Free Malware Removal Forum

by **michaelbaxter** » January 24th, 2008, 7:07 pm

Hello, I need help with a co-worker's home computer with a Vundo like infection.

OS is WinXP SP1 even though Automatic Updates is/was turned-on.

The computer has/had an up-to-date ISP version of McAfee A/V running.

Ad-Aware has been run until clean. Trend's Housecall was unsuccessfull. Vundofix.exe was also unsuccessful. I booted with a DOS/NTFS capable CD and removed some files...the malware just came back. I'm not even sure what the culprit(s) are exactly. It has been reported as:

Zlob
W32.Trats
AdClicker-FK
Generic Dropper

Thank you

Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:56 PM, on 1/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\System32\ctfmon .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://att.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [483def24] rundll32.exe "C:\WINDOWS\System32\aifpvxno.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: SEAGULL J Walk Java Client 4_0C5-E474 - http://207.228.41.46/jwalk/jwalk/jwalk_ie.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://nnrmls.fnismls.com/Paragon/Codeb ... ontrol.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6523108890
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7168 bytes

by **ndmmxiaomayi** » January 27th, 2008, 4:54 am

Hi,

Please download this tool from Microsoft.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

by **michaelbaxter** » January 27th, 2008, 4:15 pm

Hi ndmmxiaomayi, Thank you for your assistance. Attached is the MGADiag report requested.

Michael Baxter

by **ndmmxiaomayi** » January 27th, 2008, 8:05 pm

Hi,

Do not attach files here. Please post it as a reply.

Thanks.

by **michaelbaxter** » January 27th, 2008, 8:30 pm

Here it is:

Diagnostic Report (1.7.0066.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 55274-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.1.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {7CD10300-C7C8-4D6C-9CCB-B54E9D223F48}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.4.389.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2989-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7CD10300-C7C8-4D6C-9CCB-B54E9D223F48}</UGUID><Version>1.7.0066.0</Version><OS>5.1.2600.2.00010100.1.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>55274-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-823518204-329068152-839522115</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 2400 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A03</Version><SMBIOSVersion major="2" minor="3"/><Date>20030919******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>919E344F01842042</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91CA0409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Small Business Edition 2003</Name><Ver>11</Ver><Val>4D670E42674870A</Val><Hash>C97ss1ximecSzdlQSJm/jka2NqE=</Hash><Pid>70160-OEM-5690125-08579</Pid><PidType>6</PidType></Product></Products></Office></Software></GenuineResults>

by **ndmmxiaomayi** » January 27th, 2008, 10:04 pm

Please download and install CCleaner Slim.
Once installed, double click on the desktop shortcut created.
On the leftmost column, click on Tools.
On the middle column, click on Uninstall.
At the bottom right hand corner, click on the Save to text file... button.
By default, it saves this file to C:\Program Files\CCleaner named install.txt. You may want to save it to your desktop to find it easily. Click Save.
Close CCleaner.

In your next reply, please post:

CCleaner install.txt file
A new HijackThis log

by **michaelbaxter** » January 27th, 2008, 10:41 pm

Hi ndmmxiaomayi, Here is the CCleaner report:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
AT&T Yahoo! Applications
Broadcom 440x 10/100 Integrated Controller
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Dell ResourceCD
Google SketchUp 6
HijackThis 2.0.2
hp instant support
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2170 series
hp psc 2170 series
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 2
Java(TM) 6 Update 3
LimeWire 4.14.10
McAfee SecurityCenter
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Small Business Edition 2003
OMAX Software
OMAX_Layout_and_Make
Puzzle Master 3
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Sony Ericsson Device Data
Sony Ericsson Drivers
Sony Ericsson PC Suite
Spybot - Search & Destroy 1.4
Total 3D Home and Landscape Design Suite
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Vivicam 3330
Vivicam 3340
WebFldrs XP
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
ZipForm Desktop

-END

And here is a fresh hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:53 PM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://att.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [483def24] rundll32.exe "C:\WINDOWS\System32\qaehhfed.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: SEAGULL J Walk Java Client 4_0C5-E474 - http://207.228.41.46/jwalk/jwalk/jwalk_ie.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://nnrmls.fnismls.com/Paragon/Codeb ... ontrol.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6523108890
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7328 bytes

I appreciate your expert help, Michael Baxter

by **ndmmxiaomayi** » January 28th, 2008, 12:45 am

Hi,

Limewire is installed on your computer and I see that it's running. While Limewire is a clean P2P program, there's no guarantee that the files downloaded are. Please refrain from using it while cleaning your computer to prevent getting more infections.

A list of clean and infected P2P programs can be found at Malware Removal and Spyware Info.

The risks of using a P2P program are stated in this Sourceforge website and Information Week article.

Please also read Malware Removal's Guide on P2P Programs.

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer. Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware
Geeks to Go

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

Combofix log (C:\Combofix.txt)
A new HijackThis log

by **michaelbaxter** » January 28th, 2008, 3:54 am

ndmmxiaomayi, Thanks for the info. on Limewire. I didn't know what it was. The computer's owner authorized me to remove anything "bad" and Limewire is gone. I'll put the shortcuts you provided on the desktop before I return it to her.

Combofix ran successfully. Here is the log, however I'm going to snip it since there were a lot of .tmp files in the root and <user>.my documents folders:

ComboFix 08-01-23.1D - Heath Bernard 2008-01-27 21:34:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.80 [GMT -8:00]
Running from: C:\Documents and Settings\Heath Bernard\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\pos1000.tmp
C:\Documents and Settings\Administrator\My Documents\pos1001.tmp
C:\Documents and Settings\Administrator\My Documents\pos1002.tmp
C:\Documents and Settings\Administrator\My Documents\pos1003.tmp
C:\Documents and Settings\Administrator\My Documents\pos1004.tmp
C:\Documents and Settings\Administrator\My Documents\pos1005.tmp

-snip about 16,000 files-

C:\pos10.tmp
C:\pos100.tmp
C:\pos1000.tmp
C:\pos1001.tmp
C:\pos1002.tmp
C:\pos1003.tmp
C:\pos1004.tmp
C:\pos1005.tmp
C:\pos1006.tmp
C:\pos1007.tmp
C:\pos1008.tmp
C:\pos1009.tmp
C:\pos100A.tmp
C:\pos100B.tmp
C:\pos100C.tmp
C:\pos100D.tmp
C:\pos100E.tmp
C:\pos100F.tmp
C:\pos101.tmp
C:\pos1010.tmp
C:\pos1011.tmp

-snip another approx. 16,000 files-

C:\posFFC.tmp
C:\posFFD.tmp
C:\posFFE.tmp
C:\posFFF.tmp
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\ssembl~1\?racle\
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aifpvxno.dll
C:\WINDOWS\system32\aohrwtfv.dll
C:\WINDOWS\system32\cjmzdfwx.dll
C:\WINDOWS\system32\cjmzdfwx.dllbox
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\defhheaq.ini
C:\WINDOWS\system32\dinputf.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\cvamcgxa.dat
C:\WINDOWS\system32\fdypkpav.dll
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\MLJJI.DLL
C:\WINDOWS\system32\onxvpfia.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pipmhmnh.dll
C:\WINDOWS\system32\qaehhfed.dll
C:\WINDOWS\system32\tauokjor.dll
C:\WINDOWS\system32\uklsvgxh.dll
C:\WINDOWS\system32\umdkdmwd.dll
C:\WINDOWS\system32\z1
C:\WINDOWS\system32\z9

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_GQTYOCCQ
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\gqtyoccq

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 21:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 18:32 . 2008-01-27 18:32 <DIR> d-------- C:\Utils
2008-01-20 22:36 . 2008-01-20 22:36 <DIR> d-------- C:\WINDOWS\system32\Logs
2008-01-18 16:15 . 2008-01-18 16:51 <DIR> d-------- C:\VundoFix Backups
2008-01-18 04:04 . 2008-01-18 04:04 117 --a------ C:\WINDOWS\system32\8
2008-01-18 01:54 . 2008-01-18 01:54 0 --------- C:\RQDFUTSY.SAV
2008-01-18 01:41 . 2008-01-18 01:41 0 --------- C:\ZQUARANT
2008-01-15 17:21 . 2008-01-20 14:41 1,061,514 --ahs---- C:\WINDOWS\system32\ystufdqr.ini
2008-01-12 18:32 . 2008-01-27 21:27 3,366 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-12 18:12 . 2008-01-12 18:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 17:47 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-12 17:44 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-12 17:44 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-12 17:44 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-12 17:44 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-12 17:44 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-12 17:44 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-12 17:30 . 2008-01-12 17:31 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-12 17:30 . 2008-01-12 17:47 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-12 17:29 . 2008-01-12 17:48 <DIR> d-------- C:\Program Files\McAfee
2008-01-12 17:21 . 2008-01-12 18:12 <DIR> d-------- C:\Downloaded programs
2008-01-11 19:34 . 2008-01-12 09:58 1,060,736 --ahs---- C:\WINDOWS\system32\opbqhxsg.ini
2008-01-10 21:46 . 2008-01-10 21:46 <DIR> d-------- C:\Program Files\CONEXANT
2008-01-10 21:46 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-01-10 21:46 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-01-10 21:17 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-10 21:17 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-10 21:17 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-10 21:17 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-10 19:21 . 2008-01-11 19:22 1,060,502 --ahs---- C:\WINDOWS\system32\afnayxsr.ini
2008-01-09 17:34 . 2008-01-09 17:35 1,048,981 --ahs---- C:\WINDOWS\system32\xakryxes.ini
2008-01-08 17:34 . 2008-01-08 17:35 1,054,902 --ahs---- C:\WINDOWS\system32\gcnaroaq.ini
2008-01-07 17:35 . 2008-01-07 17:46 1,043,804 --ahs---- C:\WINDOWS\system32\xduwwoyo.ini
2008-01-05 17:38 . 2008-01-05 17:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-05 17:07 . 2008-01-27 18:20 13,312 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-05 11:33 . 2008-01-12 09:08 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-05 11:33 . 2008-01-12 09:08 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-05 10:33 . 2008-01-12 21:52 481 --a------ C:\WINDOWS\wininit.ini
2008-01-05 09:19 . 2008-01-06 10:17 <DIR> d-------- C:\WINDOWS\system32\mr9
2008-01-05 09:19 . 2008-01-13 11:07 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-05 09:19 . 2008-01-06 10:17 <DIR> d-------- C:\WINDOWS\system32\aj2
2008-01-05 09:19 . 2008-01-17 13:20 <DIR> d--hs---- C:\WINDOWS\SGVhdGggQmVybmFyZA
2008-01-05 09:19 . 2008-01-05 09:19 <DIR> d-------- C:\Temp\cEeer12
2008-01-05 09:14 . 2008-01-05 09:14 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 05:35 --------- d-----w C:\Program Files\QuickTime
2008-01-13 19:21 --------- d-----w C:\Program Files\ZipForm Desktop
2008-01-13 01:28 --------- d-----w C:\Program Files\Yahoo!
2008-01-13 01:28 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-06 01:21 --------- d-----w C:\Program Files\ATT
2008-01-06 01:20 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-06 01:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 00:58 --------- d-----w C:\Program Files\BroadJump
2007-12-28 04:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-27 04:54 --------- d-----w C:\Program Files\Google
2007-12-27 04:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-23 23:24 --------- d-----w C:\Program Files\Java
.

Code: Select all

<pre>
----a-w           132,496 2008-01-12 17:09:17  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           282,624 2008-01-13 06:56:22  C:\Program Files\QuickTime\qttask        .exe
----a-w           282,624 2008-01-13 06:56:22  C:\Program Files\QuickTime\qttask       .exe
----a-w           282,624 2008-01-13 06:56:22  C:\Program Files\QuickTime\qttask      .exe
----a-w           282,624 2008-01-13 06:56:22  C:\Program Files\QuickTime\qttask     .exe
----a-w           282,624 2008-01-13 06:56:23  C:\Program Files\QuickTime\qttask    .exe
----a-w           282,624 2008-01-13 06:56:23  C:\Program Files\QuickTime\qttask   .exe
----a-w           282,624 2008-01-13 06:56:23  C:\Program Files\QuickTime\qttask  .exe
----a-w           282,624 2008-01-13 06:56:23  C:\Program Files\QuickTime\qttask .exe
----a-w           528,384 2008-01-12 17:09:15  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
----a-w           129,536 2008-01-12 17:08:58  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w         4,662,776 2008-01-11 03:18:34  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w           407,032 2008-01-12 17:09:10  C:\Program Files\Yahoo!\YOP\yop .exe
----a-w            13,312 2008-01-28 02:20:45  C:\WINDOWS\system32\ctfmon .exe
----a-w           114,688 2008-01-12 17:08:55  C:\WINDOWS\system32\hkcmd .exe
----a-w           155,648 2008-01-12 17:08:53  C:\WINDOWS\system32\igfxtray .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8449e388-7274-4ec3-bc0a-00672fe4e715}]
C:\WINDOWS\System32\fdypkpav.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4A02E7A-A42E-484A-894D-2656C7C5445B}]
C:\WINDOWS\System32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5B7120C-5523-4530-8610-059C3AF31397}]
C:\WINDOWS\System32\dinputf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-03 11:35 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"483def24"="C:\WINDOWS\System32\qaehhfed.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2002-09-03 11:34 375808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 17:41:38 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cjmzdfwx]
cjmzdfwx.dll

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 14:59]
S0 gqtyoccq;gqtyoccq;C:\WINDOWS\System32\drivers\cvamcgxa.da_ []

.
Contents of the 'Scheduled Tasks' folder
"2006-04-14 05:15:13 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1137011108.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-13 02:22:56 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-13 02:22:56 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 23:08:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 23:15:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 07:14:59
.
2008-01-27 18:42:14 --- E O F ---

Here is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:33 PM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://att.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: SEAGULL J Walk Java Client 4_0C5-E474 - http://207.228.41.46/jwalk/jwalk/jwalk_ie.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://nnrmls.fnismls.com/Paragon/Codeb ... ontrol.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6523108890
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7495 bytes

Thanks, Michael Baxter

by **ndmmxiaomayi** » January 28th, 2008, 5:52 am

Hi,

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

by **michaelbaxter** » January 28th, 2008, 1:35 pm

Good morning ndmmxiaomayi, Below is the CF-RC log. The computer is running:

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

-END-

Michael Baxter

by **ndmmxiaomayi** » January 28th, 2008, 9:36 pm

Hi,

Please restart your computer.

After restarting your computer, please do the following:

Open Notepad and copy and paste the following in the Code box into Notepad:

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000

Click on File > Save As....

In the File Name field, copy and paste in WFPFix.reg

In the Save As Type field, select All Files from the drop-down list.

Click Save.

Double click on WFPFix.reg. Windows will prompt you to merge this file with the registry. Click Yes.

Please go to Virus Total or Jotti and upload C:\WINDOWS\system32\drivers\MODEMCSA.sys for scanning.

For Virus Total

Please copy and paste C:\WINDOWS\system32\drivers\MODEMCSA.sys in the text box next to the Browse button.
Click on Send File.

For Jotti

Please copy and paste C:\WINDOWS\system32\drivers\MODEMCSA.sys in the text box next to the Browse button.
Click on Submit.

Repeat for these files:

C:\WINDOWS\system32\dllcache\modemcsa.sys
C:\WINDOWS\system32\wucltui.dll.mui
C:\WINDOWS\system32\wuaucpl.cpl.mui
C:\WINDOWS\system32\wuapi.dll.mui
C:\WINDOWS\system32\wuaueng.dll.mui

Please post back the scan results of these files.

by **michaelbaxter** » January 29th, 2008, 12:01 am

Hi ndmmxiaomayi, I added/mod'd the key you requested in the regsitry. Here are the file scanning results:

For C:\WINDOWS\system32\drivers\MODEMCSA.sys:

File MODEMCSA.sys received on 01.29.2008 03:50:56 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 47 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.29.10 2008.01.28 -
AntiVir 7.6.0.56 2008.01.28 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.28 -
AVG 7.5.0.516 2008.01.29 -
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.28 -
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.28 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5493 2008.01.28 -
Ewido 4.0 2008.01.29 -
FileAdvisor 1 2008.01.29 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.28 -
F-Secure 6.70.13260.0 2008.01.29 -
Ikarus T3.1.1.20 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 -
McAfee 5217 2008.01.28 -
Microsoft 1.3109 2008.01.28 -
NOD32v2 2830 2008.01.29 -
Norman 5.80.02 2008.01.28 -
Panda 9.0.0.4 2008.01.28 -
Prevx1 V2 2008.01.29 -
Rising 20.29.01.00 2008.01.28 -
Sophos 4.25.0 2008.01.29 -
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 -
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.28 -
Webwasher-Gateway 6.6.2 2008.01.29 -
Additional information
File size: 16128 bytes
MD5: 1992e0d143b09653ab0f9c5e04b0fd65
SHA1: 113849b14a85db169c018dd9bd45c8e6e2975542
PEiD: -

For C:\WINDOWS\system32\dllcache\modemcsa.sys
VirusTotal reported this as the same file as above. I rescanned using above path for upload:

File modemcsa.sys received on 01.29.2008 03:59:34 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 6.
Estimated start time is between 54 and 77 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.29.10 2008.01.28 -
AntiVir 7.6.0.56 2008.01.28 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.28 -
AVG 7.5.0.516 2008.01.29 -
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.28 -
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.28 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5493 2008.01.28 -
Ewido 4.0 2008.01.29 -
FileAdvisor 1 2008.01.29 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.28 -
F-Secure 6.70.13260.0 2008.01.29 -
Ikarus T3.1.1.20 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 -
McAfee 5217 2008.01.28 -
Microsoft 1.3109 2008.01.28 -
NOD32v2 2830 2008.01.29 -
Norman 5.80.02 2008.01.28 -
Panda 9.0.0.4 2008.01.28 -
Prevx1 V2 2008.01.29 -
Rising 20.29.01.00 2008.01.28 -
Sophos 4.25.0 2008.01.29 -
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 -
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.28 -
Webwasher-Gateway 6.6.2 2008.01.29 -
Additional information
File size: 16128 bytes
MD5: 1992e0d143b09653ab0f9c5e04b0fd65
SHA1: 113849b14a85db169c018dd9bd45c8e6e2975542
PEiD: -

For C:\WINDOWS\system32\wucltui.dll.mui:

File wucltui.dll.mui received on 01.29.2008 04:07:38 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 47 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.29.10 2008.01.28 -
AntiVir 7.6.0.56 2008.01.28 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.28 -
AVG 7.5.0.516 2008.01.29 -
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.28 -
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.28 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5493 2008.01.28 -
Ewido 4.0 2008.01.29 -
FileAdvisor 1 2008.01.29 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.28 -
F-Secure 6.70.13260.0 2008.01.29 -
Ikarus T3.1.1.20 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 -
McAfee 5217 2008.01.28 -
Microsoft 1.3109 2008.01.28 -
NOD32v2 2830 2008.01.29 -
Norman 5.80.02 2008.01.28 -
Panda 9.0.0.4 2008.01.28 -
Prevx1 V2 2008.01.29 -
Rising 20.29.01.00 2008.01.28 -
Sophos 4.25.0 2008.01.29 -
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 -
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.28 -
Webwasher-Gateway 6.6.2 2008.01.29 -
Additional information
File size: 34136 bytes
MD5: 8c5bc4f077501e0baf72b849c572dff3
SHA1: c479a6e9e6bc9881244c14886ebe8fbc9aa18a8b
PEiD: -

For C:\WINDOWS\system32\wuaucpl.cpl.mui

File wuaucpl.cpl.mui received on 01.29.2008 04:15:52 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 47 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.29.10 2008.01.28 -
AntiVir 7.6.0.56 2008.01.28 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.28 -
AVG 7.5.0.516 2008.01.29 -
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.28 -
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.28 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5493 2008.01.28 -
Ewido 4.0 2008.01.29 -
FileAdvisor 1 2008.01.29 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.28 -
F-Secure 6.70.13260.0 2008.01.29 -
Ikarus T3.1.1.20 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 -
McAfee 5217 2008.01.28 -
Microsoft 1.3109 2008.01.28 -
NOD32v2 2830 2008.01.29 -
Norman 5.80.02 2008.01.28 -
Panda 9.0.0.4 2008.01.28 -
Prevx1 V2 2008.01.29 -
Rising 20.29.01.00 2008.01.28 -
Sophos 4.25.0 2008.01.29 -
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 -
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.28 -
Webwasher-Gateway 6.6.2 2008.01.29 -
Additional information
File size: 25944 bytes
MD5: 13f9012d1b9a2b09d6c59935fbc80781
SHA1: 00b18f566d909c7e284bb300094f7307e23a123f
PEiD: -

For C:\WINDOWS\system32\wuapi.dll.mui

File wuapi.dll.mui received on 01.29.2008 04:31:44 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 6.
Estimated start time is between 54 and 77 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.29.10 2008.01.28 -
AntiVir 7.6.0.56 2008.01.28 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.28 -
AVG 7.5.0.516 2008.01.29 -
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.28 -
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.28 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5493 2008.01.28 -
Ewido 4.0 2008.01.29 -
FileAdvisor 1 2008.01.29 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.28 -
F-Secure 6.70.13260.0 2008.01.29 -
Ikarus T3.1.1.20 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 -
McAfee 5217 2008.01.28 -
Microsoft 1.3109 2008.01.28 -
NOD32v2 2830 2008.01.29 -
Norman 5.80.02 2008.01.28 -
Panda 9.0.0.4 2008.01.28 -
Prevx1 V2 2008.01.29 -
Rising 20.29.10.00 2008.01.29 -
Sophos 4.25.0 2008.01.29 -
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 -
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.28 -
Webwasher-Gateway 6.6.2 2008.01.29 -
Additional information
File size: 25944 bytes
MD5: 1aa9dce407877e18447c8f8faba9f888
SHA1: 39e78bc5d262d338a88d84ec868c62155b9e58de
PEiD: -

For C:\WINDOWS\system32\wuaueng.dll.mui

File wuaueng.dll.mui received on 01.29.2008 04:46:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 5.
Estimated start time is between 50 and 72 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.29.10 2008.01.28 -
AntiVir 7.6.0.56 2008.01.28 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.28 -
AVG 7.5.0.516 2008.01.29 -
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.28 -
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.28 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5493 2008.01.28 -
Ewido 4.0 2008.01.29 -
FileAdvisor 1 2008.01.29 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.28 -
F-Secure 6.70.13260.0 2008.01.29 -
Ikarus T3.1.1.20 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 -
McAfee 5217 2008.01.28 -
Microsoft 1.3109 2008.01.28 -
NOD32v2 2830 2008.01.29 -
Norman 5.80.02 2008.01.28 -
Panda 9.0.0.4 2008.01.28 -
Prevx1 V2 2008.01.29 -
Rising 20.29.10.00 2008.01.29 -
Sophos 4.25.0 2008.01.29 -
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 -
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.28 -
Webwasher-Gateway 6.6.2 2008.01.29 -
Additional information
File size: 20312 bytes
MD5: 7685d52bd413085c9d5ce2e698e34ea1
SHA1: 6978590e4572ff29755b2476087fe7ed66d9ce59
PEiD: -

Thanks, Michael Baxter

by **ndmmxiaomayi** » January 29th, 2008, 1:18 am

Hi,

Looks like these files are not infected.

Restart your computer again.

After this, open Notepad and copy and paste the following in the Code box into Notepad:

Code: Select all

RenV::
----a-w           132,496 2008-01-12 17:09:17  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           282,624 2008-01-13 06:56:22  C:\Program Files\QuickTime\qttask        .exe
----a-w           528,384 2008-01-12 17:09:15  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
----a-w           129,536 2008-01-12 17:08:58  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w         4,662,776 2008-01-11 03:18:34  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w           407,032 2008-01-12 17:09:10  C:\Program Files\Yahoo!\YOP\yop .exe
----a-w            13,312 2008-01-28 02:20:45  C:\WINDOWS\system32\ctfmon .exe
----a-w           114,688 2008-01-12 17:08:55  C:\WINDOWS\system32\hkcmd .exe
----a-w           155,648 2008-01-12 17:08:53  C:\WINDOWS\system32\igfxtray .exe

File::
C:\Program Files\QuickTime\qttask       .exe
C:\Program Files\QuickTime\qttask      .exe
C:\Program Files\QuickTime\qttask     .exe
C:\Program Files\QuickTime\qttask    .exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\ystufdqr.ini
C:\WINDOWS\system32\opbqhxsg.ini
C:\WINDOWS\system32\afnayxsr.ini
C:\WINDOWS\system32\xakryxes.ini
C:\WINDOWS\system32\gcnaroaq.ini
C:\WINDOWS\system32\xduwwoyo.ini
C:\WINDOWS\system32\afnayxsr.ini
C:\WINDOWS\system32\xakryxes.ini
C:\WINDOWS\system32\gcnaroaq.ini
C:\WINDOWS\system32\xduwwoyo.ini

DirLook::
C:\Utils
C:\WINDOWS\system32\Logs
C:\WINDOWS\system32\8
C:\ZQUARANT
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\aj2
C:\WINDOWS\SGVhdGggQmVybmFyZA
C:\Temp\cEeer12
C:\WINDOWS\Sun

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8449e388-7274-4ec3-bc0a-00672fe4e715}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4A02E7A-A42E-484A-894D-2656C7C5445B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5B7120C-5523-4530-8610-059C3AF31397}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"483def24"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cjmzdfwx]

Driver::
gqtyoccq

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Referring to the picture below, drag CFScript into Combofix.

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

Combofix log (C:\Combofix.txt)
A new HijackThis log

by **michaelbaxter** » January 29th, 2008, 1:50 am

ndmmxiaomayi, Rebooted and ran the ComboFix script. Here is the log:

ComboFix 08-01-23.1D - Heath Bernard 2008-01-28 21:30:26.2 - NTFSx86
Running from: C:\Documents and Settings\Heath Bernard\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Heath Bernard\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\afnayxsr.ini
C:\WINDOWS\system32\gcnaroaq.ini
C:\WINDOWS\system32\opbqhxsg.ini
C:\WINDOWS\system32\xakryxes.ini
C:\WINDOWS\system32\xduwwoyo.ini
C:\WINDOWS\system32\ystufdqr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\afnayxsr.ini
C:\WINDOWS\system32\gcnaroaq.ini
C:\WINDOWS\system32\opbqhxsg.ini
C:\WINDOWS\system32\xakryxes.ini
C:\WINDOWS\system32\xduwwoyo.ini
C:\WINDOWS\system32\ystufdqr.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 09:29 . 2002-08-29 01:05 245,920 --a------ C:\cmldr
2008-01-28 09:29 . 2006-01-05 19:58 287 --a------ C:\Boot.bak
2008-01-27 21:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 18:32 . 2008-01-27 18:32 <DIR> d-------- C:\Utils
2008-01-20 22:36 . 2008-01-20 22:36 <DIR> d-------- C:\WINDOWS\system32\Logs
2008-01-18 16:15 . 2008-01-18 16:51 <DIR> d-------- C:\VundoFix Backups
2008-01-18 04:04 . 2008-01-18 04:04 117 --a------ C:\WINDOWS\system32\8
2008-01-18 01:54 . 2008-01-18 01:54 0 --------- C:\RQDFUTSY.SAV
2008-01-18 01:41 . 2008-01-18 01:41 0 --------- C:\ZQUARANT
2008-01-12 18:32 . 2008-01-28 21:26 3,802 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-12 18:12 . 2008-01-12 18:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 17:47 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-12 17:44 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-12 17:44 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-12 17:44 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-12 17:44 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-12 17:44 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-12 17:44 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-12 17:30 . 2008-01-12 17:31 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-12 17:30 . 2008-01-12 17:47 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-12 17:29 . 2008-01-12 17:48 <DIR> d-------- C:\Program Files\McAfee
2008-01-12 17:21 . 2008-01-12 18:12 <DIR> d-------- C:\Downloaded programs
2008-01-10 21:46 . 2008-01-10 21:46 <DIR> d-------- C:\Program Files\CONEXANT
2008-01-10 21:46 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-01-10 21:46 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-01-10 21:17 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-10 21:17 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-10 21:17 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-10 21:17 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-05 17:38 . 2008-01-05 17:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-05 17:07 . 2008-01-27 18:20 13,312 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-05 17:07 . 2008-01-27 18:20 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-05 11:33 . 2008-01-12 09:08 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-05 11:33 . 2008-01-12 09:08 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-05 10:33 . 2008-01-12 21:52 481 --a------ C:\WINDOWS\wininit.ini
2008-01-05 09:19 . 2008-01-06 10:17 <DIR> d-------- C:\WINDOWS\system32\mr9
2008-01-05 09:19 . 2008-01-13 11:07 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-05 09:19 . 2008-01-06 10:17 <DIR> d-------- C:\WINDOWS\system32\aj2
2008-01-05 09:19 . 2008-01-17 13:20 <DIR> d--hs---- C:\WINDOWS\SGVhdGggQmVybmFyZA
2008-01-05 09:19 . 2008-01-05 09:19 <DIR> d-------- C:\Temp\cEeer12
2008-01-05 09:14 . 2008-01-05 09:14 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 05:36 --------- d-----w C:\Program Files\QuickTime
2008-01-13 19:21 --------- d-----w C:\Program Files\ZipForm Desktop
2008-01-13 01:28 --------- d-----w C:\Program Files\Yahoo!
2008-01-13 01:28 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-06 01:21 --------- d-----w C:\Program Files\ATT
2008-01-06 01:20 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-06 01:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 00:58 --------- d-----w C:\Program Files\BroadJump
2007-12-28 04:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-27 04:54 --------- d-----w C:\Program Files\Google
2007-12-27 04:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-23 23:24 --------- d-----w C:\Program Files\Java
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp\cEeer12 ----

2008-01-05 09:19 1858 --a------ C:\Temp\cEeer12\skAt.log

---- Directory of C:\Utils ----

2008-01-27 18:32 110843 --a------ C:\Utils\CCleaner\uninst.exe
2008-01-17 01:40 816368 --a------ C:\Utils\CCleaner\CCleaner.exe
2008-01-16 07:27 764 --a------ C:\Utils\CCleaner\history.txt
2008-01-16 07:17 39945 --a------ C:\Utils\CCleaner\winapp.ini

---- Directory of C:\WINDOWS\SGVhdGggQmVybmFyZA ----

---- Directory of C:\WINDOWS\Sun ----

---- Directory of C:\WINDOWS\system32\8 ----

C:\WINDOWS\system32\8\

---- Directory of C:\WINDOWS\system32\aj2 ----

---- Directory of C:\WINDOWS\system32\ardCo01 ----

---- Directory of C:\WINDOWS\system32\Logs ----

2008-01-20 22:36 512 --a------ C:\WINDOWS\system32\Logs\Events.dat-journal
2008-01-20 22:36 2048 --a------ C:\WINDOWS\system32\Logs\Events.dat

---- Directory of C:\WINDOWS\system32\mr9 ----

---- Directory of C:\ZQUARANT ----

C:\ZQUARANT\

((((((((((((((((((((((((((((( snapshot@2008-01-27_23.11.59.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-28 05:33:43 1,159,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-29 05:29:49 1,159,168 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-28 05:33:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-29 05:29:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-28 05:33:43 958,464 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-29 05:29:49 1,155,072 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-28 05:33:43 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-29 05:29:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-28 05:33:44 1,155,072 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-29 05:29:50 958,464 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-28 05:33:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-29 05:29:50 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-28 05:20:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-29 05:25:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-28 05:20:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-29 05:25:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-28 05:20:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-29 05:25:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-11 05:47:21 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-28 17:20:27 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-11 05:47:21 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-28 17:20:27 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2008-01-27 18:20 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-12 09:08 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-12 09:08 114688]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2008-01-12 09:08 129536]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2008-01-12 09:09 407032]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2008-01-12 09:09 528384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-12 09:09 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-12 22:56 282624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 17:41:38 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 14:59]

.
Contents of the 'Scheduled Tasks' folder
"2006-04-14 05:15:13 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1137011108.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-13 02:22:56 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-13 02:22:56 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 21:36:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-28 21:41:54
ComboFix-quarantined-files.txt 2008-01-29 05:41:50
ComboFix2.txt 2008-01-28 07:15:06
.
2008-01-28 17:21:09 --- E O F ---

Here is a fresh hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:23 PM, on 1/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://att.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: SEAGULL J Walk Java Client 4_0C5-E474 - http://207.228.41.46/jwalk/jwalk/jwalk_ie.cab
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://nnrmls.fnismls.com/Paragon/Codeb ... ontrol.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6523108890
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7425 bytes

Thanks again, Michael Baxter

Free Malware Removal Forum

Interactive help with Vundo like Malware

Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Re: Interactive help with Vundo like Malware

Who is online