Malwarebytes

Antivirus XP 2008 Can't remove

14 replies to this topic

#1
coljim

    New Member

  • Members
  • 7 posts
I have run Malwarebytes several times and it shows the Antivirus XP 2008 files but does not remove them on the reboot. Here is the log file:

Malwarebytes' Anti-Malware 1.24
Database version: 1028
Windows 5.1.2600 Service Pack 2

9:17:54 AM 8/6/2008
mbam-log-8-6-2008 (09-17-54).txt

Scan type: Quick Scan
Objects scanned: 43721
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 5
Registry Keys Infected: 6
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 22

Memory Processes Infected:
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\WINDOWS\system32\pphcepfj0eg1t.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\rhcapfj0eg1t\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhcapfj0eg1t\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhcapfj0eg1t\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhcapfj0eg1t\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\blphcepfj0eg1t.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcepfj0eg1t (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\rhcapfj0eg1t\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcapfj0eg1t\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcepfj0eg1t.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcepfj0eg1t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcepfj0eg1t.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcepfj0eg1t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\j.collins\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

#2
1972vet

    Elite Member

  • Moderators
  • 1,158 posts
  • Gender:Male
  • Interests:Computer security/malware
    World history
    Law enforcement
Greetings coljim and Welcome to the Forums,

May we see the HijackThis log and Panda scan results please?

#3
coljim

    New Member

  • Members
  • 7 posts

1972vet, on Aug 6 2008, 09:06 PM, said:

Greetings coljim and Welcome to the Forums,

May we see the HijackThis log and Panda scan results please?

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:07 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\CutWorks\CutWorksLog.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fwvapwbw.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\qrktyzod.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lectra....proxy/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [LANDeskCustomData] "C:\Program Files\LANDesk\LDClient\ldcstm32.exe" /s
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [lphcepfj0eg1t] C:\WINDOWS\system32\lphcepfj0eg1t.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DscUtilEn] C:\WINDOWS\system32\fwvapwbw.exe
O4 - HKCU\..\Run: [hlpcom] C:\WINDOWS\system32\ejylczkh.exe
O4 - HKCU\..\Run: [MsgShSrv] C:\WINDOWS\system32\hazsfuvg.exe
O4 - HKCU\..\Run: [HlpAct] C:\WINDOWS\system32\lopezufg.exe
O4 - HKCU\..\Run: [cfgchk] C:\WINDOWS\system32\qjahcdef.exe
O4 - HKCU\..\Run: [smartchk] C:\WINDOWS\system32\nwhkhkls.exe
O4 - HKCU\..\Run: [webapp] C:\WINDOWS\system32\folinyta.exe
O4 - HKCU\..\Run: [ProcEn] C:\WINDOWS\system32\pexinots.exe
O4 - HKCU\..\Run: [AplUi] C:\WINDOWS\system32\rmludode.exe
O4 - HKCU\..\Run: [gencmdmnt] C:\WINDOWS\system32\cfwrkled.exe
O4 - HKLM\..\Policies\Explorer\Run: [wjojIyJ1lg] C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://sbeupowb.eu.lectra.com
O15 - Trusted Zone: http://sbeupowb.eu.lectra.com (HKLM)
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://gateway-america.lectra.com/CitrixSe...AWEB/icaweb.cab
O16 - DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} (CCAOControl Object) - https://gateway-america.lectra.com/CitrixLo...t/EPAClient.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.lectra.com
O17 - HKLM\Software\..\Telephony: DomainName = am.lectra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.lectra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = am.lectra.com
O21 - SSODL: shmoncmd - {11EBA674-1CB0-F84F-2F91-099CEC9EC0D0} - C:\Program Files\ivodhcc\shmoncmd.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: CutWorksLog - Gerber® Technology, Inc. - C:\Program Files\CutWorks\CutWorksLog.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

--
End of file - 9940 bytes
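
The opening post says Malwarebytes lists the Antivirus XP 2008 files but they are back after the reboot, and the two logs above let you check that mechanically: anything Malwarebytes could only schedule for "Delete on reboot", and anything it reported removed that the HijackThis log taken a day later still shows as a running process or a Run-key autorun, points at a component that survived or was re-dropped. The Python script below is an added example written for this page, not code from the thread or from Malwarebytes; the embedded sample text is a trimmed copy of the two logs posted above, and the parsing rules (one Malwarebytes entry per line in the form `item (family) -> action`, HijackThis `O4` autorun lines) and the matching heuristics are my own assumptions about the log formats.

```python
"""Cross-check an MBAM log against a later HijackThis log; added example, not Malwarebytes' code."""
import re
from dataclasses import dataclass

# Constructed sample input: trimmed copy of the MBAM log posted in #1.
MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\blphcepfj0eg1t.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcepfj0eg1t (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lphcepfj0eg1t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcepfj0eg1t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
# Constructed sample input: trimmed copy of the HijackThis log posted in #3, a day later.
HJT_LOG = r"""
Running processes:
C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
C:\WINDOWS\system32\fwvapwbw.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [lphcepfj0eg1t] C:\WINDOWS\system32\lphcepfj0eg1t.exe
O4 - HKCU\..\Run: [DscUtilEn] C:\WINDOWS\system32\fwvapwbw.exe
O4 - HKLM\..\Policies\Explorer\Run: [wjojIyJ1lg] C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
"""

MBAM_ENTRY = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")
HJT_AUTORUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
HJT_TARGET = re.compile(r'^"?(?P<path>[^"]+?)"?(?:\s+/.*)?$')  # drop quotes and " /args"

@dataclass(frozen=True)
class MbamItem:
    section: str  # e.g. "Files Infected"
    item: str     # file path, or registry key/value
    family: str   # detection name, e.g. Trojan.FakeAlert
    action: str   # what MBAM did, e.g. "Delete on reboot"

def parse_mbam(text):
    """One entry per line: 'item (family) -> action.'; section headers end with ':'."""
    items, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " -> " not in line:
            section = line.rstrip(":")
            continue
        head, *rest = line.split(" -> ")  # data items add a "Bad/Good" segment first
        if m := MBAM_ENTRY.match(head):
            items.append(MbamItem(section, m["item"], m["family"], rest[-1].rstrip(".")))
    return items

def parse_hjt(text):
    """Return running processes (lower-cased) and O4 autoruns as (key, name, path)."""
    processes, autoruns, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.add(line.lower())
        elif m := HJT_AUTORUN.match(line):
            t = HJT_TARGET.match(m["target"])
            autoruns.append((m["hive"] + "\\" + m["key"], m["name"], t["path"] if t else m["target"]))
    return {"processes": processes, "autoruns": autoruns}

def deferred_to_reboot(items):
    """Entries MBAM could not remove while running (file in use) and queued for reboot."""
    return [i.item for i in items if i.action.lower() == "delete on reboot"]

def reappearing_paths(items, hjt):
    """Files MBAM reported on that the later HJT scan still shows running or autostarting."""
    seen = hjt["processes"] | {p.lower() for _, _, p in hjt["autoruns"]}
    return sorted({i.item.lower() for i in items if not i.item.upper().startswith("HKEY_")} & seen)

def reappearing_run_values(items, hjt):
    """Run-key value names MBAM deleted that the HJT O4 list shows again."""
    names = {n.lower() for _, n, _ in hjt["autoruns"]}
    deleted = {i.item.rsplit("\\", 1)[-1].lower() for i in items
               if i.section == "Registry Values Infected" and "\\run\\" in i.item.lower()}
    return sorted(deleted & names)

def report(mbam_text=MBAM_LOG, hjt_text=HJT_LOG):
    items, hjt = parse_mbam(mbam_text), parse_hjt(hjt_text)
    return {"deferred_to_reboot": deferred_to_reboot(items),
            "paths_back": reappearing_paths(items, hjt),
            "run_values_back": reappearing_run_values(items, hjt)}

if __name__ == "__main__":
    for check, hits in report().items():
        print(f"{check}: {hits or 'none'}")
```

Run against the full logs, the interesting output is not the matches alone but the autoruns that have no counterpart in the Malwarebytes log at all (the random eight-letter executables under system32 and the Policies\Explorer\Run entry in the HijackThis log): those are what a second scanner or a tool like ComboFix is being asked to deal with, and the "Delete on reboot" entry explains why the screensaver component was still present at the next scan.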

#4
1972vet

    Elite Member

  • Moderators
  • 1,158 posts
  • Gender:Male
  • Interests:Computer security/malware
    World history
    Law enforcement
OK...did you not see that I also asked for the Panda scan log?

#5
coljim

    New Member

  • Members
  • 7 posts

1972vet, on Aug 7 2008, 10:54 PM, said:

OK...did you not see that I also asked for the Panda scan log?

Here is the PandaScan:

;*******************************************************************************
ANALYSIS: 2008-08-08 11:17:11
PROTECTIONS: 0
MALWARE: 13
SUSPECTS: 4
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00145792 Cookie/SexList TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@sexlist[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\Cookies\j.collins@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\Cookies\j.collins@xiti[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@toplist[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@burstnet[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@www.burstbeacon[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\Cookies\j.collins@ads.pointroll[2].txt
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@xxxcounter[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@searchportal.information[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\j.collins\Cookies\j.collins@atwola[2].txt
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\j.collins\Local Settings\Temp\.tt12.tmp
03408118 Application/AntivirusXP2008 HackTools No 0 Yes No C:\WINDOWS\system32\pphcepfj0eg1t.exe
;===============================================================================
SUSPECTS
Sent Location !
;===============================================================================
No C:\WINDOWS\system32\lphcepfj0eg1t.exe !
No c:\windows\system32\lphcepfj0eg1t.exe !
No C:\WINDOWS\system32\qpoxypyn.exe !
No C:\WINDOWS\system32\lphcepfj0eg1t.exe !
;===============================================================================
VULNERABILITIES
Id Severity Description !
;===============================================================================
184380 MEDIUM MS08-002 !
184379 MEDIUM MS08-001 !
182048 HIGH MS07-069 !
182046 HIGH MS07-067 !
182043 HIGH MS07-064 !
179553 HIGH MS07-061 !
176382 HIGH MS07-057 !
176383 HIGH MS07-058 !
170911 HIGH MS07-050 !
170907 HIGH MS07-046 !
170906 HIGH MS07-045 !
170904 HIGH MS07-043 !
164915 HIGH MS07-035 !
164913 HIGH MS07-033 !
164911 HIGH MS07-031 !
160623 HIGH MS07-027 !
157262 HIGH MS07-022 !
157261 HIGH MS07-021 !
157260 HIGH MS07-020 !
157259 HIGH MS07-019 !
156477 HIGH MS07-017 !
150253 HIGH MS07-016 !
150249 HIGH MS07-013 !
150248 HIGH MS07-012 !
150247 HIGH MS07-011 !
150243 HIGH MS07-008 !
150242 HIGH MS07-007 !
150241 MEDIUM MS07-006 !
141034 HIGH MS06-076 !
141033 MEDIUM MS06-075 !
141030 HIGH MS06-072 !
137571 HIGH MS06-070 !
137568 HIGH MS06-067 !
133387 MEDIUM MS06-065 !
133386 MEDIUM MS06-064 !
133385 MEDIUM MS06-063 !
133379 HIGH MS06-057 !
131654 HIGH MS06-055 !
129977 MEDIUM MS06-053 !
129976 MEDIUM MS06-052 !
126093 HIGH MS06-051 !
126092 MEDIUM MS06-050 !
126087 HIGH MS06-046 !
126086 MEDIUM MS06-045 !
126083 HIGH MS06-042 !
126082 HIGH MS06-041 !
126081 HIGH MS06-040 !
123421 HIGH MS06-036 !
123420 HIGH MS06-035 !
120825 MEDIUM MS06-032 !
120823 MEDIUM MS06-030 !
120818 HIGH MS06-025 !
120815 HIGH MS06-022 !
120814 HIGH MS06-021 !
117384 MEDIUM MS06-018 !
114666 HIGH MS06-015 !
114664 HIGH MS06-013 !
96574 HIGH MS05-053 !
93395 HIGH MS05-051 !
93454 MEDIUM MS05-049 !
;===============================================================================

#6
1972vet

    Elite Member

  • Moderators
  • 1,158 posts
  • Gender:Male
  • Interests:Computer security/malware
    World history
    Law enforcement
Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.


#7
coljim

    New Member

  • Members
  • 7 posts

1972vet, on Aug 8 2008, 11:31 PM, said:

Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.


Sorry for the delay; here are the new ComboFix and HijackThis logs:
ComboFix 08-08-17.03 - j.collins 2008-08-17 19:04:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT -4:00]
Running from: C:\Documents and Settings\j.collins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\j.collins\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t
C:\Documents and Settings\j.collins\Cookies\j.collins@careers.vurvexpress[2].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@edge.ru4[2].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@insightexpressai[2].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@live[1].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@revsci[2].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@tracking.dsmmadvantage[1].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@weatherbug[2].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@webbanking.comerica[1].txt
C:\Documents and Settings\j.collins\Cookies\j.collins@www35.vzw[2].txt
C:\Documents and Settings\j.collins\UserData
C:\Documents and Settings\j.collins\UserData\9JFJ9P8E\k[1].xml
C:\Documents and Settings\j.collins\UserData\index.dat
C:\Documents and Settings\j.collins\UserData\U9PY7MLS\cfTag_DivPersistentData[1].xml
C:\Documents and Settings\j.collins\UserData\VQ0JB545\dmtstore[1].xml
C:\WINDOWS\system32\blphcepfj0eg1t.scr
C:\WINDOWS\system32\lphcepfj0eg1t.exe
C:\WINDOWS\system32\phcepfj0eg1t.bmp
C:\WINDOWS\system32\pphcepfj0eg1t.exe
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2100-04-01 17:22 . 2008-06-24 14:37 194 --a------ C:\WINDOWS\X83_DS.ini
2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI
2008-08-17 19:09 . 2008-08-17 19:09 <DIR> d-------- C:\Program Files\rhcapfj0eg1t
2008-08-17 19:08 . 2008-08-17 19:08 118,784 --a------ C:\WINDOWS\system32\blphcepfj0eg1t.scr
2008-08-17 19:08 . 2008-08-17 19:08 98,304 --a------ C:\WINDOWS\system32\rqnqdmfa.exe
2008-08-15 07:33 . 2008-08-15 07:33 <DIR> d-------- C:\WINDOWS\Common
2008-08-10 07:45 . 2008-08-10 07:45 23,040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-08-10 07:45 . 2008-08-17 18:55 15,328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-08-08 10:47 . 2008-08-08 10:47 <DIR> d-------- C:\Program Files\Panda Security
2008-08-08 10:47 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-07 16:16 . 2008-08-08 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-08-07 16:16 . 2005-11-21 18:22 27,006 --a------ C:\WINDOWS\system32\pavas.ico
2008-08-07 16:16 . 2005-07-29 13:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-08-07 16:16 . 2005-07-29 13:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-08-06 12:35 . 2008-08-06 12:35 <DIR> d-------- C:\!KillBox
2008-08-06 12:28 . 2008-08-06 12:28 133,632 --a------ C:\WINDOWS\system32\qpoxypyn.exe
2008-08-06 12:28 . 2008-08-06 12:28 86,016 --a------ C:\WINDOWS\system32\ofaxwrmt.exe
2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-05 15:18 . 2008-08-05 15:18 <DIR> d-------- C:\Program Files\ivodhcc
2008-08-05 15:17 . 2008-08-05 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dgpyvybq
2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Malwarebytes
2008-08-04 10:45 . 2008-08-06 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 10:45 . 2008-08-04 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 10:45 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-04 10:45 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 09:52 . 2008-08-04 09:52 <DIR> d-------- C:\Program Files\IObit
2008-08-04 08:24 . 2008-08-12 21:07 0 --a------ C:\WINDOWS\system32\drivers\51f79f4e.sys
2008-08-01 16:44 . 2008-08-01 16:44 <DIR> d-------- C:\Program Files\Sun
2008-08-01 16:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-01 15:22 . 2008-07-24 09:37 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-07-31 15:55 . 2008-08-01 13:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 15:54 . 2008-08-05 16:00 <DIR> d-------- C:\Program Files\Google
2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Netscape
2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Citrix
2008-07-28 15:27 . 2008-08-04 09:50 11 --a------ C:\WINDOWS\system32\uninstall.mybho
2008-07-28 14:42 . 2008-07-28 14:43 144 --ahs---- C:\WINDOWS\system32\2013847430.dat
2008-07-28 11:11 . 2008-07-28 11:12 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\webex
2008-07-28 11:05 . 2008-07-30 14:24 <DIR> d-------- C:\Program Files\WebEx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 16:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-08-07 20:43 --------- d-----w C:\Program Files\MyApp
2008-08-07 20:06 --------- d-----w C:\Program Files\Trend Micro
2008-08-05 23:12 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-08-01 20:43 --------- d-----w C:\Program Files\Java
2008-07-16 16:12 --------- d-----w C:\Program Files\CutWorks
2008-07-13 15:32 --------- d-----w C:\Program Files\CutWorks Designer 5.0
2008-07-13 15:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 15:20 --------- d-----w C:\Program Files\WexTech
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\WexTech Shared
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\LHSPF
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-13 15:18 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-12 13:55 --------- d-----w C:\Program Files\MSECache
2008-06-24 18:43 --------- d-----w C:\Documents and Settings\j.collins\Application Data\PDFCreator
2008-06-24 18:39 --------- d-----w C:\Documents and Settings\j.collins\Application Data\AdobeUM
2008-06-24 18:38 --------- d-----w C:\Program Files\LexmarkX83
2008-06-24 15:10 --------- d-----w C:\Program Files\Lexmark
2008-06-24 15:05 --------- d-----w C:\Program Files\Citrix
2008-06-24 15:05 --------- d-----w C:\Documents and Settings\j.collins\Application Data\ICAClient
2008-06-24 14:46 --------- d-----w C:\Documents and Settings\j.collins\Application Data\Smith Micro
2008-06-24 14:41 --------- d-----w C:\Program Files\Verizon Wireless
2008-06-24 14:41 --------- d-----w C:\Program Files\PANTECH
2008-06-23 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\LANDesk
2008-06-23 20:05 --------- d-----w C:\Program Files\LANDesk
.

------- Sigcheck -------

md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 04:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"AppCmd"="C:\WINDOWS\system32\rqnqdmfa.exe" [2008-08-17 19:08 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 15:35 172094]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 19:51 1187840]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 04:11 925696]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 08:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 08:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 06:20 122940]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 11:49 454656]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59 184320]
"LANDeskCustomData"="C:\Program Files\LANDesk\LDClient\ldcstm32.exe" [2007-11-29 23:23 299008]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 14:20 36864]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]
"SMrhcapfj0eg1t"="C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe" [2008-08-17 11:10 790528]
"mntsys"="C:\WINDOWS\Common\nwtkpsfi.exe" [2008-08-15 07:33 53248]
"MsmqIntCert"="mqrt.dll" [2004-08-04 04:00 177152 C:\WINDOWS\system32\mqrt.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 16:00 88203 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"wjojIyJ1lg"="C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe" [2008-08-05 15:17 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 15:25:02 581693]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-11-03 17:47:31 184320]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-11-08 18:33:12 233744]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-03 10:52:21 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"HideShutdownScripts"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"shmoncmd"= {11EBA674-1CB0-F84F-2F91-099CEC9EC0D0} - C:\Program Files\ivodhcc\shmoncmd.dll [2008-08-05 15:18 110592]
"NlEyWWuXE"= {7808DF87-D2A2-752D-0120-6ABE859A7295} - C:\WINDOWS\system32\krpd.dll [2004-08-04 04:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-06-19 14:01 24669 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=RemAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]
"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=add_dom_users.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\WINDOWS\\system32\\sysrest32.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-07-24 09:37]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2005-01-17 18:51]
R2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 22:58]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-11-29 21:32]
R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2005-06-19 14:01]
R2 CutWorksLog;CutWorksLog;C:\Program Files\CutWorks\CutWorksLog.exe [2004-09-10 11:49]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2007-11-29 23:37]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 09:35]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2005-06-19 14:00]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-06-19 14:00]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-06-19 14:00]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 13:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 07:19]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2007-05-30 10:23]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2007-05-30 10:23]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2007-05-30 10:23]
S1 51f79f4e;51f79f4e;C:\WINDOWS\system32\drivers\51f79f4e.sys [2008-08-12 21:07]
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 06:45]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 06:45]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 06:45]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 20:30]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DscUtilEn - C:\WINDOWS\system32\fwvapwbw.exe
HKCU-Run-hlpcom - C:\WINDOWS\system32\ejylczkh.exe
HKCU-Run-MsgShSrv - C:\WINDOWS\system32\hazsfuvg.exe
HKCU-Run-HlpAct - C:\WINDOWS\system32\lopezufg.exe
HKCU-Run-cfgchk - C:\WINDOWS\system32\qjahcdef.exe
HKCU-Run-smartchk - C:\WINDOWS\system32\nwhkhkls.exe
HKCU-Run-webapp - C:\WINDOWS\system32\folinyta.exe
HKCU-Run-ProcEn - C:\WINDOWS\system32\pexinots.exe
HKCU-Run-AplUi - C:\WINDOWS\system32\rmludode.exe
HKCU-Run-gencmdmnt - C:\WINDOWS\system32\cfwrkled.exe
HKLM-Run-lphcepfj0eg1t - C:\WINDOWS\system32\lphcepfj0eg1t.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/ig?hl=en&source=iglk
R0 -: HKCU-Main,Default_Search_URL =
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://gateway-america.lectra.com/CitrixLogonPoint/LectraExt/EPAClient/EPAClient.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 19:08:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????Z????g????|?????? ??4B??????????????hB? ????Z?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Qoobox\Quarantine\C\WINDOWS\system32\lphcepfj0eg1t.exe.vir
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\pphcepfj0eg1t.exe
.
**************************************************************************
.
Completion time: 2008-08-17 19:10:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-17 23:10:46

Pre-Run: 39,328,010,240 bytes free
Post-Run: 39,801,323,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

291

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:13, on 2008-08-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\CutWorks\CutWorksLog.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\Common\nwtkpsfi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\Common\nwtkpsfi.exe
C:\WINDOWS\system32\xedubglg.exe
C:\WINDOWS\system32\rqnqdmfa.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe
C:\WINDOWS\system32\pphcepfj0eg1t.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lectra....proxy/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [LANDeskCustomData] "C:\Program Files\LANDesk\LDClient\ldcstm32.exe" /s
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [SMrhcapfj0eg1t] C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe
O4 - HKLM\..\Run: [mntsys] C:\WINDOWS\Common\nwtkpsfi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AppCmd] C:\WINDOWS\system32\rqnqdmfa.exe
O4 - HKLM\..\Policies\Explorer\Run: [wjojIyJ1lg] C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://sbeupowb.eu.lectra.com
O15 - Trusted Zone: http://sbeupowb.eu.lectra.com (HKLM)
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://gateway-america.lectra.com/CitrixSe...AWEB/icaweb.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} (CCAOControl Object) - https://gateway-america.lectra.com/CitrixLo...t/EPAClient.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.lectra.com
O17 - HKLM\Software\..\Telephony: DomainName = am.lectra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.lectra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = am.lectra.com
O21 - SSODL: shmoncmd - {11EBA674-1CB0-F84F-2F91-099CEC9EC0D0} - C:\Program Files\ivodhcc\shmoncmd.dll
O21 - SSODL: NlEyWWuXE - {7808DF87-D2A2-752D-0120-6ABE859A7295} - C:\WINDOWS\system32\krpd.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: CutWorksLog - Gerber® Technology, Inc. - C:\Program Files\CutWorks\CutWorksLog.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

--
End of file - 9932 bytes

#8
1972vet

    Elite Member

  • Moderators

Click start-->run...then type notepad.exe and click "OK" or hit your enter key.

Copy/paste the below text in Bold into the blank notepad:


File::
C:\WINDOWS\system32\blphcepfj0eg1t.scr
C:\WINDOWS\system32\rqnqdmfa.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\qpoxypyn.exe
C:\WINDOWS\system32\ofaxwrmt.exe
C:\WINDOWS\system32\drivers\51f79f4e.sys
C:\WINDOWS\system32\2013847430.dat
C:\WINDOWS\system32\pphcepfj0eg1t.exe
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe
C:\WINDOWS\Common\nwtkpsfi.exe
C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
C:\Program Files\ivodhcc\shmoncmd.dll
C:\WINDOWS\system32\krpd.dll



Folder::
C:\Program Files\ivodhcc
C:\Documents and Settings\All Users\Application Data\dgpyvybq
C:\Program Files\rhcapfj0eg1t


Driver::
sysrest
51f79f4e


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppCmd"=-
"SMrhcapfj0eg1t"=-
"mntsys"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"wjojIyJ1lg"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"shmoncmd"=-
"NlEyWWuXE"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\sysrest32.exe"=-


FileLook::
C:\WINDOWS\system32\uninstall.mybho


DirLook::
C:\WINDOWS\Common


Save this as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop.

Now drag the text document over to your ComboFix.exe.

ComboFix will run again automatically. Please post back the new log that will be generated. Thanks!


Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#9
coljim

    New Member

  • Members

1972vet, on Aug 18 2008, 01:30 PM, said:

Click start-->run...then type notepad.exe and click "OK" or hit your enter key.

Copy/paste the below text in Bold into the blank notepad:


File::
C:\WINDOWS\system32\blphcepfj0eg1t.scr
C:\WINDOWS\system32\rqnqdmfa.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\qpoxypyn.exe
C:\WINDOWS\system32\ofaxwrmt.exe
C:\WINDOWS\system32\drivers\51f79f4e.sys
C:\WINDOWS\system32\2013847430.dat
C:\WINDOWS\system32\pphcepfj0eg1t.exe
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe
C:\WINDOWS\Common\nwtkpsfi.exe
C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
C:\Program Files\ivodhcc\shmoncmd.dll
C:\WINDOWS\system32\krpd.dll



Folder::
C:\Program Files\ivodhcc
C:\Documents and Settings\All Users\Application Data\dgpyvybq
C:\Program Files\rhcapfj0eg1t


Driver::
sysrest
51f79f4e


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppCmd"=-
"SMrhcapfj0eg1t"=-
"mntsys"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"wjojIyJ1lg"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"shmoncmd"=-
"NlEyWWuXE"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\sysrest32.exe"=-


FileLook::
C:\WINDOWS\system32\uninstall.mybho


DirLook::
C:\WINDOWS\Common


Save this as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop.

Now drag the text document over to your ComboFix.exe.

ComboFix will run again automatically. Please post back the new log that will be generated. Thanks!


Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Here is the latest ComboFix log after running the txt file.

ComboFix 08-08-17.03 - j.collins 2008-08-18 16:30:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.268 [GMT -4:00]
Running from: C:\Documents and Settings\j.collins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\j.collins\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
C:\Program Files\ivodhcc\shmoncmd.dll
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe
C:\WINDOWS\Common\nwtkpsfi.exe
C:\WINDOWS\system32\2013847430.dat
C:\WINDOWS\system32\blphcepfj0eg1t.scr
C:\WINDOWS\system32\drivers\51f79f4e.sys
C:\WINDOWS\system32\krpd.dll
C:\WINDOWS\system32\ofaxwrmt.exe
C:\WINDOWS\system32\pphcepfj0eg1t.exe
C:\WINDOWS\system32\qpoxypyn.exe
C:\WINDOWS\system32\rqnqdmfa.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\dgpyvybq
C:\Documents and Settings\All Users\Application Data\dgpyvybq\vujylwhm.exe
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\j.collins\Application Data\rhcapfj0eg1t
C:\Documents and Settings\j.collins\Cookies\j.collins@www35.vzw[1].txt
C:\Documents and Settings\j.collins\UserData
C:\Documents and Settings\j.collins\UserData\6NGN3CX0\dmtstore[1].xml
C:\Documents and Settings\j.collins\UserData\index.dat
C:\Program Files\ivodhcc
C:\Program Files\ivodhcc\shmoncmd.dll
C:\Program Files\rhcapfj0eg1t
C:\Program Files\rhcapfj0eg1t\database.dat
C:\Program Files\rhcapfj0eg1t\license.txt
C:\Program Files\rhcapfj0eg1t\MFC71.dll
C:\Program Files\rhcapfj0eg1t\MFC71ENU.DLL
C:\Program Files\rhcapfj0eg1t\msvcp71.dll
C:\Program Files\rhcapfj0eg1t\msvcr71.dll
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe
C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe.local
C:\Program Files\rhcapfj0eg1t\Uninstall.exe
C:\WINDOWS\Common\nwtkpsfi.exe
C:\WINDOWS\system32\2013847430.dat
C:\WINDOWS\system32\blphcepfj0eg1t.scr
C:\WINDOWS\system32\drivers\51f79f4e.sys
C:\WINDOWS\system32\krpd.dll
C:\WINDOWS\system32\ofaxwrmt.exe
C:\WINDOWS\system32\pphcepfj0eg1t.exe
C:\WINDOWS\system32\qpoxypyn.exe
C:\WINDOWS\system32\rqnqdmfa.exe
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_51f79f4e


((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2100-04-01 17:22 . 2008-08-18 11:03 194 --a------ C:\WINDOWS\X83_DS.ini
2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI
2008-08-18 08:28 . 2008-08-18 08:28 86,016 --a------ C:\WINDOWS\system32\tezmnyto.exe
2008-08-18 08:27 . 2008-08-18 08:27 194,560 --a------ C:\WINDOWS\system32\benuxits.exe
2008-08-15 07:33 . 2008-08-18 16:31 <DIR> d-------- C:\WINDOWS\Common
2008-08-08 10:47 . 2008-08-08 10:47 <DIR> d-------- C:\Program Files\Panda Security
2008-08-08 10:47 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-07 16:16 . 2008-08-08 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-08-07 16:16 . 2005-11-21 18:22 27,006 --a------ C:\WINDOWS\system32\pavas.ico
2008-08-07 16:16 . 2005-07-29 13:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-08-07 16:16 . 2005-07-29 13:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-08-06 12:35 . 2008-08-06 12:35 <DIR> d-------- C:\!KillBox
2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Malwarebytes
2008-08-04 10:45 . 2008-08-06 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 10:45 . 2008-08-04 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 10:45 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-04 10:45 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 09:52 . 2008-08-04 09:52 <DIR> d-------- C:\Program Files\IObit
2008-08-01 16:44 . 2008-08-01 16:44 <DIR> d-------- C:\Program Files\Sun
2008-08-01 16:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-01 15:22 . 2008-07-24 09:37 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-07-31 15:55 . 2008-08-01 13:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 15:54 . 2008-08-05 16:00 <DIR> d-------- C:\Program Files\Google
2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Netscape
2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Citrix
2008-07-28 15:27 . 2008-08-04 09:50 11 --a------ C:\WINDOWS\system32\uninstall.mybho
2008-07-28 11:11 . 2008-07-28 11:12 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\webex
2008-07-28 11:05 . 2008-07-30 14:24 <DIR> d-------- C:\Program Files\WebEx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-08-07 20:43 --------- d-----w C:\Program Files\MyApp
2008-08-07 20:06 --------- d-----w C:\Program Files\Trend Micro
2008-08-05 23:12 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-08-01 20:43 --------- d-----w C:\Program Files\Java
2008-07-16 16:12 --------- d-----w C:\Program Files\CutWorks
2008-07-13 15:32 --------- d-----w C:\Program Files\CutWorks Designer 5.0
2008-07-13 15:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 15:20 --------- d-----w C:\Program Files\WexTech
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\WexTech Shared
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\LHSPF
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-13 15:18 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-12 13:55 --------- d-----w C:\Program Files\MSECache
2008-06-24 18:43 --------- d-----w C:\Documents and Settings\j.collins\Application Data\PDFCreator
2008-06-24 18:39 --------- d-----w C:\Documents and Settings\j.collins\Application Data\AdobeUM
2008-06-24 18:38 --------- d-----w C:\Program Files\LexmarkX83
2008-06-24 15:10 --------- d-----w C:\Program Files\Lexmark
2008-06-24 15:05 --------- d-----w C:\Program Files\Citrix
2008-06-24 15:05 --------- d-----w C:\Documents and Settings\j.collins\Application Data\ICAClient
2008-06-24 14:46 --------- d-----w C:\Documents and Settings\j.collins\Application Data\Smith Micro
2008-06-24 14:41 --------- d-----w C:\Program Files\Verizon Wireless
2008-06-24 14:41 --------- d-----w C:\Program Files\PANTECH
2008-06-23 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\LANDesk
2008-06-23 20:05 --------- d-----w C:\Program Files\LANDesk
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\uninstall.mybho -- Not a PE file.
MD5: f9390a767e68e6f1619b63c785629f40

---- Directory of C:\WINDOWS\Common ----

2008-08-15 07:33 53248 --a------ C:\WINDOWS\Common\nwtkpsfi.exe


------- Sigcheck -------

2004-08-04 04:00 17408 f87bc2e69be15f6c36c86d3bc4ba20b3 C:\WINDOWS\system32\svchost.exe

2004-08-04 04:00 506368 a5425a5f2551d5c6b68bd38c23136654 C:\WINDOWS\system32\winlogon.exe

2004-08-04 04:00 1034752 0a38da2381e627af175788e6fa8deb5c C:\WINDOWS\explorer.exe

2004-08-04 04:00 110592 6620db49c57c5c20abd2482ad7fe8da9 C:\WINDOWS\system32\services.exe

2004-08-04 04:00 14848 09463bfd671d75844b71281f91f5967c C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 04:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 19:53 58880 df109a1298e62218fc20180baff39ade C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"CmdGenSys"="C:\WINDOWS\system32\tezmnyto.exe" [2008-08-18 08:28 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 15:35 172094]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 19:51 1187840]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 04:11 925696]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 08:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 08:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 06:20 122940]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 11:49 454656]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59 184320]
"LANDeskCustomData"="C:\Program Files\LANDesk\LDClient\ldcstm32.exe" [2007-11-29 23:23 299008]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 14:20 36864]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]
"MsmqIntCert"="mqrt.dll" [2004-08-04 04:00 177152 C:\WINDOWS\system32\mqrt.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 16:00 88203 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 15:25:02 581693]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-11-03 17:47:31 184320]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-11-08 18:33:12 233744]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-03 10:52:21 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"HideShutdownScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-06-19 14:01 24669 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=RemAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]
"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=add_dom_users.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-07-24 09:37]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2005-01-17 18:51]
R2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 22:58]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-11-29 21:32]
R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2005-06-19 14:01]
R2 CutWorksLog;CutWorksLog;C:\Program Files\CutWorks\CutWorksLog.exe [2004-09-10 11:49]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2007-11-29 23:37]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 09:35]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2005-06-19 14:00]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-06-19 14:00]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-06-19 14:00]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 13:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 07:19]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2007-05-30 10:23]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2007-05-30 10:23]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2007-05-30 10:23]
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 06:45]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 06:45]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 06:45]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 20:30]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SMrhcapfj0eg1t - C:\Program Files\rhcapfj0eg1t\rhcapfj0eg1t.exe
HKLM-Run-mntsys - C:\WINDOWS\Common\nwtkpsfi.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 16:36:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????Z????[????|?????? ??4B??????????????hB? ????Z?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-08-18 16:37:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 20:37:28
ComboFix2.txt 2008-08-17 23:10:53

Pre-Run: 39,484,944,384 bytes free
Post-Run: 39,744,614,400 bytes free


#10
1972vet
    Elite Member
  • Moderators
  • 1,158 posts
Please open another blank Notepad...Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::
C:\WINDOWS\system32\tezmnyto.exe
C:\WINDOWS\system32\benuxits.exe
C:\WINDOWS\system32\uninstall.mybho


Folder::
C:\WINDOWS\Common


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CmdGenSys"=-
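The CFScript above was built by hand from the ComboFix log in the previous post: two files appeared under system32 the morning of the log with eight-letter random names, one of them is the target of a new "CmdGenSys" value under HKCU\...\Run, and C:\WINDOWS\Common is a freshly created folder holding a third such binary. The Python script below is an added example for this thread, not code from the thread or from ComboFix, that automates that correlation over a constructed excerpt of the posted log and drafts the same three CFScript sections in the syntax shown above (File::, Folder::, Registry:: with "name"=- to delete a value). The "eight lowercase letters plus a three-letter extension" filename rule and the "new directory directly under C:\WINDOWS" rule are my assumptions fitted to this dropper's naming pattern, not general indicators, and uninstall.mybho is passed in as an analyst-chosen addition because no heuristic would catch an 11-byte non-PE file.

```python
"""Correlate a ComboFix log's "Files Created" list with its Run keys and
draft a CFScript. Added example for this thread, not ComboFix's own code."""
import re
from datetime import datetime, timedelta

# Constructed excerpt of the log posted earlier in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 08:28 . 2008-08-18 08:28 86,016 --a------ C:\WINDOWS\system32\tezmnyto.exe
2008-08-18 08:27 . 2008-08-18 08:27 194,560 --a------ C:\WINDOWS\system32\benuxits.exe
2008-08-15 07:33 . 2008-08-18 16:31 <DIR> d-------- C:\WINDOWS\Common
2008-08-04 10:45 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-28 15:27 . 2008-08-04 09:50 11 --a------ C:\WINDOWS\system32\uninstall.mybho
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"CmdGenSys"="C:\WINDOWS\system32\tezmnyto.exe" [2008-08-18 08:28 86016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]
"""

WINDOW_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ (<DIR>|[\d,]+) \S+ (.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
# Assumption fitted to this thread's dropper: eight random lowercase letters plus a 3-letter extension.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.[a-z]{3}$")
WINDIR = "c:\\windows\\"


def parse_log(text):
    """Return (window start, window end), {lower path: (path, created, is_dir)}, [(key, name, target)]."""
    window, created, run_values, key = None, {}, [], None
    for line in text.splitlines():
        m = WINDOW_RE.search(line)
        if m:
            start = datetime.strptime(m.group(1), "%Y-%m-%d")
            window = (start, datetime.strptime(m.group(2), "%Y-%m-%d") + timedelta(days=1))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(3)
            created[path.lower()] = (path, datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2) == "<DIR>")
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\currentversion\\run"):
            run_values.append((key, m.group(1), m.group(2)))
    return window, created, run_values


def triage(text):
    """Flag files, folders and Run values worth a CFScript entry (heuristics, see comments)."""
    (start, end), created, run_values = parse_log(text)
    files, folders, reg = [], [], []
    for low, (path, ts, is_dir) in created.items():
        if not (start <= ts < end and low.startswith(WINDIR)):
            continue
        name = low.rsplit("\\", 1)[-1]
        if is_dir and low.count("\\") == 2:
            folders.append(path)            # new directory directly under %WINDIR% (assumption)
        elif not is_dir and RANDOM_NAME_RE.match(name):
            files.append(path)              # random-named binary under %WINDIR% (assumption)
    for key, name, target in run_values:
        hit = created.get(target.lower())
        if hit and start <= hit[1] < end:   # autostart value pointing at a file created in the window
            reg.append((key, name))
            if hit[0] not in files:
                files.append(hit[0])
    return files, folders, reg


def build_cfscript(files, folders, reg, extra_files=()):
    """Emit File::/Folder::/Registry:: sections in the form shown in this thread ("name"=- deletes a value)."""
    lines = ["File::", *files, *extra_files, "", "Folder::", *folders, "", "Registry::"]
    by_key = {}
    for key, name in reg:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % n for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    # uninstall.mybho (11 bytes, not a PE) is an analyst call, not a heuristic hit.
    print(build_cfscript(*found, extra_files=["C:\\WINDOWS\\system32\\uninstall.mybho"]))
```

Run it against a saved ComboFix.txt and review every line it prints before saving the output as CFScript.txt and dragging it onto ComboFix: the tool deletes exactly what the script lists, so a heuristic hit on a legitimate vendor file (an eight-letter driver name, say) would be removed just as readily as the rogue's dropper.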


#11
coljim
    New Member
  • Members
  • 7 posts
Here you go. Thanks for your help!

ComboFix 08-08-18.05 - j.collins 2008-08-19 20:46:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.224 [GMT -4:00]
Running from: C:\Documents and Settings\j.collins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\j.collins\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\benuxits.exe
C:\WINDOWS\system32\tezmnyto.exe
C:\WINDOWS\system32\uninstall.mybho
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Common
C:\WINDOWS\system32\benuxits.exe
C:\WINDOWS\system32\tezmnyto.exe
C:\WINDOWS\system32\uninstall.mybho

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2100-04-01 17:22 . 2008-08-18 11:03 194 --a------ C:\WINDOWS\X83_DS.ini
2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI
2008-08-08 10:47 . 2008-08-08 10:47 <DIR> d-------- C:\Program Files\Panda Security
2008-08-08 10:47 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-07 16:16 . 2008-08-08 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-08-07 16:16 . 2005-11-21 18:22 27,006 --a------ C:\WINDOWS\system32\pavas.ico
2008-08-07 16:16 . 2005-07-29 13:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-08-07 16:16 . 2005-07-29 13:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-08-06 12:35 . 2008-08-06 12:35 <DIR> d-------- C:\!KillBox
2008-08-05 17:27 . 2008-08-05 17:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 10:46 . 2008-08-04 10:46 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Malwarebytes
2008-08-04 10:45 . 2008-08-06 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 10:45 . 2008-08-04 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 10:45 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-04 10:45 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 09:52 . 2008-08-04 09:52 <DIR> d-------- C:\Program Files\IObit
2008-08-01 16:44 . 2008-08-01 16:44 <DIR> d-------- C:\Program Files\Sun
2008-08-01 16:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-01 15:22 . 2008-07-24 09:37 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-07-31 15:55 . 2008-08-01 13:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 15:54 . 2008-08-05 16:00 <DIR> d-------- C:\Program Files\Google
2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Netscape
2008-07-31 09:54 . 2008-07-31 09:54 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\Citrix
2008-07-28 11:11 . 2008-07-28 11:12 <DIR> d-------- C:\Documents and Settings\j.collins\Application Data\webex
2008-07-28 11:05 . 2008-07-30 14:24 <DIR> d-------- C:\Program Files\WebEx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-08-07 20:43 --------- d-----w C:\Program Files\MyApp
2008-08-07 20:06 --------- d-----w C:\Program Files\Trend Micro
2008-08-05 23:12 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-08-01 20:43 --------- d-----w C:\Program Files\Java
2008-07-16 16:12 --------- d-----w C:\Program Files\CutWorks
2008-07-13 15:32 --------- d-----w C:\Program Files\CutWorks Designer 5.0
2008-07-13 15:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 15:20 --------- d-----w C:\Program Files\WexTech
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\WexTech Shared
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\LHSPF
2008-07-13 15:20 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-13 15:18 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-12 13:55 --------- d-----w C:\Program Files\MSECache
2008-06-24 18:43 --------- d-----w C:\Documents and Settings\j.collins\Application Data\PDFCreator
2008-06-24 18:39 --------- d-----w C:\Documents and Settings\j.collins\Application Data\AdobeUM
2008-06-24 18:38 --------- d-----w C:\Program Files\LexmarkX83
2008-06-24 15:10 --------- d-----w C:\Program Files\Lexmark
2008-06-24 15:05 --------- d-----w C:\Program Files\Citrix
2008-06-24 15:05 --------- d-----w C:\Documents and Settings\j.collins\Application Data\ICAClient
2008-06-24 14:46 --------- d-----w C:\Documents and Settings\j.collins\Application Data\Smith Micro
2008-06-24 14:41 --------- d-----w C:\Program Files\Verizon Wireless
2008-06-24 14:41 --------- d-----w C:\Program Files\PANTECH
2008-06-23 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\LANDesk
2008-06-23 20:05 --------- d-----w C:\Program Files\LANDesk
.

------- Sigcheck -------

2004-08-04 04:00 17408 f87bc2e69be15f6c36c86d3bc4ba20b3 C:\WINDOWS\system32\svchost.exe

2004-08-04 04:00 506368 a5425a5f2551d5c6b68bd38c23136654 C:\WINDOWS\system32\winlogon.exe

2004-08-04 04:00 1034752 0a38da2381e627af175788e6fa8deb5c C:\WINDOWS\explorer.exe

2004-08-04 04:00 110592 6620db49c57c5c20abd2482ad7fe8da9 C:\WINDOWS\system32\services.exe

2004-08-04 04:00 14848 09463bfd671d75844b71281f91f5967c C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 04:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 19:53 58880 df109a1298e62218fc20180baff39ade C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:46 761948]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 15:35 172094]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 19:51 1187840]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 04:11 925696]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 08:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 08:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 06:20 122940]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 11:49 454656]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 12:59 184320]
"LANDeskCustomData"="C:\Program Files\LANDesk\LDClient\ldcstm32.exe" [2007-11-29 23:23 299008]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 14:20 36864]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]
"MsmqIntCert"="mqrt.dll" [2004-08-04 04:00 177152 C:\WINDOWS\system32\mqrt.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 16:00 88203 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 15:25:02 581693]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-11-03 17:47:31 184320]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2006-11-08 18:33:12 233744]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-03 10:52:21 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"HideShutdownScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-06-19 14:01 24669 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=RemAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]
"Script"=ch_loc_adm_pass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=add_dom_users.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-07-24 09:37]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2005-01-17 18:51]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-11-29 21:32]
R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2005-06-19 14:01]
R2 CutWorksLog;CutWorksLog;C:\Program Files\CutWorks\CutWorksLog.exe [2004-09-10 11:49]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2007-11-29 23:37]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 09:35]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2005-06-19 14:00]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-06-19 14:00]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-06-19 14:00]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-02-28 13:05]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-21 07:19]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2007-05-30 10:23]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2007-05-30 10:23]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2007-05-30 10:23]
R3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 06:45]
R3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 06:45]
R3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 06:45]
R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 20:30]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 22:58]

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 20:47:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????Z????Z????|?????? ??4B??????????????hB? ????Z?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-19 20:47:59
ComboFix-quarantined-files.txt 2008-08-20 00:47:56
ComboFix2.txt 2008-08-18 20:37:33
ComboFix3.txt 2008-08-17 23:10:53

Pre-Run: 39,629,934,592 bytes free
Post-Run: 39,691,698,176 bytes free


#12
1972vet
    Elite Member
  • Moderators
  • 1,158 posts
Please open mbam and run an update. When the update completes, run a scan and post back THAT log. Also, please advise how the system behaves for you now. Thanks!

#13
coljim
    New Member
  • Members
  • 7 posts
Thanks! Here is the final log. The system has been working well since we did the combofix. I really appreciate your help and support through this.

Malwarebytes' Anti-Malware 1.24
Database version: 1031
Windows 5.1.2600 Service Pack 2

18:07:52 2008-08-20
mbam-log-8-20-2008 (18-07-52).txt

Scan type: Quick Scan
Objects scanned: 45297
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcapfj0eg1t (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.

#14
1972vet
    Elite Member
  • Moderators
  • 1,158 posts
Your mbam could use another manual update. Remember to run an update each time before you run the application. I'm glad to see you've noticed an improvement in the performance of your system...but I'd like to see one more mbam log with the updated version and database. See my log below compared with yours on the same date:

Yours:
Malwarebytes' Anti-Malware 1.24
Database version: 1031
Windows 5.1.2600 Service Pack 2

18:07:52 2008-08-20
mbam-log-8-20-2008 (18-07-52).txt


Mine:
Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 3

8:01:49 AM 8/20/2008
mbam-log-08-20-2008 (08-01-49).txt

#15
JeanInMontana
    Delete this account!!
  • Honorary Members
  • 3,867 posts
Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.





