
Trojan.Agent Virtumonde.prx problems



I can't seem to get rid of a file called liyuwuviho in my registry which is calling a nesilifo.dll. There are probably hidden files that I am not catching.

Here is HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:14:30 PM, on 11/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Smc.exe

C:\Program Files\Symantec AntiVirus\SNAC.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Sun\SDK\lib\appservService.exe

C:\PROGRA~1\HPAVAD~1\avChgSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Remote tools\msraLinkMonitor.exe

C:\Sun\SDK\jdk\bin\java.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Sonic Shared\CineTray.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Sun\SDK\jdk\bin\javaw.exe

C:\Program Files\Symantec AntiVirus\SymCorpUI.exe

C:\Program Files\Symantec AntiVirus\SavUI.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compaq.com

O15 - Trusted Zone: *.cpqcorp.net

O15 - Trusted Zone: http://*.dcu.org

O15 - Trusted Zone: http://*.dec.com

O15 - Trusted Zone: *.hp.com

O15 - Trusted Zone: http://*.hpe-learning.com

O15 - Trusted Zone: *.hpqcorp.net

O15 - Trusted Zone: *.hpshopping.com

O15 - Trusted Zone: http://*.listen.com

O15 - Trusted Zone: http://*.llnwd.net

O15 - Trusted Zone: *.real.com

O15 - Trusted Zone: http://*.skillport.com

O15 - Trusted Zone: http://*.skillsoft.com

O15 - Trusted Zone: http://*.tandem.com

O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)

O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)

O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab

O16 - DPF: {00000021-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall21.cab

O16 - DPF: {00000030-9593-4264-8B29-930B3E4EDCCD} - https://test.rooms.hp.com/vRoom_Cab/WebHPVCInstall30.cab

O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab

O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199561706073

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1220563491695

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab

O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge.external.hp.com/hp/capicom.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.193.150.85/activex/AMC.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\yifiroso.dll

O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe

O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Sun\SDK\lib\appservService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe

O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 16584 bytes

Panda Active Scan:

;*******************************************************************************

ANALYSIS: 2008-11-29 15:42:04

PROTECTIONS: 1

MALWARE: 55

SUSPECTS: 1

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Windows Defender 1.1.3903.0 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00041904 adware/sidesearch Adware No 0 Yes No hkey_classes_root\sep.av.scandlgs

00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\classes\sep.av.scandlgs

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@trafficmp[1].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@casalemedia[1].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@casalemedia[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@atdmt[1].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@247realmedia[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@fastclick[1].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@fastclick[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@tribalfusion[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@mediaplex[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@mediaplex[2].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@revenue[2].txt

00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www.myaffiliateprogram[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@com[2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@com[1].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@xiti[1].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@azjmp[2].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@statcounter[1].txt

00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@club.cdfreaks[2].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@perf.overture[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ad.yieldmanager[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@apmebf[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@burstnet[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@serving-sys[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@serving-sys[5].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@bs.serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@bs.serving-sys[2].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www.burstbeacon[1].txt

00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@cdfreaks[2].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@adtech[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@server.iad.liveperson[1].txt

00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@stat.onestat[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@advertising[2].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@media.adrevolver[2].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@statse.webtrendslive[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ads.pointroll[2].txt

00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@fortunecity[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@overture[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@realmedia[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@questionmarket[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@questionmarket[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@zedo[2].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@bluestreak[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@adrevolver[1].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@bravenet[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@go[1].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@searchportal.information[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@target[1].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@did-it[1].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@did-it[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@atwola[2].txt

00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@smartadserver[1].txt

00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www3.addfreestats[2].txt

00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www6.addfreestats[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ads.addynamix[1].txt

00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@citi.bridgetrack[1].txt

00444270 Adware/InternetSpeedMonitor Adware No 0 No No C:\Program Files\Common Files\Real\Update_OB\020a57bd.exe[iCheck.exe]

01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@enhance[1].txt

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@adserver.easyad[2].txt

02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\unpingco@adsrevenue[1].txt

02900551 Application/ProductKeyExplorer HackTools No 0 Yes No C:\Program Files\VisualStudio2005\productkeyexplorer_setup.exe

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\RP378\A0087300.sys

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

No C:\Program Files\Common Files\Real\Update_OB\020a57bd.exe[GetModule20.exe]

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

;===============================================================================

MBAM:

Malwarebytes' Anti-Malware 1.30

Database version: 1435

Windows 5.1.2600 Service Pack 3

11/29/2008 2:45:08 PM

mbam-log-2008-11-29 (14-44-54).txt

Scan type: Quick Scan

Objects scanned: 61698

Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

SPYBOT S&D:

--- Search result list ---

Hint of the Day: Click the bar at the right of this to see more information! ()

Microsoft.Windows.Security.InternetExplorer: [sBI $A3433CBF] Settings (Registry change, nothing done)

HKEY_USERS\S-1-5-21-839522115-1383384898-515967899-1351697\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

Microsoft.WindowsSecurityCenter.FirewallBypass: [sBI $D80580B5] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Microsoft.WindowsSecurityCenter.FirewallBypass: [sBI $B067B5B7] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Virtumonde.prx: [sBI $3F5CA9DA] Autorun settings (liyuwuviho) (Registry value, nothing done)

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho

Virtumonde.prx: [sBI $3F5CA9DA] Autorun settings (liyuwuviho) (Registry value, nothing done)

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho

Virtumonde.prx: [sBI $3F5CA9DA] Autorun settings (liyuwuviho) (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho

AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

Omniture: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

Omniture: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

CoreMetrics: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

DoubleClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

FastClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

Zedo: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

MediaPlex: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

Right Media: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

MediaPlex: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

BurstMedia: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

WebTrends live: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

BurstMedia: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

DoubleClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

Statcounter: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

DoubleClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

BlueStreak: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)

WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)

CoreMetrics: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)

Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

BlueStreak: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

DirectTrack: Tracking cookie (Firefox: default) (Cookie, nothing done)

DirectTrack: Tracking cookie (Firefox: default) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)

2008-07-07 SDFiles.exe (1.6.0.4)

2008-07-07 SDMain.exe (1.0.0.6)

2008-07-07 SDShred.exe (1.0.2.3)

2008-07-07 SDUpdate.exe (1.6.0.8)

2008-07-07 SDWinSec.exe (1.0.0.12)

2008-07-07 SpybotSD.exe (1.6.0.30)

2008-09-16 TeaTimer.exe (1.6.3.25)

2008-08-30 unins000.exe (51.49.0.0)

2008-07-07 Update.exe (1.6.0.7)

2008-10-22 advcheck.dll (1.6.2.13)

2007-04-02 aports.dll (2.1.0.0)

2008-06-14 DelZip179.dll (1.79.11.1)

2008-09-15 SDHelper.dll (1.6.2.14)

2008-06-19 sqlite3.dll

2008-07-07 Tools.dll (2.1.5.7)

2008-11-04 Includes\Adware.sbi (*)

2008-11-25 Includes\AdwareC.sbi (*)

2008-06-03 Includes\Cookies.sbi (*)

2008-09-02 Includes\Dialer.sbi (*)

2008-09-09 Includes\DialerC.sbi (*)

2008-07-23 Includes\HeavyDuty.sbi (*)

2008-11-18 Includes\Hijackers.sbi (*)

2008-11-18 Includes\HijackersC.sbi (*)

2008-09-09 Includes\Keyloggers.sbi (*)

2008-11-18 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2008-11-18 Includes\Malware.sbi (*)

2008-11-25 Includes\MalwareC.sbi (*)

2008-11-03 Includes\PUPS.sbi (*)

2008-11-25 Includes\PUPSC.sbi (*)

2007-11-07 Includes\Revision.sbi (*)

2008-06-17 Includes\Security.sbi (*)

2008-11-25 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2008-11-04 Includes\Spyware.sbi (*)

2008-11-11 Includes\SpywareC.sbi (*)

2008-06-03 Includes\Tracks.uti

2008-11-04 Includes\Trojans.sbi (*)

2008-11-26 Includes\TrojansC.sbi (*)

2008-03-04 Plugins\Chai.dll

2008-03-05 Plugins\Fennel.dll

2008-02-26 Plugins\Mate.dll

2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---

Windows XP (Build: 2600) Service Pack 3 (5.1.2600)

/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB928367)

/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)

/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)

/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)

/ Microsoft Visual Studio 2005 Professional Edition - ENU: This service pack is for Microsoft Visual Studio 2005 Professional Edition - ENU.

If you later install a more recent service pack, this service pack will be uninstalled automatically.

For more information, visit http://support.microsoft.com/kb/926601

/ Microsoft Visual Studio 2005 Professional Edition - ENU: This Security Update is for Microsoft Visual Studio 2005 Professional Edition - ENU.

If you later install a more recent service pack, this Security Update will be uninstalled automatically.

For more information, visit http://support.microsoft.com/kb/937061

/ Microsoft Visual Studio 2005 Professional Edition - ENU: This Security Update is for Microsoft Visual Studio 2005 Professional Edition - ENU.

If you later install a more recent service pack, this Security Update will be uninstalled automatically.

For more information, visit http://support.microsoft.com/kb/947738

/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2

/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2

/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)

/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)

/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)

/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs

/ Windows / SP1: Microsoft National Language Support Downlevel APIs

/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)

/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)

/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)

/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)

/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)

/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)

/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)

/ Windows XP: Security Update for Windows XP (KB923689)

/ Windows XP: Security Update for Windows XP (KB941569)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)

/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)

/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP

/ Windows XP / SP3: Windows XP Service Pack 3

/ Windows XP / SP4: Security Update for Windows XP (KB938464)

/ Windows XP / SP4: Hotfix for Windows XP (KB944043-v3)

/ Windows XP / SP4: Security Update for Windows XP (KB946648)

/ Windows XP / SP4: Security Update for Windows XP (KB950760)

/ Windows XP / SP4: Security Update for Windows XP (KB950762)

/ Windows XP / SP4: Security Update for Windows XP (KB950974)

/ Windows XP / SP4: Security Update for Windows XP (KB951066)

/ Windows XP / SP4: Update for Windows XP (KB951072-v2)

/ Windows XP / SP4: Security Update for Windows XP (KB951376)

/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)

/ Windows XP / SP4: Security Update for Windows XP (KB951698)

/ Windows XP / SP4: Security Update for Windows XP (KB951748)

/ Windows XP / SP4: Update for Windows XP (KB951978)

/ Windows XP / SP4: Hotfix for Windows XP (KB952287)

/ Windows XP / SP4: Security Update for Windows XP (KB952954)

/ Windows XP / SP4: Security Update for Windows XP (KB953839)

/ Windows XP / SP4: Security Update for Windows XP (KB954211)

/ Windows XP / SP4: Security Update for Windows XP (KB954459)

/ Windows XP / SP4: Security Update for Windows XP (KB955069)

/ Windows XP / SP4: Security Update for Windows XP (KB956391)

/ Windows XP / SP4: Security Update for Windows XP (KB956803)

/ Windows XP / SP4: Security Update for Windows XP (KB956841)

/ Windows XP / SP4: Security Update for Windows XP (KB957095)

/ Windows XP / SP4: Security Update for Windows XP (KB957097)

/ Windows XP / SP4: Security Update for Windows XP (KB958644)

/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0

--- Startup entries list ---

Located: HK_LM:Run, Adobe Reader Speed Launcher

command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

size: 39792

MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, ATIPTA

command: "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

size: 344064

MD5: 8756D853A97FB6DD2A1571D7DF4F1146

Located: HK_LM:Run, ccApp

command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe

size: 115560

MD5: BF8EB12E412E02CD3C42CCF663324C5A

Located: HK_LM:Run, COEMsgDisplay

command: c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

file: c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

size: 26624

MD5: 6C96B7D32DC5D84A4EFACA63A259CAB6

Located: HK_LM:Run, Communicator

command: "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey

file: C:\Program Files\Microsoft Office Communicator\communicator.exe

size: 5720072

MD5: 834E4F1038FB0145D559C775E0EEEA8B

Located: HK_LM:Run, Corel Photo Downloader

command: "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup

file: C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

size: 531272

MD5: C9D4451B13578840134FB9F2A23F0A86

Located: HK_LM:Run, GetIT

command: "C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe"

file: C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe

size: 286720

MD5: B1AA54916858F0186FC0D175FD6C41B9

Located: HK_LM:Run, hpWirelessAssistant

command: C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

file: C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

size: 507904

MD5: 2DF07BC576F814D9122F338EAD4B4220

Located: HK_LM:Run, IDA

command: c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

file: c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

size: 176128

MD5: 24C6CA88F49012E7AC34AE02A350F2F1

Located: HK_LM:Run, iTunesHelper

command: "C:\Program Files\iTunes\iTunesHelper.exe"

file: C:\Program Files\iTunes\iTunesHelper.exe

size: 267048

MD5: 04A9F0C58B170F30445BCC0683EF9FFC

Located: HK_LM:Run, liyuwuviho

command: Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s

file: C:\WINDOWS\system32\nesilifo.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: HK_LM:Run, QuickPassword

command: C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

file: C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

size: 225280

MD5: 5F824265FFFF698E8AB5B5BC841602DE

Located: HK_LM:Run, QuickTime Task

command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime

file: C:\Program Files\QuickTime\QTTask.exe

size: 413696

MD5: 6CD5C3276C83F72677D647F27EE14ABD

Located: HK_LM:Run, SunJavaUpdateSched

command: "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

file: C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

size: 132496

MD5: D4F0F7437327DBAA264338BAAFB5E5AF

Located: HK_LM:Run, TkBellExe

command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe

size: 185896

MD5: 89D583FC41D48328128A974C25AFAEB7

Located: HK_LM:Run, T-Mobile Connection Manager

command: "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a

file: C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe

size: 18968

MD5: EB620DC31EE482EB24DC7CD4985C83E0

Located: HK_LM:Run, Windows Defender

command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide

file: C:\Program Files\Windows Defender\MSASCui.exe

size: 866584

MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC

Located: HK_LM:RunOnce, Malwarebytes' Anti-Malware

command: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

file: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

size: 399504

MD5: 7D45E5C4D5F76DA84DD04EDE6C5C109B

Located: HK_CU:Run, swg

where: PE_C_HPADMIN...

command: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: HK_CU:Run, liyuwuviho

where: S-1-5-19...

command: Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s

file: C:\WINDOWS\system32\nesilifo.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: HK_CU:Run, liyuwuviho

where: S-1-5-20...

command: Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s

file: C:\WINDOWS\system32\nesilifo.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe

where: S-1-5-21-839522115-1383384898-515967899-1351697...

command: C:\WINDOWS\system32\ctfmon.exe

file: C:\WINDOWS\system32\ctfmon.exe

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, HP Virtual Rooms

where: S-1-5-21-839522115-1383384898-515967899-1351697...

command: C:\PROGRA~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE

file: C:\PROGRA~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE

size: 10294616

MD5: 3351F5D89615619FAA125BF9BCE19B8C

Located: HK_CU:Run, MSMSGS

where: S-1-5-21-839522115-1383384898-515967899-1351697...

command: "C:\Program Files\Messenger\msmsgs.exe" /background

file: C:\Program Files\Messenger\msmsgs.exe

size: 1695232

MD5: 3E930C641079443D4DE036167A69CAA2

Located: HK_CU:Run, swg

where: S-1-5-21-839522115-1383384898-515967899-1351697...

command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

size: 68856

MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:RunOnce, FlashPlayerUpdate

where: S-1-5-21-839522115-1383384898-515967899-1351697...

command: C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p

file: C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe

size: 218496

MD5: 8F9BDC7695F4DAAE45DBF23BE59BE0C8

Located: Startup (common), Adobe Gamma Loader.lnk

where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...

command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

size: 113664

MD5: C2FF17734176CD15221C10044EF0BA1A

Located: Startup (common), Sonic CinePlayer Quick Launch.lnk

where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...

command: C:\Program Files\Common Files\Sonic Shared\CineTray.exe

file: C:\Program Files\Common Files\Sonic Shared\CineTray.exe

size: 114688

MD5: BA0B29A846FC42ABAE57945F7BA76901

Located: Startup (common), Windows Desktop Search.lnk

where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...

command: C:\Program Files\Windows Desktop Search\WindowsSearch.exe

file: C:\Program Files\Windows Desktop Search\WindowsSearch.exe

size: 118784

MD5: 946467B375D696FA073A6B9370A4C6CE

Located: Startup (common), WinZip Quick Pick.lnk

where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...

command: C:\Program Files\Windows Desktop Search\WindowsSearch.exe

file: C:\Program Files\Windows Desktop Search\WindowsSearch.exe

size: 118784

MD5: 946467B375D696FA073A6B9370A4C6CE

Located: Startup (user), SDK Tray Menu.lnk

where: C:\Documents and Settings\unpingco\Start Menu\Programs\Startup...

command: C:\Sun\SDK\jdk\bin\javaw.exe

file: C:\Sun\SDK\jdk\bin\javaw.exe

size: 135168

MD5: 80D62C1F4C24794FF54CFE2F98BB307E

Located: WinLogon, AtiExtEvent

command: Ati2evxx.dll

file: Ati2evxx.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, crypt32chain

command: crypt32.dll

file: crypt32.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, cryptnet

command: cryptnet.dll

file: cryptnet.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, cscdll

command: cscdll.dll

file: cscdll.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, ScCertProp

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, Schedule

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, sclgntfy

command: sclgntfy.dll

file: sclgntfy.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, SensLogn

command: WlNotify.dll

file: WlNotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, termsrv

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, WgaLogon

command: WgaLogon.dll

file: WgaLogon.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, wlballoon

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

--- Browser helper object list ---

{02478D38-C3F9-4efb-9B51-7695ECA05670} ()

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name:

description: Yahoo Companion!

classification: Legitimate

known filename: Ycomp*_*_*_*.dll

info link: http://companion.yahoo.com/

info source: TonyKlein

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Adobe PDF Reader Link Helper

description: Adobe Acrobat reader

classification: Legitimate

known filename: AcroIEhelper.ocx, AcroIEhelper.dll

info link: http://www.adobe.com/products/acrobat/readstep2.html

info source: TonyKlein

Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\

Long name: AcroIEHelper.dll

Short name: ACROIE~1.DLL

Date (created): 2/15/2008 5:54:16 PM

Date (last access): 11/29/2008 12:45:32 PM

Date (last write): 2/15/2008 5:54:16 PM

Filesize: 62080

Attributes: archive

MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A

CRC32: E388508F

Version: 8.0.0.456

{3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: RealPlayer Download and Record Plugin for Internet Explorer

Path: C:\Program Files\Real\RealPlayer\

Long name: rpbrowserrecordplugin.dll

Short name: RPBROW~1.DLL

Date (created): 1/3/2008 4:35:16 PM

Date (last access): 11/29/2008 1:29:42 PM

Date (last write): 1/18/2008 1:01:42 PM

Filesize: 370296

Attributes: archive

MD5: 6E032715A135D156645D0548B90FEC6D

CRC32: 51F09C16

Version: 1.0.1.45

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Spybot-S&D IE Protection

description: Spybot-S&D IE Browser plugin

classification: Legitimate

known filename: SDhelper.dll

info link: http://spybot.eon.net.au/

info source: Patrick M. Kolla

Path: C:\PROGRA~1\SPYBOT~1\

Long name: SDHelper.dll

Short name:

Date (created): 8/30/2008 9:24:56 PM

Date (last access): 11/29/2008 3:23:42 PM

Date (last write): 9/15/2008 2:25:44 PM

Filesize: 1562960

Attributes: readonly hidden sysfile archive

MD5: 35F73F1936BDE91F1B6995510A61E7A8

CRC32: BE6A5D15

Version: 1.6.2.14

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Yahoo! IE Services Button

Path: C:\Program Files\Yahoo!\Common\

Long name: yiesrvc.dll

Short name:

Date (created): 12/12/2007 2:09:42 PM

Date (last access): 11/29/2008 1:52:16 PM

Date (last write): 12/12/2007 2:09:42 PM

Filesize: 222448

Attributes: archive

MD5: BBDE3B4ACB928F30A35DBA4DD11564E1

CRC32: F07520BB

Version: 2007.12.12.1

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: SSVHelper Class

Path: C:\Program Files\Java\jre1.6.0_03\bin\

Long name: ssv.dll

Short name:

Date (created): 1/8/2008 12:33:46 PM

Date (last access): 11/29/2008 1:02:08 PM

Date (last write): 9/25/2007 1:11:34 AM

Filesize: 501136

Attributes: archive

MD5: D787E3123FAD2BD58AB45B9A5C360ACD

CRC32: DDC625C2

Version: 6.0.30.5

{7c65880c-643b-4724-890f-4d191275a79e} ()

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name:

Path: C:\WINDOWS\system32\

Long name: vupowose.dll

Short name:

Date (created): 8/28/2008 12:10:40 PM

Date (last access): 11/29/2008 2:35:12 PM

Date (last write): 8/28/2008 12:10:40 PM

Filesize: 61952

Attributes: hidden sysfile archive

MD5: 240C379881BCB5A96B32809DF51314C7

CRC32: 3E734432

Version: 9.0.0.3250

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Google Toolbar Helper

description: Google toolbar

classification: Open for discussion

known filename: googletoolbar.dll, googletoolbar*.dll (* = number), googletoolbar_en_*.**-big.dll, Googletoolbar_en_*.*.**-deleon.dll

info link: http://toolbar.google.com/

info source: TonyKlein

Path: c:\program files\google\

Long name: GoogleToolbar1.dll

Short name: GOOGLE~1.DLL

Date (created): 1/3/2008 4:34:06 PM

Date (last access): 11/29/2008 12:11:44 PM

Date (last write): 1/3/2008 4:34:06 PM

Filesize: 2403392

Attributes: readonly archive

MD5: 6319F2D4708DBCAE37CFA03DA10782C0

CRC32: D51D8296

Version: 4.0.1601.4978

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Google Toolbar Notifier BHO

Path: C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\

Long name: swg.dll

Short name:

Date (created): 9/9/2008 9:27:54 PM

Date (last access): 11/29/2008 12:51:26 PM

Date (last write): 9/9/2008 9:27:56 PM

Filesize: 737776

Attributes: archive

MD5: AB32387A8F8C696A0739768B6B913714

CRC32: F4E76414

Version: 3.1.807.1746

{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: McAfee SiteAdvisor BHO

Path: c:\PROGRA~1\mcafee\SITEAD~1\

Long name: McIEPlg.dll

Short name:

Date (created): 7/31/2008 10:16:54 AM

Date (last access): 11/29/2008 1:05:44 PM

Date (last write): 9/30/2008 12:05:24 PM

Filesize: 145424

Attributes: archive

MD5: 1B23DA47D1A3CB73B3909E320C1671D8

CRC32: EA0E7DA3

Version: 1.0.1.203

--- ActiveX list ---

Microsoft XML Parser for Java (Microsoft XML Parser for Java)

DPF name: Microsoft XML Parser for Java

CLSID name:

Installer:

Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab

description:

classification: Legitimate

known filename: %WINDIR%\Java\classes\xmldso.cab

info link:

info source: Patrick M. Kolla

{00000014-9593-4264-8B29-930B3E4EDCCD} ()

DPF name:

CLSID name:

Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf

Codebase: https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab

{00000021-9593-4264-8B29-930B3E4EDCCD} ()

DPF name:

CLSID name:

Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf

Codebase: https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall21.cab

{00000030-9593-4264-8B29-930B3E4EDCCD} ()

DPF name:

CLSID name:

Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf

Codebase: https://test.rooms.hp.com/vRoom_Cab/WebHPVCInstall30.cab

{00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class)

DPF name:

CLSID name: HPVirtualRooms32 Class

Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf

Codebase: https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab

Path: C:\WINDOWS\Downloaded Program Files\

Long name: HPVirtualRooms32.dll

Short name: HPVIRT~4.DLL

Date (created): 1/23/2008 12:49:12 PM

Date (last access): 11/29/2008 2:19:28 PM

Date (last write): 1/23/2008 12:49:12 PM

Filesize: 409600

Attributes: archive

MD5: 6AB718E5A04B1FF4A93008DC580AB205

CRC32: DD343A82

Version: 1.0.0.100

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)

DPF name:

CLSID name: Shockwave ActiveX Control

Installer: C:\WINDOWS\Downloaded Program Files\swdir.inf

Codebase: http://fpdownload.macromedia.com/get/shock...director/sw.cab

description: Macromedia ShockWave Flash Player 7

classification: Legitimate

known filename: SWDIR.DLL

info link:

info source: Patrick M. Kolla

Path: C:\WINDOWS\system32\macromed\Director\

Long name: swdir.dll

Short name:

Date (created): 3/14/2008 10:40:48 AM

Date (last access): 11/29/2008 3:00:50 PM

Date (last write): 1/7/2008 10:26:46 AM

Filesize: 181672

Attributes: archive

MD5: B9360F674059276D5D3E8420216F8191

CRC32: B7DC4223

Version: 10.3.0.24

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)

DPF name:

CLSID name: Windows Genuine Advantage Validation Tool

Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf

Codebase: http://download.microsoft.com/download/8/b...heckControl.cab

description:

classification: Legitimate

known filename: LegitCheckControl.DLL

info link:

info source: Safer Networking Ltd.

Path: C:\WINDOWS\system32\

Long name: LegitCheckControl.dll

Short name: LEGITC~1.DLL

Date (created): 5/17/2006 2:23:38 AM

Date (last access): 11/29/2008 2:40:42 PM

Date (last write): 9/5/2008 10:30:06 PM

Filesize: 1480232

Attributes: archive

MD5: D0E44C9C8BD85350828458EAD715BD30

CRC32: 1F5F2366

Version: 1.8.31.9

{1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services)

DPF name:

CLSID name: Hewlett-Packard Online Support Services

Installer: C:\WINDOWS\Downloaded Program Files\HPISDataManager.inf

Codebase: http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB

Path: C:\WINDOWS\Downloaded Program Files\

Long name: HPISDataManager.dll

Short name: HPISDA~1.DLL

Date (created): 1/22/2008 11:41:40 AM

Date (last access): 11/29/2008 2:19:28 PM

Date (last write): 1/22/2008 11:41:40 AM

Filesize: 206208

Attributes: archive

MD5: F8F4BEAAA78B3DAEE48C0F26063864A1

CRC32: 46DAD22F

Version: 1.0.0.24

{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class)

DPF name:

CLSID name: ActiveScan 2.0 Installer Class

Installer: C:\WINDOWS\Downloaded Program Files\as2stubie.inf

Codebase: http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

Path: C:\WINDOWS\Downloaded Program Files\

Long name: as2stubie.dll

Short name: AS2STU~1.DLL

Date (created): 6/30/2008 10:39:58 AM

Date (last access): 11/29/2008 2:19:28 PM

Date (last write): 6/30/2008 10:39:58 AM

Filesize: 128256

Attributes: archive

MD5: BB482DD127289F0FAD474610F5A4C3E3

CRC32: 1CF0CB03

Version: 1.0.0.10

{48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control)

DPF name:

CLSID name: MySpace Uploader Control

Installer: C:\WINDOWS\Downloaded Program Files\MySpaceUploader.inf

Codebase: http://lads.myspace.com/upload/MySpaceUploader1006.cab

Path: C:\WINDOWS\Downloaded Program Files\

Long name: MySpaceUploader.ocx

Short name: MYSPAC~1.OCX

Date (created): 2/1/2008 2:17:04 AM

Date (last access): 11/29/2008 2:19:30 PM

Date (last write): 2/1/2008 2:17:04 AM

Filesize: 2637440

Attributes: archive

MD5: 2245B3CAE09AF148D983F88F62153628

CRC32: A47295FA

Version: 1.0.0.6

{49232000-16E4-426C-A231-62846947304B} (SysData Class)

DPF name:

CLSID name: SysData Class

Installer: C:\WINDOWS\Downloaded Program Files\sysinfo.inf

Codebase: http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab

description:

classification: Legitimate

known filename: SysInfo.dll

info link:

info source: Safer Networking Ltd.

Path: C:\WINDOWS\DOWNLO~1\

Long name: SysInfo.dll

Short name:

Date (created): 5/15/2007 4:33:20 PM

Date (last access): 11/29/2008 2:19:30 PM

Date (last write): 5/15/2007 4:33:20 PM

Filesize: 251448

Attributes: archive

MD5: 55E8A05DDA26E8C455A7730721DCAF60

CRC32: 38BB3B52

Version: 2.4.0.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

DPF name:

CLSID name: WUWebControl Class

Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf

Codebase: http://www.update.microsoft.com/windowsupd...b?1199561706073

description:

classification: Legitimate

known filename: wuweb.dll

info link:

info source: Safer Networking Ltd.

Path: C:\WINDOWS\system32\

Long name: wuweb.dll

Short name:

Date (created): 1/26/2007 2:44:16 AM

Date (last access): 11/29/2008 2:42:08 PM

Date (last write): 7/18/2008 9:09:44 PM

Filesize: 205000

Attributes: archive

MD5: 4889720E56E85E1FE4659039BB5F6E3F

CRC32: EE278BD5

Version: 7.2.6001.784

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

DPF name:

CLSID name: MUWebControl Class

Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf

Codebase: http://update.microsoft.com/microsoftupdat...b?1220563491695

description:

classification: Legitimate

known filename: muweb.dll

info link:

info source: Safer Networking Ltd.

Path: C:\WINDOWS\system32\

Long name: muweb.dll

Short name:

Date (created): 7/30/2007 7:18:34 PM

Date (last access): 11/29/2008 2:41:06 PM

Date (last write): 7/18/2008 9:07:54 PM

Filesize: 210976

Attributes: archive

MD5: 5D5DE96F10C6ACDFBEF06125D0EC5890

CRC32: 8B6B8748

Version: 7.2.6001.784

{6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager)

DPF name:

CLSID name: HP Download Manager

Installer: C:\WINDOWS\Downloaded Program Files\HPDEXAXO.inf

Codebase: https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

Path: C:\WINDOWS\Downloaded Program Files\

Long name: HPDEXAXO.dll

Short name:

Date (created): 10/18/2007 10:04:16 AM

Date (last access): 11/29/2008 2:19:28 PM

Date (last write): 10/18/2007 10:04:16 AM

Filesize: 341296

Attributes: archive

MD5: CDE357CD3FC047F5C7D8B8345B6A42BF

CRC32: 7ABDC22F

Version: 1.0.5.1

{857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control)

DPF name:

CLSID name: HPPKI Control

Installer: C:\WINDOWS\Downloaded Program Files\HPPKI.inf

Codebase: https://digitalbadge.external.hp.com/hp/HPPKI.cab

description:

classification: Open for discussion

known filename: HPPKI.ocx

info link:

info source: Safer Networking Ltd.

Path: C:\WINDOWS\DOWNLO~1\

Long name: HPPKI.ocx

Short name:

Date (created): 11/12/2007 9:06:28 AM

Date (last access): 11/29/2008 2:19:28 PM

Date (last write): 11/12/2007 9:06:28 AM

Filesize: 475136

Attributes: archive

MD5: 742BEF26AC2DE4D4B1567B70C94D60A1

CRC32: 0FE5217F

Version: 1.0.0.12

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_03

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

description: Sun Java

classification: Legitimate

known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll

info link:

info source: Patrick M. Kolla

Path: C:\Program Files\Java\jre1.6.0_03\bin\

Long name: npjpi160_03.dll

Short name: NPJPI1~1.DLL

Date (created): 9/24/2007 11:31:44 PM

Date (last access): 11/29/2008 1:02:08 PM

Date (last write): 9/25/2007 1:11:34 AM

Filesize: 132496

Attributes: archive

MD5: D6A4682A6FF41832A3F1A7AB9AE08199

CRC32: 9080B537

Version: 6.0.30.5

{A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class)

DPF name:

CLSID name: Settings Class

Installer: C:\WINDOWS\Downloaded Program Files\capicom.inf

Codebase: https://digitalbadge.external.hp.com/hp/capicom.cab

description:

classification: Legitimate

known filename: capicom.dll

info link:

info source: Safer Networking Ltd.

Path: C:\WINDOWS\System32\

Long name: capicom.dll

Short name:

Date (created): 1/26/2007 8:18:42 AM

Date (last access): 11/29/2008 2:39:54 PM

Date (last write): 4/11/2007 11:11:20 AM

Filesize: 511328

Attributes: archive

MD5: 9130CCE19B5DB3D2E31F9F789263FC4A

CRC32: 8E32474C

Version: 2.1.0.2

{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)

DPF name: Java Runtime Environment 1.5.0

CLSID name: Java Plug-in 1.5.0_10

Installer:

Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

description:

classification: Legitimate

known filename: npjpi150_10.dll

info link:

info source: Safer Networking Ltd.

Path: C:\Program Files\Java\jre1.5.0_10\bin\

Long name: NPJPI150_10.dll

Short name: NPJPI1~1.DLL

Date (created): 11/9/2006 6:07:34 AM

Date (last access): 11/29/2008 1:01:22 PM

Date (last write): 11/9/2006 6:21:54 AM

Filesize: 75528

Attributes: archive

MD5: 635F4B3A0F1C661B5CEDE628BA85E46B

CRC32: 0C9B7145

Version: 5.0.100.3

{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)

DPF name: Java Runtime Environment 1.5.0

CLSID name: Java Plug-in 1.5.0_15

Installer:

Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

Path: C:\Program Files\Java\jre1.5.0_15\bin\

Long name: NPJPI150_15.dll

Short name: NPJPI1~1.DLL

Date (created): 2/9/2008 2:05:04 AM

Date (last access): 11/29/2008 1:01:44 PM

Date (last write): 2/9/2008 2:19:44 AM

Filesize: 75264

Attributes: archive

MD5: E4868D23B38819DC25A911C750880485

CRC32: E048A7D1

Version: 5.0.150.4

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_03

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

Path: C:\Program Files\Java\jre1.6.0_03\bin\

Long name: npjpi160_03.dll

Short name: NPJPI1~1.DLL

Date (created): 9/24/2007 11:31:44 PM

Date (last access): 11/29/2008 3:23:48 PM

Date (last write): 9/25/2007 1:11:34 AM

Filesize: 132496

Attributes: archive

MD5: D6A4682A6FF41832A3F1A7AB9AE08199

CRC32: 9080B537

Version: 6.0.30.5

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_03

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

description:

classification: Legitimate

known filename: npjpi150_06.dll

info link:

info source: Safer Networking Ltd.

Path: C:\Program Files\Java\jre1.6.0_03\bin\

Long name: npjpi160_03.dll

Short name: NPJPI1~1.DLL

Date (created): 9/24/2007 11:31:44 PM

Date (last access): 11/29/2008 3:23:48 PM

Date (last write): 9/25/2007 1:11:34 AM

Filesize: 132496

Attributes: archive

MD5: D6A4682A6FF41832A3F1A7AB9AE08199

CRC32: 9080B537

Version: 6.0.30.5

{DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class)

DPF name:

CLSID name: AxisMediaControlEmb Class

Installer: C:\WINDOWS\Downloaded Program Files\setup.inf

Codebase: http://66.193.150.85/activex/AMC.cab

description:

classification: Open for discussion

known filename: AxisMediaControlEmb.dll

info link:

info source: Safer Networking Ltd.

Path: C:\Program Files\Axis Communications\AXIS Media Control Embedded\

Long name: AxisMediaControlEmb.dll

Short name: AXISME~1.DLL

Date (created): 8/31/2008 1:02:16 PM

Date (last access): 11/29/2008 11:56:06 AM

Date (last write): 9/2/2005 7:37:30 AM

Filesize: 589824

Attributes: archive

MD5: 8F23C100DCB7FC2960EF25F71A8E42E2

CRC32: 2EFA37F1

Version: 3.32.14.0

--- Process list ---

PID: 0 ( 0) [system]

PID: 888 ( 4) \SystemRoot\System32\smss.exe

size: 50688

PID: 944 ( 888) \??\C:\WINDOWS\system32\csrss.exe

size: 6144

PID: 968 ( 888) \??\C:\WINDOWS\system32\winlogon.exe

size: 507904

PID: 1016 ( 968) C:\WINDOWS\system32\services.exe

size: 108544

MD5: 0E776ED5F7CC9F94299E70461B7B8185

PID: 1028 ( 968) C:\WINDOWS\system32\lsass.exe

size: 13312

MD5: BF2466B3E18E970D8A976FB95FC1CA85

PID: 1184 (1016) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1268 (1016) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1480 (1016) C:\Program Files\Symantec AntiVirus\Smc.exe

size: 2479488

MD5: 848591D563FF6A996B6BCCFCC7FE88BA

PID: 1528 (1016) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1552 (1016) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1588 (1016) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1876 (1016) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

size: 108392

MD5: 673D6DE6D6E9D50CD5E9C78F0C916CB8

PID: 1416 (1016) C:\Program Files\Symantec AntiVirus\Rtvscan.exe

size: 2240944

MD5: 3EF7AA62C2AE7ACF940C316C0158E3D2

PID: 780 (1400) C:\WINDOWS\Explorer.EXE

size: 1033728

MD5: 12896823FB95BFB3DC9B46BCAEDC9923

PID: 728 (1480) C:\Program Files\Symantec AntiVirus\SmcGui.exe

size: 1660288

MD5: A7565C8515EF819284E5B8C9D685401B

PID: 428 ( 728) C:\Program Files\Symantec AntiVirus\SymCorpUI.exe

size: 624048

MD5: CEC5A49E0B04E6927C61648685D34ACC

PID: 3504 (3484) C:\WINDOWS\system32\ctfmon.exe

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

PID: 2756 ( 780) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

size: 4891472

MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855

PID: 4 ( 0) System

PID: 2908 ( 780) C:\Program Files\Internet Explorer\iexplore.exe

size: 635848

MD5: 1F03216084447F990AE797317D0A6E70

PID: 3416 ( 780) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

size: 396288

MD5: C4CA7416A6DF6D95075F81D9E3B41AD1

PID: 2052 (3416) C:\WINDOWS\system32\NOTEPAD.EXE

size: 69120

MD5: 5E28284F9B5F9097640D58A73D38AD4C

PID: 3604 (3484) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

size: 1261200

MD5: AABD7AA2B9EC0D0802002E028F8E9A81

PID: 3304 ( 780) C:\WINDOWS\system32\NOTEPAD.EXE

size: 69120

MD5: 5E28284F9B5F9097640D58A73D38AD4C

PID: 2408 (2756) C:\WINDOWS\hh.exe

size: 10752

MD5: 6BA0A833DCABF3E28622143689E2C92E

--- Browser start & search pages list ---

Spybot - Search & Destroy browser pages report, 11/29/2008 3:23:48 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

C:\WINDOWS\system32\blank.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

http://www.google.com

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

http://www.google.com/ie

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.yahoo.com/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant

http://www.google.com/ie

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@

http://www.google.com/search?q=%s

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

%SystemRoot%\system32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

http://go.microsoft.com/fwlink/?LinkId=54896

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

http://go.microsoft.com/fwlink/?LinkId=69157

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

http://go.microsoft.com/fwlink/?LinkId=69157

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

http://go.microsoft.com/fwlink/?LinkId=54896

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

http://www.google.com/ie

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---

Protocol 0: MSAFD Tcpip [TCP/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [uDP/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider

GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}

Filename: %SystemRoot%\system32\rsvpsp.dll

Description: Microsoft Windows NT/2k/XP RVSP

DB filename: %SystemRoot%\system32\rsvpsp.dll

DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider

GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}

Filename: %SystemRoot%\system32\rsvpsp.dll

Description: Microsoft Windows NT/2k/XP RVSP

DB filename: %SystemRoot%\system32\rsvpsp.dll

DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{194F5AE1-0FA8-4322-8B98-16054A09E6AC}] SEQPACKET 4

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{194F5AE1-0FA8-4322-8B98-16054A09E6AC}] DATAGRAM 4

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{73D9B310-54B3-41B5-A42F-21193AD21572}] SEQPACKET 0

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{73D9B310-54B3-41B5-A42F-21193AD21572}] DATAGRAM 0

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A52FE8B-3467-4DDD-BB9A-0B5FE70B6EBB}] SEQPACKET 3

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A52FE8B-3467-4DDD-BB9A-0B5FE70B6EBB}] DATAGRAM 3

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C86402F7-FD94-40BA-BE9C-59FBD61A7714}] SEQPACKET 1

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C86402F7-FD94-40BA-BE9C-59FBD61A7714}] DATAGRAM 1

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAA2E763-2E14-4800-B60F-ADD1888C41D3}] SEQPACKET 2

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAA2E763-2E14-4800-B60F-ADD1888C41D3}] DATAGRAM 2

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2C7924E0-07A5-4F94-B2E8-79173BD47B95}] SEQPACKET 5

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2C7924E0-07A5-4F94-B2E8-79173BD47B95}] DATAGRAM 5

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AA947764-93F7-46CC-A062-30F0503850C9}] SEQPACKET 6

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AA947764-93F7-46CC-A062-30F0503850C9}] DATAGRAM 6

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip

GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}

Filename: %SystemRoot%\System32\mswsock.dll

Description: Microsoft Windows NT/2k/XP TCP/IP name space provider

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: TCP/IP

Namespace Provider 1: NTDS

GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}

Filename: %SystemRoot%\System32\winrnr.dll

Description: Microsoft Windows NT/2k/XP name space provider

DB filename: %SystemRoot%\system32\winrnr.dll

DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace

GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}

Filename: %SystemRoot%\System32\mswsock.dll

Description: Microsoft Windows NT/2k/XP name space provider

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP

GUID: {B600E6E9-553B-4A19-8696-335E5C896153}

Filename: C:\Program Files\Bonjour\mdnsNSP.dll

Description: Apple Rendezvous protocol

DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll

DB protocol: mdnsNSP

Thanks in advance for your help! It is greatly appreciated.

The situation has gotten worse. Here is the latest HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:29:27 PM, on 12/1/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Smc.exe

C:\Program Files\Symantec AntiVirus\SNAC.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Sun\SDK\lib\appservService.exe

C:\PROGRA~1\HPAVAD~1\avChgSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Remote tools\msraLinkMonitor.exe

C:\WINDOWS\system32\PSIService.exe

C:\Sun\SDK\jdk\bin\java.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Office Communicator\communicator.exe

C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Sonic Shared\CineTray.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Sun\SDK\jdk\bin\javaw.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\CMMON32.EXE

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\SpywareBlaster\spywareblaster.exe

C:\Program Files\SpywareBlaster\spywareblaster.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compaq.com

O15 - Trusted Zone: *.cpqcorp.net

O15 - Trusted Zone: http://*.dcu.org

O15 - Trusted Zone: http://*.dec.com

O15 - Trusted Zone: *.hp.com

O15 - Trusted Zone: http://*.hpe-learning.com

O15 - Trusted Zone: *.hpqcorp.net

O15 - Trusted Zone: *.hpshopping.com

O15 - Trusted Zone: http://*.listen.com

O15 - Trusted Zone: http://*.llnwd.net

O15 - Trusted Zone: *.real.com

O15 - Trusted Zone: http://*.skillport.com

O15 - Trusted Zone: http://*.skillsoft.com

O15 - Trusted Zone: http://*.tandem.com

O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)

O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)

O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)

O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab

O16 - DPF: {00000021-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall21.cab

O16 - DPF: {00000030-9593-4264-8B29-930B3E4EDCCD} - https://test.rooms.hp.com/vRoom_Cab/WebHPVCInstall30.cab

O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab

O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199561706073

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1220563491695

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab

O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge.external.hp.com/hp/capicom.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.193.150.85/activex/AMC.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{AA947764-93F7-46CC-A062-30F0503850C9}: NameServer = 16.110.135.51 16.110.135.52

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\yifiroso.dll

O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe

O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Sun\SDK\lib\appservService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe

O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 16725 bytes

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully

  2. If you don't understand something, stop and ask! Don't keep going on.

  3. Please do not run any other tools or scans whilst I am helping you

  4. Please continue to respond until I give you the "All Clear"

    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy and helpers look for posts with zero replies.

Unfortunately there are far more people needing help than there are helpers.

If you still require help, please do the following.

I will be notified and I will get back to you ASAP.

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.

  • Click Continue at the disclaimer screen.

  • Once it has finished, two logs will open:

    • log.txt will be opened maximized.

    • info.txt will be opened minimized.

  • Please post the contents of both log.txt and info.txt.


Hi Katana:

Thanks for your response. I have a couple of questions. Since I last posted I went to another forum and they helped me clean up my last issue. However, tonight I ran a scan with Spybot S&D and two Trojan.Vundo issues came up again, similar to last time. These were detected by my Symantec Endpoint Protection.

So should I start over again, and then do as you ask, or do I just proceed as you have instructed in your last email?

Thanks in advance for your help.

Regards,

matua105

Download and Run ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper


Hi Katana:

Here is the combofix log:

ComboFix 08-12-11.04 - unpingco 2008-12-11 20:52:50.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.465 [GMT -8:00]

Running from: c:\documents and settings\unpingco\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\unpingco\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

.

((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))

.

2008-12-11 12:25 . 2008-12-11 12:25 <DIR> d-------- c:\windows\LastGood

2008-12-11 04:51 . 2008-12-11 04:51 <DIR> d-------- C:\rsit

2008-12-10 18:12 . 2008-12-11 09:02 <DIR> d-------- c:\program files\RA2HP

2008-12-03 20:46 . 2008-12-03 20:47 <DIR> d-------- c:\program files\SpywareBlaster

2008-12-03 19:57 . 2008-12-03 19:58 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2008-12-03 19:57 . 2008-12-03 19:58 60,800 --a------ c:\windows\system32\S32EVNT1.DLL

2008-12-03 19:57 . 2008-12-03 19:58 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-03 19:57 . 2008-12-03 19:58 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2008-12-03 09:20 . 2008-12-03 09:20 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SACore

2008-12-03 08:51 . 2008-12-03 08:51 249,592 --a------ c:\windows\system32\cssdll32.dll

2008-12-03 08:49 . 2008-12-03 09:59 <DIR> d-------- c:\program files\COMODO

2008-12-03 08:49 . 2008-12-03 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo

2008-12-02 17:04 . 2008-12-02 17:03 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-02 02:38 . 2008-12-02 02:38 221,184 --a------ c:\windows\SnoopFreeUI.exe

2008-12-02 02:38 . 2008-12-02 02:38 90,112 --a------ c:\windows\system32\SnoopFreeSvc.exe

2008-12-02 02:38 . 2008-12-02 02:38 45,056 --a------ c:\windows\SnoopFreeDll.dll

2008-12-02 02:38 . 2008-12-02 02:38 9,472 --a------ c:\windows\system32\drivers\SnopFree.sys

2008-12-02 02:35 . 2008-12-02 02:36 <DIR> d-------- C:\Snoopfree

2008-12-01 11:50 . 2008-12-01 12:04 <DIR> d-------- c:\documents and settings\unpingco\.SunDownloadManager

2008-12-01 11:22 . 2008-12-01 11:22 <DIR> d-------- c:\program files\Gmer

2008-12-01 11:17 . 2008-12-01 16:16 250 --a------ c:\windows\gmer.ini

2008-11-30 16:50 . 2008-11-30 16:50 1,281,506 --a------ C:\Sym_LoadPointDiag.zip

2008-11-30 16:43 . 2008-11-30 16:50 <DIR> d-------- C:\Sym_LoadPointDiag

2008-11-30 15:11 . 2008-11-30 15:11 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll

2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d-------- c:\windows\ERUNT

2008-11-30 01:26 . 2008-11-30 01:26 0 --a------ C:\AVScript26.js

2008-11-29 12:06 . 2008-11-29 12:06 <DIR> d-------- c:\program files\Panda Security

2008-11-29 12:06 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-13 17:19 . 2008-11-13 17:19 1,138,869 --a------ C:\ESUGLPDU_2.01.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-12 04:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-12-05 17:23 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-04 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-04 05:01 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-04 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-04 04:01 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-12-04 03:58 --------- d-----w c:\program files\Symantec

2008-12-03 17:06 --------- d-----w c:\program files\McAfee

2008-12-03 16:59 --------- d-----w c:\program files\symantec antivirus

2008-12-03 01:03 --------- d-----w c:\program files\Java

2008-12-02 00:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-11-26 06:22 --------- d-----w c:\program files\LimeWire

2008-11-26 06:21 --------- d-----w c:\documents and settings\unpingco\Application Data\LimeWire

2008-11-18 16:14 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-11-03 20:58 --------- d-----w c:\documents and settings\unpingco\Application Data\FileZilla

2008-11-02 04:24 --------- d-----w c:\program files\QuickTime

2008-11-02 04:23 --------- d-----w c:\program files\Common Files\Apple

2008-11-02 04:08 --------- d-----w c:\program files\Bonjour

2008-10-29 21:29 --------- d-----w c:\program files\FileZilla FTP Client

2008-10-29 21:28 3,696,811 ----a-w c:\program files\FileZilla_3.1.5_win32-setup.exe

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-22 13:21 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 14:36 --------- d-----w c:\program files\HPAVAdminScan

2008-10-14 15:54 --------- d-----w c:\documents and settings\unpingco\Application Data\Apple Computer

2008-10-14 15:51 349,880 ----a-w c:\windows\adminScanInstall.EXE

2008-10-07 15:01 3,659,444 ----a-w c:\program files\FileZilla_3.1.3.1_win32-setup.exe

2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-02 23:38 3,648,871 ----a-w c:\program files\FileZilla_3.1.2_win32-setup.exe

2008-09-02 15:52 380,416 ----a-w c:\program files\CommunicatorPoliciesDocumentation.msi

2008-08-26 19:01 5,249,122 ----a-w c:\program files\FileZilla_3.1.1.1_win32.zip

2008-06-06 19:37 31,356,640 ----a-w c:\documents and settings\unpingco\symcdefsi32.exe

2008-03-07 23:31 260,608 ----a-w c:\program files\WordMailSupport.msi

2007-04-02 10:46 13,248 ----a-w c:\windows\system32\config\systemprofile\createprof.vbs

2007-04-02 10:46 13,248 ----a-w c:\documents and settings\hpadmin\createprof.vbs

2007-04-02 10:46 13,248 ----a-w c:\documents and settings\Default User\createprof.vbs

2007-02-23 14:43 851 ----a-w c:\windows\system32\config\systemprofile\enablecoe.vbs

2007-02-23 14:43 851 ----a-w c:\documents and settings\hpadmin\enablecoe.vbs

2006-10-28 05:06 2,480 ----a-w c:\program files\README.HTM

2008-02-01 19:05 88 --sh--r c:\windows\system32\9999CCE4CD.sys

2008-02-01 19:05 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-04 16:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-09 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"HP Virtual Rooms"="c:\progra~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE" [2008-02-24 10294616]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624]

"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280]

"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 344064]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-18 185896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-15 39792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"T-Mobile Connection Manager"="c:\program files\T-Mobile\Connection Manager\TMobileCM.exe" [2007-07-23 18968]

"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-08-19 5720072]

"GetIT"="c:\program files\Hewlett-Packard\GetIT\GetIT.exe" [2007-12-03 286720]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]

"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]

"SnoopFreeUI"="SnoopFreeUI.exe" [2008-12-02 c:\windows\SnoopFreeUI.exe]

c:\documents and settings\unpingco\Start Menu\Programs\Startup\

SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2008-01-09 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-05 113664]

Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 114688]

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadTray.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Hewlett-Packard\\PC COE\\Ida.exe"=

"c:\\Program Files\\ActivCard\\ActivCard Gold\\agutils.exe"=

"c:\\Program Files\\ActivCard\\ActivCard Initialization Utility\\ResetUtil.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

"c:\\Program Files\\Hewlett-Packard\\PC COE\\AboutCOE.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-29 28544]

R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [2007-06-26 53248]

R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [2004-05-12 143360]

R2 AppServer9PE;SunJavaSystemAppserver9PE;c:\sun\SDK\lib\appservService.exe "\"c:\sun\SDK\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\sun\SDK\bin\asadmin.bat\" stop-domain domain1\" []

R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [2008-10-07 238080]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-07-31 206096]

R2 radexecd;HP OVCM Notify Daemon;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe" [2007-02-20 270510]

R2 radsched;HP OVCM Scheduler Daemon;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe" [2007-03-22 172205]

R2 Radstgms;HP OVCM MSI Redirector;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe" [2008-07-03 315570]

R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\DRIVERS\akbus.sys [2007-01-26 13619]

R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akpcsc.sys [2007-01-26 9493]

R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\DRIVERS\aksbus.sys [2007-04-06 13647]

R3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2007-06-28 27008]

R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akspcsc.sys [2007-06-28 10161]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-03 99376]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-08-23 231424]

R3 RadiaMsi;RadiaMsi;c:\windows\system32\DRIVERS\radiamsi.sys [2007-08-03 23424]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-01-03 114016]

S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-07-08 23888]

S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe []

S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-02 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]

"c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"

.

Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job

- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2008-12-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job

- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2008-12-11 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2008-12-12 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job

- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 00:27]

2008-12-12 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job

- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe

IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe -

Trusted Zone: *.cpqcorp.net

Trusted Zone: *.hp.com

Trusted Zone: *.hpqcorp.net

Trusted Zone: *.hpshopping.com

Trusted Zone: *.real.com

TCP: {AA947764-93F7-46CC-A062-30F0503850C9} = 16.110.135.51 16.110.135.52

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://66.193.150.85/activex/AMC.cab

c:\windows\Downloaded Program Files\setup.inf

FF - ProfilePath - c:\documents and settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll

FF - plugin: c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-11 20:59:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\accsp.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acpinto.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll

c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll

c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll

c:\windows\system32\acgnd.dll

c:\program files\ActivCard\ActivCard Gold\resources\acgndrc.dll

- - - - - - - > 'lsass.exe'(1096)

c:\program files\Bonjour\mdnsNSP.dll

.

Completion time: 2008-12-11 21:03:22

ComboFix-quarantined-files.txt 2008-12-12 05:02:04

ComboFix2.txt 2008-12-02 20:44:33

Pre-Run: 23,258,411,008 bytes free

Post-Run: 23,417,651,200 bytes free

272 --- E O F --- 2008-12-04 04:13:05


OTMoveIt

Please download OTMoveIt3 by OldTimer and save it to your desktop

  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
explorer
:Services
:Reg
[-hkey_classes_root\sep.av.scandlgs]
[-hkey_local_machine\software\classes\sep.av.scandlgs]
:Files
c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
:Commands
[Purity]
[EmptyTemp]
[start Explorer]
  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Close ALL open windows (especially Internet Explorer!)
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Kaspersky Online Scanner .

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal

NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin

Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Read the Requirements and limitations before you click Accept.

Once the database has downloaded, click My Computer in the left pane

Now go and put the kettle on !

When the scan has completed, click Save Report As...

Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)

Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • C:\Qoobox\Combofix2.txt
  • OTMI Log
  • Kaspersky Log
  • How are things running now, any problems still ?


Don't worry, just run the Kaspersky scan :)

Hi Katana. Here is the Kaspersky scan report

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Saturday, December 13, 2008

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, December 13, 2008 17:01:50

Records in database: 1458249

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Y:\

Scan statistics:

Files scanned: 232865

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 00:06:54

No malware has been detected. The scan area is clean.

The selected area was scanned.


Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)

You can also delete any logs we have produced, and empty your Recycle bin.

  • Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Open OTMoveIt Click Cleanup,

it will now connect to the internet and get a list of files to delete.

When a box pops up click YES.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners

I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan

http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html

!!! Make sure that all your programs are updated !!!

Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites

  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition

  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.

      5. Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.

  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential

  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.
    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use

  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.

If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.

Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :)

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
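The hosts-file point in the AntiSpyware section of the post above (an entry that maps a site name to a loopback address blocks that site, and the same mechanism is what malware abuses to cut a machine off from its update servers) as an added example; this is not code from the thread or from any of the tools it names. The watch list of vendor domains and the sample hosts file are constructed for the example.

```python
"""Audit a Windows-style hosts file.

Entries that send a name to a loopback/unspecified address are blocks (what
Spybot's hosts protection or the MVPS HOSTS list installs). Entries that send
a security-vendor or update domain anywhere at all, including loopback, are
the classic hijack and get flagged. Added example; the sample file and the
watch list are constructed, not taken from the machine in the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed watch list for the example, not an authoritative set.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "symantec.com",
    "kaspersky.com",
    "malwarebytes.org",
    "safer-networking.org",  # Spybot's update host
)

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse '<address> <name> [<alias> ...]' lines; '#' starts a comment."""
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed; Windows ignores such lines, so do we
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append(HostsEntry(parts[0], name.lower(), line_no))
    return entries


def classify(entry: HostsEntry) -> str:
    """'hijack' for a watched name sent anywhere, 'block' for other names
    sent to a sinkhole address, 'mapping' for ordinary entries."""
    watched = any(
        entry.hostname == s or entry.hostname.endswith("." + s)
        for s in WATCHED_SUFFIXES
    )
    if watched:
        return "hijack"
    if entry.address in SINKHOLE_ADDRESSES and entry.hostname not in LOCAL_NAMES:
        return "block"
    return "mapping"


def audit_hosts(text: str) -> dict[str, list[HostsEntry]]:
    report: dict[str, list[HostsEntry]] = {"hijack": [], "block": [], "mapping": []}
    for entry in parse_hosts(text):
        report[classify(entry)].append(entry)
    return report


# Constructed sample: the stock localhost line, two ad-blocking lines of the
# kind a hosts list installs, a LAN mapping, and two malware-style hijacks.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.net    # blocked by hosts list
0.0.0.0         counter.example-stats.com
192.168.1.20    fileserver
0.0.0.0         www.symantec.com           # vendor site sinkholed: hijack
203.0.113.9     liveupdate.symantec.com    # update host redirected: hijack
"""

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for e in entries:
            print(f"{kind:8} line {e.line_no}: {e.hostname} -> {e.address}")
```

On a real machine point `audit_hosts` at the contents of `%SystemRoot%\System32\drivers\etc\hosts`; anything in the `hijack` list is worth looking at before anything in the `block` list, because a vendor domain pointed at loopback disables updates just as effectively as one pointed at an outside host.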
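An added check for the six Internet Explorer zone settings listed in the post above (example code, not from the thread): it compares the current user's Internet zone values against the Prompt/Disable settings recommended there. The registry value names 1001, 1004, 1201, 1800, 1804 and 1607 are IE's standard URL-action IDs for those settings and the policy codes 0/1/3 mean Enable/Prompt/Disable; neither is stated in the post. The sample zone snapshot is constructed, and the live registry read only works on Windows.

```python
"""Audit IE's Internet zone (zone 3) against the settings recommended above.

IE stores each Custom Level setting as a REG_DWORD under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3,
named by its URL-action ID, with 0 = Enable, 1 = Prompt, 3 = Disable.
Added example; the value-name table is IE's standard URLACTION set and the
sample snapshot below is constructed, not read from the machine in the thread.
"""
from __future__ import annotations

import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3
POLICY_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Setting as named in the IE dialog -> (registry value name, recommended policy)
RECOMMENDED = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", DISABLE),
    "Initialize and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items": ("1800", PROMPT),
    "Launching programs and files in an IFRAME": ("1804", PROMPT),
    "Navigate sub-frames across different domains": ("1607", PROMPT),
}


def audit_zone(values: dict[str, int]) -> list[tuple[str, str, str]]:
    """Return (setting, current, recommended) for each setting weaker than
    recommended. A lower policy code is more permissive (0 < 1 < 3). A value
    that is absent means IE falls back to its built-in default, reported as
    'unset' so the reader checks it instead of assuming it is safe."""
    findings = []
    for setting, (value_name, wanted) in RECOMMENDED.items():
        current = values.get(value_name)
        if current is None:
            findings.append((setting, "unset", POLICY_NAMES[wanted]))
        elif current < wanted:
            findings.append((setting, POLICY_NAMES.get(current, str(current)),
                             POLICY_NAMES[wanted]))
    return findings


def read_zone_from_registry() -> dict[str, int]:
    """Windows only: read the DWORD values we care about from the zone key."""
    import winreg  # only importable on Windows

    wanted_names = {name for name, _ in RECOMMENDED.values()}
    values: dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            if kind == winreg.REG_DWORD and name in wanted_names:
                values[name] = data
            index += 1
    return values


# Constructed snapshot: three settings already at the recommended level, two
# left at Enable, and 1607 not present at all.
SAMPLE_ZONE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
               "1800": ENABLE, "1804": ENABLE}

if __name__ == "__main__":
    zone = read_zone_from_registry() if sys.platform == "win32" else SAMPLE_ZONE
    findings = audit_zone(zone)
    if not findings:
        print("Internet zone matches the recommended settings")
    for setting, current, wanted in findings:
        print(f"{setting}: {current} (recommended {wanted})")
```

The check reads rather than writes: after changing the settings in the dialog as the post describes, rerun it to confirm the values actually landed in the zone key, which is also where a later hijack of these settings would show up.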

Link to post
Share on other sites

Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)

You can also delete any logs we have produced, and empty your Recycle bin.

  • Uninstall Combofix

  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined

  • Click START then RUN

  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

    • CF_Cleanup.png

Open OTMoveIt Click Cleanup,

it will now connect to the internet and get a list of files to delete.

When a box pops up click YES.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners

I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan

http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html

!!! Make sure that all your programs are updated !!!

Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.

    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.

    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.

    Most of the programs in this list have a free (for Home Users ) and paid versions,

    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.

  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection

    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites

    [*] MalwareBytes Anti-malware <<< A New and effective program

    [*]a-squared Free <<< A good "realtime" or "on demand" scanner

    [*]superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.

    Each does a different job, so you can have more than one

  • Winpatrol
    • An excellent startup manager and then some !!

    • Notifies you if programs are added to startup

    • Allows delayed startup

    • A must have addition

    [*]SpywareBlaster 4.0

    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.

    [*]SpywareGuard 2.2

    • SpywareGuard provides real-time protection against spyware.

    • Not required if you have other "realtime" antispyware or Winpatrol

    [*]ZonedOut

    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.

    [*]MVPS HOSTS

    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

    • For information on how to download and install, please read this tutorial by WinHelp2002.

    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.

    Using a different web browser can help stop malware getting on your machine.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.

      2. Click once on the Security tab

      3. Click once on the Internet icon so it becomes highlighted.

      4. Click once on the Custom Level button.

        • Change the Download signed ActiveX controls to Prompt

        • Change the Download unsigned ActiveX controls to Disable

        • Change the Initialise and script ActiveX controls not marked as safe to Disable

        • Change the Installation of desktop items to Prompt

        • Change the Launching programs and files in an IFRAME to Prompt

        • Change the Navigate sub-frames across different domains to Prompt

        • When all these settings have been made, click on the OK button.

        • If it prompts you as to whether or not you want to save the settings, press the Yes button.

      5. Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.

  • Firefox
    • With many addons available that make customization easy this is a very popular choice

    • NoScript and AdBlockPlus addons are essential

  • Opera

    • Another popular alternative

  • Netscape

    • Another popular alternative

    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.

    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.

    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.

    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.

    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program

  • ATF Cleaner
    • Free and very simple to use

  • CCleaner

    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.

If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.

Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :)

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
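The Custom Level settings in the post are stored as numeric action IDs under the Internet zone (Zone 3) key in the registry. The following PowerShell script is an added example, not part of Katana's post or any tool mentioned in the thread; it audits the current values of exactly the six settings the post changes against the recommended ones and can optionally apply them. It assumes the standard Internet Explorer zone-action IDs (documented by Microsoft) and the value meanings 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example (not from the original thread): audit the Internet zone (Zone 3)
# settings the post walks through, and optionally apply the recommended values.
# Assumption: action IDs are the standard IE zone-action IDs; 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Fix)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> (description, recommended value), mirroring the post's Custom Level steps
$recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                       Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                     Value = 3 }
    '1201' = @{ Name = 'Initialise and script ActiveX controls not marked safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                          Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';              Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';           Value = 1 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction([string]$Id) {
    # A missing value means IE is using its built-in default for that action.
    # Note: a domain policy can move these to HKLM (Security_HKLM_only); this reads HKCU only.
    $item = Get-ItemProperty -Path $zonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

$findings = foreach ($id in $recommended.Keys) {
    $want = $recommended[$id].Value
    $have = Get-ZoneAction $id
    [pscustomobject]@{
        Setting     = $recommended[$id].Name
        Current     = if ($null -eq $have) { '(default)' } else { $labels[$have] }
        Recommended = $labels[$want]
        Compliant   = ($have -eq $want)
    }
    if ($Fix -and $have -ne $want) {
        # Write the DWORD value the Custom Level dialog would write for this action
        Set-ItemProperty -Path $zonePath -Name $id -Value $want -Type DWord
    }
}

$findings | Format-Table -AutoSize
if (-not $Fix -and ($findings | Where-Object { -not $_.Compliant })) {
    Write-Host 'Re-run with -Fix to apply the recommended values (or set them via Tools > Internet Options).'
}
```

Run it without arguments to see which settings differ from the post's recommendations; the `-Fix` switch writes the recommended values for the current user only.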

Hi Katana:

I ran a scan using A2 free 3.5 and I found the following that Kaspersky missed:

a-squared Free - Version 3.5

Last update: 12/14/08 7:36:56 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files

Scan archives: On

Heuristics: On

ADS Scan: On

Scan start: 12/15/08 8:31:44 AM

C:\Documents and Settings\unpingco\Cookies\unpingco@com[1].txt detected: Trace.TrackingCookie.com!A2

C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674129 detected: Trace.TrackingCookie.coremetrics!A2

C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674130 detected: Trace.TrackingCookie.coremetrics!A2

C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674131 detected: Trace.TrackingCookie.coremetrics!A2

C:\Program Files\RA2HP\rasHost.exe detected: Heuristic.Dialer.RAS!A2

C:\Program Files\Remote Tools OTP\MSRATroubleShooter.exe detected: Heuristic.Dialer.RAS!A2

Scanned

Files: 447439

Traces: 550194

Cookies: 1063

Processes: 73

Found

Files: 2

Traces: 0

Cookies: 4

Processes: 0

Registry keys: 0

Scan end: 12/15/08 1:07:12 PM

Scan time: 4:35:28

C:\Program Files\RA2HP\rasHost.exe Deleted Heuristic.Dialer.RAS!A2

C:\Program Files\Remote Tools OTP\MSRATroubleShooter.exe Deleted Heuristic.Dialer.RAS!A2

C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674129 Deleted Trace.TrackingCookie.coremetrics!A2

C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674130 Deleted Trace.TrackingCookie.coremetrics!A2

C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674131 Deleted Trace.TrackingCookie.coremetrics!A2

C:\Documents and Settings\unpingco\Cookies\unpingco@com[1].txt Deleted Trace.TrackingCookie.com!A2

Deleted

Files: 2

Traces: 0

Cookies: 4

I deleted them, and I will scan again later.
