XP SecurityCenter

Unread postby johnl » July 12th, 2008, 5:33 pm

I'm trying to get rid of this. I downloaded and installed HJT v1.9.1. It won't run; I double-click and nothing happens. I'm running XP Pro SP2.
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm

Re: XP SecurityCenter

Unread postby Katana » July 16th, 2008, 4:29 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Click here to download HJTinstall.exe
  • Save HJTinstall.exe to your desktop.
  • Double click on the HJTinstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click I accept
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.



Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: XP SecurityCenter

Unread postby johnl » July 16th, 2008, 6:09 am

Thanks for your help here are the log files you requested.

Malwarebytes' Anti-Malware 1.20
Database version: 957
Windows 5.1.2600 Service Pack 2

5:56:31 AM 7/16/2008
mbam-log-7-16-2008 (05-56-31).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 76471
Time elapsed: 9 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\data (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001684.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001685.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\BackUp\Software\Adobe Acrobat Professional 8\Adobe Acrobat 8 pro keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
E:\Software\Adobe Acrobat Professional 8\Adobe Acrobat 8 pro keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ws386.ini (Malware.Trace) -> Quarantined and deleted successfully.

*************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:49 AM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Red Chair Software\Anapod Explorer\anamgr.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Qucken\QWDLLS.EXE
D:\Remind-Me\RemindMe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NoAdware5] "d:\NoAdware5.0\NoAdware5.exe" :Min:
O4 - Startup: Anapod Manager.lnk = D:\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: Billminder.lnk = D:\Qucken\BILLMIND.EXE
O4 - Startup: Quicken Startup.lnk = D:\Qucken\QWDLLS.EXE
O4 - Startup: RemindMe.lnk = D:\Remind-Me\RemindMe.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D83D16DC-A4A0-4A08-BD62-82214EF1FB23}: NameServer = 151.202.0.85,151.203.0.85
O20 - AppInit_DLLs: cru629.dat
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 3089 bytes

******************************

ActiveHome(TM)
Adobe Acrobat 4.0
Adobe Photoshop Elements
Adobe SVG Viewer
Anapod Explorer (remove only)
Ant Movie Catalog
Convert
FastStone Image Viewer 3.2
FileZilla (remove only)
High Definition Audio Driver Package - KB888111
Hijackthis 1.99.1
HijackThis 2.0.2
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
HP Precisionscan Pro 3.1
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft Office 2000 Premium
Mozilla Firefox (2.0.0.15)
NVIDIA Drivers
Password Corral v4.0
Photosmart Printer 130,230,7150,7350,7550 (Remove only)
Quintessential Player
Realtek High Definition Audio Driver
Remind-Me
Tweak UI
UltraCompare Professional
UltraEdit v14.00+1
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm
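One thing worth noticing in the two logs above: the MBAM log reports both copies of cru629.dat quarantined, yet the HijackThis log saved six minutes later still shows `O20 - AppInit_DLLs: cru629.dat`. A file deletion does not clear the loading point that references it, which is why helpers ask for a fresh HJT log after every tool. The script below is an added example (not HijackThis code and not part of this thread) that parses HJT result lines like the ones posted above and ranks them by loading point: AppInit_DLLs entries (loaded into every process that loads user32.dll) as high, forced DNS servers and autorun targets given without a path as items to verify, everything else as informational. The severity labels are the editor's assumption, not an HJT classification; the sample lines are copied from the log above.

```python
"""Triage HijackThis (HJT) log lines by loading point.

Added example for this thread; it is not part of HijackThis or of the
posts above. The severity labels are the editor's assumption, not HJT's.
"""
import re

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NoAdware5] "d:\NoAdware5.0\NoAdware5.exe" :Min:
O4 - Startup: RemindMe.lnk = D:\Remind-Me\RemindMe.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D83D16DC-A4A0-4A08-BD62-82214EF1FB23}: NameServer = 151.202.0.85,151.203.0.85
O20 - AppInit_DLLs: cru629.dat
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (code, body) pairs for every HJT result line, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def o4_target(body):
    """Extract the program an O4 autorun entry actually launches."""
    if "] " in body:                      # Run-key form: [Name] command args
        cmd = body.split("] ", 1)[1].strip()
    elif " = " in body:                   # Startup-folder form: X.lnk = target
        return body.split(" = ", 1)[1].strip()
    else:
        return body.strip()
    if cmd.startswith('"'):
        target, _, rest = cmd[1:].partition('"')
    else:
        target, _, rest = cmd.partition(" ")
    # rundll32 is only a host; the DLL it is told to load is the real target.
    if target.lower().startswith("rundll32") and rest.strip():
        target = rest.strip().split(",", 1)[0].strip('"')
    return target


def is_qualified(target):
    """True when the target carries a directory (drive letter or backslash)."""
    return "\\" in target or ":" in target


def triage(entries):
    """Rank each entry: 'high' act now, 'review' verify, 'info' expected."""
    findings = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # non-empty AppInit_DLLs is loaded into every process that loads user32.dll
                findings.append(("high", code, "AppInit_DLLs injects %r into every process that loads user32.dll" % value))
        elif code == "O17" and "NameServer" in body:
            servers = [s.strip() for s in body.split("=", 1)[1].split(",")]
            findings.append(("review", code, "forced DNS servers %s; confirm they belong to your ISP" % servers))
        elif code == "O4":
            target = o4_target(body)
            if is_qualified(target):
                findings.append(("info", code, "autorun target %s" % target))
            else:
                findings.append(("review", code, "autorun %r has no path; locate it on disk before trusting it" % target))
        else:
            findings.append(("info", code, body))
    return findings


def counts(findings):
    """Number of findings per severity."""
    out = {}
    for sev, _, _ in findings:
        out[sev] = out.get(sev, 0) + 1
    return out


if __name__ == "__main__":
    for sev, code, note in triage(parse_hjt(SAMPLE_LOG)):
        print("%-6s %-4s %s" % (sev, code, note))
```

Run against the sample it reports one high item (the O20 line), two to verify (the O17 name servers and the path-less RTHDCPL.EXE) and four informational entries. A path-less O4 target is not malicious by itself, as the Realtek entry here shows; the point of the "review" label is that such a name is resolved through the search path at logon, so you must find the file on disk before deciding anything about it.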

Re: XP SecurityCenter

Unread postby Katana » July 16th, 2008, 7:14 am

The following program/s are regarded as either "Rogue", being bundled with "Adware" or having dubious reputations

NoAdware5.0 << Used to be listed as Rogue

I recommend that you remove it via Add/Remove Programs.




Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: XP SecurityCenter

Unread postby johnl » July 17th, 2008, 5:56 am

Thanks for all your help.

I don't see NoAdware listed in Add/Remove. I had it installed but may have removed it before we started. I have downloaded ComboFix but have not done the install yet. Just wanted to make sure that the removal of NoAdware (or lack thereof) is not a problem? As soon as I get the OK from you I will install ComboFix following the instructions on Bleeping Computer.
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm

Re: XP SecurityCenter

Unread postby Katana » July 17th, 2008, 6:07 am

Don't worry about NoAdware, ComboFix will show us if it is still there :)
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: XP SecurityCenter

Unread postby johnl » July 17th, 2008, 5:38 pm

ComboFix 08-07-15.4 - JohnL 2008-07-17 17:31:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1718 [GMT -4:00]
Running from: C:\Documents and Settings\JohnL\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\JohnL\Local Settings\Temporary Internet Files\cita.com
C:\Documents and Settings\JohnL\Local Settings\Temporary Internet Files\oluw._sy
C:\Documents and Settings\JohnL\Local Settings\Temporary Internet Files\ponaqy.bat
C:\Documents and Settings\JohnL\Local Settings\Temporary Internet Files\toho.db
C:\Documents and Settings\JohnL\Local Settings\Temporary Internet Files\upivajug.vbs
C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR


((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-16 06:02 . 2008-07-16 06:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\JohnL\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 05:26 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-03 16:00 . 2008-07-03 16:00 19,547 --a------ C:\WINDOWS\oqepilu.dll
2008-07-03 16:00 . 2008-07-03 16:00 19,418 --a------ C:\WINDOWS\tucaja.lib
2008-07-03 16:00 . 2008-07-03 16:00 18,711 --a------ C:\Documents and Settings\All Users\Application Data\egihajorar.com
2008-07-03 16:00 . 2008-07-03 16:00 18,523 --a------ C:\WINDOWS\system32\batys.bin
2008-07-03 16:00 . 2008-07-03 16:00 18,488 --a------ C:\WINDOWS\system32\uterecavy.scr
2008-07-03 16:00 . 2008-07-03 16:00 16,208 --a------ C:\WINDOWS\maweg.lib
2008-07-03 16:00 . 2008-07-03 16:00 15,306 --a------ C:\Documents and Settings\JohnL\Application Data\okenurexa.exe
2008-07-03 16:00 . 2008-07-03 16:00 14,916 --a------ C:\WINDOWS\system32\cadyf.dl
2008-07-03 16:00 . 2008-07-03 16:00 14,899 --a------ C:\WINDOWS\apelasevo.sys
2008-07-03 16:00 . 2008-07-03 16:00 14,394 --a------ C:\WINDOWS\system32\citexuz.bat
2008-07-03 16:00 . 2008-07-03 16:00 11,228 --a------ C:\Program Files\Common Files\zucu.pif
2008-07-03 16:00 . 2008-07-03 16:00 10,798 --a------ C:\WINDOWS\system32\ocybujupe.ban
2008-07-03 15:54 . 2008-07-03 15:54 19,963 --a------ C:\Documents and Settings\All Users\Application Data\myholezaca.bin
2008-07-03 15:54 . 2008-07-03 15:54 18,835 --a------ C:\Documents and Settings\All Users\Application Data\wohe.pif
2008-07-03 15:54 . 2008-07-03 15:54 10,619 --a------ C:\Documents and Settings\JohnL\Application Data\ysyse.scr
2008-07-03 15:54 . 2008-07-03 15:54 10,565 --a------ C:\Documents and Settings\All Users\Application Data\lytamax.dll
2008-07-03 15:54 . 2008-07-03 15:54 10,503 --a------ C:\Documents and Settings\All Users\Application Data\huxuz.dat
2008-07-03 15:54 . 2008-07-03 15:54 10,033 --a------ C:\Program Files\Common Files\guxeb.bin
2008-07-02 17:33 . 2008-07-02 17:33 18,420 --a------ C:\WINDOWS\system32\xace.lib
2008-07-02 17:33 . 2008-07-02 17:33 17,957 --a------ C:\WINDOWS\bylymeri.com
2008-07-02 17:33 . 2008-07-02 17:33 16,208 --a------ C:\WINDOWS\exolyxigi.dl
2008-07-02 17:33 . 2008-07-02 17:33 15,368 --a------ C:\Program Files\Common Files\tuzysuwov.pif
2008-07-02 17:33 . 2008-07-02 17:33 14,285 --a------ C:\WINDOWS\remamanefa.com
2008-07-02 17:33 . 2008-07-02 17:33 14,119 --a------ C:\Program Files\Common Files\qajidaxyfu.sys
2008-07-02 17:33 . 2008-07-02 17:33 14,064 --a------ C:\Documents and Settings\JohnL\Application Data\avopepahaq.pif
2008-07-02 17:33 . 2008-07-02 17:33 13,968 --a------ C:\Program Files\Common Files\socuxamyno.exe
2008-07-02 17:33 . 2008-07-02 17:33 13,443 --a------ C:\WINDOWS\ivikuq.lib
2008-07-02 17:33 . 2008-07-02 17:33 10,423 --a------ C:\WINDOWS\system32\dacyhexiko._sy
2008-06-22 19:15 . 2008-06-22 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-22 19:15 . 2005-02-09 12:59 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 20:00 13,114 ----a-w C:\Program Files\Common Files\gexebopuri.inf
2008-07-03 19:54 19,063 ----a-w C:\WINDOWS\owajyf.bat
2008-07-03 19:54 18,120 ----a-w C:\WINDOWS\system32\tucyqo.scr
2008-07-03 19:54 16,002 ----a-w C:\WINDOWS\ykijih.vbs
2008-07-03 19:54 15,944 ----a-w C:\WINDOWS\system32\inune.scr
2008-07-03 19:54 13,873 ----a-w C:\WINDOWS\system32\sefesaman.sys
2008-07-03 19:54 13,108 ----a-w C:\WINDOWS\nocufexy.com
2008-07-03 19:54 12,289 ----a-w C:\WINDOWS\system32\hoze.dll
2008-07-02 21:33 17,833 ----a-w C:\Program Files\Common Files\amywa.ban
2008-07-02 21:33 12,855 ----a-w C:\Program Files\Common Files\dyvofodyz.db
2008-06-07 09:26 --------- d-----w C:\Program Files\JoshMadison
2008-06-01 00:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 21:14 --------- d-----w C:\Program Files\Snapshot Viewer
2008-05-31 21:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-31 21:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Microsoft Web Folders
2008-05-27 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\IDMComp
2008-05-27 23:37 --------- d-----w C:\Program Files\IDM Computer Solutions
2008-05-27 23:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-05-26 23:43 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-05-26 23:43 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-26 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Share-to-Web Upload Folder
2008-05-26 23:41 --------- d-----w C:\Program Files\HP Photosmart 11
2008-05-26 23:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Remind-Me
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\GrebleSoft
2008-05-25 11:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\FastStone
2008-05-25 10:58 --------- d-----w C:\Program Files\Red Chair Software
2008-05-25 10:58 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Red Chair Software
2008-05-24 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-24 21:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 21:34 --------- d-----w C:\Program Files\Realtek
2008-05-24 21:33 --------- d-----w C:\Program Files\Marvell
2008-05-24 21:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-24 21:31 --------- d-----w C:\Program Files\Intel
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 00:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-12 00:43 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-04 16:03 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-04-04 16:01 335872]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 16:04 49152]
"Share-to-Web Namespace Daemon"="D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 23:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-08-12 00:43 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\JohnL\Start Menu\Programs\Startup\
Anapod Manager.lnk - D:\Red Chair Software\Anapod Explorer\anamgr.exe [2008-05-25 06:58:13 1076276]
Billminder.lnk - D:\Qucken\BILLMIND.EXE [2008-05-25 06:41:19 36864]
Quicken Startup.lnk - D:\Qucken\QWDLLS.EXE [2008-05-25 06:41:31 36864]
RemindMe.lnk - D:\Remind-Me\RemindMe.exe [2007-03-05 20:31:50 467456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2008-05-31 17:59:07 43520]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-31 20:27:37 113664]
Microsoft Office.lnk - D:\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-NoAdware5 - d:\NoAdware5.0\NoAdware5.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 17:34:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2008-07-17 17:34:43 - machine was rebooted [JohnL]
ComboFix-quarantined-files.txt 2008-07-17 21:34:40

Pre-Run: 15,134,064,640 bytes free
Post-Run: 15,188,324,352 bytes free

155
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm
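The "Reg Loading Points" section of the ComboFix log above shows something the file deletions do not undo: the rogue left `AntiVirusDisableNotify` and `UpdatesDisableNotify` set to 1 under the Security Center key, and `EnableFirewall` set to 0 for the standard firewall profile. That is why the fake security icon could take the place of the real one without a warning. The script below is an added example (not ComboFix's code and not part of this thread) that parses that REGEDIT4-style section and flags security settings that differ from a healthy baseline; the baseline table is the editor's assumption for XP SP2 with the Security Center and Windows Firewall on, and the sample text is copied from the log above. It also lists the firewall's authorised-application exceptions, since a rogue that has already turned the firewall off can just as easily add itself to that list.

```python
"""Spot security settings a rogue has switched off, from a ComboFix
"Reg Loading Points" section (REGEDIT4 style).

Added example for this thread, not ComboFix's own code. The EXPECTED
table is the editor's assumed XP SP2 baseline, not something ComboFix
reports.
"""
import re

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")
SHORT_RE = re.compile(r"^(\d+) \(0x[0-9a-fA-F]+\)$")   # ComboFix's "0 (0x0)" form


def normalize(data):
    """Turn dword:00000001 or '0 (0x0)' into an int; keep anything else as text."""
    data = data.strip()
    m = DWORD_RE.match(data)
    if m:
        return int(m.group(1), 16)
    m = SHORT_RE.match(data)
    if m:
        return int(m.group(1))
    return data


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4-style dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = normalize(m.group("data"))
    return keys


# (key suffix, value name, expected value, what it means when it differs).
# Assumed baseline: XP SP2 with Security Center alerts and the firewall on.
EXPECTED = [
    (r"\microsoft\security center", "AntiVirusDisableNotify", 0, "Security Center antivirus alerts suppressed"),
    (r"\microsoft\security center", "FirewallDisableNotify", 0, "Security Center firewall alerts suppressed"),
    (r"\microsoft\security center", "UpdatesDisableNotify", 0, "Security Center update alerts suppressed"),
    (r"\firewallpolicy\standardprofile", "EnableFirewall", 1, "Windows Firewall disabled"),
]


def _keys_ending_with(keys, suffix):
    suffix = suffix.lower()
    return [k for k in keys if k.lower().endswith(suffix)]


def audit(keys):
    """List (key, value, actual, meaning) for every setting that differs from EXPECTED.
    An absent value keeps its default, so only values present in the dump are compared."""
    findings = []
    for suffix, name, expected, meaning in EXPECTED:
        for key in _keys_ending_with(keys, suffix):
            if name in keys[key] and keys[key][name] != expected:
                findings.append((key, name, keys[key][name], meaning))
    return findings


def firewall_exceptions(keys):
    """Programs allowed through the firewall; each one deserves a second look."""
    names = []
    for key in _keys_ending_with(keys, r"\authorizedapplications\list"):
        names.extend(keys[key])
    return names


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, name, actual, meaning in audit(reg):
        print("TAMPERED %s\\%s = %r (%s)" % (key, name, actual, meaning))
    for exe in firewall_exceptions(reg):
        print("FIREWALL EXCEPTION %s" % exe)
```

On the sample it reports the two suppressed Security Center alerts and the disabled firewall, and lists the two firewall exceptions. Removing the rogue's files does not reverse these values; once the machine is clean they have to be put back, by turning the Windows Firewall and the Security Center alerts on again in Control Panel, and the log after that step should no longer show them.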

Re: XP SecurityCenter

Unread postby Katana » July 17th, 2008, 6:10 pm

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://malwareremoval.com/forum/viewtopic.php?f=11&t=32602&p=324788#p324788
    Comment:: Katana -- lots of scrap. Missed by MBAM as well
    
    Collect::[4]
    C:\WINDOWS\oqepilu.dll
    C:\WINDOWS\tucaja.lib
    C:\Documents and Settings\All Users\Application Data\egihajorar.com
    C:\WINDOWS\system32\batys.bin
    C:\WINDOWS\system32\uterecavy.scr
    C:\WINDOWS\maweg.lib
    C:\Documents and Settings\JohnL\Application Data\okenurexa.exe
    C:\WINDOWS\system32\cadyf.dl
    C:\WINDOWS\apelasevo.sys
    C:\WINDOWS\system32\citexuz.bat
    C:\Program Files\Common Files\zucu.pif
    C:\WINDOWS\system32\ocybujupe.ban
    C:\Documents and Settings\All Users\Application Data\myholezaca.bin
    C:\Documents and Settings\All Users\Application Data\wohe.pif
    C:\Documents and Settings\JohnL\Application Data\ysyse.scr
    C:\Documents and Settings\All Users\Application Data\lytamax.dll
    C:\Documents and Settings\All Users\Application Data\huxuz.dat
    C:\Program Files\Common Files\guxeb.bin
    C:\WINDOWS\system32\xace.lib
    C:\WINDOWS\bylymeri.com
    C:\WINDOWS\exolyxigi.dl
    C:\Program Files\Common Files\tuzysuwov.pif
    C:\WINDOWS\remamanefa.com
    C:\Program Files\Common Files\qajidaxyfu.sys
    C:\Documents and Settings\JohnL\Application Data\avopepahaq.pif
    C:\Program Files\Common Files\socuxamyno.exe
    C:\WINDOWS\ivikuq.lib
    C:\WINDOWS\system32\dacyhexiko._sy
    C:\Program Files\Common Files\gexebopuri.inf
    C:\WINDOWS\owajyf.bat
    C:\WINDOWS\system32\tucyqo.scr
    C:\WINDOWS\ykijih.vbs
    C:\WINDOWS\system32\inune.scr
    C:\WINDOWS\system32\sefesaman.sys
    C:\WINDOWS\nocufexy.com
    C:\WINDOWS\system32\hoze.dll
    C:\Program Files\Common Files\amywa.ban
    C:\Program Files\Common Files\dyvofodyz.db
    

  • Save this as CFScript.txt and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary and let the database download.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • ComboFix Log
  • A fresh HJT Log
  • Kaspersky log
  • How are things running now?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: XP SecurityCenter

Unread postby johnl » July 18th, 2008, 5:20 pm

Things are running much better. The icon for XP SecurityCenter is gone and the standard MS Security Center icon is back.


ComboFix 08-07-15.4 - JohnL 2008-07-18 5:59:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1712 [GMT -4:00]
Running from: C:\Documents and Settings\JohnL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JohnL\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\egihajorar.com
C:\Documents and Settings\All Users\Application Data\huxuz.dat
C:\Documents and Settings\All Users\Application Data\lytamax.dll
C:\Documents and Settings\All Users\Application Data\myholezaca.bin
C:\Documents and Settings\All Users\Application Data\wohe.pif
C:\Documents and Settings\JohnL\Application Data\avopepahaq.pif
C:\Documents and Settings\JohnL\Application Data\okenurexa.exe
C:\Documents and Settings\JohnL\Application Data\ysyse.scr
C:\Program Files\Common Files\amywa.ban
C:\Program Files\Common Files\dyvofodyz.db
C:\Program Files\Common Files\gexebopuri.inf
C:\Program Files\Common Files\guxeb.bin
C:\Program Files\Common Files\qajidaxyfu.sys
C:\Program Files\Common Files\socuxamyno.exe
C:\Program Files\Common Files\tuzysuwov.pif
C:\Program Files\Common Files\zucu.pif
C:\WINDOWS\apelasevo.sys
C:\WINDOWS\bylymeri.com
C:\WINDOWS\exolyxigi.dl
C:\WINDOWS\ivikuq.lib
C:\WINDOWS\maweg.lib
C:\WINDOWS\nocufexy.com
C:\WINDOWS\oqepilu.dll
C:\WINDOWS\owajyf.bat
C:\WINDOWS\remamanefa.com
C:\WINDOWS\system32\batys.bin
C:\WINDOWS\system32\cadyf.dl
C:\WINDOWS\system32\citexuz.bat
C:\WINDOWS\system32\dacyhexiko._sy
C:\WINDOWS\system32\hoze.dll
C:\WINDOWS\system32\inune.scr
C:\WINDOWS\system32\ocybujupe.ban
C:\WINDOWS\system32\sefesaman.sys
C:\WINDOWS\system32\tucyqo.scr
C:\WINDOWS\system32\uterecavy.scr
C:\WINDOWS\system32\xace.lib
C:\WINDOWS\tucaja.lib
C:\WINDOWS\ykijih.vbs

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-16 06:02 . 2008-07-16 06:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\JohnL\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 05:26 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-03 15:54 . 2008-07-03 15:54 19,890 --a------ C:\WINDOWS\erypy.dat
2008-07-03 15:54 . 2008-07-03 15:54 18,651 --a------ C:\WINDOWS\voko.dl
2008-07-03 15:54 . 2008-07-03 15:54 17,756 --a------ C:\WINDOWS\ipigufidyl.db
2008-07-03 15:54 . 2008-07-03 15:54 12,348 --a------ C:\WINDOWS\system32\tijuxa.dl
2008-06-22 19:15 . 2008-06-22 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-22 19:15 . 2005-02-09 12:59 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 09:26 --------- d-----w C:\Program Files\JoshMadison
2008-06-01 00:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 21:14 --------- d-----w C:\Program Files\Snapshot Viewer
2008-05-31 21:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-31 21:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Microsoft Web Folders
2008-05-27 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\IDMComp
2008-05-27 23:37 --------- d-----w C:\Program Files\IDM Computer Solutions
2008-05-27 23:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-05-26 23:43 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-05-26 23:43 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-26 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Share-to-Web Upload Folder
2008-05-26 23:41 --------- d-----w C:\Program Files\HP Photosmart 11
2008-05-26 23:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Remind-Me
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\GrebleSoft
2008-05-25 11:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\FastStone
2008-05-25 10:58 --------- d-----w C:\Program Files\Red Chair Software
2008-05-25 10:58 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Red Chair Software
2008-05-24 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-24 21:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 21:34 --------- d-----w C:\Program Files\Realtek
2008-05-24 21:33 --------- d-----w C:\Program Files\Marvell
2008-05-24 21:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-24 21:31 --------- d-----w C:\Program Files\Intel
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 00:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-12 00:43 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-04 16:03 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-04-04 16:01 335872]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 16:04 49152]
"Share-to-Web Namespace Daemon"="D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 23:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-08-12 00:43 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\JohnL\Start Menu\Programs\Startup\
Anapod Manager.lnk - D:\Red Chair Software\Anapod Explorer\anamgr.exe [2008-05-25 06:58:13 1076276]
Billminder.lnk - D:\Qucken\BILLMIND.EXE [2008-05-25 06:41:19 36864]
Quicken Startup.lnk - D:\Qucken\QWDLLS.EXE [2008-05-25 06:41:31 36864]
RemindMe.lnk - D:\Remind-Me\RemindMe.exe [2007-03-05 20:31:50 467456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2008-05-31 17:59:07 43520]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-31 20:27:37 113664]
Microsoft Office.lnk - D:\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 06:00:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-18 6:00:21
ComboFix-quarantined-files.txt 2008-07-18 10:00:19
ComboFix2.txt 2008-07-17 21:34:44

Pre-Run: 15,177,850,880 bytes free
Post-Run: 15,168,176,128 bytes free

141
*********************************
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 10:27:49
Records in database: 968157
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
B:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 37328
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:44:29


File name / Threat name / Threats count
E:\BackUp\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe Infected: Trojan.Win32.Monder.gen 1
E:\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.
****************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:57 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Qucken\QWDLLS.EXE
D:\Remind-Me\RemindMe.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Startup: Anapod Manager.lnk = D:\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: Billminder.lnk = D:\Qucken\BILLMIND.EXE
O4 - Startup: Quicken Startup.lnk = D:\Qucken\QWDLLS.EXE
O4 - Startup: RemindMe.lnk = D:\Remind-Me\RemindMe.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D83D16DC-A4A0-4A08-BD62-82214EF1FB23}: NameServer = 151.202.0.85,151.203.0.85
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 3572 bytes
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm

Re: XP SecurityCenter

Unread postby Katana » July 18th, 2008, 5:36 pm

No Antivirus

I can see no indication of any Antivirus software.

Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
Free AV list ( Home users only)
Avira AntiVir
Avast

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week.
If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Antivirus is a MUST


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window
C:\WINDOWS\erypy.dat
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following files
C:\WINDOWS\voko.dl
C:\WINDOWS\ipigufidyl.db
C:\WINDOWS\system32\tijuxa.dl


If Virustotal is too busy please try Jotti

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    
    File::
    C:\WINDOWS\erypy.dat
    C:\WINDOWS\voko.dl
    C:\WINDOWS\ipigufidyl.db
    C:\WINDOWS\system32\tijuxa.dl
    E:\BackUp\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe
    E:\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper





Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> ActiveScan << LINK
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
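A triage helper for log excerpts shaped like the ComboFix output johnl posted above, added here as an example for this thread; it is not ComboFix's, HijackThis's or the forum's own code, and the sample lines inside it are constructed to match that log. It runs two defender-side checks: it picks out files under C:\WINDOWS whose creation and last-modified timestamps are identical and that were written in the same minute as other lowercase-only-named files (which is how the erypy.dat / voko.dl / ipigufidyl.db / tijuxa.dl cluster Katana asks to have scanned stands out from the Malwarebytes drivers installed the same day, since those keep an older modified time from the installer package), and it reports the Security Center notification and firewall values the posted log shows switched off. The burst-and-timestamp heuristic and the WEAKENING_VALUES table are this example's assumptions, not ComboFix rules.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the "Files Created" and "Reg Loading Points"
# sections of the log posted in this thread.
SAMPLE_LOG = r"""
2008-07-16 05:26 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 05:26 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-03 15:54 . 2008-07-03 15:54 19,890 --a------ C:\WINDOWS\erypy.dat
2008-07-03 15:54 . 2008-07-03 15:54 18,651 --a------ C:\WINDOWS\voko.dl
2008-07-03 15:54 . 2008-07-03 15:54 17,756 --a------ C:\WINDOWS\ipigufidyl.db
2008-07-03 15:54 . 2008-07-03 15:54 12,348 --a------ C:\WINDOWS\system32\tijuxa.dl
2008-06-22 19:15 . 2005-02-09 12:59 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One "Files Created" line: created . modified size attributes path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# (key suffix, value name, value) triples that mean the platform's own
# defences were silenced or switched off. Assumption of this example.
WEAKENING_VALUES = {
    ("security center", "AntiVirusDisableNotify", "dword:00000001"),
    ("security center", "UpdatesDisableNotify", "dword:00000001"),
    ("security center", "FirewallDisableNotify", "dword:00000001"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", "0"),
}


def parse_files(log_text):
    """Return the file (not directory) records of a 'Files Created' section."""
    records = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            records.append(m.groupdict())
    return records


def suspicious_drops(records, min_burst=2):
    """Flag files that look dropped in place rather than installed.

    Heuristic (this example's assumption): under C:\\WINDOWS, created time
    equals modified time (written in place; installers keep the package's
    older modified time), base name is lowercase letters only, and at least
    `min_burst` such files share the same creation minute.
    """
    by_minute = defaultdict(list)
    for rec in records:
        path = rec["path"]
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if (path.lower().startswith("c:\\windows\\")
                and rec["created"] == rec["modified"]
                and re.fullmatch(r"[a-z]+", stem)):
            by_minute[rec["created"]].append(path)
    flagged = []
    for _minute, paths in sorted(by_minute.items()):
        if len(paths) >= min_burst:
            flagged.extend(paths)
    return flagged


def weakened_settings(log_text):
    """Return 'key\\name=value' for each defence-weakening registry value."""
    hits, current_key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_LINE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_LINE.match(line)
        if not vm or not current_key:
            continue
        tokens = vm.group("value").split()
        value = tokens[0] if tokens else ""  # "0 (0x0)" -> "0"
        for key_tail, wname, wvalue in WEAKENING_VALUES:
            if (current_key.lower().endswith(key_tail)
                    and vm.group("name") == wname and value == wvalue):
                hits.append(f"{current_key}\\{wname}={value}")
    return hits


def triage(log_text):
    """Run both checks over one log excerpt and return a summary dict."""
    return {
        "dropped_files": suspicious_drops(parse_files(log_text)),
        "weakened_settings": weakened_settings(log_text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

The flagged cluster is a prompt for what to have scanned, exactly as the post above does with VirusTotal or Jotti, not a verdict: a same-minute burst of odd files can also be a legitimate installer, so confirm by hash lookup before anything is quarantined. The settings check is worth running on every ComboFix log, because silenced Security Center notifications and a disabled firewall are easy to miss in the middle of the Reg Loading Points section.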

Re: XP SecurityCenter

Unread postby johnl » July 18th, 2008, 7:40 pm

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-18 19:36:09
PROTECTIONS: 0
MALWARE: 37
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.atdmt.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.247realmedia.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.mediaplex.com/]
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.clickbank.net/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[www.burstbeacon.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.adtech.de/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[server.iad.liveperson.net/hc/70307935]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[server.iad.liveperson.net/hc/51565057]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[server.iad.liveperson.net/hc/25420556]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[server.iad.liveperson.net/hc/18169525]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.zedo.com/]
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.bluestreak.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.adrevolver.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.go.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.did-it.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.atwola.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\JohnL\Application Data\Mozilla\Firefox\Profiles\fxobj0bb.default\cookies.txt[.ads.addynamix.com/]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP62\A0001875.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP62\A0001862.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP60\A0001799.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP39\A0000629.sys
02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP60\A0001800.sys
03074987 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001676.exe
03074987 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001693.exe
03074987 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP57\A0001768.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001665.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001666.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001652.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP39\A0000628.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001688.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001629.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001659.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP57\A0001760.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001687.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001628.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001653.exe
03150390 Adware/XPSecurityCenter Adware No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001660.exe
03150916 Trj/Asprox.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{1CA3444B-926B-42CD-A392-24D3FDC62563}\RP47\A0001689.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location lT
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description lT
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 lT
184379 MEDIUM MS08-001 lT
182048 HIGH MS07-069 lT
182046 HIGH MS07-067 lT
182043 HIGH MS07-064 lT
179553 HIGH MS07-061 lT
176382 HIGH MS07-057 lT
176383 HIGH MS07-058 lT
170911 HIGH MS07-050 lT
170907 HIGH MS07-046 lT
170906 HIGH MS07-045 lT
170904 HIGH MS07-043 lT
164915 HIGH MS07-035 lT
164913 HIGH MS07-033 lT
164911 HIGH MS07-031 lT
160623 HIGH MS07-027 lT
157262 HIGH MS07-022 lT
157261 HIGH MS07-021 lT
157260 HIGH MS07-020 lT
157259 HIGH MS07-019 lT
156477 HIGH MS07-017 lT
150253 HIGH MS07-016 lT
150249 HIGH MS07-013 lT
150248 HIGH MS07-012 lT
150247 HIGH MS07-011 lT
150243 HIGH MS07-008 lT
150242 HIGH MS07-007 lT
150241 MEDIUM MS07-006 lT
141034 HIGH MS06-076 lT
141033 MEDIUM MS06-075 lT
141030 HIGH MS06-072 lT
137571 HIGH MS06-070 lT
137568 HIGH MS06-067 lT
133387 MEDIUM MS06-065 lT
133386 MEDIUM MS06-064 lT
133385 MEDIUM MS06-063 lT
133379 HIGH MS06-057 lT
131654 HIGH MS06-055 lT
129977 MEDIUM MS06-053 lT
129976 MEDIUM MS06-052 lT
126093 HIGH MS06-051 lT
126092 MEDIUM MS06-050 lT
126087 HIGH MS06-046 lT
126086 MEDIUM MS06-045 lT
126083 HIGH MS06-042 lT
126082 HIGH MS06-041 lT
126081 HIGH MS06-040 lT
123421 HIGH MS06-036 lT
123420 HIGH MS06-035 lT
120825 MEDIUM MS06-032 lT
120823 MEDIUM MS06-030 lT
120818 HIGH MS06-025 lT
120815 HIGH MS06-022 lT
120814 HIGH MS06-021 lT
117384 MEDIUM MS06-018 lT
114666 HIGH MS06-015 lT
114664 HIGH MS06-013 lT
108744 MEDIUM MS06-008 lT
108743 MEDIUM MS06-007 lT
108742 MEDIUM MS06-006 lT
104567 HIGH MS06-002 lT
104237 HIGH MS06-001 lT
96574 HIGH MS05-053 lT
93395 HIGH MS05-051 lT
93394 HIGH MS05-050 lT
93454 MEDIUM MS05-049 lT
;===================================================================================================================================================================================

I have no AntiVirus software; I'm never quite sure of what I'm getting. I will download one of the ones you suggested.
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm

Re: XP SecurityCenter

Unread postby Katana » July 19th, 2008, 2:41 am

Do you have the ComboFix log?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: XP SecurityCenter

Unread postby johnl » July 19th, 2008, 5:17 am

Sorry about that.

ComboFix 08-07-15.4 - JohnL 2008-07-18 18:45:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1605 [GMT -4:00]
Running from: C:\Documents and Settings\JohnL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JohnL\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\erypy.dat
C:\WINDOWS\ipigufidyl.db
C:\WINDOWS\system32\tijuxa.dl
C:\WINDOWS\voko.dl
E:\BackUp\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe
E:\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\erypy.dat
C:\WINDOWS\ipigufidyl.db
C:\WINDOWS\system32\tijuxa.dl
C:\WINDOWS\voko.dl

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-18 06:13 . 2008-07-18 06:13 <DIR> d-------- C:\WINDOWS\Sun
2008-07-18 06:09 . 2008-07-18 06:09 <DIR> d-------- C:\Program Files\Java
2008-07-18 06:09 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-18 06:07 . 2008-07-18 06:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-16 06:02 . 2008-07-16 06:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\JohnL\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 05:26 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-22 19:15 . 2008-06-22 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-22 19:15 . 2005-02-09 12:59 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 09:26 --------- d-----w C:\Program Files\JoshMadison
2008-06-01 00:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 21:14 --------- d-----w C:\Program Files\Snapshot Viewer
2008-05-31 21:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-31 21:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Microsoft Web Folders
2008-05-27 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\IDMComp
2008-05-27 23:37 --------- d-----w C:\Program Files\IDM Computer Solutions
2008-05-27 23:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-05-26 23:43 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-05-26 23:43 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-26 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Share-to-Web Upload Folder
2008-05-26 23:41 --------- d-----w C:\Program Files\HP Photosmart 11
2008-05-26 23:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Remind-Me
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\GrebleSoft
2008-05-25 11:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\FastStone
2008-05-25 10:58 --------- d-----w C:\Program Files\Red Chair Software
2008-05-25 10:58 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Red Chair Software
2008-05-24 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-24 21:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 21:34 --------- d-----w C:\Program Files\Realtek
2008-05-24 21:33 --------- d-----w C:\Program Files\Marvell
2008-05-24 21:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-24 21:31 --------- d-----w C:\Program Files\Intel
.

((((((((((((((((((((((((((((( snapshot@2008-07-17_17.34.31.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 00:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-12 00:43 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-04 16:03 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-04-04 16:01 335872]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 16:04 49152]
"Share-to-Web Namespace Daemon"="D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 23:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-08-12 00:43 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\JohnL\Start Menu\Programs\Startup\
Anapod Manager.lnk - D:\Red Chair Software\Anapod Explorer\anamgr.exe [2008-05-25 06:58:13 1076276]
Billminder.lnk - D:\Qucken\BILLMIND.EXE [2008-05-25 06:41:19 36864]
Quicken Startup.lnk - D:\Qucken\QWDLLS.EXE [2008-05-25 06:41:31 36864]
RemindMe.lnk - D:\Remind-Me\RemindMe.exe [2007-03-05 20:31:50 467456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2008-05-31 17:59:07 43520]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-31 20:27:37 113664]
Microsoft Office.lnk - D:\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 18:46:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-18 18:46:17
ComboFix-quarantined-files.txt 2008-07-18 22:46:15
ComboFix2.txt 2008-07-18 10:00:22
ComboFix3.txt 2008-07-17 21:34:44

Pre-Run: 14,992,404,480 bytes free
Post-Run: 15,028,224,000 bytes free

122
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm

Re: XP SecurityCenter

Unread postby Katana » July 19th, 2008, 5:36 am

That looks fine; how are things running now?

Please post a fresh HJT log in your reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: XP SecurityCenter

Unread postby johnl » July 19th, 2008, 6:31 am

Running fine.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:36 AM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Qucken\QWDLLS.EXE
D:\Remind-Me\RemindMe.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
D:\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Startup: Anapod Manager.lnk = D:\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: Billminder.lnk = D:\Qucken\BILLMIND.EXE
O4 - Startup: Quicken Startup.lnk = D:\Qucken\QWDLLS.EXE
O4 - Startup: RemindMe.lnk = D:\Remind-Me\RemindMe.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D83D16DC-A4A0-4A08-BD62-82214EF1FB23}: NameServer = 151.202.0.85,151.203.0.85
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 3680 bytes
johnl
Active Member
 
Posts: 9
Joined: July 12th, 2008, 5:02 pm