ZuriPhoenix

Hello,

I had received wonderful help on this forum just the other day. And i am back, with not a problem on my laptop, but on my friend's laptop. She has Windows XP Service Pack 3.

Throughout use of the laptop, avast reports:

Malware Was Found
File name: C:\\WINDOWS\SYSTEM32\OVFSTHXVSYQVDOT.DLL
Malware name: Win32:Alureon-U [Rtk]
Malware Type: Rootkit

I have provided the Logs



DDS (Ver_09-03-16.01) - NTFSx86
Run by Winston Peters at 17:29:11.82 on Sun 04/19/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1141 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\TSTT\CCU550\Bin\CMTNF5500D.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Winston Peters\Desktop\dds.scr
C:\WINDOWS\system32\wscntfy.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [TSTTCCU_550] c:\program files\tstt\ccu550\bin\CMTNF5500D.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\winsto~1\startm~1\programs\startup\rocket~1.lnk - c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000a-7350-4f3c-8081-5663ee0c6c49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780b25-18cc-41c8-b9be-3c9c571a8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: bmnet.dll
DPF: Justin.tv Publisher - hxxp://www.justin.tv/plugins/justintv_publisher.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: groovelocalgws - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\winsto~1\applic~1\mozilla\firefox\profiles\4md56u1a.default\
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-18 114768]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-18 20560]
R2 avast! antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-18 138680]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-20 55152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-12 1251720]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-2-15 603904]
S1 54d3e3fb;54d3e3fb;c:\windows\system32\drivers\54d3e3fb.sys [2009-4-18 0]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]
S3 avast! mail scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-18 254040]
S3 avast! web scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-18 352920]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2007-1-10 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2007-1-10 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2007-1-10 93904]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 QuarticsWP;QuarticsWP_Display_Driver;c:\windows\system32\drivers\quarticswp.sys --> c:\windows\system32\drivers\QuarticsWP.sys [?]
S3 QuarticsWPMirror;QuarticsWPMirror_Display_Driver;c:\windows\system32\drivers\quarticswpmirror.sys --> c:\windows\system32\drivers\QuarticsWPMirror.sys [?]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]

=============== Created Last 30 ================

2009-04-18 13:24 32,592 a------- c:\windows\system32\msonpmon.dll
2009-04-18 13:22 155 a------- c:\windows\system32\SelfDel.bat
2009-04-18 13:22 84,045 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-18 13:17 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-04-18 13:07 0 a------- c:\windows\system32\drivers\54d3e3fb.sys
2009-04-18 13:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-04-18 12:53 43 a------- c:\windows\system32\ovfsthxixdoepjc.dat
2009-04-18 12:51 60,928 a------- c:\windows\system32\ovfsthxioefjklf.dll
2009-04-18 12:51 18,432 a------- c:\windows\system32\ovfsthxvsyqvdot.dll
2009-04-18 12:51 18,432 a------- c:\windows\system32\ovfsthxrmupobbp.dll
2009-04-18 12:51 16,405 a------- c:\windows\system32\ovfsthxrcrsqttv.dat
2009-04-18 11:10 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-17 14:18 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 14:18 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-17 14:18 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-03-23 19:14 <DIR> --dsh--- C:\found.000
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-03-07 23:40 92,447 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-15 22:13 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-02-15 22:13 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2007-08-26 15:33 256 a------- c:\documents and settings\winston peters\pool.bin
2007-01-02 16:10 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 17:30:26.59 ===============


Thank You !

Attached Files

Attach.zip (6.0 KB, 1 views)

Ried

Hi ZuriPhoenix. I saw a new thread by you and had to come look. Gave me quite a scare, you know.

While I'm here, your friend has a rootkit onboard. Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on combofix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

ZuriPhoenix

Ha ! Sorry if i scared you !

Thank You again for coming to the rescue. Here is your requested log:


ComboFix 09-04-20.02 - Winston Peters 04/19/2009 20:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1116 [GMT -4:00]
Running from: c:\documents and settings\Winston Peters\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\ovfsthxioefjklf.dll
c:\windows\system32\ovfsthxixdoepjc.dat
c:\windows\system32\ovfsthxrcrsqttv.dat
c:\windows\system32\ovfsthxrmupobbp.dll
c:\windows\system32\ovfsthxvsyqvdot.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://drm.wippiespace.com
.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 07:08 . 2009-04-19 07:08 -------- d-----w c:\documents and settings\Winston Peters\Local Settings\Application Data\Mozilla
2009-04-18 17:24 . 2006-10-26 23:56 32592 ----a-w c:\windows\system32\msonpmon.dll
2009-04-18 17:22 . 2009-04-18 17:22 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-18 17:22 . 2009-04-18 17:22 84045 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-18 17:21 . 2009-04-18 17:21 -------- d-----w c:\program files\MSBuild
2009-04-18 17:20 . 2009-04-18 17:20 -------- d-----w c:\program files\Microsoft.NET
2009-04-18 17:17 . 2009-04-18 17:17 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-18 17:16 . 2009-04-18 17:16 -------- d-----w c:\documents and settings\Winston Peters\Local Settings\Application Data\Microsoft Help
2009-04-18 17:16 . 2009-04-18 20:04 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-18 17:07 . 2009-04-18 19:46 0 ----a-w c:\windows\system32\drivers\54d3e3fb.sys
2009-04-18 17:04 . 2009-04-18 17:04 -------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-04-17 18:19 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 18:19 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 18:19 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 18:19 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 18:19 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 18:19 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 18:19 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 18:19 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 18:19 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 18:19 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 18:18 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 18:18 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 18:18 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-03-23 23:14 . 2009-03-23 23:14 -------- d-sh--w C:\found.000
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 20:29 . 2009-01-20 04:34 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-19 16:52 . 2009-02-03 18:52 -------- d-----w c:\documents and settings\Winston Peters\Application Data\Skype
2009-04-19 16:49 . 2009-02-03 18:54 -------- d-----w c:\documents and settings\Winston Peters\Application Data\skypePM
2009-04-19 00:33 . 2007-12-16 00:43 -------- d-----w c:\program files\Canon
2009-04-19 00:32 . 2007-08-07 18:12 -------- d-----w c:\program files\Common Files\Research In Motion
2009-04-19 00:28 . 2006-09-12 07:29 -------- d-----w c:\program files\Quicken
2009-04-18 20:07 . 2006-09-12 06:39 129008 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 16:37 . 2009-01-31 23:52 -------- d-----w c:\documents and settings\Winston Peters\Application Data\LimeWire
2009-04-18 15:18 . 2007-01-04 19:19 -------- d-----w c:\program files\Rhapsody
2009-04-18 15:16 . 2007-01-02 17:57 -------- d-----w c:\program files\Common Files\AOL
2009-04-18 15:10 . 2006-09-12 06:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-18 15:09 . 2006-09-12 06:47 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-09 00:36 . 2009-03-09 00:36 -------- d-----w c:\documents and settings\Winston Peters\Application Data\PlayFirst
2009-03-09 00:36 . 2009-03-09 00:36 -------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-09 00:18 . 2009-03-09 00:18 -------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-03-08 17:32 . 2009-03-08 17:32 -------- d-----w c:\documents and settings\All Users\Application Data\Sandlot Games
2009-03-08 17:32 . 2009-03-08 17:32 -------- d-----w c:\program files\Common Files\Sandlot Shared
2009-03-08 03:40 . 2006-06-29 18:43 92447 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-08 03:31 . 2002-08-29 20:00 250048 --sha-r C:\ntldr
2009-03-06 20:39 . 2007-09-03 12:24 -------- d-----w c:\program files\Google
2009-03-06 14:22 . 2006-03-16 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-10-23 15:34 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2006-03-16 04:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 20:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-26 00:35 . 2009-01-20 04:29 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-20 15:53 . 2009-01-20 00:14 -------- d-----w c:\program files\Windows Live
2009-02-20 15:53 . 2009-02-20 15:53 -------- d-----w c:\program files\Microsoft Sync Framework
2009-02-20 10:20 . 2007-05-11 03:03 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 11:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 11:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-16 02:13 . 2009-02-16 02:13 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-02-16 02:13 . 2009-02-16 02:13 360192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-02-09 12:10 . 2006-03-16 04:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-03-16 04:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-03-16 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-03-16 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2009-01-17 18:28 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-03-16 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2009-01-17 18:28 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 23:03 . 2009-02-06 23:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2006-03-16 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2009-01-17 18:28 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2009-01-17 18:28 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2006-03-16 04:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-03-16 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2009-01-17 18:28 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2006-03-16 04:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2006-03-16 04:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-26 12:57 . 2009-01-26 12:56 2346 ----a-w C:\wp_install.log
2007-08-26 19:33 . 2007-08-26 19:33 256 ----a-w c:\documents and settings\Winston Peters\pool.bin
2007-01-02 17:43 . 2007-01-02 17:40 137 ----a-w c:\documents and settings\Winston Peters\Local Settings\Application Data\fusioncache.dat
2006-09-12 07:53 . 2007-01-02 17:40 51192 ----a-w c:\documents and settings\Winston Peters\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-12 06:39 . 2006-09-12 06:39 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2007-01-02 20:10 . 2007-01-02 20:10 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-06 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"TSTTCCU_550"="c:\program files\TSTT\CCU550\Bin\CMTNF5500D.exe" [2005-07-18 208896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Winston Peters\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-18 630784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-1-2 102400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1167760901\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 54d3e3fb;54d3e3fb;c:\windows\System32\drivers\54d3e3fb.sys [2009-04-18 0]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-18 109080]
R3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\DRIVERS\cmo_bus.sys [2005-08-17 58352]
R3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\DRIVERS\cmo_mdfl.sys [2005-08-17 8304]
R3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\DRIVERS\cmo_mdm.sys [2005-08-17 93904]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R3 QuarticsWP;QuarticsWP_Display_Driver; [x]
R3 QuarticsWPMirror;QuarticsWPMirror_Display_Driver; [x]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
S1 aswsp;avast! Self Protection; [x]
S2 aswfsblk;aswfsblk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-16 603904]


--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1659ff1b-f508-11dc-bbaf-00038a000015}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d39f71c-ff43-11dc-bbbf-00038a000015}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a9cd2f5-08dc-11de-bc5a-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc3d4b34-f4f5-11dc-bbae-00038a000015}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: Justin.tv Publisher - hxxp://www.justin.tv/plugins/justintv_publisher.CAB
FF - ProfilePath - c:\documents and settings\Winston Peters\Application Data\Mozilla\Firefox\Profiles\4md56u1a.default\
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthxqjyuyxmp]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxfubhoyxi.sys"
.
Completion time: 2009-04-20 20:22
ComboFix-quarantined-files.txt 2009-04-20 00:22

Pre-Run: 71,477,514,240 bytes free
Post-Run: 73,030,844,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

266 --- E O F --- 2009-04-18 00:05

Ried

Hi ZuriPhoenix.


Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


Locate whatever is typically your friend's G: drive and insert it


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

==================================

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

==================================





Refering to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

Please return with the C:\ComboFix.txt. I'd like to review the deletions before I send you for the online scan.

ZuriPhoenix

ComboFix 09-04-20.02 - Winston Peters 04/19/2009 23:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1153 [GMT -4:00]
Running from: c:\documents and settings\Winston Peters\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Winston Peters\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\54d3e3fb.sys
G:\m.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\54d3e3fb.sys
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\SelfDel.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OVFSTHXQJYUYXMP
-------\Service_54d3e3fb



((((((((((((((((((((((((((((( SnapShot@2009-04-20_00.16.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-20 04:13 . 2009-04-20 04:13 16384 c:\windows\temp\Perflib_Perfdata_408.dat
+ 2009-04-20 04:13 . 2009-04-20 04:13 16384 c:\windows\temp\Perflib_Perfdata_354.dat
+ 2009-04-18 05:05 . 2009-04-20 03:28 13428 c:\windows\SoftwareDistribution\EventCache\{4E83C19E-5E54-4A57-B3E1-EFA30A7AF01C}.bin
+ 2009-04-20 03:08 . 2006-06-20 08:56 225280 c:\windows\system32\rewire.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-06 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"TSTTCCU_550"="c:\program files\TSTT\CCU550\Bin\CMTNF5500D.exe" [2005-07-18 208896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Winston Peters\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-18 630784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-1-2 102400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1167760901\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-18 109080]
R3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\DRIVERS\cmo_bus.sys [2005-08-17 58352]
R3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\DRIVERS\cmo_mdfl.sys [2005-08-17 8304]
R3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\DRIVERS\cmo_mdm.sys [2005-08-17 93904]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R3 QuarticsWP;QuarticsWP_Display_Driver; [x]
R3 QuarticsWPMirror;QuarticsWPMirror_Display_Driver; [x]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
S1 aswsp;avast! Self Protection; [x]
S2 aswfsblk;aswfsblk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-16 603904]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1659ff1b-f508-11dc-bbaf-00038a000015}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d39f71c-ff43-11dc-bbbf-00038a000015}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc3d4b34-f4f5-11dc-bbae-00038a000015}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: Justin.tv Publisher - hxxp://www.justin.tv/plugins/justintv_publisher.CAB
FF - ProfilePath - c:\documents and settings\Winston Peters\Application Data\Mozilla\Firefox\Profiles\4md56u1a.default\
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 00:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\54d3e3fb]
"ImagePath"="\SystemRoot\System32\drivers\54d3e3fb.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthxqjyuyxmp]
"imagepath"="\systemroot\system32\drivers\ovfsthxfubhoyxi.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2220)
c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Vongo\VongoService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-04-20 0:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 04:18
ComboFix2.txt 2009-04-20 00:22

Pre-Run: 72,890,339,328 bytes free
Post-Run: 72,772,235,264 bytes free

210 --- E O F --- 2009-04-18 00:05

Ried

Please proceed with the online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

ZuriPhoenix

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 21, 2009 00:45:46
Records in database: 2064606
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 121517
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:01:33


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F336468.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Winston Peters\My Documents\wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\Documents and Settings\Winston Peters\My Documents\wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\Qoobox\Quarantine\[4]-Submit_2009-04-20@23.56.zip Infected: Packed.Win32.PolyCrypt.d 1

The selected area was scanned.

Ried

Did your friend download wpepro09x.zip herself possibly for gaming? If so, leave it.

The remainder of Kaspersky's findings are backups created during the course of this fix which we shall be clearing now.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should she wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.



To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of her recent issue, have her take a look at these articles to help I'm avoid any future infections:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

ZuriPhoenix

Ah, yes ! I believe she has that for gaming.
Did everything you instructed. Laptop seems to be working wonderfully now, no alerts from Avast ! YAY !
Now i can focus my attention more on the problem with my Home PC .... no solution found for that one yet ...

Thank You again Ried !

Ried

You're welcome, and goog luck with your machine.

Here's a thought, have you tried using System Restore and go back a bit to before that issue started?

ZuriPhoenix

It doesn't give me restore points to before the incident

Ried

Not even if you click the arrow to view March?

ZuriPhoenix

I don't see an arrow to View March ...

Start - Programs - Accessories - System Tools - System Restore

Thats where i went, is that the correct place ?