
[Solved] Help me get rid of this Trojan please, HJT log included

Discussion in 'Malware and Virus Removal Archive' started by wbrumfiel, 2008/08/21.

  1. 2008/08/21
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    [Resolved] Help me get rid of this Trojan please, HJT log included

    One of the computers here keeps coming up with a McAfee alert that it is infected with a file called __c00A56A1.dat, but it fails whenever I try to clean, move, or delete it. Here is the HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:50:45 AM, on 8/21/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\NALNTSRV.EXE
    C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wm.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\HPQ\IAM\bin\asghost.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\WINDOWS\SMINST\Scheduler.exe
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\PatchLink\Update Agent\pddm.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
    C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: 32.82.41.119 coqn08
    O1 - Hosts: 32.82.41.120 coqn09
    O1 - Hosts: 32.91.113.24 c1r4u33 c1qies-tng-app1 c1r4u33-app.sdps.org c1qies-tng-app1.sdps.org
    O1 - Hosts: 32.90.90.98 web web.qiesnet.org
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
    O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
    O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Error Recovery Guide.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\MSOFF2K\Office\OSA9.EXE
    O4 - Global Startup: Notify.lnk = C:\NOVELL\GroupWise\notify.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175709720614
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dphe.local
    O17 - HKLM\Software\..\Telephony: DomainName = dphe.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dphe.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dphe.local
    O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
    O20 - Winlogon Notify: __c00A56A1 - C:\WINDOWS\system32\__c00A56A1.dat
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe (file missing)
    O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    --
    End of file - 12397 bytes
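The O20 line near the end of the log above is the one a removal helper reads first: Winlogon Notify packages are DLLs that winlogon.exe loads at logon, so a `.dat` registered there is out of place, and because such a file is mapped into a running process it cannot be deleted or moved while the system is up, which is the usual reason a scanner reports that it cannot clean the file. As an added example that is not part of this thread or of HijackThis, the Python script below parses O4, O20 and O23 lines from a log in this format and flags entries of that kind. The sample lines are constructed from the log above, and the flagging rules are the example's own heuristics, not anything HijackThis computes.

```python
"""Triage a HijackThis (HJT) v2 log: parse O4 / O20 / O23 autostart entries and
flag the ones a malware-removal helper looks at first.

Added example; it is not part of the thread or of HijackThis. The sample log is
constructed from entries quoted in the thread, and the flagging rules are this
example's own heuristics, not HijackThis output."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HJT format, assembled from lines in the thread's first log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: __c00A56A1 - C:\WINDOWS\system32\__c00A56A1.dat
O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
"""

# Line shapes for the three sections this example handles.
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HJT section tag: O4, O20 or O23
    name: str      # entry name as HJT prints it
    path: str      # image path the entry points at
    reason: str    # why a helper would look at it


def command_path(cmd: str) -> str:
    """Extract the image path from an O4 command line, dropping quotes and switches."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first whitespace-preceded /switch or -switch.
    m = re.search(r"\s+[/-]", cmd)
    return cmd[: m.start()] if m else cmd


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per autostart entry that deserves a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            # Winlogon notification packages are DLLs loaded into winlogon.exe at
            # logon; a .dat (or any non-DLL) registered here does not belong.
            if not m["path"].lower().endswith(".dll"):
                findings.append(Finding("O20", m["name"], m["path"],
                                        "Winlogon Notify package is not a .dll"))
        elif m := O4_RE.match(line):
            path = command_path(m["cmd"])
            # A bare file name is resolved through the PATH search order at logon,
            # so the log alone does not say which file actually runs.
            if "\\" not in path:
                findings.append(Finding("O4", m["name"], path,
                                        "bare file name, resolved via PATH search"))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", m["name"], m["path"],
                                        "service image is missing (orphaned entry)"))
            elif m["owner"] == "Unknown owner":
                findings.append(Finding("O23", m["name"], m["path"],
                                        "service has no identified vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<45} {f.reason}\n     -> {f.path}")
```

Run it as a script to print the flagged entries, or call `triage()` on the text of a full log. It is a reading aid, not a verdict: the O4 bare-name rule fires on legitimate entries such as RTHDCPL.EXE as well, and the point is to produce the short list that has to be checked by hand.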
     
  2. 2008/08/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi wbrumfiel
    Welcome to Windowsbbs.
    Is this a work computer?

    If so, I suggest you contact your IT person and have it fixed by him/her.

    Some information and/or data on the machine may not be suitable to post on a public forum.

    Let me know.

    Geri
     


  4. 2008/08/22
    wbrumfiel
    It is a work computer and I would be the local IT guy. I'm at my wit's end with this one, though, and I'd prefer it to be fixed instead of wiped out and rebuilt, so I was looking for some help. Not sure what I've posted that would make us vulnerable, but you're probably right. I guess I'll just have to end up rebuilding it.
     
  5. 2008/08/22
    Geri Lifetime Subscription
    Hi
    OK, the choice is yours. We can attempt to clean it, but you would need to look through the logs, see if anything may be work related that you should not post, and delete it before posting on the forum.

    Let me know what you want to do.

    Geri
     
  6. 2008/08/22
    wbrumfiel
    I'd love to have the help. I'll try and delete anything that is work related. Not sure if it's against the rules or anything, but we could also maybe do it via PM??? Sorry, I'm not much of a software or security guy, and our security person is out of the office for 6-8 weeks.
     
  7. 2008/08/22
    Geri Lifetime Subscription
    Hi wbrumfiel
    That is frowned upon here :rolleyes: and also the logs could be too long to send via PM.

    If I see anything after you post the logs I will delete them so at least they will not be hanging around very long.

    OK, let's start this way.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Post the combofix log and a new HJT log.

    Thanks
    Geri
     
  8. 2008/08/22
    wbrumfiel
    OK, here is the ComboFix log:

    ComboFix 08-08-21.02 - Administrator 2008-08-22 13:29:16.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1352 [GMT -6:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Mail4\Application Data\macromedia\Flash Player\#SharedObjects\WT3FK5R9\interclick.com
    C:\Documents and Settings\Mail4\Application Data\macromedia\Flash Player\#SharedObjects\WT3FK5R9\interclick.com\ud.sol
    C:\Documents and Settings\Mail4\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Mail4\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\rjwebb.000\Application Data\macromedia\Flash Player\#SharedObjects\WT3FK5R9\interclick.com
    C:\Documents and Settings\rjwebb.000\Application Data\macromedia\Flash Player\#SharedObjects\WT3FK5R9\interclick.com\ud.sol
    C:\Documents and Settings\rjwebb.000\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\rjwebb.000\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\Rjwebb\Application Data\macromedia\Flash Player\#SharedObjects\WT3FK5R9\interclick.com
    C:\Documents and Settings\Rjwebb\Application Data\macromedia\Flash Player\#SharedObjects\WT3FK5R9\interclick.com\ud.sol
    C:\Documents and Settings\Rjwebb\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Rjwebb\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\WINDOWS\system32\__c00A56A1.dat
    C:\WINDOWS\system32\mdm.exe
    C:\WINDOWS\system32\x64
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    http://DPHEMS68.DPHE.LOCAL:80
    .
    ((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
    .

    2008-08-22 13:32 . 2008-08-22 13:32 118,784 --a------ C:\WINDOWS\system32\chg.exe
    2008-08-21 10:50 . 2008-08-21 10:50 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-19 14:37 . 2008-08-21 09:29 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-08-19 14:22 . 2008-08-19 14:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-08-19 11:40 . 2008-08-22 13:26 <DIR> d-------- C:\quarantine
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODObjs
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODData
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODCC158.73.207.36
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Sonic
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Leadertech
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Kensington
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\AdobeUM
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\.housecall6.6
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODObjs
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODData
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODCC158.73.207.36
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Sonic
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\OfficeUpdate12
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Leadertech
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Kensington
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Fujitsu
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\AdobeUM
    2008-08-08 11:04 . 2008-08-19 14:22 <DIR> d-------- C:\Documents and Settings\rjwebb.000\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-21 16:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-20 21:42 --------- d-----w C:\Program Files\DYMO Label
    2008-07-11 21:04 --------- d-----w C:\Documents and Settings\Rjwebb\Application Data\OfficeUpdate12
    2008-07-11 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-25 23:18 --------- d-----w C:\Program Files\Windows Imaging
    2008-06-25 23:18 --------- d-----w C:\Program Files\MSXML 6.0
    2008-06-23 16:18 --------- d-----w C:\Program Files\Avery Dennison
    2008-06-23 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avery
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 09:21 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 04:48 98304]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 04:50 86016]
    "Persistence "= "C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 04:47 81920]
    "PTHOSTTR "= "C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 15:02 131072]
    "SetRefresh "= "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 12:01 525824]
    "CognizanceTS "= "C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 13:12 17920]
    "Recguard "= "C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 13:50 1138688]
    "Reminder "= "C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 15:44 761856]
    "Scheduler "= "C:\WINDOWS\SMINST\Scheduler.exe" [2006-04-24 11:42 888832]
    "NDPS "= "C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 14:27 32859]
    "PDDM "= "C:\Program Files\PatchLink\Update Agent\pddm.exe" [2007-01-25 16:32 421888]
    "McAfeeUpdaterUI "= "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 15:06 136768]
    "DLA "= "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-09-21 05:20 127036]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
    "FtLnSOP_setup "= "C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 02:16 212992]
    "FJTWAIN Setup "= "C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 11:45 126976]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-07-04 09:26 16250880 C:\WINDOWS\RTHDCPL.exe]
    "ZENRC Tray Icon "= "zentray.exe" [2001-06-15 13:21 28672 C:\WINDOWS\system32\zentray.exe]
    "NWTRAY "= "NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2007-04-05 14:11:29 25214]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
    Error Recovery Guide.lnk - C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe [2007-04-05 14:13:52 225280]
    Microsoft Office.lnk - C:\MSOFF2K\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
    Notify.lnk - C:\NOVELL\GroupWise\notify.exe [2007-04-06 01:49:17 192570]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
    2006-06-07 13:26 40448 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
    2006-04-06 22:00 434176 C:\WINDOWS\system32\IfxWlxEN.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script "=addtechs4.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1241729245-301937640-312552118-3612\Scripts\Logon\0\0]
    "Script "=Mapper111604v2.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1241729245-301937640-312552118-3909\Scripts\Logon\0\0]
    "Script "=Mapper111604v2.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-963015747-1144427478-2257763956-4440\Scripts\Logon\0\0]
    "Script "=Mapper111604v2.vbs

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\SMINST\\Scheduler.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009

    R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2006-04-06 22:46]
    R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2008-04-13 18:12]
    R2 BlankScreen;HBDevice;C:\WINDOWS\system32\drivers\BlankScreen.sys [2001-07-10 11:02]
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2008-05-20 04:00]
    R2 Kblock;Kblock;C:\WINDOWS\system32\drivers\Kblock.sys [2001-06-15 13:01]
    R2 Mouslock;Mouslock;C:\WINDOWS\system32\drivers\Mouslock.sys [2001-06-15 13:01]
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 10:26]
    R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2008-05-20 04:00]
    R3 smsmdd;smsmdd;C:\WINDOWS\system32\DRIVERS\smsmdm.sys [2008-04-08 17:27]
    S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]
    S3 OnePointDomainAdminService;Active Directory Migration Agent;C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe []
    S3 smstsmgr;SMS Task Sequence Agent;C:\WINDOWS\system32\CCM\TSManager.exe [2008-05-20 04:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Cognizance REG_MULTI_SZ ASChannel
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-__c00A56A1 - C:\WINDOWS\system32\__c00A56A1.dat


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.hp.com
    O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 -: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 -: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 -: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 -: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-22 13:35:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\system32\nalntsrv.exe
    C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\system32\wm.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\HPQ\IAM\Bin\asghost.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\Program Files\McAfee\Common Framework\Mctray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-22 13:37:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-22 19:37:29

    Pre-Run: 50,997,448,704 bytes free
    Post-Run: 51,100,192,768 bytes free

     
  9. 2008/08/22
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    Sorry for the delay, I was having problems posting to the site, here is the HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:38:16 PM, on 8/22/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\system32\NALNTSRV.EXE
    C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wm.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\HPQ\IAM\bin\asghost.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\WINDOWS\SMINST\Scheduler.exe
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\PatchLink\Update Agent\pddm.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
    C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
    O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
    O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Error Recovery Guide.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\MSOFF2K\Office\OSA9.EXE
    O4 - Global Startup: Notify.lnk = C:\NOVELL\GroupWise\notify.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175709720614
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dphe.local
    O17 - HKLM\Software\..\Telephony: DomainName = dphe.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dphe.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dphe.local
    O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe (file missing)
    O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    --
    End of file - 11726 bytes
     
  10. 2008/08/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, everything is looking good. One little fix.
    That could be from a flash drive or USB thumb drive; if you use these, they will need to be cleaned.
    Let me know if you use them.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    Now post the Combofix log and let me know how things are.

    Geri
     
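What the CFScript above actually does, as an added worked example (this is not code from the thread, from Geri, or from ComboFix): the Registry:: section of a CFScript deletes each key written as [-KEY]. The script below reads the "Reg Loading Points" format ComboFix printed earlier in the thread, pulls out every MountPoints2 key that carries a \Shell\AutoRun\command value (the autorun command Windows recorded for a mounted drive, which is why Geri asks about thumb drives) and renders the matching CFScript block. The log excerpt inside it is constructed for the example: the D-drive entry mirrors the thread's log, while the GUID-named key and E:\setup.exe are made up.

```python
"""Extract MountPoints2 AutoRun entries from a ComboFix "Reg Loading Points"
section and turn them into a CFScript Registry:: block that deletes them.

Added example, not part of the forum thread or of ComboFix itself. The log
excerpt below is constructed to mirror the format ComboFix printed in the
thread; the GUID key and the E:\\setup.exe command are illustrative.
"""
import re

# Constructed sample: one unrelated Run key, one MountPoints2 key with the
# rundll32 ShellExec_RunDLL launcher seen in the thread, and one MountPoints2
# key (named by volume GUID, as Windows does for some volumes) with a plain
# command. Only the D entry is taken from the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\Shell\AutoRun\command - E:\setup.exe
"""

# A registry key header as ComboFix prints it: [HKEY_...]
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# The value line that follows a MountPoints2 key when an autorun command exists.
CMD_LINE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.*)$", re.IGNORECASE)


def find_mountpoint_autoruns(log_text):
    """Return [(registry_key, command)] for every MountPoints2 key in a
    ComboFix log that carries a \\Shell\\AutoRun\\command value."""
    hits = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = CMD_LINE.match(line)
        if m and current_key and "\\mountpoints2\\" in current_key.lower():
            hits.append((current_key, m.group(1).strip()))
    return hits


def uses_shellexec_rundll(command):
    """True when the command goes through rundll32 Shell32.DLL,ShellExec_RunDLL,
    the launcher Windows records for a shellexecute= line in autorun.inf.
    A triage flag only; it does not prove the target is malicious."""
    return "shellexec_rundll" in command.lower()


def build_cfscript(keys):
    """Render a CFScript 'Registry::' block; each '[-KEY]' line deletes that
    whole key, exactly as the fix posted in the thread does for ...\\mountpoints2\\D."""
    lines = ["Registry::"]
    lines.extend("[-%s]" % key for key in keys)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_mountpoint_autoruns(SAMPLE_LOG)
    for key, cmd in found:
        flag = "  [rundll32 launcher]" if uses_shellexec_rundll(cmd) else ""
        print("%s -> %s%s" % (key, cmd, flag))
    print(build_cfscript([key for key, _ in found]))
```

Deleting the key only removes the cached autorun command on this PC; the drive that carried the autorun.inf still has to be cleaned separately, which is the point of the thumb-drive question.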
  11. 2008/08/23
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    I'll have to run that on Monday when I get back to work. I did use a thumb drive on the machine to get the combofix and HJT programs copied to the PC because the PC was unable to get on the internet. What do I need to do to clean it? Can I put it in any PC or does it have to be this specific PC so as not to spread anything?
     
  12. 2008/08/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Were those the only things on the thumb drive?

    You can run the cleaner on your computer if you want to make sure it is clean; make sure you follow the instructions carefully.

    Here is how.

    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

    http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    Hold down the Shift key and insert your flash drive. (USB thumb drives)
    It is important to hold the shift key while plugging in flash drive so the virus does not run and re-infect system.

    • Double-click Flash_Disinfector.exe to run it.
      Follow any prompts that may appear.
      Your desktop will vanish for a while, and then reappear. This is normal.
      Wait until the program has finished scanning, then please exit the program.

    Repeat this step if you have more than one flash drive.

    Once that is done, delete Flash_Disinfector.exe from your desktop.

    Geri
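Why holding Shift matters, as an added example (this is not part of the thread and not Flash_Disinfector's code): Windows acts on an autorun.inf at the root of a removable drive, and autorun worms pad that file with junk lines and mixed-case keys so that a quick look, or a naive INI parser, misses the line that launches the payload. The parser below is tolerant of that padding and reports every directive that runs a program. Both autorun.inf texts in it are constructed; the "Info.exe protect.ed 480 480" command is taken from the MountPoints2 entry in the ComboFix log posted earlier, everything else is illustrative. Flash_Disinfector's own neutralization step (a protected folder named autorun.inf left on the drive) is Windows-specific and not reproduced here.

```python
"""Parse an autorun.inf from a removable drive and report what it would launch.

Added example, not part of the forum thread or of Flash_Disinfector. Both
samples below are constructed; only the 'Info.exe protect.ed 480 480'
command comes from the thread's ComboFix log.
"""
import re

# Constructed sample in the style of a padded autorun worm: comment and junk
# lines, mixed-case section and keys, the same command under three different
# launch directives, and an action= line that relabels the autoplay entry so
# it looks like the normal "Open folder" choice. A second section with its own
# open= line shows that only [autorun] is honoured by the parser.
SAMPLE_WORM_INF = """
;kjhfdskjhfdskjhfdskjhfd
[AuToRuN]
fdjkshfkjdsh=jkhsdfjkhsdf
ShellExecute=Info.exe protect.ed 480 480
;jhsdfjhsdfjhsd
shell\\open\\Command=Info.exe protect.ed 480 480
shell\\explore\\command=Info.exe protect.ed 480 480
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
[Other]
open=notused.exe
"""

# Constructed benign sample: a vendor drive that only sets an icon and label.
SAMPLE_VENDOR_INF = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... adds a context-menu verb that runs a program.
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return [(key, value)] from the [autorun] section, keys lower-cased.
    Blank lines, ';' comments and lines without '=' (padding) are skipped;
    entries in other sections are ignored."""
    in_autorun = False
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_targets(text):
    """Return [(directive, command)] for every directive that runs a program:
    open=, shellexecute= and shell\\<verb>\\command=."""
    return [(key, value) for key, value in parse_autorun_inf(text)
            if key in LAUNCH_KEYS or SHELL_CMD.match(key)]


def executable_name(command):
    """First token of a command line, e.g. 'Info.exe' from
    'Info.exe protect.ed 480 480'; a quoted path is returned whole."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


if __name__ == "__main__":
    for name, inf in (("worm-style", SAMPLE_WORM_INF), ("vendor", SAMPLE_VENDOR_INF)):
        targets = launch_targets(inf)
        print("%s autorun.inf: %d launch directive(s)" % (name, len(targets)))
        for directive, command in targets:
            print("  %s -> %s" % (directive, executable_name(command)))
```

Reading the file this way, with the drive opened after a Shift-insert or from a non-Windows host, tells you which file on the drive is the payload before anything on the drive has been allowed to run.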
     
  13. 2008/08/25
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    OK, here is the new ComboFix log
    ComboFix 08-08-24.03 - administrator 2008-08-25 9:38:25.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1337 [GMT -6:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\cfscript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    http://DPHEMS68.DPHE.LOCAL:80
    .
    ((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
    .

    2008-08-22 13:40 . 2008-08-22 13:40 <DIR> d-------- C:\Program Files\Network Associates
    2008-08-22 13:40 . 2008-08-22 13:40 <DIR> d-------- C:\Program Files\Common Files\Network Associates
    2008-08-22 13:40 . 2007-01-18 20:00 117,024 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
    2008-08-22 13:40 . 2007-01-18 20:00 59,904 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
    2008-08-21 10:50 . 2008-08-21 10:50 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-19 14:37 . 2008-08-21 09:29 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-08-19 14:22 . 2008-08-19 14:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-08-19 11:40 . 2008-08-25 09:38 <DIR> d-------- C:\quarantine
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODObjs
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODData
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODCC158.73.207.36
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Sonic
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Leadertech
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Kensington
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\AdobeUM
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\.housecall6.6
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODObjs
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODData
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODCC158.73.207.36
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Sonic
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\OfficeUpdate12
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Leadertech
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Kensington
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Fujitsu
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\AdobeUM
    2008-08-08 11:04 . 2008-08-19 14:22 <DIR> d-------- C:\Documents and Settings\rjwebb.000\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-21 16:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-20 21:42 --------- d-----w C:\Program Files\DYMO Label
    2008-07-11 21:04 --------- d-----w C:\Documents and Settings\Rjwebb\Application Data\OfficeUpdate12
    2008-07-11 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-25 23:18 --------- d-----w C:\Program Files\Windows Imaging
    2008-06-25 23:18 --------- d-----w C:\Program Files\MSXML 6.0
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-22_13.37.11.62 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-04-14 00:12:01 343,040 ----a-w C:\WINDOWS\system32\dllcache\msvcrt.dll
    + 2007-01-19 02:00:00 8,320 ----a-w C:\WINDOWS\system32\drivers\EntDrv51.sys
    + 2004-09-22 14:00:00 11,264 ----a-w C:\WINDOWS\system32\dssdata.dll
    + 2007-01-19 02:00:00 36,922 ----a-w C:\WINDOWS\system32\EntAPI.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 09:21 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 04:48 98304]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 04:50 86016]
    "Persistence "= "C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 04:47 81920]
    "PTHOSTTR "= "C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 15:02 131072]
    "SetRefresh "= "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 12:01 525824]
    "CognizanceTS "= "C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 13:12 17920]
    "Recguard "= "C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 13:50 1138688]
    "Reminder "= "C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 15:44 761856]
    "Scheduler "= "C:\WINDOWS\SMINST\Scheduler.exe" [2006-04-24 11:42 888832]
    "NDPS "= "C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 14:27 32859]
    "PDDM "= "C:\Program Files\PatchLink\Update Agent\pddm.exe" [2007-01-25 16:32 421888]
    "McAfeeUpdaterUI "= "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 15:06 136768]
    "DLA "= "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-09-21 05:20 127036]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
    "FtLnSOP_setup "= "C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 02:16 212992]
    "FJTWAIN Setup "= "C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 11:45 126976]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
    "ShStatEXE "= "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 08:00 98304]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-07-04 09:26 16250880 C:\WINDOWS\RTHDCPL.exe]
    "ZENRC Tray Icon "= "zentray.exe" [2001-06-15 13:21 28672 C:\WINDOWS\system32\zentray.exe]
    "NWTRAY "= "NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2007-04-05 14:11:29 25214]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
    Error Recovery Guide.lnk - C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe [2007-04-05 14:13:52 225280]
    Microsoft Office.lnk - C:\MSOFF2K\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
    Notify.lnk - C:\NOVELL\GroupWise\notify.exe [2007-04-06 01:49:17 192570]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
    2006-06-07 13:26 40448 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
    2006-04-06 22:00 434176 C:\WINDOWS\system32\IfxWlxEN.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script "=addtechs4.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1241729245-301937640-312552118-3612\Scripts\Logon\0\0]
    "Script "=Mapper111604v2.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1241729245-301937640-312552118-3909\Scripts\Logon\0\0]
    "Script "=Mapper111604v2.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-963015747-1144427478-2257763956-4440\Scripts\Logon\0\0]
    "Script "=Mapper111604v2.vbs

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\SMINST\\Scheduler.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009

    R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2006-04-06 22:46]
    R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2008-04-13 18:12]
    R2 BlankScreen;HBDevice;C:\WINDOWS\system32\drivers\BlankScreen.sys [2001-07-10 11:02]
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2008-05-20 04:00]
    R2 Kblock;Kblock;C:\WINDOWS\system32\drivers\Kblock.sys [2001-06-15 13:01]
    R2 Mouslock;Mouslock;C:\WINDOWS\system32\drivers\Mouslock.sys [2001-06-15 13:01]
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 10:26]
    R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2008-05-20 04:00]
    R3 smsmdd;smsmdd;C:\WINDOWS\system32\DRIVERS\smsmdm.sys [2008-04-08 17:27]
    S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]
    S3 OnePointDomainAdminService;Active Directory Migration Agent;C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe []
    S3 smstsmgr;SMS Task Sequence Agent;C:\WINDOWS\system32\CCM\TSManager.exe [2008-05-20 04:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Cognizance REG_MULTI_SZ ASChannel
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-25 09:43:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\nalntsrv.exe
    C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\system32\wm.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\HPQ\IAM\Bin\asghost.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\McAfee\Common Framework\Mctray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-25 9:46:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-25 15:46:38
    ComboFix2.txt 2008-08-22 19:37:34

    Pre-Run: 50,992,427,008 bytes free
    Post-Run: 50,983,206,912 bytes free

     
  14. 2008/08/25
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    And the new HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:51:25 AM, on 8/25/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\NALNTSRV.EXE
    C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wm.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\HPQ\IAM\bin\asghost.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\WINDOWS\SMINST\Scheduler.exe
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\PatchLink\Update Agent\pddm.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
    C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
    O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
    O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Error Recovery Guide.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\MSOFF2K\Office\OSA9.EXE
    O4 - Global Startup: Notify.lnk = C:\NOVELL\GroupWise\notify.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175709720614
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dphe.local
    O17 - HKLM\Software\..\Telephony: DomainName = dphe.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dphe.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dphe.local
    O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe (file missing)
    O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    --
    End of file - 12167 bytes
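    A HijackThis log like the ones posted above is read by hand in this thread, but the same triage can be scripted. The following is an added example, not code from the thread or from Trend Micro's HijackThis: it parses O4, O10 and O23 lines (the line grammar is inferred from the logs in this thread) and flags the patterns a helper looks for first, namely Run-key entries that name a bare executable resolved through the search path, startup shortcuts whose target could not be resolved (`= ?`), unknown Winsock LSP entries, and services whose binary is missing or has no publisher. The sample log is constructed for the example and modelled on entry types seen in this thread.

    ```python
    import re

    # Constructed sample in HijackThis v2 log format, modelled on the entry
    # types that appear in the logs posted in this thread (not copied from them).
    SAMPLE_HJT_LOG = r"""
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Error Recovery Guide.lnk = ?
    O4 - Global Startup: Notify.lnk = C:\NOVELL\GroupWise\notify.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe (file missing)
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    """

    # Line grammar inferred from the logs in this thread (assumption, not an official spec).
    O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
    O4_STARTUP = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?\.lnk) = (?P<target>.*)$')
    O10_LSP = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')
    O23_SERVICE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


    def first_executable(cmd: str) -> str:
        """Return the executable part of a Run-key command line (quoted or first token)."""
        cmd = cmd.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end].strip() if end > 0 else cmd[1:].strip()
        return cmd.split(' ', 1)[0]


    def is_qualified(path: str) -> bool:
        """True if the path names a directory; a bare file name is found via the search order."""
        return '\\' in path or '/' in path


    def triage(log_text: str) -> list:
        """Return (section, item, reasons) tuples for entries that merit a closer look."""
        findings = []
        for raw in log_text.splitlines():
            line = raw.strip()
            if not line:
                continue
            m = O4_RUN.match(line)
            if m:
                if not is_qualified(first_executable(m.group('cmd'))):
                    findings.append(('O4', m.group('name'), ('unqualified-path',)))
                continue
            m = O4_STARTUP.match(line)
            if m:
                if m.group('target').strip() == '?':
                    findings.append(('O4', m.group('name'), ('unresolved-shortcut',)))
                continue
            m = O10_LSP.match(line)
            if m:
                findings.append(('O10', m.group('path'), ('unknown-lsp',)))
                continue
            m = O23_SERVICE.match(line)
            if m:
                reasons = []
                if m.group('path').endswith('(file missing)'):
                    reasons.append('file-missing')
                if m.group('owner') == 'Unknown owner':
                    reasons.append('unknown-owner')
                if reasons:
                    findings.append(('O23', m.group('desc'), tuple(reasons)))
        return findings


    if __name__ == '__main__':
        for section, item, reasons in triage(SAMPLE_HJT_LOG):
            print(f'{section:4} {", ".join(reasons):32} {item}')
    ```

    A flagged entry is a prompt to check the file, not a verdict: in the log above every flag lands on a known vendor component (the Realtek tray, the Novell LSP, an old migration agent), which is why helpers compare each item against a known-file list before writing a fix.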
     
  15. 2008/08/25
    Geri
    Hi
    OK, we need to do this again; the board's software left a space in the fix, so it did not work.
    Delete the CFScript on your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] 
    Now post the Combofix log and let me know how things are.

    Geri
     
  16. 2008/08/25
    wbrumfiel (Thread Starter)
    Let's try this again, I got an error posting it last time.

    ComboFix 08-08-24.03 - Administrator 2008-08-25 11:35:45.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1382 [GMT -6:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
    .

    2008-08-25 10:04 . 2006-06-08 20:00 116,864 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
    2008-08-25 10:04 . 2006-06-08 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
    2008-08-25 10:03 . 2008-08-25 10:03 <DIR> d-------- C:\Program Files\Network Associates
    2008-08-25 10:03 . 2008-08-25 10:03 <DIR> d-------- C:\Program Files\Common Files\Network Associates
    2008-08-25 10:03 . 2008-08-25 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
    2008-08-21 10:50 . 2008-08-21 10:50 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-19 14:37 . 2008-08-21 09:29 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-08-19 14:22 . 2008-08-19 14:37 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-08-19 11:40 . 2008-08-25 11:35 <DIR> d-------- C:\quarantine
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODObjs
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODData
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\HODCC158.73.207.36
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Sonic
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Leadertech
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\Kensington
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\Application Data\AdobeUM
    2008-08-08 14:50 . 2008-08-08 14:50 <DIR> d-------- C:\Documents and Settings\Mail4\.housecall6.6
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODObjs
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODData
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\HODCC158.73.207.36
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Sonic
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\OfficeUpdate12
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Leadertech
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Kensington
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\Fujitsu
    2008-08-08 11:05 . 2008-08-08 11:05 <DIR> d-------- C:\Documents and Settings\rjwebb.000\Application Data\AdobeUM
    2008-08-08 11:04 . 2008-08-19 14:22 <DIR> d-------- C:\Documents and Settings\rjwebb.000\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-25 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-21 16:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-20 21:42 --------- d-----w C:\Program Files\DYMO Label
    2008-07-11 21:04 --------- d-----w C:\Documents and Settings\Rjwebb\Application Data\OfficeUpdate12
    2008-06-25 23:18 --------- d-----w C:\Program Files\Windows Imaging
    2008-06-25 23:18 --------- d-----w C:\Program Files\MSXML 6.0
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-22_13.37.11.62 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-04-14 00:11:56 989,696 ----a-w C:\WINDOWS\system32\dllcache\kernel32.dll
    + 2008-04-14 00:12:01 343,040 ----a-w C:\WINDOWS\system32\dllcache\msvcrt.dll
    + 2006-06-09 02:00:00 8,448 ----a-w C:\WINDOWS\system32\drivers\EntDrv51.sys
    + 2004-09-22 14:00:00 11,264 ----a-w C:\WINDOWS\system32\dssdata.dll
    + 2006-06-09 02:00:00 41,018 ----a-w C:\WINDOWS\system32\EntAPI.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 09:21 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 04:48 98304]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 04:50 86016]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 04:47 81920]
    "PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 15:02 131072]
    "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 12:01 525824]
    "CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 13:12 17920]
    "Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 13:50 1138688]
    "Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 15:44 761856]
    "Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-04-24 11:42 888832]
    "NDPS"="C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 14:27 32859]
    "PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2007-01-25 16:32 421888]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-09-21 05:20 127036]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
    "FtLnSOP_setup"="C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 02:16 212992]
    "FJTWAIN Setup"="C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 11:45 126976]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 08:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 15:06 136768]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-04 09:26 16250880 C:\WINDOWS\RTHDCPL.exe]
    "ZENRC Tray Icon"="zentray.exe" [2001-06-15 13:21 28672 C:\WINDOWS\system32\zentray.exe]
    "NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2007-04-05 14:11:29 25214]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
    Error Recovery Guide.lnk - C:\Program Files\PFU\Error Recovery Guide\FTErGuid.exe [2007-04-05 14:13:52 225280]
    Microsoft Office.lnk - C:\MSOFF2K\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
    Notify.lnk - C:\NOVELL\GroupWise\notify.exe [2007-04-06 01:49:17 192570]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
    2006-06-07 13:26 40448 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
    2006-04-06 22:00 434176 C:\WINDOWS\system32\IfxWlxEN.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1241729245-301937640-312552118-3612\Scripts\Logon\0\0]
    "Script"=Mapper111604v2.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1241729245-301937640-312552118-3909\Scripts\Logon\0\0]
    "Script"=Mapper111604v2.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-963015747-1144427478-2257763956-4440\Scripts\Logon\0\0]
    "Script"=Mapper111604v2.vbs

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\SMINST\\Scheduler.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2006-04-06 22:46]
    R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2008-04-13 18:12]
    R2 BlankScreen;HBDevice;C:\WINDOWS\system32\drivers\BlankScreen.sys [2001-07-10 11:02]
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2008-05-20 04:00]
    R2 Kblock;Kblock;C:\WINDOWS\system32\drivers\Kblock.sys [2001-06-15 13:01]
    R2 Mouslock;Mouslock;C:\WINDOWS\system32\drivers\Mouslock.sys [2001-06-15 13:01]
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 10:26]
    R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2008-05-20 04:00]
    R3 smsmdd;smsmdd;C:\WINDOWS\system32\DRIVERS\smsmdm.sys [2008-04-08 17:27]
    S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]
    S3 OnePointDomainAdminService;Active Directory Migration Agent;C:\WINDOWS\OnePointDomainAgent\DCTAgentService.exe []
    S3 smstsmgr;SMS Task Sequence Agent;C:\WINDOWS\system32\CCM\TSManager.exe [2008-05-20 04:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Cognizance REG_MULTI_SZ ASChannel
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-25 11:41:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\nalntsrv.exe
    C:\Program Files\PatchLink\Update Agent\GravitixService.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\system32\wm.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\HPQ\IAM\Bin\asghost.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\Program Files\McAfee\Common Framework\Mctray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
    C:\WINDOWS\system32\verclsid.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-25 11:44:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-25 17:44:29
    ComboFix2.txt 2008-08-25 15:46:45
    ComboFix3.txt 2008-08-22 19:37:34

    Pre-Run: 50,891,821,056 bytes free
    Post-Run: 50,879,565,824 bytes free

    174
     
  17. 2008/08/25
    Geri
    Hi
    OK, good. Now an online scan.

    Your Java is out of date and needs to be updated.

    Updating Java and Clearing Cache
    1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    2. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    3. If you are unable to update you can manually update by going here:
    4. After the reboot, go back into the Control Panel and double-click the Java Icon.
    5. On the General tab, at the bottom, it has "Temporary Internet Files".
    6. Click the settings button. Then the Delete files button.
    7. There are two options in the window to clear the cache - Leave both Checked

      • Applications and Applets
      • Trace and Log files
    8. Click OK
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    9. Click OK to leave the Java Control Panel.
    10. Delete older versions from Add/Remove list.

    Now do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional; if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Geri
     
  18. 2008/08/26
    wbrumfiel (Thread Starter)
    I updated the Java and ran the ATF Cleaner, but I am unable to get to the Kaspersky website from here. I've tried on 2 different computers and it just sits there and thinks and thinks and eventually goes to a "page cannot be displayed" screen. Other sites seem to be working fine, and I know it's not the Kaspersky site, as I ran the check from my home computer yesterday and it worked fine. Is there an alternative I can use? I think the Trend Micro site works.
     
  19. 2008/08/26
    Geri
    Hi
    OK, let's try Panda first.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Thanks
    Geri
     
  20. 2008/08/27
    wbrumfiel (Thread Starter)
    Hmm, I was running the Panda scan just fine, but it had found 3 infected files. The last time I checked on it, it was at about 45% scanned, and I switched to working on another PC. I came back to check it again and the IE window had closed (a symptom of the virus in the beginning) and McAfee had popped up again with a warning that __c00A56A1.dat.vir was discovered in the folder C:\QooBox\Quarantine\C\WINDOWS\system32. McAfee says it deleted the file. I don't have the ability to uninstall McAfee and I don't see the option to exit the program (even though I'm logged in as the computer administrator account). I do have the ability to Disable On Access Scan, but that isn't the same as exiting or disabling McAfee altogether, is it? I'm going to try and run Panda again and will report back what happens.

    Edit: I called and got instructions from one of our other IT folks on disabling the McAfee services. I'm still running the 2nd Panda scan and it is at 35%. I will report back when it has finished.
     
    Last edited: 2008/08/27
  21. 2008/08/27
    wbrumfiel (Thread Starter)
    OK, here are the ActiveScan results
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-08-27 11:13:45
    PROTECTIONS: 1
    MALWARE: 6
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan Enterprise 8.0.0.912 No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00055522 Eicar.Mod Virus No 0 No No C:\quarantine\Av-test.txt.Vir
    00055522 Eicar.Mod Virus No 0 No No C:\quarantine\Av-test.txt.Vir.0
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
    00366244 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP342\A0065976.exe[C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP342\A0065976.exe][nircmd.exe]
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP339\A0065461.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP340\A0065711.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP342\A0065979.EXE
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP339\A0065398.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP342\A0065920.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP340\A0065652.sys
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location */
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description */
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
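For anyone triaging a report like the one above, here is an added example (not from the thread or from Panda) that parses the MALWARE table and sorts the hits into inert copies in System Restore snapshots or quarantine, tracking cookies, and anything actually marked Active. The sample report, its GUID and its last entry are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the ActiveScan text layout; the GUID and the final row are placeholders.
SAMPLE_REPORT = """\
MALWARE: 4
;====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====
00055522 Eicar.Mod Virus No 0 No No C:\\quarantine\\Av-test.txt.Vir
00145731 Cookie/Example TrackingCookie No 0 Yes No C:\\Documents and Settings\\Administrator\\Cookies\\administrator@example[1].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP339\\A0065398.sys
00000001 Example.Placeholder Trojan Yes 2 Yes No C:\\WINDOWS\\system32\\placeholder.dat
;====
SUSPECTS
Sent Location */
"""

@dataclass
class Finding:
    id: str
    description: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    disinfected: bool
    location: str

def parse_malware(report: str) -> list[Finding]:
    """Return the rows of the MALWARE table; the summary header and other sections are skipped."""
    rows, in_table = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "MALWARE":                 # section heading, not the "MALWARE: n" summary line
            in_table = True
            continue
        if not in_table or not line or line.startswith((";", "Id ")):
            continue
        if line in ("SUSPECTS", "VULNERABILITIES"):
            break
        p = line.split(None, 7)               # Location is the remainder and may contain spaces
        if len(p) == 8:
            rows.append(Finding(p[0], p[1], p[2], p[3] == "Yes", int(p[4]),
                                p[5] == "Yes", p[6] == "Yes", p[7]))
    return rows

RESTORE = re.compile(r"\\System Volume Information\\_restore\{", re.I)

def triage(f: Finding) -> str:
    """Classify where a hit lives so inert copies are not mistaken for a live infection."""
    loc = f.location.lower()
    if RESTORE.search(f.location):
        return "restore-point"                # stale copy inside a System Restore snapshot
    if "\\quarantine\\" in loc or loc.endswith(".vir"):
        return "quarantine"                   # already isolated by a cleaner
    if f.kind == "TrackingCookie":
        return "cookie"                       # privacy nuisance, nothing executes
    return "active" if f.active else "on-disk"

def summarize(report: str) -> Counter:
    return Counter(triage(f) for f in parse_malware(report))
```

Only the rows that come back as "active" (or "on-disk" outside a snapshot or quarantine folder) need real cleanup; the rest disappear when System Restore is flushed, the quarantine folder is removed and browser cookies are cleared.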
     
