Unsolved
19 Posts
0
6022
March 18th, 2010 18:00
AVE.exe, fake windows security center alerts and system tray icon, IE internet access blocked with warning page
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:19 PM, on 3/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MozyPro\mozyprostat.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
G:\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeleteHistoryFree] C:\Program Files\DeleteHistoryFree\dhf.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MozyPro Status.lnk = C:\Program Files\MozyPro\mozyprostat.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267743513437
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O18 - Filter hijack: text/html - {313ef444-a414-427f-ac09-c91237b84d2c} - C:\WINDOWS\default32.dll
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MozyPro Backup Service (mozyprobackup) - Mozy, Inc. - C:\Program Files\MozyPro\mozyprobackup.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6449 bytes
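Added example, not from the thread or from any of the tools named in it: a small Python triage pass over HijackThis log lines like the ones above. It flags the entry classes that matter in this kind of rogue-AV infection: an executable running from the user profile (ave.exe), the O18 MIME filter hijack (default32.dll), autoruns launched from the profile, and O17 name servers outside a trusted list. The trusted list (the two OpenDNS addresses from the log) and the 192.0.2.1 sample line are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring a few lines of the HijackThis log above, plus one
# made-up O17 line (192.0.2.1 is a documentation address) so the DNS rule fires.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe
G:\HijackThis.exe
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.1
O18 - Filter hijack: text/html - {313ef444-a414-427f-ac09-c91237b84d2c} - C:\WINDOWS\default32.dll
"""

# Assumption: the resolvers the owner actually configured (OpenDNS, as in the log).
TRUSTED_NAMESERVERS = {"208.67.220.220", "208.67.222.222"}

# Path fragments a normally installed program does not run from on Windows XP.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\")

# R/F/O section entries: "O18 - Filter hijack: ..." etc.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass
class Finding:
    kind: str    # "process" or the HijackThis section, e.g. "O18"
    value: str   # path, command or address that triggered the rule
    reason: str


def _in_user_writable(text: str) -> bool:
    low = text.lower()
    return any(frag in low for frag in USER_WRITABLE)


def triage(log: str) -> list:
    """Return the entries of a HijackThis v2 log that deserve a second look."""
    findings = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Inside the process list: one absolute path per line.
            if in_processes and _in_user_writable(line):
                findings.append(Finding("process", line,
                                        "executable running from a user-writable profile directory"))
            continue
        in_processes = False  # first section entry ends the process list
        kind, body = m.group(1), m.group(2)
        if kind == "O4":
            # "[Name] command" for Run keys, "Name.lnk = path" for Startup folders.
            cmd = body.split("] ", 1)[-1] if "] " in body else body.split(" = ", 1)[-1]
            if _in_user_writable(cmd):
                findings.append(Finding("O4", cmd,
                                        "autorun command points into a user-writable profile directory"))
        elif kind == "O17" and "NameServer =" in body:
            for ip in body.split("NameServer =", 1)[-1].split():
                if ip not in TRUSTED_NAMESERVERS:
                    findings.append(Finding("O17", ip, "DNS server not on the trusted list"))
        elif kind == "O18" and body.startswith("Filter hijack:"):
            # A MIME filter DLL sees (and can rewrite) every response of that type IE renders.
            parts = [p.strip() for p in body.split(" - ")]
            mime = parts[0][len("Filter hijack:"):].strip()
            findings.append(Finding("O18", parts[-1],
                                    f"MIME filter registered for {mime}; review the DLL"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.value}  <- {f.reason}")
```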
bamajim
10.4K Posts
0
March 19th, 2010 10:00
1. Please download The Avenger by Swandog46 to your Desktop.
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe
C:\WINDOWS\default32.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
4. The Avenger will automatically do the following:
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log
routeme2
19 Posts
0
March 19th, 2010 18:00
Posted a reply about an hour ago and it showed fine in the forum. Now it's gone. Reposting. Now I see a TOS violation message in my inbox. I would have never even imagined an innocent five letter word starting with "s" would be considered inappropriate language. The word has been replaced below with the word "issue".
Greetings Bamajim. Good to be onboard with you again after so long. I am routeme2 this time as I had an issue with my routeme id.
As Avenger executed, McAfee came up with a Trojan warning and quarantined a file. I did not catch the name and as noted below I had some trouble looking it up. After the reboot I did not see the black command box and got a warning about “cleanup.exe” not found. I started Windows Explorer to see what was in the avenger.txt file and I got an “Open With” prompt.
I rebooted again. Same result on starting Windows Explorer. To get around that I got to the “avenger.txt” by using “My Documents” from the Start Menu.
Zone Alarm is not starting on reboots. Clicking on the McAfee icon in the system tray results in no action. Trying to start McAfee from the All Programs list results in the “Open With” prompt. Trying to start Word and Excel results in an “Application not found” message.
The false warning screens and false Windows Security icon in the system tray are no longer appearing.
Went to run HijackThis and it also resulted in an “Open With” prompt. Geez. I browsed from that prompt back to the HijackThis.exe, selected it, it appeared in the “Open With” list box and I chose it and HijackThis opened. Logs follow.
Took a shot at repeating procedure for opening programs by “Open With” and going back to the exe with McAfee and got the Security Center up. The file that got quarantined was “C:\CLENUP.EXE” with a Detection Name of “ZapChast.gen(Trojan)”.
Safely removing hardware icon not working either. Just shut down to remove the jump drive.
Holding here for next steps.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" deleted successfully.
Error: file "C:\WINDOWS\default32.dll" not found!
Deletion of file "C:\WINDOWS\default32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:24 PM, on 3/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
G:\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeleteHistoryFree] C:\Program Files\DeleteHistoryFree\dhf.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MozyPro Status.lnk = C:\Program Files\MozyPro\mozyprostat.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267743513437
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O18 - Filter hijack: text/html - {313ef444-a414-427f-ac09-c91237b84d2c} - C:\WINDOWS\default32.dll
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MozyPro Backup Service (mozyprobackup) - Mozy, Inc. - C:\Program Files\MozyPro\mozyprobackup.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5939 bytes
routeme2
19 Posts
0
March 23rd, 2010 07:00
No problem on the delay, figured you got busied up. Machine has been powered down during wait.
Was unable to get the extract to create a folder but FileLister ran fine (status box displayed progress) from the desktop. Log follows.
+++++++++++++++++++++++++++
+ File Lister Version 1.1.4 +
+ +
+ By bamajim / SpywareHammer.com +
+++++++++++++++++++++++++++
Report ran on --->>> 3/23/2010 9:20:53 AM
====== Running Processes ======
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Internet Explorer\iexplore.exe
====== BHO's ======
BHO: (NO NAME) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: (NO NAME) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
BHO: (NO NAME) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
====== System Keys (some whitelisted items will not be shown)======
Winlogon\Userinit = C:\WINDOWS\system32\userinit.exe,
Winlogon\Shell = Explorer.exe
====== HKLM\~\Run Keys ======
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Logitech Utility] = Logi_MwX.Exe
[IgfxTray] = C:\WINDOWS\System32\igfxtray.exe
[HotKeysCmds] = C:\WINDOWS\System32\hkcmd.exe
[Zone Labs Client] = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
[MaxtorOneTouch] = C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
[AdaptecDirectCD] = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
[StorageGuard] = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
[QuickTime Task] = "C:\Program Files\QuickTime\qttask.exe" -atboottime
[TkBellExe] = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[mcagent_exe] = "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
[SunJavaUpdateSched] = "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[Adobe Reader Speed Launcher] = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
[Adobe ARM] = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
====== HKCU\~\Run Keys ======
[ctfmon.exe] = C:\WINDOWS\system32\ctfmon.exe
[DeleteHistoryFree] = C:\Program Files\DeleteHistoryFree\dhf.exe
[updateMgr] = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
====== DNS Info (List may be empty) ======
NV Hostname = lildell
DataBasePath = %SystemRoot%\System32\drivers\etc
NameServer = 208.67.220.220 208.67.222.222
ForwardBroadcasts = 0
IPEnableRouter = 0
Hostname = lildell
UseDomainNameDevolution = 1
EnableICMPRedirect = 1
DeadGWDetectDefault = 1
DontAddDefaultGatewayDefault = 0
EnableSecurityFilters = 0
DisableUserTOSSetting = 0
====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======
3/19/2010 5:53:17 PM 201728 C:\Avenger
3/19/2010 5:53:16 PM 1476 32 C:\avenger.txt
3/19/2010 5:51:22 PM 574 32 C:\cleanup.bat
3/19/2010 9:46:14 AM 27671 32 C:\FileLister.vbe
3/19/2010 5:51:22 PM 135168 32 C:\zip.exe
3/4/2010 10:08:21 PM 2322927 C:\WINDOWS\$NtUninstallKB923561$
3/4/2010 10:08:21 PM 621496 C:\WINDOWS\$NtUninstallKB923561$\spuninst
3/4/2010 10:10:18 PM 630117 C:\WINDOWS\$NtUninstallKB938464-v2$
3/4/2010 10:10:18 PM 620043 C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst
3/4/2010 10:11:48 PM 715181 C:\WINDOWS\$NtUninstallKB946648$
3/4/2010 10:11:48 PM 619806 C:\WINDOWS\$NtUninstallKB946648$\spuninst
3/4/2010 10:13:12 PM 835213 C:\WINDOWS\$NtUninstallKB950762$
3/4/2010 10:13:12 PM 620158 C:\WINDOWS\$NtUninstallKB950762$\spuninst
3/4/2010 10:14:32 PM 878759 C:\WINDOWS\$NtUninstallKB950974$
3/4/2010 10:14:32 PM 620056 C:\WINDOWS\$NtUninstallKB950974$\spuninst
3/4/2010 10:14:51 PM 1324241 C:\WINDOWS\$NtUninstallKB951066$
3/4/2010 10:14:51 PM 620098 C:\WINDOWS\$NtUninstallKB951066$\spuninst
3/4/2010 10:15:04 PM 905982 C:\WINDOWS\$NtUninstallKB951376-v2$
3/4/2010 10:15:04 PM 620527 C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst
3/4/2010 10:15:19 PM 2404110 C:\WINDOWS\$NtUninstallKB952004$
3/4/2010 10:15:19 PM 621803 C:\WINDOWS\$NtUninstallKB952004$\spuninst
3/4/2010 10:15:39 PM 964494 C:\WINDOWS\$NtUninstallKB952287$
3/4/2010 10:15:39 PM 620287 C:\WINDOWS\$NtUninstallKB952287$\spuninst
3/4/2010 10:15:54 PM 706236 C:\WINDOWS\$NtUninstallKB952954$
3/4/2010 10:15:55 PM 620077 C:\WINDOWS\$NtUninstallKB952954$\spuninst
3/4/2010 10:16:15 PM 877691 C:\WINDOWS\$NtUninstallKB954600$
3/4/2010 10:16:15 PM 620165 C:\WINDOWS\$NtUninstallKB954600$\spuninst
3/4/2010 10:16:31 PM 1739532 C:\WINDOWS\$NtUninstallKB955069$
3/4/2010 10:16:31 PM 620157 C:\WINDOWS\$NtUninstallKB955069$\spuninst
3/4/2010 10:17:31 PM 8916564 C:\WINDOWS\$NtUninstallKB956572$
3/4/2010 10:17:31 PM 625737 C:\WINDOWS\$NtUninstallKB956572$\spuninst
3/4/2010 10:18:31 PM 915465 C:\WINDOWS\$NtUninstallKB956802$
3/4/2010 10:18:31 PM 620081 C:\WINDOWS\$NtUninstallKB956802$\spuninst
3/4/2010 10:18:42 PM 1087260 C:\WINDOWS\$NtUninstallKB957097$
3/4/2010 10:18:42 PM 620484 C:\WINDOWS\$NtUninstallKB957097$\spuninst
3/4/2010 10:18:54 PM 967706 C:\WINDOWS\$NtUninstallKB958644$
3/4/2010 10:18:54 PM 620098 C:\WINDOWS\$NtUninstallKB958644$\spuninst
3/4/2010 10:19:06 PM 965185 C:\WINDOWS\$NtUninstallKB958687$
3/4/2010 10:19:06 PM 620137 C:\WINDOWS\$NtUninstallKB958687$\spuninst
3/4/2010 10:19:18 PM 1678245 C:\WINDOWS\$NtUninstallKB959426$
3/4/2010 10:19:18 PM 620617 C:\WINDOWS\$NtUninstallKB959426$\spuninst
3/4/2010 10:19:30 PM 774708 C:\WINDOWS\$NtUninstallKB960225$
3/4/2010 10:19:30 PM 620124 C:\WINDOWS\$NtUninstallKB960225$\spuninst
3/4/2010 10:19:47 PM 984595 C:\WINDOWS\$NtUninstallKB960803$
3/4/2010 10:19:47 PM 620091 C:\WINDOWS\$NtUninstallKB960803$\spuninst
3/4/2010 10:20:02 PM 829870 C:\WINDOWS\$NtUninstallKB961371$
3/4/2010 10:20:02 PM 620432 C:\WINDOWS\$NtUninstallKB961371$\spuninst
3/4/2010 10:20:18 PM 972534 C:\WINDOWS\$NtUninstallKB961501$
3/4/2010 10:20:18 PM 620124 C:\WINDOWS\$NtUninstallKB961501$\spuninst
3/4/2010 10:20:34 PM 9091951 C:\WINDOWS\$NtUninstallKB967715$
3/4/2010 10:20:34 PM 620073 C:\WINDOWS\$NtUninstallKB967715$\spuninst
3/4/2010 10:21:20 PM 2476455 C:\WINDOWS\$NtUninstallKB968537$
3/4/2010 10:21:20 PM 620110 C:\WINDOWS\$NtUninstallKB968537$\spuninst
3/4/2010 10:21:32 PM 1215299 C:\WINDOWS\$NtUninstallKB970238$
3/4/2010 10:21:32 PM 620084 C:\WINDOWS\$NtUninstallKB970238$\spuninst
3/4/2010 10:21:43 PM 1917646 C:\WINDOWS\$NtUninstallKB971633$
3/4/2010 10:21:43 PM 620084 C:\WINDOWS\$NtUninstallKB971633$\spuninst
3/4/2010 10:21:58 PM 6952204 C:\WINDOWS\$NtUninstallKB972260$
3/4/2010 10:21:58 PM 621641 C:\WINDOWS\$NtUninstallKB972260$\spuninst
3/4/2010 9:56:38 PM 46127 C:\WINDOWS\l2schemas
3/4/2010 9:39:37 PM 593564 C:\WINDOWS\network diagnostic
3/4/2010 10:31:05 PM 3241850 C:\WINDOWS\Prefetch
3/4/2010 7:35:22 PM 19569 32 C:\WINDOWS\005314_.tmp
3/4/2010 10:31:33 PM 187 32 C:\WINDOWS\spupdsvc.log.1.log
3/4/2010 9:56:35 PM 76288 C:\WINDOWS\system32\en
3/4/2010 9:56:46 PM 139264 C:\WINDOWS\system32\en-us
3/4/2010 9:56:42 PM 83456 C:\WINDOWS\system32\scripting
3/4/2010 7:34:31 PM 136192 0 C:\WINDOWS\system32\aaclient.dll
3/4/2010 7:34:49 PM 233472 0 C:\WINDOWS\system32\azroles.dll
3/4/2010 7:34:51 PM 7168 0 C:\WINDOWS\system32\bitsprx4.dll
3/4/2010 7:35:02 PM 12800 0 C:\WINDOWS\system32\credssp.dll
3/4/2010 7:35:07 PM 48640 0 C:\WINDOWS\system32\dhcpqec.dll
3/4/2010 7:35:09 PM 19456 0 C:\WINDOWS\system32\dimsntfy.dll
3/4/2010 7:35:09 PM 39936 0 C:\WINDOWS\system32\dimsroam.dll
3/4/2010 7:35:12 PM 26112 0 C:\WINDOWS\system32\dot3api.dll
3/4/2010 7:35:12 PM 57856 0 C:\WINDOWS\system32\dot3cfg.dll
3/4/2010 7:35:12 PM 9216 0 C:\WINDOWS\system32\dot3dlg.dll
3/4/2010 7:35:12 PM 39936 0 C:\WINDOWS\system32\dot3gpclnt.dll
3/4/2010 7:35:12 PM 56320 0 C:\WINDOWS\system32\dot3msm.dll
3/4/2010 7:35:12 PM 132096 0 C:\WINDOWS\system32\dot3svc.dll
3/4/2010 7:35:12 PM 650752 0 C:\WINDOWS\system32\dot3ui.dll
3/4/2010 7:35:18 PM 30720 0 C:\WINDOWS\system32\eapolqec.dll
3/4/2010 7:35:18 PM 184832 0 C:\WINDOWS\system32\eapp3hst.dll
3/4/2010 7:35:18 PM 126976 0 C:\WINDOWS\system32\eappcfg.dll
3/4/2010 7:35:18 PM 94208 0 C:\WINDOWS\system32\eappgnui.dll
3/4/2010 7:35:18 PM 180224 0 C:\WINDOWS\system32\eapphost.dll
3/4/2010 7:35:18 PM 40960 0 C:\WINDOWS\system32\eappprxy.dll
3/4/2010 7:35:18 PM 59392 0 C:\WINDOWS\system32\eapqec.dll
3/4/2010 7:35:18 PM 33792 0 C:\WINDOWS\system32\eapsvc.dll
3/4/2010 7:35:50 PM 6144 0 C:\WINDOWS\system32\kbdbhc.dll
3/4/2010 7:35:50 PM 6144 0 C:\WINDOWS\system32\kbdiultn.dll
3/4/2010 7:35:51 PM 6144 0 C:\WINDOWS\system32\kbdnepr.dll
3/4/2010 7:35:51 PM 6144 0 C:\WINDOWS\system32\kbdpash.dll
3/4/2010 7:35:52 PM 61440 0 C:\WINDOWS\system32\kmsvc.dll
3/4/2010 7:35:54 PM 37376 0 C:\WINDOWS\system32\l2gpstore.dll
3/4/2010 7:36:07 PM 184320 0 C:\WINDOWS\system32\microsoft.managementconsole.dll
3/4/2010 7:36:07 PM 397312 0 C:\WINDOWS\system32\mmcex.dll
3/4/2010 7:36:07 PM 106496 0 C:\WINDOWS\system32\mmcfxcommon.dll
3/4/2010 7:36:08 PM 33792 0 C:\WINDOWS\system32\mmcperf.exe
3/4/2010 7:36:30 PM 155136 0 C:\WINDOWS\system32\mssha.dll
3/4/2010 7:36:31 PM 76800 0 C:\WINDOWS\system32\msshavmsg.dll
3/4/2010 7:36:34 PM 1306624 0 C:\WINDOWS\system32\msxml6.dll
3/4/2010 7:36:35 PM 79872 0 C:\WINDOWS\system32\msxml6r.dll
3/4/2010 7:36:37 PM 30208 0 C:\WINDOWS\system32\napipsec.dll
3/4/2010 7:36:37 PM 193024 0 C:\WINDOWS\system32\napmontr.dll
3/4/2010 7:36:37 PM 176640 0 C:\WINDOWS\system32\napstat.exe
3/4/2010 7:36:54 PM 144384 0 C:\WINDOWS\system32\onex.dll
3/4/2010 7:37:01 PM 412160 0 C:\WINDOWS\system32\photometadatahandler.dll
3/4/2010 7:35:38 PM 1261 0 C:\WINDOWS\system32\pid.inf
3/4/2010 7:37:05 PM 150528 0 C:\WINDOWS\system32\qagent.dll
3/4/2010 7:37:05 PM 291328 0 C:\WINDOWS\system32\qagentrt.dll
3/4/2010 7:37:05 PM 62464 0 C:\WINDOWS\system32\qcliprov.dll
3/4/2010 7:37:06 PM 76800 0 C:\WINDOWS\system32\qutil.dll
3/4/2010 7:37:08 PM 61952 0 C:\WINDOWS\system32\rasqec.dll
3/4/2010 7:37:11 PM 290304 0 C:\WINDOWS\system32\rhttpaa.dll
3/4/2010 7:37:20 PM 32768 0 C:\WINDOWS\system32\setupn.exe
3/4/2010 7:37:59 PM 53248 0 C:\WINDOWS\system32\tsgqec.dll
3/4/2010 7:37:59 PM 50688 0 C:\WINDOWS\system32\tspkg.dll
3/4/2010 7:38:15 PM 712704 0 C:\WINDOWS\system32\windowscodecs.dll
3/4/2010 7:38:15 PM 346112 0 C:\WINDOWS\system32\windowscodecsext.dll
3/4/2010 7:38:18 PM 69120 0 C:\WINDOWS\system32\wlanapi.dll
3/4/2010 7:38:24 PM 276992 0 C:\WINDOWS\system32\wmphoto.dll
3/4/2010 10:34:13 PM 221184 32 C:\WINDOWS\system32\wmpns.dll
3/4/2010 6:59:19 PM 15064 32 C:\WINDOWS\system32\wuapi.dll.mui
3/4/2010 7:38:33 PM 121856 0 C:\WINDOWS\system32\xmllite.dll
====== "\Administrator & All Users\Startup" Last 60 Days======
====== "\Program Files" Last 60 Days======
2/25/2010 2:53:02 PM 8829318 C:\Program Files\Citrix
3/17/2010 9:01:09 AM 967651 C:\Program Files\ComcastAccess
======"Drivers" Modified Last 60 Days======
9/13/2006 2:23:13 PM 96512 32 C:\WINDOWS\system32\drivers\atapi.sys
====== Files Deleted under "%Temp%" ======
5 Files deleted
======"All Users\Application Data" Last 60 Days======
3/17/2010 9:00:07 AM 4096 C:\Documents and Settings\All Users\Application Data\com.comcast.access
3/5/2010 8:51:36 PM 86016 C:\Documents and Settings\All Users\Application Data\NOS
3/5/2010 8:52:35 PM 86016 C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads
3/18/2010 12:56:49 PM 11578 38 C:\Documents and Settings\All Users\Application Data\EHa7lW0
====== HKLM\~\ShellServiceObjectDelayLoad======
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %SystemRoot%\System32\webcheck.dll
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll
====== HKLM\~\SharedTaskScheduler======
Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\System32\browseui.dll
Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\System32\browseui.dll
======HKLM\~\msconfig\startupreg======
HKLM\Software\microsoft\shared tools\msconfig\startupreg\
====== Services ( Services that are Whitelisted are not shown) ======
bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver)- C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys - Manual/Running
cdudf_xp (cdudf_xp)- C:\WINDOWS\system32\drivers\cdudf_xp.sys - System/Running
drvmcdb (drvmcdb)- C:\WINDOWS\system32\DRIVERS\drvmcdb.sys - Boot/Running
dvd_2K (dvd_2K)- C:\WINDOWS\system32\drivers\dvd_2K.sys - Manual/Stopped
mmc_2K (mmc_2K)- C:\WINDOWS\system32\drivers\mmc_2K.sys - Manual/Running
mozyproFilter (mozyproFilter)- C:\WINDOWS\system32\DRIVERS\mozypro.sys - System/Running
mrtRate (mrtRate)- - Auto/Stopped
NdisIP (Microsoft TV/Video Connection)- C:\WINDOWS\system32\DRIVERS\NdisIP.sys - Manual/Stopped
OMCI (OMCI)- C:\WINDOWS\system32\DRIVERS\OMCI.SYS - System/Running
pwd_2k (pwd_2k)- C:\WINDOWS\system32\drivers\pwd_2k.sys - System/Running
SLIP (BDA Slip De-Framer)- C:\WINDOWS\system32\DRIVERS\SLIP.sys - Manual/Stopped
smwdm (smwdm)- C:\WINDOWS\system32\drivers\smwdm.sys - Manual/Running
srescan (srescan)- C:\WINDOWS\system32\ZoneLabs\srescan.sys - Boot/Running
UdfReadr_xp (UdfReadr_xp)- C:\WINDOWS\system32\drivers\UdfReadr_xp.sys - System/Running
usbvideo (USB Video Device (WDM))- C:\WINDOWS\system32\Drivers\usbvideo.sys - Manual/Stopped
====== Uninstall List ======
A file named 'UNI.txt' was created and saved to
FileListers default location. Post the results if requested.
======== Other Info ========
TOTAL PHYSICAL RAM: 266 MB
Boot Info
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
OS Type: Microsoft Windows XP Home Edition
Build: 5.1.2600
Service Pack: 3.0
====== Files with Hidden Attributes======
A file named 'Hidden.txt' was created and saved to
FileListers default location. Post the results if requested.
==End of Report==
bamajim
10.4K Posts
0
March 23rd, 2010 07:00
Sorry for the delay
1. Go HERE and download FileLister.
Rt Click ->> Extract all ->> And extract it to your Desktop
Additional help on extracting zip files can be found HERE
Open the File Lister Folder.
Note: Leave the FileLister.vbe file in the folder and run it from there.
As the program runs, it will appear that nothing is happening.
When the program is finished it will produce a log for you, Files.txt, which will be located in the default location from which FileLister was run (the FileLister folder).
Copy and paste the contents of that log in your reply.
routeme2
19 Posts
0
March 23rd, 2010 08:00
Found "hidec.exe" in a folder in C:\32xxxxxxxxx. Got an improper usage box then it continued. Now ComboFix is running and the disclaimers came up and it's asking me to terminate AV. Did that. ComboFix DOS box is up and running.
bamajim
10.4K Posts
0
March 23rd, 2010 08:00
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
If you are prompted to download and install the Windows Recovery Console, then do so.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
routeme2
19 Posts
0
March 23rd, 2010 08:00
The "Open With" problem may be causing ComboFix to not run properly. When I double clicked it I had to navigate to the ".exe" using the browse function of "Open With". It started running. Then I got two prompts for "Open With" from IE. Now I have an "Open With" prompt for a file called "hidec.exe". I'm looking for that file but so far no luck.
routeme2
19 Posts
0
March 23rd, 2010 09:00
Second attempt went fine. Log follows.
ComboFix 10-03-22.03 - Owner 03/23/2010 11:08:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.107 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Shared
c:\program files\Shared\lib.sig
C:\zip.exe
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.
2010-03-19 21:51 . 2010-03-19 21:51 574 ----a-w- C:\cleanup.bat
2010-03-19 13:46 . 2010-03-19 13:46 27671 ----a-w- C:\FileLister.vbe
2010-03-18 18:12 . 2010-03-18 18:12 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-18 17:20 . 2010-03-18 17:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-17 13:26 . 2010-03-17 13:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Move Networks
2010-03-17 13:17 . 2010-03-06 00:55 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-17 13:02 . 2010-03-17 13:02 -------- d-----w- c:\documents and settings\Owner\Application Data\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-03-17 13:01 . 2010-03-17 13:01 -------- d-----w- c:\program files\ComcastAccess
2010-03-17 13:00 . 2010-03-17 13:00 144162 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2010-03-17 13:00 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-03-17 13:00 . 2010-03-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\com.comcast.access
2010-03-17 13:00 . 2010-03-17 13:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ComcastAccess
2010-03-06 01:03 . 2010-03-06 01:03 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-03-06 00:58 . 2010-03-06 00:55 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 00:58 . 2010-03-06 00:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-06 00:52 . 2010-03-06 00:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-06 00:51 . 2010-03-06 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-06 00:47 . 2010-03-06 00:47 55432 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\Acrobat\7.0\Updater\DLMUninst_001.exe
2010-03-05 02:34 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-05 01:56 . 2010-03-05 01:56 -------- d-----w- c:\windows\system32\scripting
2010-03-05 01:56 . 2010-03-05 01:56 -------- d-----w- c:\windows\l2schemas
2010-03-05 01:56 . 2010-03-05 01:56 -------- d-----w- c:\windows\system32\en
2010-03-04 23:37 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll
2010-03-04 23:37 . 2008-04-14 00:12 50688 ------w- c:\windows\system32\tspkg.dll
2010-03-04 23:37 . 2008-04-14 00:12 152064 -c----w- c:\windows\system32\dllcache\shmedia.dll
2010-03-04 23:37 . 2008-04-13 18:40 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2010-03-04 23:37 . 2008-04-14 00:12 774144 -c----w- c:\windows\system32\dllcache\setup_wm.exe
2010-03-04 23:37 . 2008-04-14 00:12 32768 ------w- c:\windows\system32\setupn.exe
2010-03-04 23:37 . 2008-04-14 00:12 290304 ------w- c:\windows\system32\rhttpaa.dll
2010-03-04 23:37 . 2008-04-14 00:12 61952 ------w- c:\windows\system32\rasqec.dll
2010-03-04 23:37 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-03-04 23:37 . 2008-04-14 00:12 62464 ------w- c:\windows\system32\qcliprov.dll
2010-03-04 23:37 . 2008-04-14 00:12 291328 ------w- c:\windows\system32\qagentrt.dll
2010-03-04 23:37 . 2008-04-14 00:12 150528 ------w- c:\windows\system32\qagent.dll
2010-03-04 23:37 . 2008-04-14 00:12 412160 ------w- c:\windows\system32\photometadatahandler.dll
2010-03-04 23:35 . 2008-04-14 00:11 6656 -c----w- c:\windows\system32\dllcache\laprxy.dll
2010-03-04 23:34 . 2008-04-14 00:11 159232 -c----w- c:\windows\system32\dllcache\cewmdm.dll
2010-03-04 23:34 . 2008-04-14 00:11 7168 ------w- c:\windows\system32\bitsprx4.dll
2010-03-04 23:34 . 2008-04-14 00:11 286720 -c----w- c:\windows\system32\dllcache\blackbox.dll
2010-03-04 23:34 . 2008-04-14 00:11 233472 ------w- c:\windows\system32\azroles.dll
2010-03-04 23:34 . 2008-04-13 17:23 8192 -c----w- c:\windows\system32\dllcache\asferror.dll
2010-03-04 23:34 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll
2010-02-25 18:53 . 2010-02-25 18:53 -------- d-----w- c:\program files\Citrix
2010-02-25 18:52 . 2010-02-25 18:52 72080 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 13:13 . 2008-10-28 19:45 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-03-19 12:07 . 2010-03-19 12:55 923648 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-18 18:23 . 2008-11-23 13:40 -------- d-----w- c:\documents and settings\Owner\Application Data\WIPE
2010-03-18 14:33 . 2010-03-18 14:33 2754560 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-03-17 13:00 . 2009-12-18 03:27 5603776 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll
2010-03-14 20:15 . 2006-10-29 11:48 2572 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-06 01:02 . 2006-09-14 14:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-06 00:47 . 2006-09-16 17:02 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-03-05 02:03 . 2006-09-13 18:12 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-18 14:47 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee
2010-02-12 03:39 . 2006-09-19 14:29 -------- d-----w- c:\program files\Quicken
2010-02-09 13:49 . 2008-11-25 23:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-11 18:19 . 2006-12-06 13:47 27934392 ----a-w- c:\windows\Internet Logs\tvDebug.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro]
@="{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}"
[HKEY_CLASSES_ROOT\CLSID\{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro2]
@="{CBAFE103-79DA-46ca-BD9A-63CBF6282882}"
[HKEY_CLASSES_ROOT\CLSID\{CBAFE103-79DA-46ca-BD9A-63CBF6282882}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro3]
@="{8B99EA55-1AFF-4539-80A0-A71C6011CD84}"
[HKEY_CLASSES_ROOT\CLSID\{8B99EA55-1AFF-4539-80A0-A71C6011CD84}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 19968]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-03 185896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyPro Status.lnk - c:\program files\MozyPro\mozyprostat.exe [2009-10-20 2885120]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
ntkrreg REG_SZ c:\windows\cmdager.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23721:TCP"= 23721:TCP:BitComet 23721 TCP
"23721:UDP"= 23721:UDP:BitComet 23721 UDP
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [4/30/2007 8:18 AM 54776]
R2 mozyprobackup;MozyPro Backup Service;c:\program files\MozyPro\mozyprobackup.exe [5/15/2009 1:02 PM 78136]
S2 mrtRate;mrtRate;
.
Contents of the 'Scheduled Tasks' folder
2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2002-09-03 00:12]
2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-09-13 16:22]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DeleteHistoryFree - c:\program files\DeleteHistoryFree\dhf.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 11:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-03-23 11:20:56
ComboFix-quarantined-files.txt 2010-03-23 15:20
Pre-Run: 208,862,425,088 bytes free
Post-Run: 208,866,172,928 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - E85A1D1878869E4BFE372CB51D0A02A1
bamajim
10.4K Posts
0
March 23rd, 2010 09:00
routeme2
Reboot into safe mode and run Combofix and see what you get there.
routeme2
19 Posts
0
March 23rd, 2010 10:00
Note on machine behavior prior to CFScript run: the "Open With" issue is no longer and Zone Alarm is starting up and the system tray appears normal. CFScript ran fine in ComboFix and ComboFix did a system reboot. Log follows.
ComboFix 10-03-22.03 - Owner 03/23/2010 12:27:10.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.100 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MRTRATE
-------\Service_mrtRate
((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.
2010-03-19 21:51 . 2010-03-19 21:51 574 ----a-w- C:\cleanup.bat
2010-03-19 13:46 . 2010-03-19 13:46 27671 ----a-w- C:\FileLister.vbe
2010-03-18 18:12 . 2010-03-18 18:12 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-18 17:20 . 2010-03-18 17:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-17 13:26 . 2010-03-17 13:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Move Networks
2010-03-17 13:02 . 2010-03-17 13:02 -------- d-----w- c:\documents and settings\Owner\Application Data\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2010-03-17 13:01 . 2010-03-17 13:01 -------- d-----w- c:\program files\ComcastAccess
2010-03-17 13:00 . 2010-03-17 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-03-17 13:00 . 2010-03-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\com.comcast.access
2010-03-17 13:00 . 2010-03-17 13:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ComcastAccess
2010-03-06 01:03 . 2010-03-06 01:03 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-03-06 00:58 . 2010-03-06 00:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-06 00:51 . 2010-03-06 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-05 02:34 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-05 01:56 . 2010-03-05 01:56 -------- d-----w- c:\windows\system32\scripting
2010-03-05 01:56 . 2010-03-05 01:56 -------- d-----w- c:\windows\l2schemas
2010-03-05 01:56 . 2010-03-05 01:56 -------- d-----w- c:\windows\system32\en
2010-03-04 23:37 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll
2010-03-04 23:37 . 2008-04-14 00:12 50688 ------w- c:\windows\system32\tspkg.dll
2010-03-04 23:37 . 2008-04-14 00:12 152064 -c----w- c:\windows\system32\dllcache\shmedia.dll
2010-03-04 23:37 . 2008-04-13 18:40 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2010-03-04 23:37 . 2008-04-14 00:12 774144 -c----w- c:\windows\system32\dllcache\setup_wm.exe
2010-03-04 23:37 . 2008-04-14 00:12 32768 ------w- c:\windows\system32\setupn.exe
2010-03-04 23:37 . 2008-04-14 00:12 290304 ------w- c:\windows\system32\rhttpaa.dll
2010-03-04 23:37 . 2008-04-14 00:12 61952 ------w- c:\windows\system32\rasqec.dll
2010-03-04 23:37 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-03-04 23:37 . 2008-04-14 00:12 62464 ------w- c:\windows\system32\qcliprov.dll
2010-03-04 23:37 . 2008-04-14 00:12 291328 ------w- c:\windows\system32\qagentrt.dll
2010-03-04 23:37 . 2008-04-14 00:12 150528 ------w- c:\windows\system32\qagent.dll
2010-03-04 23:37 . 2008-04-14 00:12 412160 ------w- c:\windows\system32\photometadatahandler.dll
2010-03-04 23:35 . 2008-04-14 00:11 6656 -c----w- c:\windows\system32\dllcache\laprxy.dll
2010-03-04 23:34 . 2008-04-14 00:11 159232 -c----w- c:\windows\system32\dllcache\cewmdm.dll
2010-03-04 23:34 . 2008-04-14 00:11 7168 ------w- c:\windows\system32\bitsprx4.dll
2010-03-04 23:34 . 2008-04-14 00:11 286720 -c----w- c:\windows\system32\dllcache\blackbox.dll
2010-03-04 23:34 . 2008-04-14 00:11 233472 ------w- c:\windows\system32\azroles.dll
2010-03-04 23:34 . 2008-04-13 17:23 8192 -c----w- c:\windows\system32\dllcache\asferror.dll
2010-03-04 23:34 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll
2010-02-25 18:53 . 2010-02-25 18:53 -------- d-----w- c:\program files\Citrix
2010-02-25 18:52 . 2010-02-25 18:52 72080 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 15:31 . 2006-12-06 13:47 29745003 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-03-23 13:13 . 2008-10-28 19:45 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-03-19 12:07 . 2010-03-19 12:55 923648 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-18 23:23 . 2006-09-13 18:23 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-18 18:23 . 2008-11-23 13:40 -------- d-----w- c:\documents and settings\Owner\Application Data\WIPE
2010-03-18 14:33 . 2010-03-18 14:33 2754560 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-03-17 13:00 . 2010-03-17 13:00 144162 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2010-03-17 13:00 . 2009-12-18 03:27 5603776 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll
2010-03-14 20:15 . 2006-10-29 11:48 2572 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-06 01:02 . 2006-09-14 14:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-06 00:55 . 2010-03-17 13:17 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 00:55 . 2010-03-06 00:58 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 00:52 . 2010-03-06 00:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-06 00:47 . 2006-09-16 17:02 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-03-06 00:47 . 2010-03-06 00:47 55432 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\Acrobat\7.0\Updater\DLMUninst_001.exe
2010-03-05 02:03 . 2006-09-13 18:12 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-18 14:47 . 2006-09-13 22:49 -------- d-----w- c:\program files\McAfee
2010-02-12 03:39 . 2006-09-19 14:29 -------- d-----w- c:\program files\Quicken
2010-02-09 13:49 . 2008-11-25 23:32 -------- d-----w- c:\program files\Microsoft Silverlight
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro]
@="{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}"
[HKEY_CLASSES_ROOT\CLSID\{71B8CED8-5D67-4f57-89B1-F64CE6302A1E}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro2]
@="{CBAFE103-79DA-46ca-BD9A-63CBF6282882}"
[HKEY_CLASSES_ROOT\CLSID\{CBAFE103-79DA-46ca-BD9A-63CBF6282882}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozypro3]
@="{8B99EA55-1AFF-4539-80A0-A71C6011CD84}"
[HKEY_CLASSES_ROOT\CLSID\{8B99EA55-1AFF-4539-80A0-A71C6011CD84}]
2009-10-20 20:04 2840576 ----a-w- c:\program files\MozyPro\mozyproshell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 19968]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-03 185896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyPro Status.lnk - c:\program files\MozyPro\mozyprostat.exe [2009-10-20 2885120]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23721:TCP"= 23721:TCP:BitComet 23721 TCP
"23721:UDP"= 23721:UDP:BitComet 23721 UDP
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [4/30/2007 8:18 AM 54776]
R2 mozyprobackup;MozyPro Backup Service;c:\program files\MozyPro\mozyprobackup.exe [5/15/2009 1:02 PM 78136]
.
Contents of the 'Scheduled Tasks' folder
2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2002-09-03 00:12]
2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-09-13 16:22]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 12:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(640)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\MozyPro\mozyproshell.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\PurgeIE\PurgeIE_Service.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-23 12:49:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-23 16:49
ComboFix2.txt 2010-03-23 15:20
Pre-Run: 208,873,263,104 bytes free
Post-Run: 208,767,447,040 bytes free
- - End Of File - - AFFD7EE2ED4B10D855DE44D1893D9816
bamajim
10.4K Posts
0
March 23rd, 2010 10:00
1. Open NotePad (not wordpad). Copy and paste the following into Notepad
Driver::
mrtRate
Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
Save the File as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop
Using the Image as a reference, drag CFScript into ComboFix.exe
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
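The two ComboFix logs posted above and the CFScript that was run between them are a good illustration of what a responder reads a ComboFix log for: the AppCertDlls entry pointing at c:\windows\cmdager.dll (a DLL that gets loaded into every new process), a registered service (mrtRate) with no binary behind it, Security Center override values and a disabled XP firewall policy, and a file named atapi.svs sitting beside atapi.sys with the same size and timestamp. The script below is an added example written for this thread; it is not ComboFix's code nor anything the helper posted. It parses ComboFix's own line formats, flags those indicator classes (the checks are heuristics chosen here, not ComboFix's), and diffs a "before" and "after" run to show what the CFScript was expected to remove and what still needs attention by hand. The BEFORE excerpt is constructed from lines in the first log; AFTER is derived from it by dropping the items the CFScript targets.

```python
"""Triage ComboFix output for persistence and security-tampering indicators.

Added example for this thread (not ComboFix's code, not the helper's). It reads
the line formats ComboFix prints, flags items a responder should look at first,
and diffs two runs to show what a CFScript clean-up actually removed.
"""
import re

# ComboFix service line, e.g. "R1 name;display;c:\path\driver.sys [date size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# ComboFix file line: "created . modified size attrs path"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\d+|-+)\s+(\S+)\s+(.+)$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
FWPOLICY_RE = re.compile(r'^"(\w+)"=\s*(\d+)\s+\(0x[0-9a-fA-F]+\)$')

# Security Center values that silence the "no AV / no firewall" warnings. They are
# set by the user's own choice, by some AV suites, or by rogue security software,
# so a hit means "confirm who set this", not "malware".
SECCENTER_FLAGS = {"antivirusoverride", "firewalloverride", "disablemonitoring"}


def triage(text):
    """Return a list of (category, detail) findings for one ComboFix log."""
    findings = []
    key = ""  # registry key the following value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(3)
            # A file in \drivers\ that is not a .sys deserves a second look
            # (the thread's log shows atapi.svs beside atapi.sys, same size and date).
            if "\\drivers\\" in path.lower() and not path.lower().endswith(".sys"):
                findings.append(("driver-dir-oddity", path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, image = m.groups()
            if not image.strip():  # registered service with no binary behind it
                findings.append(("service-no-image", f"{state} {name}"))
            continue
        if key.endswith("appcertdlls"):
            # AppCertDlls are loaded into every process that calls CreateProcess;
            # a clean XP box normally has no entries here at all.
            findings.append(("appcertdlls", line))
        elif "security center" in key:
            m = DWORD_RE.match(line)
            if m and m.group(1).lower() in SECCENTER_FLAGS and int(m.group(2), 16) == 1:
                leaf = key.rsplit("\\", 1)[-1]
                findings.append(("security-center-override", f"{m.group(1)} in {leaf}"))
        elif "globallyopenports" in key:
            findings.append(("open-port", line.split("=", 1)[1].strip()))
        elif "firewallpolicy" in key:
            m = FWPOLICY_RE.match(line)
            if m:
                name, val = m.group(1), int(m.group(2))
                if (name == "EnableFirewall" and val == 0) or (name == "DisableNotifications" and val == 1):
                    findings.append(("firewall-policy", f"{name}={val}"))
    return findings


def compare(before_text, after_text):
    """(resolved, remaining): findings a clean-up removed vs. those still present."""
    before, after = set(triage(before_text)), set(triage(after_text))
    return sorted(before - after), sorted(after)


# Constructed excerpt modelled on lines from the first ComboFix log in this thread.
BEFORE = r"""
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-18 23:23 . 2006-09-13 18:23 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
ntkrreg REG_SZ c:\windows\cmdager.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23721:TCP"= 23721:TCP:BitComet 23721 TCP
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [4/30/2007 8:18 AM 54776]
S2 mrtRate;mrtRate;
"""

# Constructed "after" log: BEFORE minus what the CFScript in this thread targets
# (Driver:: mrtRate and the AppCertDlls key), and nothing else.
AFTER = "\n".join(l for l in BEFORE.splitlines()
                  if not any(s in l.lower() for s in ("appcertdlls", "ntkrreg", "mrtrate")))

if __name__ == "__main__":
    resolved, remaining = compare(BEFORE, AFTER)
    print("removed by clean-up:")
    for cat, detail in resolved:
        print(f"  {cat:25} {detail}")
    print("still present (check by hand / re-enable protections):")
    for cat, detail in remaining:
        print(f"  {cat:25} {detail}")
```

Run against the constructed logs, the "removed" list holds only the AppCertDlls entry and the image-less mrtRate service, which is what the CFScript asked for; the "still present" list is the Security Center overrides, the disabled firewall policy, the BitComet port exception and atapi.svs, none of which a CFScript touches, so they are the follow-up items after the reboot. Keep the heuristics as a first pass: the Security Center flags in particular are set legitimately by some AV suites, and the thread's own log shows McAfee and ZoneAlarm under the Monitoring keys.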
bamajim
10.4K Posts
0
March 23rd, 2010 12:00
routeme2
Can you give me an update on how your PC is doing at this point.
routeme2
19 Posts
0
March 23rd, 2010 13:00
Gingerly exercising it - using mail, browsing, opening files, and the like. Will pound away once we're clear. So far operation is nominal. Yea!
bamajim
10.4K Posts
0
March 24th, 2010 07:00
routeme2
I think we are there. One more look
* Click I Agree… and Start Here.
* An ActiveX warning box will appear; click Install.
* Options displayed are Folders to Scan and Cleaning Options; click Folders to Scan (in most cases it will be C:\).
* Select folders to be scanned by clicking check boxes; click OK.
* Click Start Scan.
* After the scan has completed, click Click here to export the scan report.
* Save the report to your Desktop.
* In your next reply, please include the BitDefender log.
routeme2
19 Posts
0
March 24th, 2010 15:00
Scan ran fine. It took a long time due to multiple copies of a large mail archive and I let it scan an external drive too that also had copies of the mail archive. Log follows.
BitDefender Online Scanner
Scan report generated at: Wed, Mar 24, 2010 - 17:31:03
Scan path: ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{D9C8641D-5308-49AE-94EB-52A43B71D6AB};C:\Documents and Settings\Owner\My Documents;C:\Documents and Settings\All Users\Documents;A:\;C:\;D:\;E:\;
Statistics
Time: 07:25:44
Files: 1251954
Folders: 5166
Boot Sectors: 0
Archives: 298394
Packed Files: 154978
Results
Identified Viruses: 6
Infected Files: 8
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 10
Engines Info
Virus Definitions: 5554231
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Feb 25 2010)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
Scanned File
Status
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\LIL DELL NOV08.pst=>[Subject: ??You've received a postcard from a family member!][From: Postcards.Org]=>(body)=>(Compressed Rtf)
Infected with: Generic.Peed.Eml.8443C515
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\LIL DELL NOV08.pst=>[Subject: ??You've received a postcard from a family member!][From: Postcards.Org]=>(body)=>(Compressed Rtf)
Deleted
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\LIL DELL NOV08.pst=>[Subject: ??You've received a postcard from a family member!][From: Postcards.Org]=>(body)
Deleted
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\LIL DELL NOV08.pst
Updated
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)][From: Better Business Bureau]=>complaint.zip=>complaint.scr
Infected with: Trojan.Generic.99702
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)][From: Better Business Bureau]=>complaint.zip=>complaint.scr
Deleted
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)][From: Better Business Bureau]=>complaint.zip
Updated
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
Updated
C:\MAIL ARCH 0811\Ads 0609A.dbx=>(message 4591): You've received a postcard from a family member!
Infected with: Generic.Peed.Eml.39B8B909
C:\MAIL ARCH 0811\Ads 0609A.dbx=>(message 4591): You've received a postcard from a family member!
Deleted
C:\MAIL ARCH 0811\Ads 0609A.dbx
Updated
C:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)=>(application)=>
Infected with: Trojan.Generic.99702
C:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)=>(application)=>
Deleted
C:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)=>(application)
Updated
C:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)
Updated
C:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)
Updated
C:\MAIL ARCH 0811\Personal 0609A.dbx
Updated
E:\LIL DELL NOV08.pst=>[Subject: ??You've received a postcard from a family member!][From: Postcards.Org]=>(body)=>(Compressed Rtf)
Infected with: Generic.Peed.Eml.8443C515
E:\LIL DELL NOV08.pst=>[Subject: ??You've received a postcard from a family member!][From: Postcards.Org]=>(body)=>(Compressed Rtf)
Deleted
E:\LIL DELL NOV08.pst=>[Subject: ??You've received a postcard from a family member!][From: Postcards.Org]=>(body)
Deleted
E:\LIL DELL NOV08.pst
Updated
E:\MAIL ARCH 0811\Ads 0609A.dbx=>(message 4591): You've received a postcard from a family member!
Infected with: Generic.Peed.Eml.39B8B909
E:\MAIL ARCH 0811\Ads 0609A.dbx=>(message 4591): You've received a postcard from a family member!
Deleted
E:\MAIL ARCH 0811\Ads 0609A.dbx
Updated
E:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)=>(application)=>
Infected with: Trojan.Generic.99702
E:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)=>(application)=>
Deleted
E:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)=>(application)
Updated
E:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)=>[Subject: Complaint Update for XXXXX YYYYYY, Fo][Date: Thu, 15 Nov 2007 00:36:59 +0100]=>(MIME part)
Updated
E:\MAIL ARCH 0811\Personal 0609A.dbx=>(message 938): Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)
Updated
E:\MAIL ARCH 0811\Personal 0609A.dbx
Updated
E:\Outlook.pst=>[Subject: Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)][From: Better Business Bureau]=>complaint.zip=>complaint.scr
Infected with: Trojan.Generic.99702
E:\Outlook.pst=>[Subject: Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)][From: Better Business Bureau]=>complaint.zip=>complaint.scr
Deleted
E:\Outlook.pst=>[Subject: Complaint Update for XXXXX YYYYYY, Rrrrrrrrr sssssssssss Mgmt, Inc (Case id: #9CE558)][From: Better Business Bureau]=>complaint.zip
Updated
E:\Outlook.pst
Updated