Things are running much better: the XP SecurityCenter icon is gone and the standard MS Security Center icon is back.
ComboFix 08-07-15.4 - JohnL 2008-07-18 5:59:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1712 [GMT -4:00]
Running from: C:\Documents and Settings\JohnL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JohnL\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\egihajorar.com
C:\Documents and Settings\All Users\Application Data\huxuz.dat
C:\Documents and Settings\All Users\Application Data\lytamax.dll
C:\Documents and Settings\All Users\Application Data\myholezaca.bin
C:\Documents and Settings\All Users\Application Data\wohe.pif
C:\Documents and Settings\JohnL\Application Data\avopepahaq.pif
C:\Documents and Settings\JohnL\Application Data\okenurexa.exe
C:\Documents and Settings\JohnL\Application Data\ysyse.scr
C:\Program Files\Common Files\amywa.ban
C:\Program Files\Common Files\dyvofodyz.db
C:\Program Files\Common Files\gexebopuri.inf
C:\Program Files\Common Files\guxeb.bin
C:\Program Files\Common Files\qajidaxyfu.sys
C:\Program Files\Common Files\socuxamyno.exe
C:\Program Files\Common Files\tuzysuwov.pif
C:\Program Files\Common Files\zucu.pif
C:\WINDOWS\apelasevo.sys
C:\WINDOWS\bylymeri.com
C:\WINDOWS\exolyxigi.dl
C:\WINDOWS\ivikuq.lib
C:\WINDOWS\maweg.lib
C:\WINDOWS\nocufexy.com
C:\WINDOWS\oqepilu.dll
C:\WINDOWS\owajyf.bat
C:\WINDOWS\remamanefa.com
C:\WINDOWS\system32\batys.bin
C:\WINDOWS\system32\cadyf.dl
C:\WINDOWS\system32\citexuz.bat
C:\WINDOWS\system32\dacyhexiko._sy
C:\WINDOWS\system32\hoze.dll
C:\WINDOWS\system32\inune.scr
C:\WINDOWS\system32\ocybujupe.ban
C:\WINDOWS\system32\sefesaman.sys
C:\WINDOWS\system32\tucyqo.scr
C:\WINDOWS\system32\uterecavy.scr
C:\WINDOWS\system32\xace.lib
C:\WINDOWS\tucaja.lib
C:\WINDOWS\ykijih.vbs
.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.
2008-07-16 06:02 . 2008-07-16 06:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\JohnL\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-16 05:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 05:26 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-16 05:26 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-03 15:54 . 2008-07-03 15:54 19,890 --a------ C:\WINDOWS\erypy.dat
2008-07-03 15:54 . 2008-07-03 15:54 18,651 --a------ C:\WINDOWS\voko.dl
2008-07-03 15:54 . 2008-07-03 15:54 17,756 --a------ C:\WINDOWS\ipigufidyl.db
2008-07-03 15:54 . 2008-07-03 15:54 12,348 --a------ C:\WINDOWS\system32\tijuxa.dl
2008-06-22 19:15 . 2008-06-22 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-22 19:15 . 2005-02-09 12:59 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 09:26 --------- d-----w C:\Program Files\JoshMadison
2008-06-01 00:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 21:14 --------- d-----w C:\Program Files\Snapshot Viewer
2008-05-31 21:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-31 21:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Microsoft Web Folders
2008-05-27 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\IDMComp
2008-05-27 23:37 --------- d-----w C:\Program Files\IDM Computer Solutions
2008-05-27 23:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-05-26 23:43 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-05-26 23:43 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-26 23:43 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Share-to-Web Upload Folder
2008-05-26 23:41 --------- d-----w C:\Program Files\HP Photosmart 11
2008-05-26 23:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Remind-Me
2008-05-25 11:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\GrebleSoft
2008-05-25 11:13 --------- d-----w C:\Documents and Settings\JohnL\Application Data\FastStone
2008-05-25 10:58 --------- d-----w C:\Program Files\Red Chair Software
2008-05-25 10:58 --------- d-----w C:\Documents and Settings\JohnL\Application Data\Red Chair Software
2008-05-24 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-24 21:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 21:34 --------- d-----w C:\Program Files\Realtek
2008-05-24 21:33 --------- d-----w C:\Program Files\Marvell
2008-05-24 21:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-24 21:31 --------- d-----w C:\Program Files\Intel
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 00:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-12 00:43 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-04 16:03 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-04-04 16:01 335872]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 16:04 49152]
"Share-to-Web Namespace Daemon"="D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 23:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-08-12 00:43 1519616 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\JohnL\Start Menu\Programs\Startup\
Anapod Manager.lnk - D:\Red Chair Software\Anapod Explorer\anamgr.exe [2008-05-25 06:58:13 1076276]
Billminder.lnk - D:\Qucken\BILLMIND.EXE [2008-05-25 06:41:19 36864]
Quicken Startup.lnk - D:\Qucken\QWDLLS.EXE [2008-05-25 06:41:31 36864]
RemindMe.lnk - D:\Remind-Me\RemindMe.exe [2007-03-05 20:31:50 467456]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2008-05-31 17:59:07 43520]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-31 20:27:37 113664]
Microsoft Office.lnk - D:\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-07-18 06:00:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-18 6:00:21
ComboFix-quarantined-files.txt 2008-07-18 10:00:19
ComboFix2.txt 2008-07-17 21:34:44
Pre-Run: 15,177,850,880 bytes free
Post-Run: 15,168,176,128 bytes free
141
*********************************
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 10:27:49
Records in database: 968157
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
B:\
C:\
D:\
E:\
F:\
G:\
Scan statistics:
Files scanned: 37328
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:44:29
File name / Threat name / Threats count
E:\BackUp\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe Infected: Trojan.Win32.Monder.gen 1
E:\Downloads\New\Symantec Norton Ghost 14.0.0.24815 incl.Serial\Norton Ghost v14_En.exe Infected: Trojan.Win32.Monder.gen 1
The selected area was scanned.
****************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:57 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Qucken\QWDLLS.EXE
D:\Remind-Me\RemindMe.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Startup: Anapod Manager.lnk = D:\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: Billminder.lnk = D:\Qucken\BILLMIND.EXE
O4 - Startup: Quicken Startup.lnk = D:\Qucken\QWDLLS.EXE
O4 - Startup: RemindMe.lnk = D:\Remind-Me\RemindMe.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D83D16DC-A4A0-4A08-BD62-82214EF1FB23}: NameServer = 151.202.0.85,151.203.0.85
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
--
End of file - 3572 bytes