# Solved: buritos.exe



## robin.alden (Jul 29, 2008)

Hi Everyone,

I have been infected by a very sticky *Trojan*. It came in an *email* that posed as an *invoice from UPS* and was sent from a colleague.

Unfortunately, due to the fact I had not had sleep in 36 hours (I had just come home from my first daughter's birth) when I read my email, I opened the *zip file* and clicked on the file that said something like *Invoice.exe*. Not something I would usually do, I can assure you. When the file didn't open the invoice and my *PC started shutting down*, I suddenly realized what I'd clicked on and turned off the PC.

The next day I went about trying to remove the Trojan. I found the following extra tasks were being launched...

*buritos.exe* (HKLM\...\run) - Located in c:\Windows\buritos.exe
braviax.exe (HKLM\...\run) - Located in c:\Windows\System32\braviax.exe
lphc5joj0ea2r.exe (HKLM\...\run) - Located in c:\Windows\System32\lphc5joj0ea2r.exe
rhc1joj0ea2r.exe (HKCU\...\run) - Located in c:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe
9.tmp (*Changes every time the system restarts & is running as the SYSTEM user* - I cannot find its mount point)

I installed and ran *HijackThis* but *nothing happens*, with both the latest version and 1.99.1.

So I went to safe mode and *tried removing the files manually*. When I restarted and logged back in as the infected user *it got most upset and shut down the computer*. I then created a limited user and an Administrator in safe mode, restarted and logged back in. So far it has not logged me out again. *All the tasks have re-appeared!*

The Trojan has *installed a fake spyware removal tool* I have seen in the past; it has a red cross icon in the task bar and tells the user "Your Computer is Infected..." etc., then says click here to remove it.

The desktop image has been changed to say "*Warning spyware detected on your computer. Install an antivirus or spyware remover to clean your computer*". It is on a blue background with yellow text. *This message also shows just before the Windows login screen appears when the computer starts up!*

Adaware detected something but had no idea what it was and asked me to send details. I did not remove it.

This is a *worrying Trojan* and *I cannot find a solution on the NET*! I will check back on this thread every few days to see what people have to say. Sorry, I would check more often but I'm a bit busy at the moment, what with a new baby girl and all.

*Thanks for taking the time to read my post.* :up:


----------



## robin.alden (Jul 29, 2008)

OK, I have added a *HijackThis log*. I had to *rename HijackThis.exe* to get it to work. I also renamed the folders it was in too, just in case. (Thanks to *PCcruncher* for this advice :up:)

I also noticed *tanker guy* *managed to remove this infection* using this program http://www.malwarebytes.org/mbam.php. I have *decided not to remove the infection yet in case there is anything to be learnt from my logs*.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:27 p.m., on 2/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\TEMP\D585.tmp
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lphc5joj0ea2r.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micros\aHijackThis\Temp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [lphc5joj0ea2r] C:\WINDOWS\system32\lphc5joj0ea2r.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O23 - Service: Google Update Service (gupdate1c8d8c839b4ffe2) (gupdate1c8d8c839b4ffe2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
--
End of file - 5268 bytes
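The lines a helper reads first in a log like the one above are the persistence points: the F2 UserInit chain, the O4 Run keys, the O20 AppInit_DLLs value and the Winlogon Notify DLLs. As an added example that is not part of this thread or of HijackThis itself, the Python below parses those item formats and flags the entries worth reviewing; the sample lines are copied from the log above, and the baselines and the `C:\WINDOWS` location are constructed assumptions for this example.

```python
"""Flag review-worthy persistence entries in HijackThis-style log lines.

Added example, not code from the thread or from HijackThis. The heuristics:
  * F2  : anything chained after userinit.exe in UserInit runs at every logon
  * O20 : a clean XP box has an empty AppInit_DLLs; any value is worth a look
  * O20 : Winlogon Notify subkeys outside the XP default set
  * O4  : Run images with machine-generated names (letters/digits interleaved)
          or images in the Windows directory that are not known autoruns
Legitimate third-party entries (e.g. Live Mesh below) will also surface;
that is intended: the list is for manual review, not automatic deletion.
"""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [lphc5joj0ea2r] C:\WINDOWS\system32\lphc5joj0ea2r.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
"""

# Baselines are constructed for this example (Windows XP defaults); not exhaustive.
KNOWN_WINDOWS_AUTORUNS = {"ctfmon.exe", "msconfig.exe"}
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
WINDOWS_DIR = "c:\\windows\\"  # assumption: default %windir%


@dataclass
class Finding:
    item: str     # HijackThis item type, e.g. "O4"
    reason: str
    detail: str


RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
# Names like lphc5joj0ea2r: 10+ chars, only letters and digits, both present.
GENERATED_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$", re.I)


def image_path(cmd: str) -> str:
    """Return the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\s+/\S", cmd)          # bare path: cut before the first switch
    return cmd[:m.start()] if m else cmd


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := USERINIT_RE.match(line):
            parts = [p.strip() for p in m["value"].split(",") if p.strip()]
            if parts and not parts[0].lower().endswith("\\userinit.exe"):
                findings.append(Finding("F2", "UserInit does not start with userinit.exe", parts[0]))
            for extra in parts[1:]:
                findings.append(Finding("F2", "extra UserInit executable", extra))
        elif m := APPINIT_RE.match(line):
            if m["value"].strip():
                findings.append(Finding("O20", "AppInit_DLLs set", m["value"].strip()))
        elif m := NOTIFY_RE.match(line):
            if m["key"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("O20", "Winlogon Notify subkey not in baseline",
                                        f'{m["key"]} -> {m["dll"]}'))
        elif m := RUN_RE.match(line):
            path = image_path(m["cmd"])
            exe = path.rsplit("\\", 1)[-1]
            stem = exe.rsplit(".", 1)[0]
            if GENERATED_NAME_RE.match(stem):
                findings.append(Finding("O4", "machine-generated image name", path))
            elif path.lower().startswith(WINDOWS_DIR) and exe.lower() not in KNOWN_WINDOWS_AUTORUNS:
                findings.append(Finding("O4", "Windows-directory autorun not in baseline", path))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.item:<4}{f.reason:<45}{f.detail}")
```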


----------



## robin.alden (Jul 29, 2008)

Hmm, went to bath the baby, came back and my PC had a *blue screen* stating something like *WQL_IRL or similar*. I pressed *<CTRL> <ALT>* and the *Windows startup screen* (the one with the Windows logo and the progress bar) was showing but in something like *EGA colors*. I hit ESC and the login screen appeared.

The *login screen still had me logged in* with the applications I was using showing as running (4 running tasks). I logged in and everything is back as I left the PC 20 mins ago.

I'm guessing the PC tried to go to standby and the infection didn't like that. *I have never before seen a PC recover from a blue screen*. I have disabled my data partition as I have seen talk of buritos.exe killing files. The worst that can happen now is the infection destroys the windows partition or perhaps my MBR.


----------



## ~Candy~ (Jan 27, 2001)

Hi and welcome. And what virus program would you be running?


----------



## robin.alden (Jul 29, 2008)

Hi AcaCandy. I don't usually run an anti-virus as I don't typically do things that attract viruses. Unfortunately, on this occasion, due to sleep deprivation, I was caught out.


----------



## cybertech (Apr 16, 2002)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

*Next*

Visit *this webpage* for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


----------



## robin.alden (Jul 29, 2008)

Hi *cybertech*,

*Well thats better*.

I *ran SDFix (had to rename it to make it start).* When it finished I noticed it had killed all the nasty tasks bar one that was still showing in the Task Manager (*lphc5joj0ea2r*.exe). I plugged the Internet back in so I could post the results. About 30 secs after I did that, the fake antivirus application had downloaded again and most of the tasks were back.

I was curious to know where the program came from, so I re-ran SDFix and this time, before I re-connected the network, *I started a network packet sniffer*. The Trojan contacted "www . avpx2008 . com" using HTTP and downloaded enough data to install the fake virus and associated tasks, then they showed up in the Task Manager. I have the Ethereal logs if you want them.

*Next I ran combofix.exe* (which I didn't need to rename) by dropping the XP Boot disk image onto ComboFix.exe as per the instructions.

*Now all the offending tasks appear to have been cleaned and my computer is back to peace and quiet, free from nasties*.

I have attached the logs in the following posts. Hopefully it is now all clean.

If so, thanks for the help :up:. If not, what next?


----------



## robin.alden (Jul 29, 2008)

*SDFix: Version 1.213*
Run by Administrator on Wed 06/08/2008 at 10:09 p.m.
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
*Checking Services*:

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper 
Resetting AppInit_DLLs value

Rebooting

*Infected beep.sys Found!*
beep.sys File Locations:
"C:\WINDOWS\system32\dllcache\beep.sys" 27648 29/07/2008 10:24 a.m. 
"C:\WINDOWS\system32\drivers\beep.sys" 27648 29/07/2008 10:24 a.m. 
Infected File Listed Below:
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
File copied to Backups Folder
Attempting to replace beep.sys with original version

Original beep.sys Restored
"C:\WINDOWS\system32\dllcache\beep.sys" 4224 03/08/2008 04:05 a.m.
"C:\WINDOWS\system32\drivers\beep.sys" 4224 03/08/2008 04:05 a.m.

*Checking Files*:
Trojan Files Found:
C:\Program Files\rhc1joj0ea2r\database.dat - Deleted
C:\Program Files\rhc1joj0ea2r\license.txt - Deleted
C:\Program Files\rhc1joj0ea2r\MFC71.dll - Deleted
C:\Program Files\rhc1joj0ea2r\MFC71ENU.DLL - Deleted
C:\Program Files\rhc1joj0ea2r\msvcp71.dll - Deleted
C:\Program Files\rhc1joj0ea2r\msvcr71.dll - Deleted
C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe - Deleted
C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe.local - Deleted
C:\Program Files\rhc1joj0ea2r\Uninstall.exe - Deleted
C:\WINDOWS\SYSTEM32\PPHC5J~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PHC5JO~1.BMP - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
C:\WINDOWS\system32\12.tmp - Deleted
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk - Deleted
C:\WINDOWS\buritos.exe - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\karina.dat - Deleted
C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\buritos.exe - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\delself.bat - Deleted
C:\WINDOWS\system32\karina.dat - Deleted
C:\WINDOWS\system32\winivstr.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\Documents and Settings\Limited User\Application Data\wsnpoem\audio.dll.cla - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll.cla - Deleted
C:\Documents and Settings\Limited User\Application Data\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\Documents and Settings\Limited User\Application Data\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

Folder C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files
*ADS Check*:

*Final Check*:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 23:29:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a639c7c]
"000d3aa752e4"=hex:0a,1d,d7,f7,6d,12,df,ac,66,9b,65,02,fd,b8,55,b6
"0007a4b64478"=hex:23,ed,1b,2d,4b,a0,1b,49,d9,7e,63,e3,93,75,71,5d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d3aa7bc1d]
"00092d04f89f"=hex:7f,f2,26,2c,be,7a,12,3f,44,32,90,b5,3b,e2,cf,a9
"000d3aa752e4"=hex:7b,27,c6,07,44,65,ee,28,73,32,c0,0f,17,60,59,dc
"001e3a7cd256"=hex:c6,33,d1,3a,a8,62,8c,fc,51,fa,3f,0a,01,81,6e,1e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00008bea
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:d71ec9a2
"s1"=dword:a8020f67
"s2"=dword:7152433a
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
"h0"=dword:00000000
"ujdew"=hex:e7,6d,ed,bc,5d,89,93,fd,62,47,1b,9a,6c,e8,14,e3,44,c7,09,49,45,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3D7F9281-6AFB-4AC3-A2C0-D117C80816FC}]
"LeaseObtainedTime"=dword:48998ab3
"T1"=dword:48998b32
"T2"=dword:48998b92
"LeaseTerminatesTime"=dword:48998bb2
"DhcpRetryTime"=dword:0000007e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{3D7F9281-6AFB-4AC3-A2C0-D117C80816FC}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:48998ab3
"T1"=dword:48998b32
"T2"=dword:48998b92
"LeaseTerminatesTime"=dword:48998bb2
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a639c7c]
"000d3aa752e4"=hex:0a,1d,d7,f7,6d,12,df,ac,66,9b,65,02,fd,b8,55,b6
"0007a4b64478"=hex:23,ed,1b,2d,4b,a0,1b,49,d9,7e,63,e3,93,75,71,5d
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000d3aa7bc1d]
"00092d04f89f"=hex:7f,f2,26,2c,be,7a,12,3f,44,32,90,b5,3b,e2,cf,a9
"000d3aa752e4"=hex:7b,27,c6,07,44,65,ee,28,73,32,c0,0f,17,60,59,dc
"001e3a7cd256"=hex:c6,33,d1,3a,a8,62,8c,fc,51,fa,3f,0a,01,81,6e,1e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
"h0"=dword:00000000
"ujdew"=hex:e7,6d,ed,bc,5d,89,93,fd,62,47,1b,9a,6c,e8,14,e3,44,c7,09,49,45,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services*:

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*isabled:WinDVD"
"O:\\Games\\UT2003\\System\\UT2003.exe"="O:\\Games\\UT2003\\System\\UT2003.exe:*:Enabled:UT2003"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe:*:Enabled:bf2_w32ded"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\TOCA III\\RD3.exe"="C:\\Program Files\\TOCA III\\RD3.exe:*:Enabled:Launch ToCA Race Driver 3."
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"O:\\Games\\World In Conflict\\Installed\\wic.exe"="O:\\Games\\World In Conflict\\Installed\\wic.exe:*:Enabled:World in Conflict"
"O:\\Games\\World In Conflict\\Installed\\wic_online.exe"="O:\\Games\\World In Conflict\\Installed\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"O:\\Games\\World In Conflict\\Installed\\wic_ds.exe"="O:\\Games\\World In Conflict\\Installed\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"O:\\Programs\\Autodesk\\Backburner\\monitor.exe"="O:\\Programs\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"O:\\Programs\\Autodesk\\Backburner\\manager.exe"="O:\\Programs\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"O:\\Programs\\Autodesk\\Backburner\\server.exe"="O:\\Programs\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"O:\\Programs\\Autodesk\\3D Studio Max\\3dsmax.exe"="O:\\Programs\\Autodesk\\3D Studio Max\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2008 32-bit"
"C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"="C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe:*:Enabled:Live Mesh"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
*Remaining Files*:

File Backups: - C:\SDFix\backups\backups.zip
*Files with Hidden Attributes*:
Tue 1 Jan 2008 56 A.SH. --- "C:\Documents and Settings\All Users\Application Data\dc64vg9.sys"
Sun 4 Jun 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 4 Jun 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Mon 18 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 19 Apr 2006 4,348 A..H. --- "C:\Documents and Settings\MediaCenter\My Documents\License Backup\drmv1key.bak"
Wed 19 Apr 2006 401 A..H. --- "C:\Documents and Settings\MediaCenter\My Documents\License Backup\drmv1lic.bak"
Mon 6 Feb 2006 312 A.SH. --- "C:\Documents and Settings\MediaCenter\My Documents\License Backup\drmv2key.bak"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT5.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT9.tmp"
Mon 28 Apr 2008 7,134,072 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\932c84dd1bf7c1257fcc650981219d45\BIT6A0.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT8.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT6.tmp"
Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\be9cebb68dd8282073067488451b3f0b\BIT8.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITA.tmp"
Mon 28 Apr 2008 13,293,000 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e598a7d762acb3677048798428b92f3f\BIT6A1.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT6.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT5.tmp"
Sun 6 Jul 2008 77,312 ...H. --- "C:\Documents and Settings\MediaCenter\Application Data\Microsoft\Word\~WRL0003.tmp"
Sat 6 Oct 2007 888 ...HR --- "C:\Documents and Settings\MediaCenter\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 3 May 2008 79,872 ...H. --- "C:\Documents and Settings\MediaCenter\Local Settings\Temporary Internet Files\Content.MSO\~WRL0005.tmp"
Wed 6 Aug 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp"
Wed 6 Aug 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE5.tmp"
*Finished!*


----------



## robin.alden (Jul 29, 2008)

ComboFix 08-08-06.02 - tempadmin 2008-08-07 20:44:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT 12:00]
Running from: C:\Documents and Settings\tempadmin\Desktop\Kill Bits\ComboFix.exe
Command switches used :: C:\Documents and Settings\tempadmin\Desktop\Kill Bits\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Starware353
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes_foreign_feed.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\recipes_foreign_feed.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\starware_toolbar_icon.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware353\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware353\contexts\Related.xml
C:\Documents and Settings\All Users\Application Data\Starware353\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware353\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware353\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\Limited User\Application Data\rhc1joj0ea2r
C:\Documents and Settings\Limited User\Application Data\wsnpoem
C:\Documents and Settings\MediaCenter\Application Data\Starware353
C:\Documents and Settings\MediaCenter\Application Data\Starware353\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Configurator\Configurator.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Configurator\Configurator.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Games\GamesOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Games\GamesOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Games\images\active\Games0.bmp
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Layouts\ToolbarLayout.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Manager\ManagerOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Movies\images\active\Movies0.bmp
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Movies\MoviesOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Recipes_Foreign\Recipes_ForeignOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Recipes_Foreign\Recipes_ForeignOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\RecipeSearch_Foreign\RecipeSearch_ForeignOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\RecipeSearch_Foreign\RecipeSearch_ForeignOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Reference\ReferenceOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Weather\AlertArchive.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Weather\WeatherOptions.xml
C:\Documents and Settings\MediaCenter\Application Data\Starware353\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\tempadmin\Application Data\rhc1joj0ea2r
C:\Program Files\rhc1joj0ea2r
C:\WINDOWS\system32\blphc5joj0ea2r.scr
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\lphc5joj0ea2r.exe
C:\WINDOWS\system32\phc5joj0ea2r.bmp
C:\WINDOWS\system32\pphc5joj0ea2r.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-07 20:17 . 2008-08-07 20:17 d-------- C:\Documents and Settings\tempadmin\Application Data\Ethereal
2008-08-07 20:16 . 2008-08-07 20:16 d--h----- C:\WINDOWS\PIF
2008-08-06 21:55 . 2008-08-06 21:55 d-------- C:\WINDOWS\ERUNT
2008-08-06 21:51 . 2008-08-06 21:51 d-------- C:\Documents and Settings\Administrator
2008-08-06 21:42 . 2008-08-07 19:53 d-------- C:\SDFix
2008-08-03 09:27 . 2008-08-03 09:27 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 09:27 . 2008-08-03 09:27 d-------- C:\Documents and Settings\tempadmin\Application Data\Malwarebytes
2008-08-03 09:27 . 2008-08-03 09:27 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 09:27 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-03 09:27 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 12:22 . 2008-08-02 12:23 d-------- C:\Program Files\Trend Micros
2008-07-29 21:10 . 2008-07-29 21:10 d-------- C:\Documents and Settings\tempadmin
2008-07-29 10:46 . 2008-07-29 10:46 144 --a------ C:\Documents and Settings\Limited User\delself.bat
2008-07-29 10:40 . 2008-07-29 10:46 d-------- C:\Documents and Settings\Limited User
2008-07-24 19:13 . 2008-07-24 19:13 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-24 19:04 . 2008-07-24 19:04 d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-24 18:23 . 2008-07-24 18:23 d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-22 20:17 . 2008-07-22 20:17 d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 16:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-26 23:48 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Skype
2008-07-26 19:56 --------- d-----w C:\Program Files\DynDNS Updater
2008-07-25 20:32 --------- d-----w C:\Program Files\Google
2008-07-24 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-24 07:04 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-22 21:12 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\SOUNDGRAPH
2008-07-22 08:18 --------- d-----w C:\Program Files\Lavasoft
2008-07-22 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 08:22 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Autodesk
2008-06-26 08:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-06-26 08:18 --------- d-----w C:\Program Files\turbo squid tentacles
2008-06-26 08:16 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-26 08:16 --------- d-----w C:\Program Files\Autodesk
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 08:56 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Hamachi
2008-01-01 00:01 56 --sha-w C:\Documents and Settings\All Users\Application Data\dc64vg9.sys
2004-08-10 12:00 621,056 ----a-r C:\Documents and Settings\Limited User\Application Data\ntos.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 00:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~2\DVDShell.dll" [2004-10-09 14:18 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2008-07-16 09:04 23552 C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^Hamachi.lnk]
path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\Hamachi.lnk
backup=C:\WINDOWS\pss\Hamachi.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-11 00:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2005-11-23 14:04 1544192 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iMON]
--a------ 2007-03-06 07:33 2179072 C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
--a------ 2008-06-25 09:15 17972344 C:\WINDOWS\system32\MRT.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-10 17:38 7557120 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-03-28 11:20 1079296 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 16:32 25365032 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-30 14:20 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-11 00:00 110592 C:\WINDOWS\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-08-17 22:39 90112 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=3 (0x3)
"rpcapd"=3 (0x3)
"PnkBstrA"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Norton Ghost"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"mi-raysat_3dsMax2008_32"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1c8d8c839b4ffe2"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"StarWindService"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"ServiceLayer"=3 (0x3)
"NVSvc"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"MSSQL$MSSMLBIZ"=2 (0x2)
"GEARSecurity"=2 (0x2)
"DynDNS_Updater_Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ANIWZCSdService"=2 (0x2)
"aawservice"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\TOCA III\\RD3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 10:30]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-07 03:11]
R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3132r5.sys [2006-04-12 09:15]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 10:49]
R2 npdrv;npdrv;C:\WINDOWS\system32\drivers\npdrv.sys [2007-02-03 20:23]
R2 wlcrasvc;Live Mesh Remote Desktop;C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe [2008-07-16 09:04]
R3 RDPDISPM;RDPDISPM;C:\WINDOWS\system32\DRIVERS\rdpdispm.sys [2008-05-31 11:41]
R3 RDPVDD;RDPVDD;C:\WINDOWS\system32\DRIVERS\rdpvmp.sys [2008-05-31 11:41]
S2 gupdate1c8d8c839b4ffe2;Google Update Service (gupdate1c8d8c839b4ffe2);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
S3 HVWINDR.SYS;HVWINDR.SYS;O:\Downloads\Software\Sky Decoder\HVWINDR.SYS []
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 09:10]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 14:12]
S3 PciCon;PciCon;D:\PciCon.sys []
S3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 15:11]
S4 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 10:32]
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;o:\Programs\Visual Studio 2005\Common7\IDE\Remote Debugger\x86\msvsmon.exe []
S4 msvsmon90;Visual Studio 2008 Remote Debugger;O:\Programs\Microsoft Visual Studio 2008\Common7\IDE\Remote Debugger\x86\msvsmon.exe []
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-05 09:38]
.
Contents of the 'Scheduled Tasks' folder
2007-03-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1166225828.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
2008-08-02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1170790141.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
2008-08-07 C:\WINDOWS\Tasks\GoogleUpdateTask.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-lphc5joj0ea2r - C:\WINDOWS\system32\lphc5joj0ea2r.exe
HKLM-Run-SMrhc1joj0ea2r - C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe
MSConfigStartUp-lphc5joj0ea2r - C:\WINDOWS\system32\lphc5joj0ea2r.exe
MSConfigStartUp-SMrhc1joj0ea2r - C:\Program Files\rhc1joj0ea2r\rhc1joj0ea2r.exe
MSConfigStartUp-buritos - buritos.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 20:48:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
.
**************************************************************************
.
Completion time: 2008-08-07 20:53:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 08:53:33
Pre-Run: 2,743,607,296 bytes free
Post-Run: 3,785,506,816 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
343 --- E O F --- 2008-07-24 07:14:20


----------



## robin.alden (Jul 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:25 p.m., on 7/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micros\aHijackThis\Temp.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O23 - Service: Google Update Service (gupdate1c8d8c839b4ffe2) (gupdate1c8d8c839b4ffe2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
--
End of file - 4798 bytes


----------



## cybertech (Apr 16, 2002)

Print these instructions or save them to Notepad!

Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. 
Open notepad and copy/paste the text in the quotebox below into it:



> KILLALL::
> File::
> C:\Documents and Settings\Limited User\Application Data\ntos.exe
> C:\WINDOWS\system32\lphc5joj0ea2r.exe
> ...


Save this as *CFScript.txt* in the same location as ComboFix.exe

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6 Update 7*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

I don't see any anti-virus software running. 
Go *>>here<<* and select one of the free anti-virus programs to load.

Run Malwarebytes and post the resulting log with a new Hijackthis log and the ComboFix log.


----------



## robin.alden (Jul 29, 2008)

Hi cybertech,

Sorry it took so long to get back to you, life seems to have taken on a new level of busy these last few weeks.

Everything went to plan, except I was unable to post a log for Malwarebytes. I went to the logs tab when it finished and there was no log. I did read the log on screen and there were 4 threats found and removed. They were the buritos.exe and UPS.zip files that Outlook put in its temp folder when I ran them.

Logs follow...

NOTE: the ComboFix log is approx 7 days older than the HijackThis log. In the meantime I had installed the Windows Media Centre Extender for my Xbox.


----------



## robin.alden (Jul 29, 2008)

ComboFix 08-08-08.06 - MediaCenter 2008-08-09 11:02:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1604 [GMT 12:00]
Running from: O:\Admin\Kill Bits\ComboFix.exe
Command switches used :: O:\Admin\Kill Bits\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\Limited User\Application Data\ntos.exe
C:\WINDOWS\system32\lphc5joj0ea2r.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Limited User\Application Data\ntos.exe
C:\Documents and Settings\Limited User\Application Data\wsnpoem
C:\Documents and Settings\Limited User\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\Limited User\Application Data\wsnpoem\video.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.
2008-08-07 22:34 . 2008-08-07 22:34 d-------- C:\Documents and Settings\MediaCenter\Application Data\Malwarebytes
2008-08-07 20:17 . 2008-08-07 20:17 d-------- C:\Documents and Settings\tempadmin\Application Data\Ethereal
2008-08-07 20:16 . 2008-08-07 20:16 d--h----- C:\WINDOWS\PIF
2008-08-06 21:55 . 2008-08-06 21:55 d-------- C:\WINDOWS\ERUNT
2008-08-06 21:51 . 2008-08-06 21:51 d-------- C:\Documents and Settings\Administrator
2008-08-06 21:42 . 2008-08-07 19:53 d-------- C:\SDFix
2008-08-03 09:27 . 2008-08-03 09:27 d-------- C:\Documents and Settings\tempadmin\Application Data\Malwarebytes
2008-08-03 09:27 . 2008-08-03 09:27 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 12:22 . 2008-08-02 12:23 d-------- C:\Program Files\Trend Micros
2008-07-29 21:10 . 2008-07-29 21:10 d-------- C:\Documents and Settings\tempadmin
2008-07-29 10:46 . 2008-07-29 10:46 144 --a------ C:\Documents and Settings\Limited User\delself.bat
2008-07-29 10:40 . 2008-07-29 10:46 d-------- C:\Documents and Settings\Limited User
2008-07-24 19:13 . 2008-07-24 19:13 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-24 19:04 . 2008-07-24 19:04 d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-24 18:23 . 2008-07-24 18:23 d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-22 20:17 . 2008-07-22 20:17 d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 16:05 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-26 23:48 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Skype
2008-07-26 19:56 --------- d-----w C:\Program Files\DynDNS Updater
2008-07-25 20:32 --------- d-----w C:\Program Files\Google
2008-07-24 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-24 07:04 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-22 21:12 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\SOUNDGRAPH
2008-07-22 08:18 --------- d-----w C:\Program Files\Lavasoft
2008-07-22 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 08:22 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Autodesk
2008-06-26 08:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-06-26 08:18 --------- d-----w C:\Program Files\turbo squid tentacles
2008-06-26 08:16 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-26 08:16 --------- d-----w C:\Program Files\Autodesk
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 08:56 --------- d-----w C:\Documents and Settings\MediaCenter\Application Data\Hamachi
2008-06-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-01 00:01 56 --sha-w C:\Documents and Settings\All Users\Application Data\dc64vg9.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe" [2008-07-16 09:04 1188864]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 00:00 15360]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-30 14:20 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~2\DVDShell.dll" [2004-10-09 14:18 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2008-07-16 09:04 23552 C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^Hamachi.lnk]
path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\Hamachi.lnk
backup=C:\WINDOWS\pss\Hamachi.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^MediaCenter^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\MediaCenter\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-11 00:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2005-11-23 14:04 1544192 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iMON]
--a------ 2007-03-06 07:33 2179072 C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
--a------ 2008-06-25 09:15 17972344 C:\WINDOWS\system32\MRT.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-10 17:38 7557120 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-03-28 11:20 1079296 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 16:32 25365032 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-30 14:20 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-11 00:00 110592 C:\WINDOWS\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-08-17 22:39 90112 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=3 (0x3)
"rpcapd"=3 (0x3)
"PnkBstrA"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Norton Ghost"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"mi-raysat_3dsMax2008_32"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1c8d8c839b4ffe2"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"StarWindService"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"ServiceLayer"=3 (0x3)
"NVSvc"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"MSSQL$MSSMLBIZ"=2 (0x2)
"GEARSecurity"=2 (0x2)
"DynDNS_Updater_Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ANIWZCSdService"=2 (0x2)
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\TOCA III\\RD3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\MediaCenter\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-11-10 10:30]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-07 03:11]
R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3132r5.sys [2006-04-12 09:15]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-11-10 10:49]
R2 npdrv;npdrv;C:\WINDOWS\system32\drivers\npdrv.sys [2007-02-03 20:23]
R2 wlcrasvc;Live Mesh Remote Desktop;C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe [2008-07-16 09:04]
R3 RDPDISPM;RDPDISPM;C:\WINDOWS\system32\DRIVERS\rdpdispm.sys [2008-05-31 11:41]
R3 RDPVDD;RDPVDD;C:\WINDOWS\system32\DRIVERS\rdpvmp.sys [2008-05-31 11:41]
S2 gupdate1c8d8c839b4ffe2;Google Update Service (gupdate1c8d8c839b4ffe2);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
S3 HVWINDR.SYS;HVWINDR.SYS;O:\Downloads\Software\Sky Decoder\HVWINDR.SYS [2003-02-21 19:28]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 09:10]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 14:12]
S3 PciCon;PciCon;D:\PciCon.sys []
S3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 15:11]
S4 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files\DynDNS Updater\DynDNS.exe [2006-09-17 10:32]
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;o:\Programs\Visual Studio 2005\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;O:\Programs\Microsoft Visual Studio 2008\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 08:58]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-05 09:38]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Vault\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
2007-03-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1166225828.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
2008-08-02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1170790141.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
2008-08-08 C:\WINDOWS\Tasks\GoogleUpdateTask.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-12 15:59]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 11:08:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
.
**************************************************************************
.
Completion time: 2008-08-09 11:14:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 23:14:40
ComboFix2.txt 2008-08-07 08:53:37
Pre-Run: 3,684,438,016 bytes free
Post-Run: 3,719,585,792 bytes free
246 --- E O F --- 2008-07-24 07:14:20


----------



## robin.alden (Jul 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:51 p.m., on 16/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micros\aHijackThis\Temp.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\MediaCenter\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c8d8c839b4ffe2) (gupdate1c8d8c839b4ffe2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/en/0/0d/TopGearClarksonVeyronRace.jpg
--
End of file - 7153 bytes


----------



## cybertech (Apr 16, 2002)

How is it running now? Any problems?


----------



## robin.alden (Jul 29, 2008)

Hi cybertech,

All seems 100% fine. I can't see any unexpected tasks running or any adverse behaviour.

*Thanks so much for your help! *


----------



## cybertech (Apr 16, 2002)

Good, you're welcome!

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Download *OTCleanIt*. Save this application on your desktop. Once downloaded, double-click on *OTCleanIt.exe*. This should remove most malware tools you downloaded. A restart will be required.

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.


----------

