Computer Forums

#1  04-18-2009, 10:31 AM  Kimcoco (Newb Techie; Join Date: Apr 2009; Posts: 6)

WIN32/vMALUM.fexg VIRUS

How do I remove this virus?...thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:26 AM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Road Runner
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = AOL.com - Welcome to AOL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1237745537890
O18 - Filter hijack: text/html - {69bfd990-1b09-492a-8df0-551a9f1f31e7} - C:\WINDOWS\system32\dsound3dd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10724 bytes

My startup log:

StartupList report, 4/18/2009, 9:46:29 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\VOQQOBUH\HiJackThis[1].EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\VOQQOBUH\HiJackThis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ehTray = C:\WINDOWS\ehome\ehtray.exe
AlwaysReady Power Message APP = ARPWRMSG.EXE
High Definition Audio Property Page Shortcut = HDAShCut.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
HPHUPD08 = c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
DISCover = C:\Program Files\DISC\DISCover.exe
DiscUpdateManager = C:\Program Files\DISC\DiscUpdateMgr.exe
(Default) =
PCDrProfiler =
HPBootOp = "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"
cctray = "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
CAVRID = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
cafwc = C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
capfasem = C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
capfupgrade = C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
DriverUpdaterPro = C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\wpgldfsh.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
(no name) - C:\Program Files\Common\_helper.dll - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
CAAntiSpywareScan_Daily as HP_Administrator at 2 37 PM.job

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsu...?1237745537890

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\system32\VetRedir.dll
Protocol #2: C:\WINDOWS\system32\VetRedir.dll
Protocol #3: C:\WINDOWS\system32\VetRedir.dll
Protocol #9: C:\WINDOWS\system32\VetRedir.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 9,131 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Last edited by Kimcoco; 04-18-2009 at 10:53 AM.
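The log above is in HijackThis 2.0's line format: a section code (R0/R1, O2, O4, O18, O23 and so on), then " - ", then the entry. As an added example, not part of this post and not code from HijackThis or Trend Micro, here is a small Python triage pass over lines in that format. The sample lines embedded in it are constructed for the example and modelled on the entry types in the log above; the heuristics and the high/medium/low labels are this example's own choices, not anything HijackThis itself reports. It flags the entry kinds a reviewer looks at first: O18 MIME filters (a DLL registered for text/html is loaded for every HTML page IE renders, and legitimate software rarely registers one), O2 BHOs whose display name says nothing about the publisher, O15 Trusted Zone additions, and O4 Run values that name a bare file resolved through the search path rather than a full path.

```python
"""Triage pass for HijackThis-style logs.

Added example for this thread; not part of any post and not code from
HijackThis. The heuristics and severity labels are assumptions of this
example, not HijackThis output.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed sample in HijackThis 2.0 line format, modelled on the entry
# types that appear in the thread; it is not a copy of the posted log.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\\Program Files\\Common\\_helper.dll
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O4 - HKLM\\..\\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKCU\\..\\Run: [DriverUpdaterPro] C:\\Program Files\\iXi Tools\\Driver Updater Pro\\DriverUpdaterPro.exe -t
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Filter hijack: text/html - {69bfd990-1b09-492a-8df0-551a9f1f31e7} - C:\\WINDOWS\\system32\\dsound3dd.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\ISafe.exe
"""


@dataclass(frozen=True)
class Finding:
    entry_type: str  # HijackThis section code, e.g. "O18"
    severity: str    # "high", "medium" or "low" (labels chosen for this example)
    target: str      # the file, domain or program the entry points at
    reason: str


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
FILTER_RE = re.compile(r"^Filter hijack: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<pattern>\S+)")

# Display names that say nothing about who installed the object.
GENERIC_BHO_NAMES = {"browser helper object", "(no name)", ""}


def _executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command, dropping its arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first " -x" / " /x"
    # style argument instead of splitting on whitespace.
    return re.split(r" [-/]", cmd, maxsplit=1)[0]


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis lines and return the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O18":
            f = FILTER_RE.match(body)
            if f:
                findings.append(Finding(code, "high", f.group("path"),
                    f"MIME filter for {f.group('mime')}: the DLL is loaded for every page "
                    "of that type IE renders; legitimate software rarely registers one"))
        elif code == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name").strip().lower() in GENERIC_BHO_NAMES:
                findings.append(Finding(code, "medium", b.group("path"),
                    f"BHO {b.group('clsid')} has a generic display name; check the "
                    "file's publisher, signature and hash before trusting it"))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r and "\\" not in _executable_of(r.group("cmd")):
                findings.append(Finding(code, "low", _executable_of(r.group("cmd")),
                    f"Run value [{r.group('name')}] names a bare file resolved through "
                    "the search path; confirm which copy actually runs"))
        elif code == "O15":
            t = TRUSTED_RE.match(body)
            if t:
                findings.append(Finding(code, "medium", t.group("pattern"),
                    "domain added to IE's Trusted sites zone, which runs with relaxed settings"))
    return findings


def main(argv: list[str]) -> None:
    # With a path argument, triage a saved log; otherwise use the embedded sample.
    text = Path(argv[1]).read_text(errors="replace") if len(argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.severity:6}] {f.entry_type:<4} {f.target}\n         {f.reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to triage the embedded sample, or pass a saved HijackThis log as the first argument. A flag is a prompt to check the file's publisher, signature and hash, not a verdict; in this thread it is the Malwarebytes scan in a later post that actually identifies the BHO and the text/html filter DLL as malicious.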
#2  04-18-2009, 09:12 PM  Osiris (Location: Kentucky; Join Date: Jan 2005; Posts: 32,232)

Re: WIN32/vMALUM.fexg VIRUS

Run Malwarebytes and post its log
#3  04-19-2009, 02:49 AM  Kimcoco (Newb Techie; Join Date: Apr 2009; Posts: 6)

Re: WIN32/vMALUM.fexg VIRUS

Thanks...

Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2006
Windows 5.1.2600 Service Pack 2

4/19/2009 12:57:42 AM
mbam-log-2009-04-19 (00-57-23).txt

Scan type: Quick Scan
Objects scanned: 94128
Time elapsed: 13 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Common\helper.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\dsound3dd.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{69bfd990-1b09-492a-8df0-551a9f1f31e7} (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common\helper.dll (Trojan.BHO) -> No action taken.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dsound3dd.dll (Trojan.Downloader) -> No action taken.
#5  04-19-2009, 09:58 AM  Osiris (Location: Kentucky; Join Date: Jan 2005; Posts: 32,232)

Re: WIN32/vMALUM.fexg VIRUS

Now run Combofix and post its log as well
#6  04-19-2009, 02:58 PM  Kimcoco (Newb Techie; Join Date: Apr 2009; Posts: 6)

Re: WIN32/vMALUM.fexg VIRUS

Combofix log:

ComboFix 09-04-19.05 - HP_Administrator 04/19/2009 13:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.489 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-19 05:42 . 2009-04-19 05:42 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-19 05:42 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-19 05:42 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-19 05:42 . 2009-04-19 05:42 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-19 05:39 . 2009-04-19 05:39 2967800 ----a-w C:\mbam-setup[1].1.2D0D17.efw
2009-04-11 01:54 . 2009-04-11 01:54 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-03-22 18:14 . 2008-10-16 19:07 23576 ----a-w c:\windows\system32\wuapi.dll.mui
2009-03-22 17:50 . 2009-04-19 18:08 54156 ---ha-w c:\windows\QTFont.qfn
2009-03-22 17:50 . 2009-03-22 17:50 1409 ----a-w c:\windows\QTFont.for
2009-03-22 17:25 . 2009-03-22 17:26 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 06:56 . 2009-03-18 06:35 -------- d-----w c:\program files\Common
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-04-19 06:55 . 2007-10-23 21:09 116938 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-04-19 05:42 . 2009-04-19 05:42 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 14:09 . 2009-04-18 14:09 -------- d-----w c:\program files\Trend Micro
2009-04-02 20:22 . 2007-02-06 21:05 394666 ----a-w C:\VETlog.txt
2009-04-02 20:22 . 2007-02-06 21:05 75700 ----a-w C:\VETlog.dmp
2009-03-22 17:27 . 2009-03-22 17:27 -------- d-----w c:\documents and settings\Guest\Application Data\Share-to-Web Upload Folder
2009-03-22 17:27 . 2009-03-22 17:25 48656 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-22 16:26 . 2006-04-07 19:36 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-22 16:26 . 2006-04-05 02:31 -------- d-----w c:\program files\Common Files\AOL
2009-03-22 16:26 . 2005-11-17 13:15 -------- d-----w c:\program files\Java
2009-03-22 16:25 . 2007-02-22 20:23 -------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-03-22 16:25 . 2008-01-06 04:56 -------- d-----w c:\program files\Apple Software Update
2009-03-22 15:49 . 2005-11-17 14:13 -------- d-----w c:\program files\Google
2009-03-19 01:41 . 2008-09-05 01:15 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\W Photo Studio Viewer
2009-03-08 08:50 . 2009-03-08 08:50 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-03-08 08:31 . 2007-12-04 05:07 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\AOL
2009-02-26 03:50 . 2007-11-14 23:35 669155 ----a-w C:\LM9831Log.txt
2009-02-05 03:02 . 2007-10-23 18:25 45672 ----a-w C:\caisslog.txt
2009-01-23 01:33 . 2009-01-23 01:33 410984 ----a-w c:\windows\system32\deploytk.dll
2008-04-10 17:47 . 2007-09-09 02:15 48656 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-14 17:35 . 2007-09-09 02:15 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2007-09-11 02:45 . 2005-11-17 13:42 48656 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-17 13:08 . 2009-03-22 17:25 136 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2005-11-17 13:08 . 2005-11-17 13:08 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-08-10 12:00 . 2004-08-10 12:00 94784 -csh--w c:\windows\twain.dll
2004-08-10 12:00 . 2004-08-10 12:00 50688 --sh--w c:\windows\twain_32.dll
2004-07-30 15:04 . 2004-07-30 15:04 1216 -csh--w c:\windows\Twunk_16.dll
2004-07-30 15:04 . 2004-07-30 15:04 1216 -csh--w c:\windows\Twunk_32.dll
2004-08-10 12:00 . 2004-08-10 12:00 1028096 --sh--w c:\windows\system32\mfc42.dll
2004-08-10 12:00 . 2004-08-10 12:00 54784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-10 12:00 . 2004-08-10 12:00 413696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-10 12:00 . 2004-08-10 12:00 343040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2004-08-10 12:00 550912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-10 12:00 . 2004-08-10 12:00 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-10 12:00 . 2004-08-10 12:00 11776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-02-04 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-01 259312]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 19:30 79368 ----a-w c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 KmxStart;KmxStart;c:\windows\System32\DRIVERS\kmxstart.sys [2008-06-25 93712]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-25 63504]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-25 45584]
S1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-25 115216]
S2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-25 134648]
S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-25 66576]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-04 1010192]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-25 281104]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-25 88816]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-17 189704]

.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-04-17 c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 2 37 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 02:10]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm?rev=10263
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: matc.edu\blackboard
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 13:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1268)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1468)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-04-19 13:56
ComboFix-quarantined-files.txt 2009-04-19 18:56

Pre-Run: 171,356,372,992 bytes free
Post-Run: 171,879,788,544 bytes free

198 --- E O F --- 2008-05-19 21:10
Old 04-19-2009, 04:28 PM   #7 (permalink)
Osiris

Join Date: Jan 2005

Location: Kentucky

Posts: 32,232
Re: WIN32/vMALUM.fexg VIRUS

Since Malwarebytes was unable to remove items the first time, go ahead and run it now and post its log.
Old 04-20-2009, 01:53 PM   #8 (permalink)
 
Newb Techie

Join Date: Apr 2009

Posts: 6

Kimcoco

Re: WIN32/vMALUM.fexg VIRUS

No malicious items detected. However, I got a CA virus notification when I logged on today, Win32/nircmd.A in the Combofix file. Now the combofix isn't on my desktop anymore. I thought I saved it to my computer???

Malwarebytes' Anti-Malware 1.36
Database version: 2007
Windows 5.1.2600 Service Pack 2

4/20/2009 12:49:24 PM
mbam-log-2009-04-20 (12-49-24).txt

Scan type: Quick Scan
Objects scanned: 82144
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Old 04-20-2009, 03:16 PM   #9 (permalink)
Osiris

Join Date: Jan 2005

Location: Kentucky

Posts: 32,232
Re: WIN32/vMALUM.fexg VIRUS

Disable CA, redownload Combofix and run again.
Old 04-20-2009, 04:40 PM   #10 (permalink)
 
Newb Techie

Join Date: Apr 2009

Posts: 6

Kimcoco

Re: WIN32/vMALUM.fexg VIRUS

I disabled CA the only way I know how (the security overview shows "attention needed" for all programs, anti-virus, anti-spyware, etc., as they show disabled), but I still get a popup message that Combofix detects CA. Combofix runs anyway with a warning to do this at your own risk. Here's the log:

ComboFix 09-04-21.03 - HP_Administrator 04/20/2009 15:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.519 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-19 05:42 . 2009-04-19 05:42 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-19 05:42 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-19 05:42 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-19 05:42 . 2009-04-19 05:42 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-19 05:39 . 2009-04-19 05:39 2967800 ----a-w C:\mbam-setup[1].1.2D0D17.efw
2009-04-11 01:54 . 2009-04-11 01:54 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-03-22 18:14 . 2008-10-16 19:07 23576 ----a-w c:\windows\system32\wuapi.dll.mui
2009-03-22 17:50 . 2009-04-20 17:39 54156 ---ha-w c:\windows\QTFont.qfn
2009-03-22 17:50 . 2009-03-22 17:50 1409 ----a-w c:\windows\QTFont.for
2009-03-22 17:25 . 2009-03-22 17:26 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 06:56 . 2009-03-18 06:35 -------- d-----w c:\program files\Common
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-04-19 06:55 . 2007-10-23 21:09 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-04-19 06:55 . 2007-10-23 21:09 116938 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-04-19 05:42 . 2009-04-19 05:42 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 14:09 . 2009-04-18 14:09 -------- d-----w c:\program files\Trend Micro
2009-04-02 20:22 . 2007-02-06 21:05 394666 ----a-w C:\VETlog.txt
2009-04-02 20:22 . 2007-02-06 21:05 75700 ----a-w C:\VETlog.dmp
2009-03-22 17:27 . 2009-03-22 17:27 -------- d-----w c:\documents and settings\Guest\Application Data\Share-to-Web Upload Folder
2009-03-22 17:27 . 2009-03-22 17:25 48656 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-22 16:26 . 2006-04-07 19:36 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-22 16:26 . 2006-04-05 02:31 -------- d-----w c:\program files\Common Files\AOL
2009-03-22 16:26 . 2005-11-17 13:15 -------- d-----w c:\program files\Java
2009-03-22 16:25 . 2007-02-22 20:23 -------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-03-22 16:25 . 2008-01-06 04:56 -------- d-----w c:\program files\Apple Software Update
2009-03-22 15:49 . 2005-11-17 14:13 -------- d-----w c:\program files\Google
2009-03-19 01:41 . 2008-09-05 01:15 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\W Photo Studio Viewer
2009-03-08 08:50 . 2009-03-08 08:50 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-03-08 08:31 . 2007-12-04 05:07 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\AOL
2009-02-26 03:50 . 2007-11-14 23:35 669155 ----a-w C:\LM9831Log.txt
2009-02-05 03:02 . 2007-10-23 18:25 45672 ----a-w C:\caisslog.txt
2009-01-23 01:33 . 2009-01-23 01:33 410984 ----a-w c:\windows\system32\deploytk.dll
2008-04-10 17:47 . 2007-09-09 02:15 48656 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-14 17:35 . 2007-09-09 02:15 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2007-09-11 02:45 . 2005-11-17 13:42 48656 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-11-17 13:08 . 2009-03-22 17:25 136 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2005-11-17 13:08 . 2005-11-17 13:08 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-08-10 12:00 . 2004-08-10 12:00 94784 -csh--w c:\windows\twain.dll
2004-08-10 12:00 . 2004-08-10 12:00 50688 --sh--w c:\windows\twain_32.dll
2004-07-30 15:04 . 2004-07-30 15:04 1216 -csh--w c:\windows\Twunk_16.dll
2004-07-30 15:04 . 2004-07-30 15:04 1216 -csh--w c:\windows\Twunk_32.dll
2004-08-10 12:00 . 2004-08-10 12:00 1028096 --sh--w c:\windows\system32\mfc42.dll
2004-08-10 12:00 . 2004-08-10 12:00 54784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-10 12:00 . 2004-08-10 12:00 413696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-10 12:00 . 2004-08-10 12:00 343040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2004-08-10 12:00 550912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-10 12:00 . 2004-08-10 12:00 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-10 12:00 . 2004-08-10 12:00 11776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-02-04 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-01 259312]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 19:30 79368 ----a-w c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 KmxStart;KmxStart;c:\windows\System32\DRIVERS\kmxstart.sys [2008-06-25 93712]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-25 63504]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-25 45584]
S1 KmxFw;KmxFw;c:\windows\system32\DRIVERS\kmxfw.sys [2008-06-25 115216]
S2 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-25 134648]
S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-25 66576]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-04 1010192]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-25 281104]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-25 88816]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-17 189704]

.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-04-17 c:\windows\Tasks\CAAntiSpywareScan_Daily as HP_Administrator at 2 37 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 02:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm?rev=10263
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: matc.edu\blackboard
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 15:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1244)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1448)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(4072)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-20 15:36
ComboFix-quarantined-files.txt 2009-04-20 20:36
ComboFix2.txt 2009-04-19 18:56

Pre-Run: 171,815,038,976 bytes free
Post-Run: 171,847,766,016 bytes free

194 --- E O F --- 2008-05-19 21:10