Tech Support Forum > Security Center > HijackThis Log Help
Old 04-14-2008, 07:21 AM   #1 (permalink)
jwe
Registered User
 
Join Date: Apr 2008
Posts: 3
OS: winxp


packed.win.32.monder.gen

Hello,

I am having problems with (packed.win.32.monder.gen). I downloaded SDFix and ran it, but it still shows that I am infected. Any suggestions on what I can do next?

Thanks.
Old 04-14-2008, 09:53 AM   #2 (permalink)
Rahina
Analyst, Security Team
Join Date: Feb 2007
Posts: 209
OS: Windows XP Pro


Re: packed.win.32.monder.gen

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for me to analyze.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.
Old 04-15-2008, 12:43 PM   #3 (permalink)
jwe
Registered User
 
Join Date: Apr 2008
Posts: 3
OS: winxp


Re: packed.win.32.monder.gen

I hope I did this right.

Deckard's System Scanner v20071014.68
Run by James Werven on 2008-04-15 15:29:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-04-15 19:30:07 UTC - RP528 - Deckard's System Scanner Restore Point
11: 2008-04-15 02:17:15 UTC - RP527 - System Checkpoint
10: 2008-04-14 01:35:44 UTC - RP526 - Software Distribution Service 3.0
9: 2008-04-13 15:26:47 UTC - RP525 - Installed ParetoLogic Anti-Virus PLUS.
8: 2008-04-13 14:53:11 UTC - RP524 - Removed CA eTrust PestPatrol


-- First Restore Point --
1: 2008-04-09 02:49:38 UTC - RP517 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 88% (more than 75%).


-- HijackThis (run as James Werven.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:08 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SHARP\OZ_ZQ-590A\sync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James Werven\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\James Werven.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?rev=10331
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {757A892B-F0A1-40DC-AA7C-84AEF160CED7} - C:\WINDOWS\system32\khfEWNdC.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {76DD9751-0D3B-4D93-9934-88F1A51308D7} - C:\WINDOWS\system32\urqPhggD.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {7db5dedc-e8b4-9569-2314-3ffd7e25893d} - {d39852e7-dff3-4132-9659-4b8ecded5bd7} - C:\WINDOWS\system32\olgmxjow.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKLM\..\Run: [7B5D4F0F67007850585D] Rundll32.exe "C:\WINDOWS\system32\cwovxdxu.dll",s
O4 - HKLM\..\Run: [588c4dce] rundll32.exe "C:\WINDOWS\system32\wphuubyx.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: OZ_ZQ-590A Synchronization Software.lnk = C:\Program Files\SHARP\OZ_ZQ-590A\sync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/273c9c81...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095432334956
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/...ws-i586-jc.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/T...ex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 9337 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.7) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.7>

S3 catchme - c:\docume~1\jamesw~1\locals~1\temp\catchme.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 SDDMI2 - c:\windows\system32\ddmi2.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ZeppelinService (plasservice) - "c:\program files\common files\paretologic\plas\plasservice.exe" <Not Verified; ParetoLogic Inc.; PLAS Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Office Source Engine
Device ID: ROOT\LEGACY_OSE\0000
Manufacturer:
Name: Office Source Engine
PNP Device ID: ROOT\LEGACY_OSE\0000
Service:

Class GUID:
Description: SDDMI2
Device ID: ROOT\LEGACY_SDDMI2\0000
Manufacturer:
Name: SDDMI2
PNP Device ID: ROOT\LEGACY_SDDMI2\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-15 02:00:06 480 --a------ C:\WINDOWS\Tasks\ParetoLogic Anti-Virus PLUS.job
2008-04-15 00:33:11 430 --a------ C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
2008-04-14 18:00:05 456 --a------ C:\WINDOWS\Tasks\ParetoLogic Registration.job
2008-04-14 18:00:03 456 --a------ C:\WINDOWS\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
2004-08-13 15:30:56 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 15:32:34 0 d-------- C:\Program Files\Trend Micro
2008-04-15 09:57:02 86080 --a------ C:\WINDOWS\system32\wphuubyx.dll
2008-04-14 09:49:44 0 --a------ C:\WINDOWS\system32\ujtspgew.dll
2008-04-13 19:49:51 0 d-------- C:\WINDOWS\ERUNT
2008-04-13 11:31:57 12064 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-13 11:31:57 1632544 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-12 22:33:01 86592 --a------ C:\WINDOWS\system32\kaktxqho.dll
2008-04-11 19:53:21 0 d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-11 19:53:21 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2008-04-11 19:53:20 0 d-------- C:\Program Files\ParetoLogic
2008-04-11 19:53:19 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-04-11 19:50:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-11 18:15:24 0 d-------- C:\Program Files\Java
2008-04-11 14:26:20 0 d-------- C:\Documents and Settings\James Werven\.housecall6.6
2008-04-11 12:44:51 0 d-------- C:\Documents and Settings\James Werven\Application Data\HouseCall 6.6
2008-04-11 12:44:39 0 d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-04-10 23:20:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 22:49:29 3670016 --a------ C:\Documents and Settings\James Werven\ntuser.dat
2008-04-08 21:07:14 179037 --ahs---- C:\WINDOWS\system32\DgghPqru.ini2
2008-04-08 21:07:10 269824 --a------ C:\WINDOWS\system32\urqPhggD.dll
2008-04-08 19:39:57 83520 --a------ C:\WINDOWS\system32\cwovxdxu.dll
2008-04-06 15:03:11 14094 --a------ C:\WINDOWS\system32\rsfdgphr.dll
2008-04-06 15:00:20 14129 --a------ C:\WINDOWS\system32\vtcrtdly.dll
2008-04-02 14:17:08 182456 --ahs---- C:\WINDOWS\system32\CdNWEfhk.ini2
2008-03-28 20:50:42 0 d-------- C:\Documents and Settings\All Users\Application Data\vypivmvq


-- Find3M Report ---------------------------------------------------------------

2008-04-11 19:53:21 0 d-------- C:\Program Files\Common Files
2008-04-02 14:15:12 0 d-------- C:\Documents and Settings\James Werven\Application Data\Adobe
2008-03-26 10:25:16 0 d-------- C:\Documents and Settings\James Werven\Application Data\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{757A892B-F0A1-40DC-AA7C-84AEF160CED7}]
C:\WINDOWS\system32\khfEWNdC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76DD9751-0D3B-4D93-9934-88F1A51308D7}]
04/08/2008 09:07 PM 269824 --a------ C:\WINDOWS\system32\urqPhggD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d39852e7-dff3-4132-9659-4b8ecded5bd7}]
C:\WINDOWS\system32\olgmxjow.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 06:59 AM C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [08/15/2003 01:38 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/15/2003 01:37 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/15/2004 02:04 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 02:01 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [04/11/2004 09:15 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/11/2004 12:43 PM]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 04:04 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/27/2004 10:51 AM]
"LWBMOUSE"="C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" [05/18/2003 11:24 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 11:56 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [05/10/2005 04:04 PM]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [01/26/2005 03:43 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ParetoLogic Anti-Virus PLUS"="C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk -NM -hidesplash" []
"7B5D4F0F67007850585D"="C:\WINDOWS\system32\cwovxdxu.dll" [04/08/2008 07:39 PM]
"588c4dce"="C:\WINDOWS\system32\wphuubyx.dll" [04/15/2008 09:57 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/16/2007 10:26 PM]

C:\Documents and Settings\James Werven\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
OZ_ZQ-590A Synchronization Software.lnk - C:\Program Files\SHARP\OZ_ZQ-590A\sync.exe [4/24/2006 2:42:04 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqPhggD
"Notification Packages"= :\WINDOWS\syste

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-15 15:36:15 ------------
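The log above is what the analyst reads for indicators. As an added example (not code from this thread, and not HijackThis's or DSS's own logic), the Python below applies those reading rules mechanically to a constructed subset of the lines from the post: O2 BHOs with no display name or a missing file, O4 Run entries that start rundll32 on a hex-named value with a randomly named DLL in system32, O10 LSP entries HijackThis could not identify, O23 services with no publisher, and the DSS registry-dump line showing an extra LSA authentication package. The regexes, the severity labels and the "eight lowercase letters" random-name heuristic are this example's assumptions, not part of either tool.

```python
# Added example (not from the thread, HijackThis or DSS): heuristic triage of
# HijackThis / DSS log lines using the checks an analyst applies by eye.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines from the log above,
# plus the LSA line from the DSS registry dump in the same post.
SAMPLE_LOG = r"""
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {757A892B-F0A1-40DC-AA7C-84AEF160CED7} - C:\WINDOWS\system32\khfEWNdC.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {76DD9751-0D3B-4D93-9934-88F1A51308D7} - C:\WINDOWS\system32\urqPhggD.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: {7db5dedc-e8b4-9569-2314-3ffd7e25893d} - {d39852e7-dff3-4132-9659-4b8ecded5bd7} - C:\WINDOWS\system32\olgmxjow.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [7B5D4F0F67007850585D] Rundll32.exe "C:\WINDOWS\system32\cwovxdxu.dll",s
O4 - HKLM\..\Run: [588c4dce] rundll32.exe "C:\WINDOWS\system32\wphuubyx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqPhggD
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
HEX_VALUE_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")      # Run value name that is just hex
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")       # assumed "random name" heuristic
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: ")
O23_RE = re.compile(r"^O23 - Service: .*? - (?P<owner>.*?) - ")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.*)$')


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = remove/investigate; "review" = verify before acting
    reason: str
    line: str


def basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip())[-1]


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if path.endswith("(file missing)"):
            return Finding("high", "BHO registered but its DLL is gone (orphaned loader)", line)
        if name == "(no name)" or GUID_RE.match(name):
            return Finding("high", "BHO with no readable display name", line)
        return None
    m = O4_RE.match(line)
    if m:
        dll = RUNDLL_RE.search(m.group("cmd"))
        if dll and "\\system32\\" in dll.group("dll").lower() and (
            HEX_VALUE_RE.match(m.group("value")) or RANDOM_DLL_RE.match(basename(dll.group("dll")))
        ):
            return Finding("high", "rundll32 autorun of a randomly named DLL in system32", line)
        return None
    if O10_RE.match(line):
        return Finding("review", "Winsock LSP DLL that HijackThis could not identify", line)
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        return Finding("review", "service with no publisher on record; verify the file", line)
    m = LSA_RE.match(line)
    if m:
        # Windows XP's stock value is msv1_0 alone; anything else is loaded by lsass.exe at boot.
        extras = [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
        if extras:
            return Finding("high", "extra LSA authentication package: " + ", ".join(extras), line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every distinct non-empty line (duplicates collapsed)."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        f = check_line(line)
        if f:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample this yields six "high" findings (the three BHOs, the two rundll32 Run entries and the LSA package) and two "review" items. The "review" tier is deliberately low confidence: the O10 line appears once per LSP catalog entry the DLL is registered for, so identical lines are collapsed, and "Unknown owner" only means HijackThis has no publisher on record, which for WLTRYSVC on this Dell machine is most likely the Broadcom wireless tray service (bcmwltry.exe is in the process list), something to verify rather than delete.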
Old 04-15-2008, 12:54 PM   #4 (permalink)
Rahina
Analyst, Security Team
Join Date: Feb 2007
Posts: 209
OS: Windows XP Pro


Re: packed.win.32.monder.gen

Please visit this webpage for download links, and instructions for running this tool: http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware, and will only take a few moments of your time.


After ensuring the Recovery Console is installed on your system...


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

C:\CF_RC.txt
C:\ComboFix.txt
New HijackThis log.
Old 04-16-2008, 06:45 PM   #5 (permalink)
jwe
Registered User
 
Join Date: Apr 2008
Posts: 3
OS: winxp


Re: packed.win.32.monder.gen

Here it is:

ComboFix 08-04-16.2 - James Werven 2008-04-16 21:17:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.630 [GMT -4:00]
Running from: C:\Documents and Settings\James Werven\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Werven\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\CdNWEfhk.ini
C:\WINDOWS\SYSTEM32\CdNWEfhk.ini2
C:\WINDOWS\system32\cwovxdxu.dll
C:\WINDOWS\SYSTEM32\DgghPqru.ini
C:\WINDOWS\SYSTEM32\DgghPqru.ini2
C:\WINDOWS\SYSTEM32\euunpnjd.ini
C:\WINDOWS\system32\gnnfecti.dll
C:\WINDOWS\SYSTEM32\itcefnng.ini
C:\WINDOWS\SYSTEM32\jvnbcrur.ini
C:\WINDOWS\system32\kaktxqho.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\ohqxtkak.ini
C:\WINDOWS\SYSTEM32\pbstikfr.ini
C:\WINDOWS\system32\urqPhggD.dll
C:\WINDOWS\system32\wphuubyx.dll
C:\WINDOWS\SYSTEM32\xybuuhpw.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-15 15:32 . 2008-04-15 15:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 15:29 . 2008-04-15 15:29 <DIR> d-------- C:\Deckard
2008-04-13 20:42 . 2008-04-16 21:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-13 20:42 . 2008-04-13 20:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 19:49 . 2008-04-13 19:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-13 19:29 . 2008-04-13 21:19 <DIR> d-------- C:\SDFix
2008-04-13 11:31 . 2008-04-16 21:23 1,670,176 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-04-13 11:31 . 2008-04-16 21:23 21,092 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-04-13 11:31 . 2008-04-16 21:25 15,392 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-04-13 11:31 . 2008-04-16 21:23 2,444 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-04-13 08:50 . 2008-04-15 17:51 2,725 --a------ C:\rollback.ini
2008-04-11 19:53 . 2008-04-11 19:53 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-11 19:53 . 2008-04-13 11:27 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-11 19:53 . 2008-04-11 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2008-04-11 19:53 . 2008-04-13 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-04-11 19:50 . 2008-04-11 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-11 18:17 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-11 18:15 . 2008-04-11 18:17 <DIR> d-------- C:\Program Files\Java
2008-04-11 14:26 . 2008-04-11 19:41 <DIR> d-------- C:\Documents and Settings\James Werven\.housecall6.6
2008-04-11 12:44 . 2008-04-11 14:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\HouseCall 6.6
2008-04-11 12:44 . 2008-04-11 12:44 <DIR> d-------- C:\Documents and Settings\James Werven\Application Data\HouseCall 6.6
2008-04-11 00:24 . 2008-04-11 00:24 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-04-10 23:20 . 2008-04-13 10:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 20:46 . 2008-04-07 20:46 243,024 --a------ C:\WINDOWS\SYSTEM32\LSPInstall.dll
2008-04-07 20:46 . 2008-04-07 20:46 111,960 --a------ C:\WINDOWS\SYSTEM32\INetHTTPFilter.dll
2008-04-06 15:03 . 2008-04-06 15:03 14,094 --a------ C:\WINDOWS\SYSTEM32\rsfdgphr.dll
2008-04-06 15:00 . 2008-04-06 15:00 14,129 --a------ C:\WINDOWS\SYSTEM32\vtcrtdly.dll
2008-04-04 23:59 . 2008-04-16 21:12 3,334,310 --a------ C:\WINDOWS\SYSTEM32\scolmpdain.xml
2008-03-28 20:50 . 2008-03-30 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vypivmvq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 00:19 2,701,824 ----a-w C:\WINDOWS\Internet Logs\xDBB6.tmp
2008-04-13 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-04-13 14:13 452,608 ----a-w C:\WINDOWS\Internet Logs\xDBB5.tmp
2008-04-13 14:13 2,693,632 ----a-w C:\WINDOWS\Internet Logs\xDBB4.tmp
2008-04-12 01:17 2,686,464 ----a-w C:\WINDOWS\Internet Logs\xDBB2.tmp
2008-04-12 01:17 114,688 ----a-w C:\WINDOWS\Internet Logs\xDBB3.tmp
2008-04-11 03:29 61,952 ----a-w C:\WINDOWS\Internet Logs\xDBB1.tmp
2008-04-11 03:29 2,649,600 ----a-w C:\WINDOWS\Internet Logs\xDBB0.tmp
2008-04-08 23:43 2,611,712 ----a-w C:\WINDOWS\Internet Logs\xDBAE.tmp
2008-04-08 23:43 129,536 ----a-w C:\WINDOWS\Internet Logs\xDBAF.tmp
2008-03-31 03:06 2,496,512 ----a-w C:\WINDOWS\Internet Logs\xDBAD.tmp
2008-03-27 17:48 238,592 ----a-w C:\WINDOWS\Internet Logs\xDBAC.tmp
2008-03-27 17:48 2,478,080 ----a-w C:\WINDOWS\Internet Logs\xDBAB.tmp
2008-02-10 03:36 25,600 ----a-w C:\WINDOWS\Internet Logs\xDBAA.tmp
2008-02-10 03:36 2,383,360 ----a-w C:\WINDOWS\Internet Logs\xDBA9.tmp
2008-02-09 04:09 2,382,848 ----a-w C:\WINDOWS\Internet Logs\xDBA7.tmp
2008-02-09 04:09 101,376 ----a-w C:\WINDOWS\Internet Logs\xDBA8.tmp
2008-02-02 16:12 2,381,312 ----a-w C:\WINDOWS\Internet Logs\xDBA6.tmp
2008-01-19 18:34 28,160 ----a-w C:\WINDOWS\Internet Logs\xDBA5.tmp
2008-01-19 18:33 2,370,048 ----a-w C:\WINDOWS\Internet Logs\xDBA4.tmp
2008-01-18 02:18 2,370,048 ----a-w C:\WINDOWS\Internet Logs\xDBA3.tmp
2008-01-18 00:24 44,032 ----a-w C:\WINDOWS\Internet Logs\xDBA2.tmp
2008-01-18 00:24 2,371,584 ----a-w C:\WINDOWS\Internet Logs\xDBA1.tmp
2008-01-12 17:38 20,992 ----a-w C:\WINDOWS\Internet Logs\xDBA0.tmp
2008-01-12 17:38 2,404,864 ----a-w C:\WINDOWS\Internet Logs\xDB9F.tmp
2008-01-12 13:56 28,672 ----a-w C:\WINDOWS\Internet Logs\xDB9E.tmp
2008-01-12 13:56 2,408,448 ----a-w C:\WINDOWS\Internet Logs\xDB9D.tmp
2008-01-11 19:53 24,064 ----a-w C:\WINDOWS\Internet Logs\xDB9C.tmp
2008-01-11 19:53 2,368,000 ----a-w C:\WINDOWS\Internet Logs\xDB9B.tmp
2008-01-07 01:22 877,568 ----a-w C:\WINDOWS\Internet Logs\xDB9A.tmp
2008-01-07 01:22 2,361,344 ----a-w C:\WINDOWS\Internet Logs\xDB99.tmp
2007-10-27 20:38 33,280 ----a-w C:\WINDOWS\Internet Logs\xDB98.tmp
2007-10-27 20:38 2,103,296 ----a-w C:\WINDOWS\Internet Logs\xDB97.tmp
2007-10-25 18:57 2,093,568 ----a-w C:\WINDOWS\Internet Logs\xDB95.tmp
2007-10-25 18:55 222,208 ----a-w C:\WINDOWS\Internet Logs\xDB96.tmp
2007-10-08 02:04 21,504 ----a-w C:\WINDOWS\Internet Logs\xDB94.tmp
2007-10-08 02:04 2,092,032 ----a-w C:\WINDOWS\Internet Logs\xDB93.tmp
2007-10-08 00:25 13,824 ----a-w C:\WINDOWS\Internet Logs\xDB92.tmp
2007-10-08 00:23 2,085,888 ----a-w C:\WINDOWS\Internet Logs\xDB91.tmp
2007-10-08 00:04 23,552 ----a-w C:\WINDOWS\Internet Logs\xDB90.tmp
2007-10-08 00:04 2,093,056 ----a-w C:\WINDOWS\Internet Logs\xDB8F.tmp
2007-09-04 17:38 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB8E.tmp
2007-09-04 17:37 2,087,424 ----a-w C:\WINDOWS\Internet Logs\xDB8D.tmp
2007-09-04 14:00 26,112 ----a-w C:\WINDOWS\Internet Logs\xDB8C.tmp
2007-09-04 14:00 2,085,376 ----a-w C:\WINDOWS\Internet Logs\xDB8B.tmp
2007-08-03 20:37 2,082,816 ----a-w C:\WINDOWS\Internet Logs\xDB89.tmp
2007-08-03 16:42 35,328 ----a-w C:\WINDOWS\Internet Logs\xDB8A.tmp
2007-07-31 17:05 65,536 ----a-w C:\WINDOWS\Internet Logs\xDB88.tmp
2007-07-31 16:21 2,080,256 ----a-w C:\WINDOWS\Internet Logs\xDB87.tmp
2007-07-29 00:59 71,680 ----a-w C:\WINDOWS\Internet Logs\xDB86.tmp
2007-07-29 00:52 2,077,696 ----a-w C:\WINDOWS\Internet Logs\xDB85.tmp
2007-07-28 17:14 2,078,208 ----a-w C:\WINDOWS\Internet Logs\xDB84.tmp
2007-07-25 21:24 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB83.tmp
2007-07-25 21:24 2,073,600 ----a-w C:\WINDOWS\Internet Logs\xDB82.tmp
2007-07-24 17:40 2,074,112 ----a-w C:\WINDOWS\Internet Logs\xDB80.tmp
2007-07-24 17:40 16,896 ----a-w C:\WINDOWS\Internet Logs\xDB81.tmp
2007-07-23 21:26 20,992 ----a-w C:\WINDOWS\Internet Logs\xDB7F.tmp
2007-07-23 21:22 2,073,088 ----a-w C:\WINDOWS\Internet Logs\xDB7E.tmp
2007-07-23 15:52 57,344 ----a-w C:\WINDOWS\Internet Logs\xDB7D.tmp
2007-07-23 15:15 2,076,672 ----a-w C:\WINDOWS\Internet Logs\xDB7C.tmp
2007-07-20 02:42 23,040 ----a-w C:\WINDOWS\Internet Logs\xDB7B.tmp
2007-07-20 02:42 2,065,408 ----a-w C:\WINDOWS\Internet Logs\xDB7A.tmp
2007-07-18 13:45 2,061,312 ----a-w C:\WINDOWS\Internet Logs\xDB78.tmp
2007-07-18 13:45 16,896 ----a-w C:\WINDOWS\Internet Logs\xDB79.tmp
2007-07-18 13:23 58,880 ----a-w C:\WINDOWS\Internet Logs\xDB77.tmp
2007-07-18 13:23 2,064,896 ----a-w C:\WINDOWS\Internet Logs\xDB76.tmp
2007-07-17 02:30 81,408 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2007-07-17 02:29 2,066,432 ----a-w C:\WINDOWS\Internet Logs\xDB74.tmp
2007-04-22 23:14 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB73.tmp
2007-04-22 23:13 2,025,984 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2007-04-22 22:50 24,576 ----a-w C:\WINDOWS\Internet Logs\xDB71.tmp
2007-04-22 22:50 2,025,984 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2007-04-22 13:35 35,840 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2007-04-22 13:19 2,022,912 ----a-w C:\WINDOWS\Internet Logs\xDB6E.tmp
2007-04-22 01:20 2,028,032 ----a-w C:\WINDOWS\Internet Logs\xDB6C.tmp
2007-04-22 01:19 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB6D.tmp
2007-04-22 00:55 17,408 ----a-w C:\WINDOWS\Internet Logs\xDB6B.tmp
2007-04-22 00:51 2,021,888 ----a-w C:\WINDOWS\Internet Logs\xDB6A.tmp
2007-04-21 23:46 2,021,888 ----a-w C:\WINDOWS\Internet Logs\xDB68.tmp
2007-04-21 23:46 15,360 ----a-w C:\WINDOWS\Internet Logs\xDB69.tmp
2007-04-21 22:12 27,648 ----a-w C:\WINDOWS\Internet Logs\xDB67.tmp
2007-04-21 20:42 2,022,912 ----a-w C:\WINDOWS\Internet Logs\xDB66.tmp
2007-04-11 19:04 2,022,912 ----a-w C:\WINDOWS\Internet Logs\xDB64.tmp
2007-04-11 19:02 16,896 ----a-w C:\WINDOWS\Internet Logs\xDB65.tmp
2007-04-08 00:06 33,792 ----a-w C:\WINDOWS\Internet Logs\xDB63.tmp
2007-04-08 00:06 2,023,424 ----a-w C:\WINDOWS\Internet Logs\xDB62.tmp
2007-03-28 19:05 2,026,496 ----a-w C:\WINDOWS\Internet Logs\xDB60.tmp
2007-03-28 16:13 18,432 ----a-w C:\WINDOWS\Internet Logs\xDB61.tmp
2007-03-28 13:46 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB5F.tmp
2007-03-28 13:42 2,017,280 ----a-w C:\WINDOWS\Internet Logs\xDB5E.tmp
2007-03-28 01:06 2,017,280 ----a-w C:\WINDOWS\Internet Logs\xDB5C.tmp
2007-03-28 00:40 24,576 ----a-w C:\WINDOWS\Internet Logs\xDB5D.tmp
2007-03-24 10:59 2,019,840 ----a-w C:\WINDOWS\Internet Logs\xDB5B.tmp
2007-03-23 17:54 42,496 ----a-w C:\WINDOWS\Internet Logs\xDB5A.tmp
2007-03-23 17:54 2,016,256 ----a-w C:\WINDOWS\Internet Logs\xDB59.tmp
2007-03-21 17:19 51,712 ----a-w C:\WINDOWS\Internet Logs\xDB58.tmp
2007-03-21 17:19 2,014,208 ----a-w C:\WINDOWS\Internet Logs\xDB57.tmp
2007-02-28 16:30 16,896 ----a-w C:\WINDOWS\Internet Logs\xDB56.tmp
2007-02-28 16:30 1,995,264 ----a-w C:\WINDOWS\Internet Logs\xDB55.tmp
2007-02-27 02:50 76,288 ----a-w C:\WINDOWS\Internet Logs\xDB54.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{757A892B-F0A1-40DC-AA7C-84AEF160CED7}]
C:\WINDOWS\system32\khfEWNdC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d39852e7-dff3-4132-9659-4b8ecded5bd7}]
C:\WINDOWS\system32\olgmxjow.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 22:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 06:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 13:38 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 13:37 618496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 12:43 53248]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2005-05-10 16:04 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-27 10:51 180269]
"LWBMOUSE"="C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" [2003-05-18 23:24 438272]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-05-10 16:04 11776]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2005-01-26 03:43 722712]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ParetoLogic Anti-Virus PLUS"="C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk -NM -hidesplash" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
OZ_ZQ-590A Synchronization Software.lnk - C:\Program Files\SHARP\OZ_ZQ-590A\sync.exe [2006-04-24 14:42:04 655360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 ZeppelinService;plasservice;"C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe" [2008-04-07 20:43]
S3 SPCP825K;Sunplus Serial port driver;C:\WINDOWS\system32\DRIVERS\SPCP825K.sys [2004-02-02 15:23]

.
Contents of the 'Scheduled Tasks' folder
"2004-08-13 19:30:56 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2008-04-16 06:00:00 C:\WINDOWS\Tasks\ParetoLogic Anti-Virus PLUS.job"
- C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
"2008-04-15 22:00:28 C:\WINDOWS\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job"
- C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
"2008-04-15 22:00:25 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2008-04-16 04:33:00 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 21:26:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\JAMESW~1\LOCALS~1\Temp\temp0.exe

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE
C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\SYSTEM32\igfxsrvc.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-16 21:35:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-17 01:35:22

Pre-Run: 15,955,873,792 bytes free
Post-Run: 15,886,635,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-14 01:39:17 --- E O F ---
Old 04-17-2008, 12:56 AM   #6 (permalink)
Rahina
Analyst, Security Team
Join Date: Feb 2007
Posts: 209
OS: Windows XP Pro


Re: packed.win.32.monder.gen

Please delete your existing version of ComboFix, get a new version from one of these links, and do the drag and drop of the Recovery Console package once again.

Link 1
Link 2
Link 3

Please post C:\Combofix.txt
Copyright 2001 - 2008, Tech Support Forum