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.com/ig?hl=en&source=iglk

R0 -: HKCU-Main,Default_Search_URL =

R0 -: HKLM-Main,Start Page = hxxp://www.google.com

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://gateway-america.lectra.com/CitrixLogonPoint/LectraExt/EPAClient/EPAClient.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-17 19:08:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????Z????g????|?????? ??4B??????????????hB? ????Z?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

C:\WINDOWS\system32\scardsvr.exe

C:\WINDOWS\system32\msdtc.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\LANDesk\LDClient\tmcsvc.exe

C:\PROGRA~1\LANDesk\LDClient\issuser.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\LANDesk\LDClient\collector.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Qoobox\Quarantine\C\WINDOWS\system32\lphcepfj0eg1t.exe.vir

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\pphcepfj0eg1t.exe

.

**************************************************************************

.

Completion time: 2008-08-17 19:10:53 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-17 23:10:46

Pre-Run: 39,328,010,240 bytes free

Post-Run: 39,801,323,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:13, on 2008-08-17

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\LANDesk\Shared Files\residentagent.exe

C:\Program Files\CutWorks\CutWorksLog.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\WINDOWS\system32\CBA\pds.exe

C:\Program Files\LANDesk\LDClient\tmcsvc.exe

C:\PROGRA~1\LANDesk\LDClient\issuser.exe

C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\LANDesk\LDClient\collector.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\Program Files\LANDesk\LDClient\softmon.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

C:\WINDOWS\Common\nwtkpsfi.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Citrix\ICA Client\pnagent.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\Common\nwtkpsfi.exe

C:\WINDOWS\system32\xedubglg.exe

C:\WINDOWS\system32\rqnqdmfa.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe

C:\WINDOWS\system32\pphcepfj0eg1t.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lectra.com/proxy/proxy.pac

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [LANDeskCustomData] "C:\Program Files\LANDesk\LDClient\ldcstm32.exe" /s

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKLM\..\Run: [sMrhcapfj0eg1t] C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe

O4 - HKLM\..\Run: [mntsys] C:\WINDOWS\Common\nwtkpsfi.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AppCmd] C:\WINDOWS\system32\rqnqdmfa.exe

O4 - HKLM\..\Policies\Explorer\Run: [wjojIyJ1lg] C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O15 - Trusted Zone: http://sbeupowb.eu.lectra.com

O15 - Trusted Zone: http://sbeupowb.eu.lectra.com (HKLM)

O15 - ESC Trusted Zone: http://runonce.msn.com

O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://gateway-america.lectra.com/CitrixSe...AWEB/icaweb.cab

O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} (CCAOControl Object) - https://gateway-america.lectra.com/CitrixLo...t/EPAClient.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.lectra.com

O17 - HKLM\Software\..\Telephony: DomainName = am.lectra.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.lectra.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = am.lectra.com

O21 - SSODL: shmoncmd - {11EBA674-1CB0-F84F-2F91-099CEC9EC0D0} - C:\Program Files\ivodhcc\shmoncmd.dll

O21 - SSODL: NlEyWWuXE - {7808DF87-D2A2-752D-0120-6ABE859A7295} - C:\WINDOWS\system32\krpd.dll

O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe

O23 - Service: CutWorksLog - Gerber


Click start-->run...then type notepad.exe and click "OK" or hit your enter key.

Copy/paste the below text in Bold into the blank notepad:

File::

C:\WINDOWS\system32\blphcepfj0eg1t.scr

C:\WINDOWS\system32\rqnqdmfa.exe

C:\WINDOWS\system32\sysrest32.exe

C:\WINDOWS\system32\sysrest.sys

C:\WINDOWS\system32\qpoxypyn.exe

C:\WINDOWS\system32\ofaxwrmt.exe

C:\WINDOWS\system32\drivers\51f79f4e.sys

C:\WINDOWS\system32\2013847430.dat

C:\WINDOWS\system32\pphcepfj0eg1t.exe

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe

C:\WINDOWS\Common\nwtkpsfi.exe

C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe

C:\Program Files\ivodhcc\shmoncmd.dll

C:\WINDOWS\system32\krpd.dll

Folder::

C:\Program Files\ivodhcc

C:\Documents and Settings\All Users\Application Data\dgpyvybq

C:\Program Files\rhcapfj0eg1t

Driver::

sysrest

51f79f4e

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppCmd"=-

"SMrhcapfj0eg1t"=-

"mntsys"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"wjojIyJ1lg"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"shmoncmd"=-

"NlEyWWuXE"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\WINDOWS\system32\sysrest32.exe"=-

FileLook::

C:\WINDOWS\system32\uninstall.mybho

DirLook::

C:\WINDOWS\Common

Save this as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop.

Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Here is the latest ComboFix log after running the txt file.

ComboFix 08-08-17.03 - j.collins 2008-08-18 16:30:59.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.268 [GMT -4:00]

Running from: C:\Documents and Settings\j.collins\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\j.collins\Desktop\CFScript.txt

* Created a new restore point

FILE ::

C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe

C:\Program Files\ivodhcc\shmoncmd.dll

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe

C:\WINDOWS\Common\nwtkpsfi.exe

C:\WINDOWS\system32\2013847430.dat

C:\WINDOWS\system32\blphcepfj0eg1t.scr

C:\WINDOWS\system32\drivers\51f79f4e.sys

C:\WINDOWS\system32\krpd.dll

C:\WINDOWS\system32\ofaxwrmt.exe

C:\WINDOWS\system32\pphcepfj0eg1t.exe

C:\WINDOWS\system32\qpoxypyn.exe

C:\WINDOWS\system32\rqnqdmfa.exe

C:\WINDOWS\system32\sysrest.sys

C:\WINDOWS\system32\sysrest32.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Application Data\dgpyvybq

C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t

C:\Documents and Settings\j.collins\Cookies\j.collins@www35.vzw[1].txt

C:\Documents and Settings\j.collins\UserData

C:\Documents and Settings\j.collins\UserData\6NGN3CX0\dmtstore[1].xml

C:\Documents and Settings\j.collins\UserData\index.dat

C:\Program Files\ivodhcc

C:\Program Files\ivodhcc\shmoncmd.dll

C:\Program Files\rhcapfj0eg1t

C:\Program Files\rhcapfj0eg1t\database.dat

C:\Program Files\rhcapfj0eg1t\license.txt

C:\Program Files\rhcapfj0eg1t\MFC71.dll

C:\Program Files\rhcapfj0eg1t\MFC71ENU.DLL

C:\Program Files\rhcapfj0eg1t\msvcp71.dll

C:\Program Files\rhcapfj0eg1t\msvcr71.dll

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe

C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe.local

C:\Program Files\rhcapfj0eg1t\Uninstall.exe

C:\WINDOWS\Common\nwtkpsfi.exe

C:\WINDOWS\system32\2013847430.dat

C:\WINDOWS\system32\blphcepfj0eg1t.scr

C:\WINDOWS\system32\drivers\51f79f4e.sys

C:\WINDOWS\system32\krpd.dll

C:\WINDOWS\system32\ofaxwrmt.exe

C:\WINDOWS\system32\pphcepfj0eg1t.exe

C:\WINDOWS\system32\qpoxypyn.exe

C:\WINDOWS\system32\rqnqdmfa.exe

C:\WINDOWS\system32\sysrest.sys

C:\WINDOWS\system32\sysrest32.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_51f79f4e

((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))

.

2100-04-01 17:22 . 2008-08-18 11:03 194 --a------ C:\WINDOWS\X83_DS.ini

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI

2008-08-18 08:28 . 2008-08-18 08:28 86,016 --a------ C:\WINDOWS\system32\tezmnyto.exe

2008-08-18 08:27 . 2008-08-18 08:27 194,560 --a------ C:\WINDOWS\system32\benuxits.exe

2008-08-15 07:33 . 2008-08-18 16:31 <DIR> d-------- C:\WINDOWS\Common

2008-08-08 10:47 . 2008-08-08 10:47 <DIR> d-------- C:\Program Files\Panda Security

2008-08-08 10:47 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-08-07 16:16 . 2008-08-08 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-08-07 16:16 . 2005-11-21 18:22 27,006 --a------ C:\WINDOWS\system32\pavas.ico

2008-08-07 16:16 . 2005-07-29 13:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-08-07 16:16 . 2005-07-29 13:43 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-08-06 12:35 . 2008-08-06 12:35 <DIR> d-------- C:\!KillBox

2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Malwarebytes

2008-08-04 10:45 . 2008-08-06 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-08-04 10:45 . 2008-08-04 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-08-04 10:45 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-04 10:45 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-04 09:52 . 2008-08-04 09:52 <DIR> d-------- C:\Program Files\IObit

2008-08-01 16:44 . 2008-08-01 16:44 <DIR> d-------- C:\Program Files\Sun

2008-08-01 16:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-08-01 15:22 . 2008-07-24 09:37 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys

2008-07-31 15:55 . 2008-08-01 13:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-07-31 15:54 . 2008-08-05 16:00 <DIR> d-------- C:\Program Files\Google

2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Netscape

2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Citrix

2008-07-28 15:27 . 2008-08-04 09:50 11 --a------ C:\WINDOWS\system32\uninstall.mybho

2008-07-28 11:11 . 2008-07-28 11:12 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\webex

2008-07-28 11:05 . 2008-07-30 14:24 <DIR> d-------- C:\Program Files\WebEx

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-18 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan

2008-08-07 20:43 --------- d-----w C:\Program Files\MyApp

2008-08-07 20:06 --------- d-----w C:\Program Files\Trend Micro

2008-08-05 23:12 --------- d-----w C:\Program Files\Common Files\Sonic Shared

2008-08-01 20:43 --------- d-----w C:\Program Files\Java

2008-07-16 16:12 --------- d-----w C:\Program Files\CutWorks

2008-07-13 15:32 --------- d-----w C:\Program Files\CutWorks Designer 5.0

2008-07-13 15:26 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-13 15:20 --------- d-----w C:\Program Files\WexTech

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\WexTech Shared

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\LHSPF

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-07-13 15:18 --------- d-----w C:\Program Files\MSXML 4.0

2008-07-12 13:55 --------- d-----w C:\Program Files\MSECache

2008-06-24 18:43 --------- d-----w C:\Documents and Settings\j.collins\Application Data\PDFCreator

2008-06-24 18:39 --------- d-----w C:\Documents and Settings\j.collins\Application Data\AdobeUM

2008-06-24 18:38 --------- d-----w C:\Program Files\LexmarkX83

2008-06-24 15:10 --------- d-----w C:\Program Files\Lexmark

2008-06-24 15:05 --------- d-----w C:\Program Files\Citrix

2008-06-24 15:05 --------- d-----w C:\Documents and Settings\j.collins\Application Data\ICAClient

2008-06-24 14:46 --------- d-----w C:\Documents and Settings\j.collins\Application Data\Smith Micro

2008-06-24 14:41 --------- d-----w C:\Program Files\Verizon Wireless

2008-06-24 14:41 --------- d-----w C:\Program Files\PANTECH

2008-06-23 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\LANDesk

2008-06-23 20:05 --------- d-----w C:\Program Files\LANDesk

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\uninstall.mybho -- Not a PE file.

MD5: f9390a767e68e6f1619b63c785629f40

---- Directory of C:\WINDOWS\Common ----

2008-08-15 07:33 53248 --a------ C:\WINDOWS\Common\nwtkpsfi.exe

------- Sigcheck -------

2004-08-04 04:00 17408 f87bc2e69be15f6c36c86d3bc4ba20b3 C:\WINDOWS\system32\svchost.exe

2004-08-04 04:00 506368 a5425a5f2551d5c6b68bd38c23136654 C:\WINDOWS\system32\winlogon.exe

2004-08-04 04:00 1034752 0a38da2381e627af175788e6fa8deb5c C:\WINDOWS\explorer.exe

2004-08-04 04:00 110592 6620db49c57c5c20abd2482ad7fe8da9 C:\WINDOWS\system32\services.exe

2004-08-04 04:00 14848 09463bfd671d75844b71281f91f5967c C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 04:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe

2005-06-10 19:53 58880 df109a1298e62218fc20180baff39ade C:\WINDOWS\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

"CmdGenSys"="C:\WINDOWS\system32\tezmnyto.exe" [2008-08-18 08:28 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 15:35 172094]

"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 19:51 1187840]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 04:11 925696]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 08:13 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 08:17 118784]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 06:20 122940]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 11:49 454656]

"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59 184320]

"LANDeskCustomData"="C:\Program Files\LANDesk\LDClient\ldcstm32.exe" [2007-11-29 23:23 299008]

"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 14:20 36864]

"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]

"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]

"MsmqIntCert"="mqrt.dll" [2004-08-04 04:00 177152 C:\WINDOWS\system32\mqrt.dll]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 16:00 88203 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 15:25:02 581693]

DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-11-03 17:47:31 184320]

Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-11-08 18:33:12 233744]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-03 10:52:21 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

"HideShutdownScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-06-19 14:01 24669 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]

"Script"=RemAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]

"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]

"Script"=add_dom_users.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\mqsvc.exe"=

"C:\\WINDOWS\\system32\\cba\\pds.exe"=

"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=

"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-07-24 09:37]

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2005-01-17 18:51]

R2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 22:58]

R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-11-29 21:32]

R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2005-06-19 14:01]

R2 CutWorksLog;CutWorksLog;C:\Program Files\CutWorks\CutWorksLog.exe [2004-09-10 11:49]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2007-11-29 23:37]

R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 09:35]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2005-06-19 14:00]

R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-06-19 14:00]

R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-06-19 14:00]

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 13:05]

R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 07:19]

R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2007-05-30 10:23]

R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2007-05-30 10:23]

R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2007-05-30 10:23]

S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 06:45]

S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 06:45]

S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 06:45]

S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 20:30]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SMrhcapfj0eg1t - C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe

HKLM-Run-mntsys - C:\WINDOWS\Common\nwtkpsfi.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-18 16:36:18

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????Z????[????|?????? ??4B??????????????hB? ????Z?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

-> ?:\WINDOWS\System32\CSCDLL.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

C:\WINDOWS\system32\scardsvr.exe

C:\WINDOWS\system32\msdtc.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\LANDesk\LDClient\tmcsvc.exe

C:\PROGRA~1\LANDesk\LDClient\issuser.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\PROGRA~1\LANDesk\LDClient\collector.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\userinit.exe

.

**************************************************************************

.

Completion time: 2008-08-18 16:37:32 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-18 20:37:28

ComboFix2.txt 2008-08-17 23:10:53

Pre-Run: 39,484,944,384 bytes free

Post-Run: 39,744,614,400 bytes free


Please open another blank Notepad...Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

C:\WINDOWS\system32\tezmnyto.exe

C:\WINDOWS\system32\benuxits.exe

C:\WINDOWS\system32\uninstall.mybho

Folder::

C:\WINDOWS\Common

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CmdGenSys"=-

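The CFScript above is the manual outcome of reading the ComboFix log: the helper spotted the Run entry "CmdGenSys" pointing at a freshly written, randomly named executable in system32 and listed it for removal. As an added example, not part of this thread and not a ComboFix or Malwarebytes feature, here is a small Python triage script that parses a "Reg Loading Points" section in the same layout, flags Run entries that show heuristic traits (random-looking eight-letter filename, file timestamp close to the scan time, value name unrelated to the filename; the traits and the threshold of two traits are assumptions chosen for illustration), and renders the flagged entries in the File::/Registry:: layout used in the script above. The sample log is constructed from lines posted earlier in the thread.

```python
"""Autorun triage over a ComboFix-style "Reg Loading Points" section.

Added example for this thread, not a ComboFix or Malwarebytes feature:
it parses Run entries, scores each with simple heuristics, and renders the
flagged ones in the File::/Registry:: CFScript layout used above.
The heuristics and thresholds are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a shortened section in the shape of the log posted
# above (entry lines copied from it).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"CmdGenSys"="C:\WINDOWS\system32\tezmnyto.exe" [2008-08-18 08:28 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]
"MsmqIntCert"="mqrt.dll" [2004-08-04 04:00 177152 C:\WINDOWS\system32\mqrt.dll]
"""

KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" '
    r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+)(?: [^\]]+)?\]$'
)
# Assumed pattern: eight lowercase letters, like tezmnyto / benuxits in this thread.
RANDOM_STEM_RE = re.compile(r'^[a-z]{8}$')


def parse_run_entries(log_text):
    """Return one dict per "Name"="path" [date time size] line, tagged with its key."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            stamp = datetime.strptime('%s %s' % (m.group('date'), m.group('time')),
                                      '%Y-%m-%d %H:%M')
            entries.append({'key': key, 'name': m.group('name'), 'path': m.group('path'),
                            'stamp': stamp, 'size': int(m.group('size'))})
    return entries


def suspicious_traits(entry, scan_time, recent_days=30):
    """List the heuristic traits an entry shows (assumed thresholds, for illustration)."""
    traits = []
    filename = entry['path'].rsplit('\\', 1)[-1]
    stem_raw = filename.rsplit('.', 1)[0]
    stem = stem_raw.lower()
    if RANDOM_STEM_RE.match(stem_raw):
        traits.append('random-looking 8-letter filename')
    # Negative differences (future-dated files) are also treated as recent.
    if scan_time - entry['stamp'] <= timedelta(days=recent_days):
        traits.append('file written within %d days of the scan' % recent_days)
    name = entry['name'].lower()
    grams = [stem[i:i + 4] for i in range(max(1, len(stem) - 3))]
    if not any(g in name for g in grams):
        traits.append('value name unrelated to filename')
    return traits


def triage(log_text, scan_time_text, threshold=2):
    """Return (entry, traits) pairs showing at least `threshold` traits.

    scan_time_text is the scan timestamp as 'YYYY-MM-DD HH:MM'.
    """
    scan_time = datetime.strptime(scan_time_text, '%Y-%m-%d %H:%M')
    hits = []
    for entry in parse_run_entries(log_text):
        traits = suspicious_traits(entry, scan_time)
        if len(traits) >= threshold:
            hits.append((entry, traits))
    return hits


def build_cfscript(entries):
    """Render entries in the File::/Registry:: layout shown in this thread."""
    lines = ['File::'] + [e['path'] for e in entries] + ['', 'Registry::']
    by_key = {}
    for e in entries:
        by_key.setdefault(e['key'], []).append(e['name'])
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % n for n in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Scan time taken from the "Rootkit scan 2008-08-18 16:36:18" line above.
    hits = triage(SAMPLE_LOG, '2008-08-18 16:36')
    for entry, traits in hits:
        print('%s -> %s\n    %s' % (entry['name'], entry['path'], '; '.join(traits)))
    print(build_cfscript([e for e, _ in hits]))
```

On the sample, only "CmdGenSys" reaches the threshold (all three traits), while legitimate entries such as igfxtray.exe, which also has an eight-letter name, score one trait at most; the threshold is what keeps a single weak signal from producing a deletion line. Review the rendered fragment by hand before using it: this is a triage aid for reading logs, and the thread's own warning that fixes are specific to one system still applies.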

Here you go. Thanks for your help!

ComboFix 08-08-18.05 - j.collins 2008-08-19 20:46:03.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.224 [GMT -4:00]

Running from: C:\Documents and Settings\j.collins\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\j.collins\Desktop\CFScript.txt

* Created a new restore point

FILE ::

C:\WINDOWS\system32\benuxits.exe

C:\WINDOWS\system32\tezmnyto.exe

C:\WINDOWS\system32\uninstall.mybho

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\Common

C:\WINDOWS\system32\benuxits.exe

C:\WINDOWS\system32\tezmnyto.exe

C:\WINDOWS\system32\uninstall.mybho

.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))

.

2100-04-01 17:22 . 2008-08-18 11:03 194 --a------ C:\WINDOWS\X83_DS.ini

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI

2008-08-08 10:47 . 2008-08-08 10:47 <DIR> d-------- C:\Program Files\Panda Security

2008-08-08 10:47 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-08-07 16:16 . 2008-08-08 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-08-07 16:16 . 2005-11-21 18:22 27,006 --a------ C:\WINDOWS\system32\pavas.ico

2008-08-07 16:16 . 2005-07-29 13:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-08-07 16:16 . 2005-07-29 13:43 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-08-06 12:35 . 2008-08-06 12:35 <DIR> d-------- C:\!KillBox

2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Program Files\Enigma Software Group

2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Malwarebytes

2008-08-04 10:45 . 2008-08-06 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-08-04 10:45 . 2008-08-04 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-08-04 10:45 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-04 10:45 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-04 09:52 . 2008-08-04 09:52 <DIR> d-------- C:\Program Files\IObit

2008-08-01 16:44 . 2008-08-01 16:44 <DIR> d-------- C:\Program Files\Sun

2008-08-01 16:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-08-01 15:22 . 2008-07-24 09:37 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys

2008-07-31 15:55 . 2008-08-01 13:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-07-31 15:54 . 2008-08-05 16:00 <DIR> d-------- C:\Program Files\Google

2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Netscape

2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Citrix

2008-07-28 11:11 . 2008-07-28 11:12 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\webex

2008-07-28 11:05 . 2008-07-30 14:24 <DIR> d-------- C:\Program Files\WebEx

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-18 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan

2008-08-07 20:43 --------- d-----w C:\Program Files\MyApp

2008-08-07 20:06 --------- d-----w C:\Program Files\Trend Micro

2008-08-05 23:12 --------- d-----w C:\Program Files\Common Files\Sonic Shared

2008-08-01 20:43 --------- d-----w C:\Program Files\Java

2008-07-16 16:12 --------- d-----w C:\Program Files\CutWorks

2008-07-13 15:32 --------- d-----w C:\Program Files\CutWorks Designer 5.0

2008-07-13 15:26 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-13 15:20 --------- d-----w C:\Program Files\WexTech

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\WexTech Shared

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\LHSPF

2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-07-13 15:18 --------- d-----w C:\Program Files\MSXML 4.0

2008-07-12 13:55 --------- d-----w C:\Program Files\MSECache

2008-06-24 18:43 --------- d-----w C:\Documents and Settings\j.collins\Application Data\PDFCreator

2008-06-24 18:39 --------- d-----w C:\Documents and Settings\j.collins\Application Data\AdobeUM

2008-06-24 18:38 --------- d-----w C:\Program Files\LexmarkX83

2008-06-24 15:10 --------- d-----w C:\Program Files\Lexmark

2008-06-24 15:05 --------- d-----w C:\Program Files\Citrix

2008-06-24 15:05 --------- d-----w C:\Documents and Settings\j.collins\Application Data\ICAClient

2008-06-24 14:46 --------- d-----w C:\Documents and Settings\j.collins\Application Data\Smith Micro

2008-06-24 14:41 --------- d-----w C:\Program Files\Verizon Wireless

2008-06-24 14:41 --------- d-----w C:\Program Files\PANTECH

2008-06-23 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\LANDesk

2008-06-23 20:05 --------- d-----w C:\Program Files\LANDesk

.

------- Sigcheck -------

2004-08-04 04:00 17408 f87bc2e69be15f6c36c86d3bc4ba20b3 C:\WINDOWS\system32\svchost.exe

2004-08-04 04:00 506368 a5425a5f2551d5c6b68bd38c23136654 C:\WINDOWS\system32\winlogon.exe

2004-08-04 04:00 1034752 0a38da2381e627af175788e6fa8deb5c C:\WINDOWS\explorer.exe

2004-08-04 04:00 110592 6620db49c57c5c20abd2482ad7fe8da9 C:\WINDOWS\system32\services.exe

2004-08-04 04:00 14848 09463bfd671d75844b71281f91f5967c C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 04:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe

2005-06-10 19:53 58880 df109a1298e62218fc20180baff39ade C:\WINDOWS\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 15:35 172094]

"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 19:51 1187840]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 04:11 925696]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 08:13 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 08:17 118784]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 06:20 122940]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 11:49 454656]

"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59 184320]

"LANDeskCustomData"="C:\Program Files\LANDesk\LDClient\ldcstm32.exe" [2007-11-29 23:23 299008]

"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 14:20 36864]

"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]

"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]

"MsmqIntCert"="mqrt.dll" [2004-08-04 04:00 177152 C:\WINDOWS\system32\mqrt.dll]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 16:00 88203 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 15:25:02 581693]

DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-11-03 17:47:31 184320]

Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-11-08 18:33:12 233744]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-03 10:52:21 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

"HideShutdownScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-06-19 14:01 24669 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]

"Script"=RemAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]

"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]

"Script"=add_dom_users.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\mqsvc.exe"=

"C:\\WINDOWS\\system32\\cba\\pds.exe"=

"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=

"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-07-24 09:37]

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2005-01-17 18:51]

R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-11-29 21:32]

R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2005-06-19 14:01]

R2 CutWorksLog;CutWorksLog;C:\Program Files\CutWorks\CutWorksLog.exe [2004-09-10 11:49]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2007-11-29 23:37]

R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 09:35]

R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2005-06-19 14:00]

R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-06-19 14:00]

R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-06-19 14:00]

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 13:05]

R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 07:19]

R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2007-05-30 10:23]

R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2007-05-30 10:23]

R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2007-05-30 10:23]

R3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 06:45]

R3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 06:45]

R3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 06:45]

R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 20:30]

S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 22:58]

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-19 20:47:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????Z????Z????|?????? ??4B??????????????hB? ????Z?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-19 20:47:59

ComboFix-quarantined-files.txt 2008-08-20 00:47:56

ComboFix2.txt 2008-08-18 20:37:33

ComboFix3.txt 2008-08-17 23:10:53

Pre-Run: 39,629,934,592 bytes free

Post-Run: 39,691,698,176 bytes free


Thanks! Here is the final log. The system has been working well since we did the combofix. I really appreciate your help and support through this.

Malwarebytes' Anti-Malware 1.24

Database version: 1031

Windows 5.1.2600 Service Pack 2

18:07:52 2008-08-20

mbam-log-8-20-2008 (18-07-52).txt

Scan type: Quick Scan

Objects scanned: 45297

Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.


Your mbam could use another manual update. Remember to run an update each time before you run the application. I'm glad to see you've noticed an improvement in the performance of your system...but I'd like to see one more mbam log with the updated version and database. See my log below compared with yours on the same date:

Yours:

Malwarebytes' Anti-Malware 1.24

Database version: 1031

Windows 5.1.2600 Service Pack 2

18:07:52 2008-08-20

mbam-log-8-20-2008 (18-07-52).txt

Mine:

Malwarebytes' Anti-Malware 1.25

Database version: 1071

Windows 5.1.2600 Service Pack 3

8:01:49 AM 8/20/2008

mbam-log-08-20-2008 (08-01-49).txt


  • 3 weeks later...

Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
