SpywareInfo Forum: Google Redirect and Many Pop ups


Google Redirect and Many Pop ups

#1 anaitat_02

  • Group: Full Member
  • Posts: 2
  • Joined: 03-November 09

Posted 03 November 2009 - 04:03 PM

Hi:

Every time I do a search in Google (in IE or Firefox), when I click the link it redirects me to another site; this site is different every time I click the same link, and after some attempts I'm able to access the site I want. Also, a few days ago, pop-ups began to open randomly while I'm using either IE or Firefox (it always goes first to bu520.com and then redirects to another site; last time it redirected me to, for example, eInsuranceMarket, Dish). I read the FAQ, ran Spybot - Search and Destroy and it found some cookies and deleted them, then I ran Malwarebytes' Anti-Malware and it found nothing (log below), then I ran Panda ActiveScan (results below) and finally I ran HijackThis (log below). My antivirus is Symantec Endpoint Protection with the last definitions as of Nov 1, 09.

Have a great day and thanks for all.

Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3092
Windows 5.1.2600 Service Pack 2

11/3/2009 10:27:44 AM
mbam-log-2009-11-03 (10-27-44).txt

Scan type: Quick Scan
Objects scanned: 128966
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

BitDefender Quick Scan
BitDefender QuickScan Beta v0.9.7.8
-----------------------------------

Scan date: Tue Nov 03 16:57:24 2009
Machine ID: FC11AFFD



No infection found.
---------------------


Processes
---------
<unsigned> ActivCard Gold Quick Fill 3800 C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
<unsigned> ActivCard Gold - New Card Registration 1320 C:\Program Files\Common Files\ActivCard\acautoreg.exe
<unsigned> ActivCard Cache Server 1980 C:\Program Files\Common Files\ActivCard\accoca.exe
<unsigned> InstallShield Update Service Scheduler 2852 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
<unsigned> LSSrvc.exe 1172 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
<unsigned> Sonic CinePlayer® Tray Application 3968 C:\Program Files\Common Files\Sonic Shared\CineTray.exe
<unsigned> Battery backup management service 708 C:\Program Files\Conext\Conext Shutdown Manager\mainserv.exe
<unsigned> QLB Controller 2256 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
<unsigned> radexecd 2228 C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
<unsigned> radsched 2372 C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
<unsigned> radstgms 2620 C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
<unsigned> COEMsgDisplay Utility 2328 C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
<unsigned> Intelligent Desktop Assistant (IDA) 4072 C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
<unsigned> hpqwmiex Module 3656 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
<unsigned> HP CUE Alert Popup Window Objects 4344 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
<unsigned> HP CUE Status Root 5600 C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
<unsigned> Hewlett-Packard Product Assistant 2332 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
<unsigned> AvChgSvc Application 616 C:\Program Files\HPAVAdminScan\avChgSvc.exe
<unsigned> HP Wireless Assistant Module 2240 C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
<unsigned> HpqToaster Module 5144 C:\Program Files\HPQ\Shared\HpqToaster.exe
<unsigned> Intel® PROSet/Wireless Event Log 224 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
<unsigned> Intel Framework MFC Application 1888 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
<unsigned> Intel® PROSet/Wireless Registry Service 2812 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
<unsigned> Wireless Management Service 308 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
<unsigned> ezprint.exe 2440 C:\Program Files\Lexmark 7100 Series\ezprint.exe
<unsigned> Lexmark 7100 Series Device Monitor 2436 C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
<unsigned> User Profile Hive Cleanup Service 3452 C:\Program Files\UPHClean\uphclean.exe
<unsigned> Hp Accelerometer System Tray 2248 C:\WINDOWS\system32\AccelerometerSt.exe
<unsigned> Drive Letter Access Component 2540 C:\WINDOWS\system32\dla\tfswctrl.exe

<verified> SMax4PNP 416 C:\Program Files\Analog Devices\Core\smax4pnp.exe
<verified> Apple Mobile Device Service 1680 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
<verified> Machine Debug Manager 2080 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
<verified> RealNetworks Scheduler 3132 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
<verified> Symantec User Session 2368 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
<verified> Symantec Service Framework 1792 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
<verified> HP Digital Imaging Monitor 3888 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
<verified> Internet Explorer 5236 C:\Program Files\Internet Explorer\iexplore.exe
<verified> Windows Messenger 3380 C:\Program Files\Messenger\msmsgs.exe
<verified> Microsoft Office Communicator 2007 2424 C:\Program Files\Microsoft Office Communicator\communicator.exe
<verified> Microsoft Office Outlook 3168 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
<verified> Firefox 2336 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Symantec AntiVirus 3220 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
<verified> Symantec CMC Smc 492 C:\Program Files\Symantec AntiVirus\Smc.exe
<verified> Symantec CMC SmcGui 2416 C:\Program Files\Symantec AntiVirus\SmcGui.exe
<verified> Symantec Network Access Control 1140 C:\Program Files\Symantec AntiVirus\SNAC.EXE
<verified> Synaptics TouchPad Enhancements 2320 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
<verified> SoftModem Messaging Applet 1268 C:\WINDOWS\AGRSMMSG.exe
<verified> Windows Explorer 948 C:\WINDOWS\Explorer.EXE
<verified> Application Layer Gateway Service 4264 C:\WINDOWS\System32\alg.exe
<verified> ATI External Event Utility EXE Module 1672 C:\WINDOWS\system32\Ati2evxx.exe
<verified> ATI External Event Utility EXE Module 2564 C:\WINDOWS\system32\Ati2evxx.exe
<verified> Client Server Runtime Process 1380 C:\WINDOWS\system32\csrss.exe
<verified> CTF Loader 3332 C:\WINDOWS\system32\ctfmon.exe
<verified> LSA Shell (Export Version) 1468 C:\WINDOWS\system32\lsass.exe
<verified> Lexmark Communication System 4040 C:\WINDOWS\system32\lxbxcoms.exe
<verified> Remote Desktop Connection 5780 C:\WINDOWS\system32\mstsc.exe
<verified> Smart Card Resource Management Server 1764 C:\WINDOWS\System32\SCardSvr.exe
<verified> Services and Controller app 1456 C:\WINDOWS\system32\services.exe
<verified> Windows NT Session Manager 1324 C:\WINDOWS\System32\smss.exe
<verified> Spooler SubSystem App 896 C:\WINDOWS\system32\spoolsv.exe
<verified> Generic Host Process for Win32 Services 2148 C:\WINDOWS\System32\svchost.exe
<verified> Generic Host Process for Win32 Services 2108 C:\WINDOWS\System32\svchost.exe
<verified> Generic Host Process for Win32 Services 2008 C:\WINDOWS\System32\svchost.exe
<verified> Generic Host Process for Win32 Services 1808 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1696 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 2968 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 992 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1056 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1012 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 772 C:\WINDOWS\system32\svchost.exe
<verified> WMI 3844 C:\WINDOWS\system32\wbem\wmiprvse.exe
<verified> Windows NT Logon Application 1408 C:\WINDOWS\system32\winlogon.exe


Network activity
----------------
Process firefox.exe (2336) connected on port 8088 - proxy.atlanta.hp.com
Process firefox.exe (2336) connected on port 8088 - proxy.atlanta.hp.com
Process firefox.exe (2336) connected on port 8088 - proxy.atlanta.hp.com
Process firefox.exe (2336) connected on port 8088 - proxy.atlanta.hp.com
Process firefox.exe (2336) connected on port 8088 - proxy.atlanta.hp.com
Process firefox.exe (2336) connected on port 8088 - proxy.atlanta.hp.com
Process firefox.exe (2336) connected on port 8088 - proxy.atlanta.hp.com
Process communicator.exe (2424) connected on port 5061 (SIP) - rtcprdpool1.austin.hp.com
Process communicator.exe (2424) connected on port 13784 - gvw1098exb.houston.hp.com
Process communicator.exe (2424) connected on port 49155 (RPC) - g6w0024.americas.hpqcorp.net
Process OUTLOOK.EXE (3168) connected on port 49155 (RPC) - g6w0023.americas.hpqcorp.net
Process OUTLOOK.EXE (3168) connected on port 13784 - gvw1098exb.houston.hp.com
Process OUTLOOK.EXE (3168) connected on port 1536 - g3w0857.americas.hpqcorp.net
Process iexplore.exe (5236) connected on port 8088 - proxy.atlanta.hp.com
Process iexplore.exe (5236) connected on port 8088 - proxy.atlanta.hp.com
Process mstsc.exe (5780) connected on port 3389 (Terminal Server) - zeus.ads.hhven.net

Process svchost.exe (1808) listens on ports: 135 (RPC)
Process radexecd.exe (2228) listens on ports: 3465
Process Radstgms.exe (2620) listens on ports: 3460


Autoruns and critical files
---------------------------
<unsigned> ActivCard Gold Quick Fill C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
<unsigned> InstallShield Update Service Scheduler C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
<unsigned> InstallShield Update Service Update Manager C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
<unsigned> Sonic CinePlayer® Tray Application C:\Program Files\Common Files\Sonic Shared\CineTray.exe
<unsigned> QLB Controller C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
<unsigned> COEMsgDisplay Utility C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
<unsigned> COE Application Usage tracker (16 and 32-bit appli c:\Program Files\Hewlett-Packard\PC COE\coetl32.exe
<unsigned> Intelligent Desktop Assistant (IDA) C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
<unsigned> Hewlett-Packard Product Assistant C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
<unsigned> HP Wireless Assistant Module C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
<unsigned> Intel Framework MFC Application C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
<unsigned> DVDCheck Application C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
<unsigned> ezprint.exe C:\Program Files\Lexmark 7100 Series\ezprint.exe
<unsigned> Lexmark 7100 Series Device Monitor C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
<unsigned> QuickTime Task C:\Program Files\QuickTime\qttask.exe
<unsigned> Hp Accelerometer System Tray C:\WINDOWS\system32\AccelerometerSt.exe
<unsigned> Drive Letter Access Component C:\WINDOWS\system32\dla\tfswctrl.exe

<verified> Adobe Acrobat SpeedLauncher C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
<verified> SMax4PNP C:\Program Files\Analog Devices\Core\smax4pnp.exe
<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
<verified> AppleSyncNotifier C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
<verified> RealNetworks Scheduler C:\Program Files\Common Files\Real\Update_OB\realsched.exe
<verified> Symantec User Session C:\Program Files\Common Files\Symantec Shared\ccApp.exe
<verified> HP Digital Imaging Monitor C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
<verified> Malwarebytes' Anti-Malware C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
<verified> Windows Messenger C:\program files\messenger\msmsgs.exe
<verified> Microsoft Office Communicator 2007 C:\program files\microsoft office communicator\communicator.exe
<verified> Norton Security Scan C:\Program Files\Norton Security Scan\Nss.exe
<verified> Synaptics TouchPad Enhancements C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
<verified> ATI External Event Utility DLL Module C:\WINDOWS\system32\ati2evxx.dll
<verified> Shell Browser UI Library C:\WINDOWS\system32\browseui.dll
<verified> Crypto API32 C:\WINDOWS\system32\crypt32.dll
<verified> Crypto Network Related API C:\WINDOWS\system32\cryptnet.dll
<verified> Offline Network Agent C:\WINDOWS\system32\cscdll.dll
<verified> CTF Loader C:\WINDOWS\system32\ctfmon.exe
<verified> Windows Logon UI C:\WINDOWS\system32\logonui.exe
<verified> Run a DLL as an App C:\WINDOWS\system32\rundll32.exe
<verified> Secondary Logon Service Notification DLL C:\WINDOWS\system32\sclgntfy.dll
<verified> Windows Shell Common Dll C:\WINDOWS\system32\shell32.dll
<verified> Systray shell service object C:\WINDOWS\system32\stobject.dll
<verified> Userinit Logon Application c:\windows\system32\userinit.exe
<verified> Web Site Monitor C:\WINDOWS\system32\webcheck.dll
<verified> Windows Genuine Advantage Notifications C:\WINDOWS\system32\WgaLogon.dll
<verified> Common DLL to receive Winlogon notifications C:\WINDOWS\system32\wlnotify.dll
<verified> Windows Portable Device Shell Service Object C:\WINDOWS\system32\WPDShServiceObj.dll


Browser plugins
---------------
<unsigned> Fix Common Internet Explorer Problems C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
<unsigned> Adobe Shockwave for Director Netscape plug-in, ver C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> RealJukebox Netscape Plugin C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
<unsigned> 6.0.12.448 C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
<unsigned> RealJukebox Netscape Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> 6.0.12.448 C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> bdoscandel.exe C:\WINDOWS\bdoscandel.exe
<unsigned> InstallShield Update Service Setup Player Module C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> InstallShield Update Service Setup Player C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> ipsupd.dll C:\WINDOWS\Downloaded Program Files\ipsupd.dll
<unsigned> InstallShield Update Service Web Agent C:\WINDOWS\Downloaded Program Files\isusweb.dll
<unsigned> BitDefender Online Scanner C:\WINDOWS\Downloaded Program Files\oscan82.ocx
<unsigned> Adobe Shockwave for Director Netscape plug-in, ver C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
<unsigned> Drive Letter Access Component C:\WINDOWS\system32\dla\tfswshx.dll

<verified> npmnqmp 989898989877 C:\Documents and Settings\avellant\Application Data\Move Networks\plugins\npqmp071504000001.dll
<verified> Adobe PDF Helper for Internet Explorer C:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
<verified> Leo (Framework) - add-on for Internet Explorer c:\program files\hp\smart web printing\hpswp_framework.dll
<verified> hpswp_printenhancer dll c:\program files\hp\smart web printing\hpswp_printenhancer.dll
<verified> Java™ Platform SE binary c:\program files\java\jre1.6.0_05\bin\ssv.dll
<verified> SAM Name Service Provider C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll
<verified> Windows Messenger C:\program files\messenger\msmsgs.exe
<verified> 2.0.31005.0 C:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
<verified> Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> Office Plugin for Netscape Navigator C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
<verified> Adobe PDF Plug-In For Firefox and Netscape C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> RealPlayer™ LiveConnect-Enabled Plug-In C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
<verified> Panda ActiveScan 2.0 Plugin for Firefox C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll
<verified> RealPlayer™ LiveConnect-Enabled Plug-In C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<verified> RealPlayer Download and Record Plugin c:\program files\real\realplayer\rpbrowserrecordplugin.dll
<verified> Snagit Browser Helper Object for Internet Explorer c:\program files\techsmith\snagit 9\snagitbho.dll
<verified> Snagit Add-in for Internet Explorer c:\program files\techsmith\snagit 9\snagitieaddin.dll
<verified> Panda ActiveScan 2.0 Stub Library C:\WINDOWS\Downloaded Program Files\as2stubie.dll
<verified> HP Virtual Rooms Install C:\WINDOWS\Downloaded Program Files\HPVirtualRooms32.dll
<verified> HP Virtual Rooms Install C:\WINDOWS\Downloaded Program Files\HPVirtualRooms33.dll
<verified> JuniperSetupClientATL ActiveX Control Module C:\WINDOWS\Downloaded Program Files\JuniperSetup.ocx
<verified> Network Diagnostic for Windows XP C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Microsoft Windows Sockets 2.0 Service Provider C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft Windows Rsvp 1.0 Service Provider C:\WINDOWS\system32\rsvpsp.dll
<verified> LDAP RnR Provider DLL C:\WINDOWS\system32\winrnr.dll


Missing files
-------------
File not found: AGRSMMSG.exe
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AGRSMMSG"

File not found: UnHackMe Rootkit Check
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\"Title"

File not found: rundll32
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"LXBXCATS"


Scan
----
Using HTTP proxy: web-proxy:8088

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\Conext\Conext Shutdown Manager\UpsDevice.dll
C:\Program Files\Conext\Conext Shutdown Manager\res.dll
C:\Program Files\Conext\Conext Shutdown Manager\UpsControl.dll
C:\Program Files\Conext\Conext Shutdown Manager\drvutil.dll
C:\Program Files\Conext\Conext Shutdown Manager\mainserv.exe
C:\Program Files\Conext\Conext Shutdown Manager\pdcdll.dll

Upload started - 6 file(s)
Upload: C:\Program Files\Conext\Conext Shutdown Manager\mainserv.exe - 143482 bytes, hash: 907e6ca965e1d92a7108f9c89ec133c6
Upload: C:\Program Files\Conext\Conext Shutdown Manager\res.dll - 65536 bytes, hash: 413355a4d137d97d35a1eece43e0e4a3
Upload: C:\Program Files\Conext\Conext Shutdown Manager\drvutil.dll - 233592 bytes, hash: b6e3b0c7dabf07b56b508c6b272773e4
Upload: C:\Program Files\Conext\Conext Shutdown Manager\pdcdll.dll - 245885 bytes, hash: f5707d7b47e28b6d2a5efeb454ee9dac
Upload: C:\Program Files\Conext\Conext Shutdown Manager\UpsDevice.dll - 262268 bytes, hash: 27c70667952c20626968a26dc9b7f446
Upload: C:\Program Files\Conext\Conext Shutdown Manager\UpsControl.dll - 274558 bytes, hash: c6e984e392c26501fe5e6103f97d6366
Upload speed - 91 KB/s
Upload finished - 6 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 14 sec
Total traffic - 1.25 MB sent, 3.67 KB recvd
Scanned 1704 files and modules - 52 seconds

This is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:15 PM, on 11/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Conext\Conext Shutdown Manager\mainserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.hp.c...PuertoRico.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 141.124.242.67;sm.hhven.net;sm-test.hhven.net;141.124.242.69;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [QuickPassword] "C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe"
O4 - HKLM\..\Run: [IDA] "c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] "C:\WINDOWS\system32\AccelerometerSt.exe"
O4 - HKLM\..\Run: [QlbCtrl] "%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [COEMsgDisplay] "c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXBXCATS] "rundll32" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: *.cpqcorp.net
O15 - Trusted Zone: http://*.dcu.org
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://*.dec.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hpe-learning.com
O15 - Trusted Zone: *.hpqcorp.net
O15 - Trusted Zone: *.hpshopping.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://*.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) - https://www.rooms.hp...VCInstall33.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159954358084
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge...vpn/capicom.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sfo2-vpn1.hh...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Conext UPS Service - Conext - C:\Program Files\Conext\Conext Shutdown Manager\mainserv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 16321 bytes

Symantec Endpoint Information:

Quarantine log:

11/02/2009 Risk - Backdoor.Trojan filename - l2mfix[1].exe

System Log:

Date and Time Event Computer User Logged By Description
11/3/2009 10:20 Symantec Endpoint Protection Startup AGD-AVELLANT02 avellant System Symantec Endpoint Protection services startup was successful.
11/3/2009 10:15 Symantec Endpoint Protection Shutdown AGD-AVELLANT02 SYSTEM System Symantec Endpoint Protection services shutdown was successful.
11/3/2009 8:31 Symantec Endpoint Protection Startup AGD-AVELLANT02 avellant System Symantec Endpoint Protection services startup was successful.
11/3/2009 7:27 Symantec Endpoint Protection Shutdown AGD-AVELLANT02 SYSTEM System Symantec Endpoint Protection services shutdown was successful.
11/2/2009 22:35 Symantec Endpoint Protection Startup AGD-AVELLANT02 avellant System Symantec Endpoint Protection services startup was successful.
11/2/2009 22:30 Symantec Endpoint Protection Shutdown AGD-AVELLANT02 SYSTEM System Symantec Endpoint Protection services shutdown was successful.
11/2/2009 22:28 Symantec Endpoint Protection Auto-Protect Enabled AGD-AVELLANT02 avellant System Symantec Endpoint Protection Auto-Protect Enabled.
11/2/2009 22:28 Configuration Changed AGD-AVELLANT02 avellant System Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\APEOff' from '1257215006' to '0'
11/2/2009 22:28 Configuration Changed AGD-AVELLANT02 avellant System Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff' from '0' to '1'
11/2/2009 22:23 Symantec Endpoint Protection Auto-Protect Disabled AGD-AVELLANT02 avellant System Symantec Endpoint Protection Auto-Protect Disabled.
11/2/2009 22:23 Configuration Changed AGD-AVELLANT02 avellant System Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\APEOff' from '0' to '1257215006'
11/2/2009 22:23 Configuration Changed AGD-AVELLANT02 avellant System Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff' from '1' to '0'

This post has been edited by anaitat_02: 03 November 2009 - 04:04 PM


#2 User is offline   jedi Icon

  • Amare et sapere vix deo conceditur
  • Group: Administrators
  • Posts: 14,355
  • Joined: 16-June 04

Posted 06 November 2009 - 05:20 AM

Hi,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

jedi
Member of ASAP since 2005


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#3 User is offline   anaitat_02 Icon

  • Member
  • Group: Full Member
  • Posts: 2
  • Joined: 03-November 09

Posted 11 November 2009 - 08:16 AM

Hi, thanks for all your help.

Here is the ComboFix log:

ComboFix 09-11-09.02 - avellant 11/11/2009 8:48.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2854 [GMT -4:00]
Running from: c:\documents and settings\avellant\Desktop\ComboFix.exe
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\AutoRun.inf
c:\windows\system32\Drivers\bhfjcovobrgr.sys
c:\windows\system32\Drivers\fsadtxecatkr.sys
c:\windows\system32\Drivers\ihgtrtvxfmkm.sys
c:\windows\system32\Drivers\wpuakiqnmvkg.sys
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bhfjcovobrgr
-------\Legacy_fsadtxecatkr
-------\Legacy_ihgtrtvxfmkm
-------\Legacy_wpuakiqnmvkg
-------\Service_bhfjcovobrgr
-------\Service_fsadtxecatkr
-------\Service_ihgtrtvxfmkm
-------\Service_wpuakiqnmvkg


((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-05 20:03 . 2009-11-05 20:03 -------- d-----w- c:\program files\Uniblue
2009-11-05 19:20 . 2009-11-05 19:21 -------- d-----w- c:\program files\Premium Booster
2009-11-03 20:57 . 2009-11-03 20:58 -------- d-----w- c:\documents and settings\avellant\Application Data\QuickScan
2009-11-03 20:57 . 2009-10-23 20:35 679936 ----a-w- c:\documents and settings\avellant\Application Data\Mozilla\Firefox\Profiles\4i7nophc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-11-03 20:57 . 2009-10-23 20:34 610304 ----a-w- c:\documents and settings\avellant\Application Data\Mozilla\Firefox\Profiles\4i7nophc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-11-03 20:42 . 2009-11-03 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-03 20:03 . 2009-11-03 20:56 -------- d-----w- c:\windows\BDOSCAN8
2009-11-03 14:18 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 14:18 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 13:20 . 2009-11-03 20:59 -------- d-----w- C:\HJT
2009-11-03 13:08 . 2009-11-03 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 12:54 . 2009-11-03 12:54 -------- d-----w- c:\program files\Trend Micro
2009-11-03 02:29 . 2009-11-03 02:29 -------- d-----w- c:\program files\MSSOAP
2009-10-31 06:15 . 2009-10-31 06:16 -------- d-----w- c:\program files\The KMPlayer
2009-10-30 14:48 . 2009-10-30 14:48 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-30 01:51 . 2009-10-30 01:51 117760 ----a-w- c:\documents and settings\avellant\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-30 01:49 . 2009-10-30 01:49 -------- d-----w- c:\documents and settings\avellant\Application Data\SUPERAntiSpyware.com
2009-10-28 19:06 . 2009-10-28 19:06 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-27 19:19 . 2009-09-03 09:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-27 14:45 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-25 05:13 . 2009-10-25 05:13 35440 ----a-w- c:\windows\system32\FM20ENU.DLL
2009-10-22 13:00 . 2009-05-07 15:03 307200 ----a-w- c:\windows\system32\AscSQLite.dll
2009-10-22 13:00 . 2008-11-06 20:04 36864 ----a-w- c:\windows\system32\ascbalon.dll
2009-10-22 13:00 . 2009-04-15 22:50 217088 ----a-w- c:\windows\system32\AscConTest.dll
2009-10-21 19:55 . 2009-10-21 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-10-21 19:55 . 2009-10-21 19:55 -------- d-----w- c:\documents and settings\avellant\Local Settings\Application Data\TechSmith
2009-10-21 19:54 . 2009-10-30 03:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-20 16:39 . 2009-10-27 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-10-16 03:33 . 2009-10-16 03:33 -------- d-----w- C:\RootkitNO
2009-10-16 02:55 . 2009-10-16 02:55 2 --shatr- c:\windows\winstart.bat
2009-10-16 01:36 . 2009-11-05 19:09 63 ----a-w- c:\windows\system\SYSPCB.dll
2009-10-16 01:35 . 2009-08-26 02:22 442368 --s-a-w- c:\windows\system32\Eraser.dll
2009-10-15 18:19 . 2009-10-15 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-14 18:55 . 2009-10-14 18:55 -------- d-----w- c:\program files\AVG
2009-10-14 18:55 . 2009-10-16 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-12 20:57 . 2009-10-27 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-12 18:09 . 2009-10-12 18:16 -------- d-----w- C:\_Backup
2009-10-12 18:09 . 2009-10-12 18:09 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Avanquest
2009-10-12 18:08 . 2009-10-12 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avanquest
2009-10-12 18:08 . 2009-10-12 18:09 -------- d-----w- c:\documents and settings\avellant\Application Data\Avanquest
2009-10-12 18:08 . 2009-10-30 03:39 -------- d-----w- c:\program files\Common Files\AntiVirus
2009-10-12 18:07 . 2009-10-12 18:07 -------- d-----w- c:\program files\Avanquest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 12:44 . 2006-10-04 14:09 -------- d-----w- c:\program files\symantec antivirus
2009-11-11 12:01 . 2008-12-11 12:44 -------- d-----w- c:\program files\RA2HP
2009-11-11 12:00 . 2009-05-18 20:18 56432 ----a-w- c:\documents and settings\avellant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 19:04 . 2009-07-08 13:18 -------- d-----w- c:\documents and settings\avellant\Application Data\Uniblue
2009-11-03 13:49 . 2009-10-07 22:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-03 13:48 . 2009-10-07 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 05:44 . 2009-07-08 13:26 -------- d-----w- c:\program files\Ace Utilities
2009-10-31 05:44 . 2009-07-08 13:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-29 12:23 . 2008-08-20 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-25 05:05 . 2006-10-04 14:53 28040 ----a-w- c:\windows\system32\mdimon.dll
2009-10-22 16:38 . 2007-04-11 18:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-21 19:55 . 2009-07-21 14:16 -------- d-----w- c:\program files\TechSmith
2009-10-16 02:31 . 2007-06-30 22:56 -------- d-----w- c:\program files\Punch! Pro - Platinum
2009-10-11 00:34 . 2007-12-29 02:11 -------- d-----w- c:\program files\vanBasco's Karaoke Player
2009-10-07 22:05 . 2009-10-07 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-07 20:11 . 2009-10-07 20:11 -------- d-----w- c:\documents and settings\avellant\Application Data\Malwarebytes
2009-10-07 20:11 . 2009-10-07 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-03 15:40 . 2008-09-17 16:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-02 20:17 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-29 07:36 . 1980-01-01 00:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-09-17 15:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 1980-01-01 00:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-20 20:45 . 2009-08-20 20:45 127921 ----a-w- c:\documents and settings\avellant\Application Data\Move Networks\uninstall.exe
2009-08-20 20:45 . 2009-06-17 07:52 4183416 ----a-w- c:\documents and settings\avellant\Application Data\Move Networks\plugins\npqmp071504000001.dll
2009-08-20 20:45 . 2009-08-20 20:45 1686744 ----a-w- c:\documents and settings\avellant\Application Data\Move Networks\MoveMediaPlayerWin_071504000001.exe
2006-12-29 20:15 . 2009-02-02 01:42 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2006-12-29 20:15 . 2009-02-02 01:42 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2006-12-29 20:15 . 2009-02-02 01:42 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2006-12-29 20:15 . 2009-02-02 01:42 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2006-12-07 15:26 . 2009-02-02 01:42 1129984 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2006-12-07 15:26 . 2009-02-02 01:42 1124864 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-02-19 14:57 . 2008-02-19 14:57 5 --sha-w- c:\windows\system32\cdaadec_s.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"UniblueRegistryBooster"="c:\program files\Uniblue\RegistryBooster 2010\launcher.exe" [2009-09-29 59184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2005-01-07 225280]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-10-26 184320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-12 26624]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-15 39792]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-07-29 5720072]
"lxbxmon.exe"="c:\program files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 196608]
"EzPrint"="c:\program files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-02-25 127037]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-02 198160]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88203]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-4-11 184320]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2005-4-25 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\symantec antivirus\\Smc.exe"=
"c:\\Program Files\\symantec antivirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/27/2009 10:45 AM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/7/2009 9:54 AM 28552]
R1 NEOFLTR_630_14121;Juniper Networks TDI Filter Driver (NEOFLTR_630_14121);c:\windows\system32\drivers\NEOFLTR_630_14121.sys [3/26/2009 11:02 PM 64480]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/30/2009 10:48 AM 93360]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [12/13/2005 5:29 PM 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [5/12/2004 7:51 PM 143360]
R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [10/7/2008 5:01 PM 238080]
R2 Conext UPS Service;Conext UPS Service;c:\program files\Conext\Conext Shutdown Manager\mainserv.exe [8/23/2008 2:49 PM 143482]
R2 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2/20/2007 1:59 PM 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [3/22/2007 5:19 PM 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [7/3/2008 8:28 AM 315570]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [10/4/2006 9:15 AM 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [10/4/2006 9:15 AM 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [4/6/2007 11:46 AM 13647]
R3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [6/18/2007 4:48 PM 27008]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [6/18/2007 4:48 PM 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 8:50 AM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [10/11/2006 5:41 AM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/11/2006 5:41 AM 36352]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [8/3/2007 10:31 AM 23424]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/8/2008 1:45 PM 23888]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [8/26/2009 1:14 PM 16456]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [8/26/2009 1:14 PM 11088]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [1/3/2008 11:59 AM 44928]
S3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [10/4/2006 9:15 AM 17024]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9AC2D554-AC12-4F1F-AAB9-E6363ADE5381}]
"c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B7B3E9B3-FB14-4927-894B-E9124509AF5A}]
msiexec.exe /fou {B7B3E9B3-FB14-4927-894B-E9124509AF5A} /qb!
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-11-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2008-09-12 05:17]

2009-11-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2008-09-12 05:17]

2009-11-11 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 22:06]

2009-11-11 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 04:27]

2009-11-11 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 21:13]

2009-11-01 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.hp.com/ipg/ams/PuertoRico/Pages/PuertoRico.aspx
uInternet Settings,ProxyServer = web-proxy:8088
uInternet Settings,ProxyOverride = 141.124.242.67;sm.hhven.net;sm-test.hhven.net;141.124.242.69;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\avellant\Application Data\Mozilla\Firefox\Profiles\4i7nophc.default\
FF - prefs.js: browser.startup.homepage - hxxp://intranet.hp.com/ipg/ams/PuertoRico/Pages/PuertoRico.aspx
FF - prefs.js: network.proxy.ftp - web-proxy
FF - prefs.js: network.proxy.ftp_port - 8088
FF - prefs.js: network.proxy.gopher - web-proxy
FF - prefs.js: network.proxy.gopher_port - 8088
FF - prefs.js: network.proxy.http - web-proxy
FF - prefs.js: network.proxy.http_port - 8088
FF - prefs.js: network.proxy.socks - web-proxy
FF - prefs.js: network.proxy.socks_port - 8088
FF - prefs.js: network.proxy.ssl - web-proxy
FF - prefs.js: network.proxy.ssl_port - 8088
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\avellant\Application Data\Mozilla\Firefox\Profiles\4i7nophc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\avellant\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\avellant\Application Data\Mozilla\Firefox\Profiles\4i7nophc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 08:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1412)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\accsp.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acpinto.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll
c:\windows\system32\acgnd.dll
c:\program files\ActivCard\ActivCard Gold\resources\acgndrc.dll

- - - - - - - > 'explorer.exe'(4628)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Symantec AntiVirus\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\windows\system32\lxbxcoms.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-11-11 9:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 13:04

Pre-Run: 48,269,410,304 bytes free
Post-Run: 48,913,022,976 bytes free

- - End Of File - - 9B79923390F5F22E1E08E49FE633FAA9

Have a great day,

Tatiana

#4 User is offline   jedi Icon

  • Amare et sapere vix deo conceditur
  • PipPipPipPipPip
  • Group: Administrators
  • Posts: 14,355
  • Joined: 16-June 04

Posted 11 November 2009 - 12:34 PM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

Quote

http://www.spywarein...ndpost&p=706268

Suspect::[18]
c:\windows\winstart.bat
c:\windows\system\SYSPCB.dll



Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

jedi
Member of ASAP since 2005


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 User is offline   jedi Icon

  • Amare et sapere vix deo conceditur
  • PipPipPipPipPip
  • Group: Administrators
  • Posts: 14,355
  • Joined: 16-June 04

Posted 02 December 2009 - 03:30 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi
Member of ASAP since 2005

