03-13-2009, 11:18 PM   #1
Registered User
 
Join Date: Mar 2009
Posts: 4
OS: Windows XP SP3


Need help removing muzupera.dll and possibly others

Hi,

I'm having problems getting rid of some trojans on my system. First, I noticed that I could no longer use Google Chrome. Pages stopped loading on that browser. When using IE or Firefox, ads would start popping up at random times whenever a browser was open. Occasionally I'll also get a popup warning me that I have viruses on my system, followed shortly thereafter by a fake virus scan popup window. I have been unable to remove these trojans via Symantec Antivirus, Spybot, Ad-Aware, or Malwarebytes' Anti-Malware. They seem to detect the trojans with some degree of success, but are unable to permanently remove them. Muzupera.dll shows up as a startup item. Prior to running Anti-Malware, I also saw something called liyuwuviho as a startup item, but now it's not there. I do, however, see a reference to it when running HijackThis, but I'm not sure if it's been quarantined somehow, or if it's still running on my system.

If someone could help me clean off my computer, I'd be so very grateful. Per the instructions at the top of this forum, here is the text of DDS.txt, and ark.txt and Attach.txt are zipped and attached to this message.


DDS (Ver_09-02-01.01) - NTFSx86
Run by gkramer at 22:51:33.48 on Fri 03/13/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1202 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\altera\72\qprogrammer\bin\jtagserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
c:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\gkramer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Brownie\Brnipmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gkramer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://athp.hp.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Google Update] "c:\documents and settings\gkramer\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [COEMsgDisplay] c:\program files\hewlett-packard\pc coe\COEMsgDisplay.exe
mRun: [QuickPassword] c:\program files\activcard\activcard gold\agquickp.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IDA] c:\program files\hewlett-packard\pc coe\IDA.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CPM87b0e2d2] Rundll32.exe "c:\windows\system32\muzupera.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
mPolicies-system: DisableNT4Policy = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\hewlett-packard\ietoolbar\HP IE Fix.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPITWeb/Customer/cabs/HPISDataManager.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169809900876
DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} - hxxps://digitalbadge.external.hp.com/hp/HPPKI.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} - hxxps://digitalbadge.external.hp.com/hp/capicom.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: DeviceNP - DeviceNP.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll beblml.dll kvlpxb.dll c:\windows\system32\dusulotu.dll c:\windows\system32\nupuzife.dll qozedm.dll c:\windows\system32\hehoniwu.dll c:\windows\system32\muzupera.dll ,
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\muzupera.dll
LSA: Notification Packages = SbHpNp scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gkramer\applic~1\mozilla\firefox\profiles\da4h706u.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - plugin: c:\documents and settings\gkramer\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-10 64160]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-8-14 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-6-14 13184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-8-14 5840]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\common files\activcard\acautoreg.exe [2007-6-26 53248]
R2 Accoca;ActivCard Gold service;c:\program files\common files\activcard\accoca.exe [2004-5-12 143360]
R2 ADAM_VMwareVCMSDS;VMwareVCMSDS;c:\windows\adam\dsamain.exe -sn:vmwarevcmsds --> c:\windows\adam\dsamain.exe -sn:VMwareVCMSDS [?]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [1979-12-31 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-9-6 221184]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R2 msralinkmonitor;MSRA Link Monitor;c:\program files\remote tools\msraLinkMonitor.exe [2007-11-29 151552]
R2 MSSQL$SQLEXP_VIM;SQL Server (SQLEXP_VIM);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-8-5 29184016]
R2 radexecd;HP OVCM Notify Daemon;c:\program files\hewlett-packard\pc coe 3\ov cms\radexecd.exe [2007-2-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\hewlett-packard\pc coe 3\ov cms\radsched.exe [2007-3-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\program files\hewlett-packard\pc coe 3\ov cms\Radstgms.exe [2008-7-3 315570]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-5-26 115952]
R2 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-5-26 1799408]
R2 vstor2Vpx;Vstor2 Virtual Storage Driver for VirtualCenter;c:\program files\vmware\infrastructure\virtualcenter server\vstor2.sys [2008-10-2 26112]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-1-26 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2007-1-26 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2008-2-19 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-5-24 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090312.019\naveng.sys [2009-3-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090312.019\navex15.sys [2009-3-13 876144]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [2007-8-3 23424]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-5-24 47616]
R3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [2007-1-26 17024]
S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [1979-12-31 14336]
S2 vctomcat;VMware VirtualCenter Management Webservices;c:\program files\vmware\infrastructure\tomcat\bin\tomcat6.exe [2008-10-2 57344]
S2 vpxd;VMware VirtualCenter Server;c:\program files\vmware\infrastructure\virtualcenter server\vpxd.exe [2008-10-2 18567168]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftdibus.sys [2008-2-27 47249]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-2-25 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 magaService;Lan Discover Agent;c:\program files\sygate\ssa\maga\maga.exe --> c:\program files\sygate\ssa\maga\maga.exe [?]
S3 UPAS100K;CATC UPAS100K Driver;c:\windows\system32\drivers\upas100k.sys [2008-2-27 19616]
S3 vmountVpx;VMware Mount Service for VirtualCenter;c:\program files\vmware\infrastructure\virtualcenter server\vmount2.exe [2008-10-2 270336]

=============== Created Last 30 ================

2009-03-13 19:21 <DIR> --d----- c:\docume~1\gkramer\applic~1\Malwarebytes
2009-03-13 19:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-13 19:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 19:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 19:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-12 23:02 1,808,081 ---sh--- c:\windows\system32\ohirijam.ini
2009-03-12 22:52 142,336 a--sh--- c:\windows\system32\utjhuf.dll
2009-03-12 00:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-12 00:11 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-12 00:01 <DIR> --d----- c:\program files\Trend Micro
2009-03-11 21:42 142,336 a--sh--- c:\windows\system32\ylkdgs.dll
2009-03-11 09:42 141,824 a--sh--- c:\windows\system32\angtwt.dll
2009-03-11 08:11 1,808,094 ---sh--- c:\windows\system32\uyenavay.ini
2009-03-11 07:47 25,348 a------- c:\windows\system32\AAWService_2009_03_11_07_47_04.dmp
2009-03-11 07:45 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-10 22:31 141,312 a------- c:\windows\system32\zfkswu.dll
2009-03-10 22:19 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-10 22:15 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-10 22:15 <DIR> --d----- c:\program files\Lavasoft
2009-03-10 21:40 141,312 a------- c:\windows\system32\rijegazo.dll
2009-03-10 09:50 2,098 ---sh--- c:\windows\system32\betifupu.dll
2009-03-10 09:47 2,098 ---sh--- c:\windows\system32\jedudisu.dll
2009-03-10 01:34 <DIR> --d----- C:\New Folder
2009-03-10 01:16 <DIR> --d----- c:\windows\system32\syncdb
2009-03-09 21:41 142,336 a--sh--- c:\windows\system32\kvlpxb.dll
2009-03-09 19:05 <DIR> --d----- C:\strawberry
2009-03-09 18:57 <DIR> --d----- C:\Perl
2009-03-09 18:24 327 a------- c:\windows\wininit.ini
2009-03-09 09:41 142,848 a--sh--- c:\windows\system32\beblml.dll
2009-03-08 21:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-08 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-07 16:13 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-03-07 16:09 <DIR> --d--r-- c:\program files\Skype
2009-03-04 00:09 <DIR> --d----- C:\abcc
2009-03-04 00:08 34 a---h--- c:\windows\system32\DVDRippper_sysquict.dat
2009-03-04 00:07 <DIR> --d----- c:\program files\Abcc Free FLV AVI MP4 MPEG WMV ASF MOV Converter
2009-03-04 00:07 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-03-03 23:52 53,248 a------- c:\windows\system32\xvid.ax
2009-03-03 23:52 856,064 a------- c:\windows\system32\mpgfiltr.ax
2009-03-03 23:52 208,896 a------- c:\windows\system32\VideoEdit.ocx
2009-03-03 23:52 139,264 a------- c:\windows\system32\viscomqtde.dll
2009-03-03 23:52 81,920 a------- c:\windows\system32\viscomwave.dll
2009-03-03 00:13 <DIR> --d----- c:\temp\ads
2009-03-01 20:54 8,192 a--sh--- c:\windows\Thumbs.db
2009-02-27 20:01 <DIR> --d----- C:\DVDSlideshow
2009-02-27 20:01 1,271,296 a------- c:\windows\system32\cygxml2-2.dll
2009-02-27 20:01 1,140,617 a------- c:\windows\system32\cygwin1.dll
2009-02-27 20:01 1,015,128 a------- c:\windows\system32\cygiconv-2.dll
2009-02-27 20:01 455,680 a------- c:\windows\system32\mkisofs.exe
2009-02-27 20:01 369,152 a------- c:\windows\system32\cygfreetype-6.dll
2009-02-27 20:01 368,640 a------- c:\windows\system32\cdrecord.exe
2009-02-27 20:01 331,008 a------- c:\windows\system32\dvdauthor.exe
2009-02-27 20:01 323,242 a------- c:\windows\system32\spumux.exe
2009-02-27 20:01 176,640 a------- c:\windows\system32\cygpng12.dll
2009-02-27 20:01 62,976 a------- c:\windows\system32\cygz.dll
2009-02-27 19:49 <DIR> --d----- c:\program files\MemoriesOnWeb
2009-02-21 18:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc
2009-02-21 18:34 <DIR> --d----- c:\program files\SmartSound Software
2009-02-21 18:28 <DIR> --d----- c:\temp\elements
2009-02-20 23:57 <DIR> --d----- c:\temp\interviews
2009-02-19 21:36 <DIR> --d----- c:\program files\common files\DVDVideoSoft

==================== Find3M ====================

2009-03-12 22:52 142,336 a--sh--- c:\windows\system32\hujepaka.dll
2009-03-12 22:52 107,520 a--sh--- c:\windows\system32\muzupera.dll
2009-03-12 00:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-11 23:51 80,161 a------- c:\windows\system32\nvModes.dat
2009-03-11 09:42 106,496 a--sh--- c:\windows\system32\zadoguze.dll
2009-03-09 21:41 142,336 a--sh--- c:\windows\system32\viwipiya.dll
2009-03-09 09:41 142,848 a--sh--- c:\windows\system32\zesokuno.dll
2009-02-21 18:30 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-02-21 18:30 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-02-21 18:30 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys

============= FINISH: 22:53:19.31 ===============
Attached Files
File Type: zip Attach.zip (4.4 KB, 4 views)
lazyengineer is offline  
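The load points in the DDS log above (the rundll32 Run entry, AppInit_DLLs, SSODL and STS all naming muzupera.dll, plus the hidden+system DLLs under "Created Last 30") can be triaged mechanically. The following Python is an added example, not part of the thread or of the DDS tool; the regular expressions and thresholds are my assumptions, and the sample lines are constructed from entries quoted in the log.

```python
"""Triage helper for two DDS log sections: "Pseudo HJT Report" and
"Created Last 30".  Added example, not part of the thread or of DDS.
It flags one DLL wired into several autostart locations at once and
recently created hidden+system DLLs in system32.  Thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the posted "Pseudo HJT Report" lines.
SAMPLE_HJT = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CPM87b0e2d2] Rundll32.exe "c:\windows\system32\muzupera.dll",a
AppInit_DLLs: APSHook.dll beblml.dll kvlpxb.dll c:\windows\system32\dusulotu.dll c:\windows\system32\muzupera.dll ,
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\muzupera.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\muzupera.dll
"""

# Constructed sample: a subset of the posted "Created Last 30" lines.
SAMPLE_CREATED = r"""
2009-03-13 19:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-12 22:52 142,336 a--sh--- c:\windows\system32\utjhuf.dll
2009-03-12 00:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-10 09:50 2,098 ---sh--- c:\windows\system32\betifupu.dll
2009-03-10 22:15 <DIR> --d----- c:\program files\Lavasoft
"""

# A DLL reference is either a drive path (may contain spaces, ends at the
# first ".dll") or a bare file name as written in AppInit_DLLs.
DLL_RE = re.compile(r'[a-z]:\\[^",]*?\.dll|\b[\w-]+\.dll', re.IGNORECASE)
# Run entries routed through rundll32: capture the DLL and the export name.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)',
                       re.IGNORECASE)
# "Created Last 30" rows: timestamp, size or <DIR>, 8-char attributes, path.
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+'
                        r'([a-z-]{8})\s+(.+)$', re.IGNORECASE)


def load_point(line):
    """Map a DDS line prefix to a load-point kind; uRun and mRun are 'Run'."""
    kind = line.split(':', 1)[0].strip()
    return 'Run' if kind in ('uRun', 'mRun') else kind


def dll_load_points(hjt_text):
    """Return {dll basename (lowercase): set of load-point kinds naming it}."""
    seen = defaultdict(set)
    for line in hjt_text.strip().splitlines():
        kind = load_point(line)
        for ref in DLL_RE.findall(line):
            seen[ref.rsplit('\\', 1)[-1].lower()].add(kind)
    return seen


def cross_referenced_dlls(hjt_text, min_points=2):
    """DLLs registered in at least min_points distinct autostart locations.

    A legitimate component normally needs one hook; muzupera.dll in the
    post sits in four (Run, AppInit_DLLs, SSODL, STS), which is the signal.
    """
    return {name: kinds for name, kinds in dll_load_points(hjt_text).items()
            if len(kinds) >= min_points}


def rundll32_oddities(hjt_text, min_export_len=3):
    """Run entries using rundll32 with a missing or very short export name.

    The length threshold is an assumption: NvCpl.dll,NvStartup passes,
    muzupera.dll,a does not.  Paths are returned lowercased.
    """
    hits = []
    for line in hjt_text.strip().splitlines():
        if load_point(line) != 'Run':
            continue
        m = RUNDLL_RE.search(line)
        if m and len(m.group(2)) < min_export_len:
            hits.append(m.group(1).lower())
    return hits


def hidden_system_dlls(created_text):
    """Recently created *.dll under system32 with both s and h attributes."""
    hits = []
    for line in created_text.strip().splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3).lower(), m.group(4).lower()
        if ('s' in attrs and 'h' in attrs and path.endswith('.dll')
                and '\\system32\\' in path):
            hits.append(path)
    return hits


if __name__ == '__main__':
    print(cross_referenced_dlls(SAMPLE_HJT), rundll32_oddities(SAMPLE_HJT),
          hidden_system_dlls(SAMPLE_CREATED), sep='\n')
```

Run against a full DDS.txt the same three functions give a short review list; everything else in the report still needs a human eye, since a single load point (a stray BHO, a lone Notify entry) is not caught by the cross-reference check.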
03-15-2009, 03:03 PM   #2
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Need help removing muzupera.dll and possibly others

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
03-15-2009, 03:37 PM   #3
Registered User
 
Join Date: Mar 2009
Posts: 4
OS: Windows XP SP3


Re: Need help removing muzupera.dll and possibly others

Hi Steve,

Thanks for your help. Here is the text of ComboFix.txt:

ComboFix 09-03-14.02 - gkramer 2009-03-15 16:23:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1133 [GMT -5:00]
Running from: c:\documents and settings\gkramer\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\beblml.dll
c:\windows\system32\kvlpxb.dll
c:\windows\system32\muzupera.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\gkramer\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\angtwt.dll
c:\windows\system32\beblml.dll.vir
c:\windows\system32\hujepaka.dll
c:\windows\system32\kvlpxb.dll.vir
c:\windows\system32\muzupera.dll.vir
c:\windows\system32\ohirijam.ini
c:\windows\system32\rijegazo.dll
c:\windows\system32\utjhuf.dll
c:\windows\system32\uyenavay.ini
c:\windows\system32\viwipiya.dll
c:\windows\system32\ylkdgs.dll
c:\windows\system32\zadoguze.dll
c:\windows\system32\zesokuno.dll
c:\windows\system32\zfkswu.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-13 19:21 . 2009-03-13 19:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 19:21 . 2009-03-13 19:21 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Malwarebytes
2009-03-13 19:21 . 2009-03-13 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-13 19:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 19:21 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-13 19:15 . 2009-03-13 19:16 <DIR> d-------- C:\rsit
2009-03-12 00:27 . 2009-03-12 00:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-12 00:11 . 2009-03-12 00:11 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-12 00:01 . 2009-03-12 00:01 <DIR> d-------- c:\program files\Trend Micro
2009-03-11 07:47 . 2009-03-11 07:47 25,348 --a------ c:\windows\system32\AAWService_2009_03_11_07_47_04.dmp
2009-03-11 07:45 . 2009-03-10 22:19 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-10 22:20 . 2009-03-10 22:23 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 22:19 . 2009-03-10 22:19 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-10 22:15 . 2009-03-10 22:15 <DIR> d-------- c:\program files\Lavasoft
2009-03-10 22:15 . 2009-03-10 22:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-10 22:15 . 2009-03-10 22:15 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-10 09:50 . 2009-03-10 09:50 2,098 --ahs---- c:\windows\system32\betifupu.dll
2009-03-10 09:47 . 2009-03-10 09:47 2,098 --ahs---- c:\windows\system32\jedudisu.dll
2009-03-10 01:34 . 2009-03-10 01:34 <DIR> d-------- C:\New Folder
2009-03-10 01:16 . 2009-03-10 01:16 <DIR> d-------- c:\windows\system32\syncdb
2009-03-09 19:05 . 2009-03-10 22:52 <DIR> d-------- C:\strawberry
2009-03-09 18:57 . 2009-03-09 19:22 <DIR> d-------- C:\Perl
2009-03-09 18:24 . 2009-03-11 08:11 327 --a------ c:\windows\wininit.ini
2009-03-08 21:38 . 2009-03-10 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-08 21:38 . 2009-03-10 22:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 16:13 . 2009-03-07 16:13 <DIR> d-------- c:\documents and settings\gkramer\Application Data\skypePM
2009-03-07 16:13 . 2009-03-07 16:13 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-07 16:09 . 2009-03-07 16:09 <DIR> dr------- c:\program files\Skype
2009-03-07 16:09 . 2009-03-07 16:09 <DIR> d-------- c:\program files\Common Files\Skype
2009-03-07 16:09 . 2009-03-07 16:14 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Skype
2009-03-07 16:08 . 2009-03-07 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-03-04 22:13 . 2009-03-04 22:13 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Media Player Classic
2009-03-04 22:12 . 2009-03-04 22:12 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-03-04 00:09 . 2009-03-04 00:09 <DIR> d-------- C:\abcc
2009-03-04 00:08 . 2009-03-04 00:08 34 --ah----- c:\windows\system32\DVDRippper_sysquict.dat
2009-03-04 00:07 . 2009-03-04 22:13 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-03-04 00:07 . 2009-03-10 01:15 <DIR> d-------- c:\program files\Abcc Free FLV AVI MP4 MPEG WMV ASF MOV Converter
2009-03-03 23:52 . 2007-03-09 10:36 856,064 --a------ c:\windows\system32\mpgfiltr.ax
2009-03-03 23:52 . 2007-03-09 10:35 208,896 --a------ c:\windows\system32\VideoEdit.ocx
2009-03-03 23:52 . 2007-03-09 10:37 139,264 --a------ c:\windows\system32\viscomqtde.dll
2009-03-03 23:52 . 2007-03-09 10:36 81,920 --a------ c:\windows\system32\viscomwave.dll
2009-03-03 23:52 . 2004-09-06 04:06 53,248 --a------ c:\windows\system32\xvid.ax
2009-03-03 00:13 . 2009-03-03 00:13 <DIR> d-------- c:\temp\ads
2009-03-01 20:54 . 2009-03-01 20:54 8,192 --ahs---- c:\windows\Thumbs.db
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- C:\DVDSlideshow
2009-02-27 20:01 . 2006-12-29 12:29 1,271,296 --a------ c:\windows\system32\cygxml2-2.dll
2009-02-27 20:01 . 2006-12-29 12:29 1,140,617 --a------ c:\windows\system32\cygwin1.dll
2009-02-27 20:01 . 2006-12-29 12:29 1,015,128 --a------ c:\windows\system32\cygiconv-2.dll
2009-02-27 20:01 . 2006-12-04 14:48 455,680 --a------ c:\windows\system32\mkisofs.exe
2009-02-27 20:01 . 2006-12-29 12:29 369,152 --a------ c:\windows\system32\cygfreetype-6.dll
2009-02-27 20:01 . 2006-12-04 14:48 368,640 --a------ c:\windows\system32\cdrecord.exe
2009-02-27 20:01 . 2006-12-29 12:29 331,008 --a------ c:\windows\system32\dvdauthor.exe
2009-02-27 20:01 . 2006-12-29 12:29 323,242 --a------ c:\windows\system32\spumux.exe
2009-02-27 20:01 . 2006-12-29 12:29 176,640 --a------ c:\windows\system32\cygpng12.dll
2009-02-27 20:01 . 2006-12-29 12:29 62,976 --a------ c:\windows\system32\cygz.dll
2009-02-27 19:49 . 2009-02-27 19:57 <DIR> d-------- c:\program files\MemoriesOnWeb
2009-02-21 18:54 . 2009-02-21 18:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-21 18:34 . 2009-02-21 18:34 <DIR> d-------- c:\program files\SmartSound Software
2009-02-21 18:34 . 2009-02-21 18:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-02-21 18:28 . 2009-02-21 18:29 <DIR> d-------- c:\temp\elements
2009-02-21 17:44 . 2009-02-21 18:30 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Download Manager
2009-02-20 23:57 . 2009-03-03 00:06 <DIR> d-------- c:\temp\interviews
2009-02-19 21:36 . 2009-03-10 01:21 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 21:28 --------- d-----w c:\program files\symantec antivirus
2009-03-15 21:27 --------- d-----w c:\program files\Hewlett-Packard
2009-03-10 06:22 --------- d-----w c:\program files\Yahoo!
2009-03-10 06:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-10 06:16 --------- d-----w c:\program files\AviSynth 2.5
2009-03-10 06:16 --------- d-----w c:\program files\Any Video Converter
2009-03-10 06:15 --------- d-----w c:\documents and settings\gkramer\Application Data\Any Video Converter
2009-03-04 04:28 --------- d-----w c:\documents and settings\gkramer\Application Data\U3
2009-02-21 23:30 43,528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-13 06:31 --------- d-----w c:\documents and settings\gkramer\Application Data\Ulead Systems
2009-02-11 05:11 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-02-11 05:10 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 05:10 --------- d-----w c:\program files\Windows Media Components
2009-02-11 05:10 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
2009-02-11 05:09 --------- d-----w c:\program files\Corel
2009-02-11 05:02 --------- d-----w c:\documents and settings\gkramer\Application Data\avidemux
2009-02-05 06:10 --------- d-----w c:\documents and settings\gkramer\Application Data\Apple Computer
2009-02-05 06:09 --------- d-----w c:\program files\QuickTime
2009-02-05 06:09 --------- d-----w c:\program files\iTunes
2009-02-05 06:09 --------- d-----w c:\program files\iPod
2009-02-05 06:09 --------- d-----w c:\program files\Common Files\Apple
2009-02-05 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-05 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-03 01:14 --------- d-----w c:\program files\REA
2009-01-23 01:20 --------- d-----w c:\program files\Brownie
2009-01-23 01:19 --------- d-----w c:\program files\Brother
2009-01-23 01:12 --------- d-----w c:\documents and settings\All Users\Application Data\Brother
2009-01-18 02:06 --------- d-----w c:\program files\Java
2007-04-02 10:46 13,248 ----a-w c:\windows\system32\config\systemprofile\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\hpadmin\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\Default User\createprof.vbs
2007-02-23 14:43 851 ----a-w c:\windows\system32\config\systemprofile\enablecoe.vbs
2007-02-23 14:43 851 ----a-w c:\documents and settings\hpadmin\enablecoe.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\gkramer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-26 124656]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-01 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-01 81920]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2007-07-31 815104]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-10 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 148888]
"nwiz"="nwiz.exe" [2007-05-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-02-21 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 10:04 49152 c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadUIShell.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-10 64160]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-08-14 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-06-14 13184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-07-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-08-14 5840]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [2007-06-26 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [2004-05-12 143360]
R2 ADAM_VMwareVCMSDS;VMwareVCMSDS;c:\windows\ADAM\dsamain.exe -sn:VMwareVCMSDS --> c:\windows\ADAM\dsamain.exe -sn:VMwareVCMSDS [?]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-09-06 221184]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
R2 msralinkmonitor;MSRA Link Monitor;c:\program files\Remote tools\msraLinkMonitor.exe [2007-11-29 151552]
R2 MSSQL$SQLEXP_VIM;SQL Server (SQLEXP_VIM);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
R2 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [2007-03-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [2008-07-03 315570]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-05-26 115952]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R2 vstor2Vpx;Vstor2 Virtual Storage Driver for VirtualCenter;c:\program files\VMware\Infrastructure\VirtualCenter Server\vstor2.sys [2008-10-02 26112]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-01-26 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2007-01-26 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-04-06 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2008-02-19 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-05-24 41216]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [2007-08-03 23424]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-05-24 47616]
R3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [2007-01-26 17024]
S2 vctomcat;VMware VirtualCenter Management Webservices;c:\program files\VMware\Infrastructure\tomcat\bin\tomcat6.exe [2008-10-02 57344]
S2 vpxd;VMware VirtualCenter Server;c:\program files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe [2008-10-02 18567168]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftdibus.sys [2008-02-27 47249]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-02-25 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 UPAS100K;CATC UPAS100K Driver;c:\windows\system32\drivers\upas100k.sys [2008-02-27 19616]
S3 vmountVpx;VMware Mount Service for VirtualCenter;c:\program files\VMware\Infrastructure\VirtualCenter Server\vmount2.exe [2008-10-02 270336]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282938-8790-11dd-a1fd-001e37088728}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]
"c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-10 22:18]

2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1383384898-515967899-316697.job
- c:\documents and settings\gkramer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-12 08:08]

2009-03-15 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2008-09-12 01:17]

2009-03-15 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2008-09-12 01:17]

2009-03-15 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 18:06]

2009-03-15 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 01:27]

2009-03-15 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 17:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CPM87b0e2d2 - c:\windows\system32\muzupera.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\gkramer\Application Data\Mozilla\Firefox\Profiles\da4h706u.default\
FF - plugin: c:\documents and settings\gkramer\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 16:29:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ADAM_VMwareVCMSDS]
"ImagePath"="c:\windows\ADAM\dsamain.exe -sn:VMwareVCMSDS"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\DeviceNP.dll
c:\windows\system32\accsp.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acpinto.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll
c:\windows\system32\acober.dll
c:\program files\ActivCard\ActivCard Gold\resources\acoberrc.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\SbHpNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\symantec antivirus\DefWatch.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\altera\72\qprogrammer\bin\jtagserver.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\symantec antivirus\Rtvscan.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\ADAM\dsamain.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2009-03-15 16:33:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 21:33:56

Pre-Run: 75,783,999,488 bytes free
Post-Run: 75,720,658,944 bytes free

359 --- E O F --- 2009-02-25 09:00:38
lazyengineer is offline  
Old 03-16-2009, 01:39 AM   #4 (permalink)
sjb007
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64

Re: Need help removing muzupera.dll and possibly others

Hi there

I do notice that you have placed sites in your trusted zone. Sites in the trusted zone have the security level set to low by default. These sites can be removed from the trusted zone and simply placed in bookmarks. More information on using the trusted zone is available from here -> How to use security zones in Internet Explorer

Please open Notepad and copy and paste the following in the Code box into Notepad.

Quote:
File::
c:\windows\system32\betifupu.dll
c:\windows\system32\jedudisu.dll

DirLook::
c:\temp\ads

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

============================

Download and scan with CCleaner Slim
1. Double click the file and install CCleaner

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

============================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Please post back with the logs from Combofix and Kaspersky
sjb007 is offline  
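As an added example (not code from this thread, nor from ComboFix or any other tool it mentions), here is a small Python triage script that reads lines in the ComboFix log format posted above and flags the settings a defender would want to see first: the Trusted Zone hosts sjb007 points out (each runs at IE's low security level), the Security Center notifications and Symantec monitoring that the Reg Loading Points section shows disabled, the firewall profile with EnableFirewall set to 0, the globally open 3389:TCP port, and the orphaned Run entry that pointed at muzupera.dll. The sample log is constructed from lines copied out of the log above (with one Trusted Zone host repeated, as the real log does); the category names and the Finding class are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the ComboFix log
# posted earlier in this thread (Reg Loading Points, ORPHANS REMOVED and the
# Supplementary Scan), with one Trusted Zone host repeated as the real log does.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

- - - - ORPHANS REMOVED - - - -

HKLM-Run-CPM87b0e2d2 - c:\windows\system32\muzupera.dll

Trusted Zone: compaq.com
Trusted Zone: hp.com
Trusted Zone: compaq.com
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)$")
ORPHAN_RE = re.compile(r"^HKLM-Run-(\S+)\s+-\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    category: str   # machine-readable class of the finding (names are this example's own)
    detail: str     # the value name, host or path that triggered it


def parse_value(raw):
    """Return the integer behind ComboFix's two numeric renderings
    ('dword:00000001' and '0 (0x0)'); None for anything else."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def triage(log_text):
    """Walk the log once and collect posture-weakening settings."""
    findings = []
    section = ""
    in_orphans = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans = True
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            in_orphans = False
            continue
        m = TRUSTED_RE.match(line)
        if m:
            # Every Trusted Zone host runs at IE's low security level.
            findings.append(Finding("trusted_zone", m.group(1).lower()))
            continue
        m = ORPHAN_RE.match(line)
        if m and in_orphans:
            # A Run key whose target ComboFix removed: the autostart the user asked about.
            findings.append(Finding("orphan_run_entry", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), parse_value(m.group(2))
        leaf = section.rsplit("\\", 1)[-1]   # last key component, e.g. the profile name
        if "security center" in section and name.endswith("DisableNotify") and value == 1:
            findings.append(Finding("security_center_notify_off", name))
        elif "security center" in section and name == "DisableMonitoring" and value == 1:
            findings.append(Finding("security_center_monitoring_off", leaf))
        elif "firewallpolicy" in section and name == "EnableFirewall" and value == 0:
            findings.append(Finding("firewall_off", leaf))
        elif "firewallpolicy" in section and name == "DisableNotifications" and value == 1:
            findings.append(Finding("firewall_notify_off", leaf))
        elif "globallyopenports" in section:
            findings.append(Finding("open_port", name))
    return findings


def trusted_zone_hosts(findings):
    """Distinct Trusted Zone hosts, so the duplicated log lines collapse to one each."""
    return sorted({f.detail for f in findings if f.category == "trusted_zone"})


def summarize(findings):
    """Count findings per category; a quick read of a long log."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.category:32} {f.detail}")
    print("trusted zone hosts:", trusted_zone_hosts(found))
```

Run it against a full ComboFix log instead of SAMPLE_LOG and the output is a short list of what the machine's own protections were set to while the infection was present; the Trusted Zone list in particular shows why the analyst asks for those hosts to be moved to bookmarks.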
Old 03-16-2009, 09:44 PM   #5 (permalink)
lazyengineer
Registered User
Join Date: Mar 2009
Posts: 4
OS: Windows XP SP3

Re: Need help removing muzupera.dll and possibly others

Thanks again for your help. The sites in my trusted zone were put there by default by our IT dept at work, but I'll go ahead and take them out. Here are the log files that I got from combofix and Kaspersky scan:

ComboFix 09-03-15.01 - gkramer 2009-03-16 7:38:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1348 [GMT -5:00]
Running from: c:\documents and settings\gkramer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gkramer\Desktop\logfiles\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\betifupu.dll
c:\windows\system32\jedudisu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\betifupu.dll
c:\windows\system32\jedudisu.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-15 23:42 . 2009-03-15 23:42 <DIR> d-------- c:\temp\hadiya's photos
2009-03-13 19:21 . 2009-03-13 19:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 19:21 . 2009-03-13 19:21 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Malwarebytes
2009-03-13 19:21 . 2009-03-13 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-13 19:21 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 19:21 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-13 19:15 . 2009-03-13 19:16 <DIR> d-------- C:\rsit
2009-03-12 00:27 . 2009-03-12 00:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-12 00:11 . 2009-03-12 00:11 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-12 00:01 . 2009-03-12 00:01 <DIR> d-------- c:\program files\Trend Micro
2009-03-11 07:47 . 2009-03-11 07:47 25,348 --a------ c:\windows\system32\AAWService_2009_03_11_07_47_04.dmp
2009-03-11 07:45 . 2009-03-10 22:19 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-10 22:20 . 2009-03-10 22:23 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 22:19 . 2009-03-10 22:19 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-10 22:15 . 2009-03-10 22:15 <DIR> d-------- c:\program files\Lavasoft
2009-03-10 22:15 . 2009-03-10 22:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-10 22:15 . 2009-03-10 22:15 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-10 01:34 . 2009-03-10 01:34 <DIR> d-------- C:\New Folder
2009-03-10 01:16 . 2009-03-10 01:16 <DIR> d-------- c:\windows\system32\syncdb
2009-03-09 19:05 . 2009-03-10 22:52 <DIR> d-------- C:\strawberry
2009-03-09 18:57 . 2009-03-09 19:22 <DIR> d-------- C:\Perl
2009-03-09 18:24 . 2009-03-11 08:11 327 --a------ c:\windows\wininit.ini
2009-03-08 21:38 . 2009-03-10 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-08 21:38 . 2009-03-10 22:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 16:13 . 2009-03-07 16:13 <DIR> d-------- c:\documents and settings\gkramer\Application Data\skypePM
2009-03-07 16:13 . 2009-03-07 16:13 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-07 16:09 . 2009-03-07 16:09 <DIR> dr------- c:\program files\Skype
2009-03-07 16:09 . 2009-03-07 16:09 <DIR> d-------- c:\program files\Common Files\Skype
2009-03-07 16:09 . 2009-03-07 16:14 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Skype
2009-03-07 16:08 . 2009-03-07 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-03-04 22:13 . 2009-03-04 22:13 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Media Player Classic
2009-03-04 22:12 . 2009-03-04 22:12 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-03-04 00:09 . 2009-03-04 00:09 <DIR> d-------- C:\abcc
2009-03-04 00:08 . 2009-03-04 00:08 34 --ah----- c:\windows\system32\DVDRippper_sysquict.dat
2009-03-04 00:07 . 2009-03-04 22:13 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-03-04 00:07 . 2009-03-10 01:15 <DIR> d-------- c:\program files\Abcc Free FLV AVI MP4 MPEG WMV ASF MOV Converter
2009-03-03 23:52 . 2007-03-09 10:36 856,064 --a------ c:\windows\system32\mpgfiltr.ax
2009-03-03 23:52 . 2007-03-09 10:35 208,896 --a------ c:\windows\system32\VideoEdit.ocx
2009-03-03 23:52 . 2007-03-09 10:37 139,264 --a------ c:\windows\system32\viscomqtde.dll
2009-03-03 23:52 . 2007-03-09 10:36 81,920 --a------ c:\windows\system32\viscomwave.dll
2009-03-03 23:52 . 2004-09-06 04:06 53,248 --a------ c:\windows\system32\xvid.ax
2009-03-03 00:13 . 2009-03-03 00:13 <DIR> d-------- c:\temp\ads
2009-03-01 20:54 . 2009-03-01 20:54 8,192 --ahs---- c:\windows\Thumbs.db
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- C:\DVDSlideshow
2009-02-27 20:01 . 2006-12-29 12:29 1,271,296 --a------ c:\windows\system32\cygxml2-2.dll
2009-02-27 20:01 . 2006-12-29 12:29 1,140,617 --a------ c:\windows\system32\cygwin1.dll
2009-02-27 20:01 . 2006-12-29 12:29 1,015,128 --a------ c:\windows\system32\cygiconv-2.dll
2009-02-27 20:01 . 2006-12-04 14:48 455,680 --a------ c:\windows\system32\mkisofs.exe
2009-02-27 20:01 . 2006-12-29 12:29 369,152 --a------ c:\windows\system32\cygfreetype-6.dll
2009-02-27 20:01 . 2006-12-04 14:48 368,640 --a------ c:\windows\system32\cdrecord.exe
2009-02-27 20:01 . 2006-12-29 12:29 331,008 --a------ c:\windows\system32\dvdauthor.exe
2009-02-27 20:01 . 2006-12-29 12:29 323,242 --a------ c:\windows\system32\spumux.exe
2009-02-27 20:01 . 2006-12-29 12:29 176,640 --a------ c:\windows\system32\cygpng12.dll
2009-02-27 20:01 . 2006-12-29 12:29 62,976 --a------ c:\windows\system32\cygz.dll
2009-02-27 19:49 . 2009-02-27 19:57 <DIR> d-------- c:\program files\MemoriesOnWeb
2009-02-21 18:54 . 2009-02-21 18:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-21 18:34 . 2009-02-21 18:34 <DIR> d-------- c:\program files\SmartSound Software
2009-02-21 18:34 . 2009-02-21 18:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-02-21 18:28 . 2009-02-21 18:29 <DIR> d-------- c:\temp\elements
2009-02-21 17:44 . 2009-02-21 18:30 <DIR> d-------- c:\documents and settings\gkramer\Application Data\Download Manager
2009-02-20 23:57 . 2009-03-03 00:06 <DIR> d-------- c:\temp\interviews
2009-02-19 21:36 . 2009-03-10 01:21 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 12:44 --------- d-----w c:\program files\symantec antivirus
2009-03-15 21:27 --------- d-----w c:\program files\Hewlett-Packard
2009-03-10 06:22 --------- d-----w c:\program files\Yahoo!
2009-03-10 06:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-10 06:16 --------- d-----w c:\program files\AviSynth 2.5
2009-03-10 06:16 --------- d-----w c:\program files\Any Video Converter
2009-03-10 06:15 --------- d-----w c:\documents and settings\gkramer\Application Data\Any Video Converter
2009-03-04 04:28 --------- d-----w c:\documents and settings\gkramer\Application Data\U3
2009-02-21 23:30 43,528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-13 06:31 --------- d-----w c:\documents and settings\gkramer\Application Data\Ulead Systems
2009-02-11 05:11 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-02-11 05:10 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 05:10 --------- d-----w c:\program files\Windows Media Components
2009-02-11 05:10 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
2009-02-11 05:09 --------- d-----w c:\program files\Corel
2009-02-11 05:02 --------- d-----w c:\documents and settings\gkramer\Application Data\avidemux
2009-02-05 06:10 --------- d-----w c:\documents and settings\gkramer\Application Data\Apple Computer
2009-02-05 06:09 --------- d-----w c:\program files\QuickTime
2009-02-05 06:09 --------- d-----w c:\program files\iTunes
2009-02-05 06:09 --------- d-----w c:\program files\iPod
2009-02-05 06:09 --------- d-----w c:\program files\Common Files\Apple
2009-02-05 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-05 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-03 01:14 --------- d-----w c:\program files\REA
2009-01-23 01:20 --------- d-----w c:\program files\Brownie
2009-01-23 01:19 --------- d-----w c:\program files\Brother
2009-01-23 01:12 --------- d-----w c:\documents and settings\All Users\Application Data\Brother
2009-01-18 02:06 --------- d-----w c:\program files\Java
2007-04-02 10:46 13,248 ----a-w c:\windows\system32\config\systemprofile\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\hpadmin\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\Default User\createprof.vbs
2007-02-23 14:43 851 ----a-w c:\windows\system32\config\systemprofile\enablecoe.vbs
2007-02-23 14:43 851 ----a-w c:\documents and settings\hpadmin\enablecoe.vbs
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\temp\ads ----

2009-03-03 00:13 4908 --a------ c:\temp\ads\wiracles.jpeg
2009-03-03 00:13 1995 --a------ c:\temp\ads\blissfulsoul.jpeg


((((((((((((((((((((((((((((( SnapShot@2009-03-15_16.33.00.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2009-03-10 06:25:04 245,512 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-16 08:08:15 245,512 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-25 17:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2009-03-12 04:51:42 80,161 ----a-w c:\windows\system32\nvModes.dat
+ 2009-03-16 12:30:24 80,161 ----a-w c:\windows\system32\nvModes.dat
- 2009-03-14 03:52:52 100,228 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-16 12:31:39 100,228 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-14 03:52:52 518,848 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-16 12:31:39 518,848 ----a-w c:\windows\system32\perfh009.dat
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-09 07:38:24 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
+ 2009-03-16 12:43:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1f4.dat
+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\gkramer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-26 124656]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-01 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-01 81920]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2007-07-31 815104]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-10 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 148888]
"nwiz"="nwiz.exe" [2007-05-01 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-02-21 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 10:04 49152 c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadUIShell.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-10 64160]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-08-14 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-06-14 13184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-07-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-08-14 5840]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [2007-06-26 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [2004-05-12 143360]
R2 ADAM_VMwareVCMSDS;VMwareVCMSDS;c:\windows\ADAM\dsamain.exe -sn:VMwareVCMSDS --> c:\windows\ADAM\dsamain.exe -sn:VMwareVCMSDS [?]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-09-06 221184]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
R2 msralinkmonitor;MSRA Link Monitor;c:\program files\Remote tools\msraLinkMonitor.exe [2007-11-29 151552]
R2 MSSQL$SQLEXP_VIM;SQL Server (SQLEXP_VIM);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
R2 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [2007-03-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [2008-07-03 315570]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-05-26 115952]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R2 vstor2Vpx;Vstor2 Virtual Storage Driver for VirtualCenter;c:\program files\VMware\Infrastructure\VirtualCenter Server\vstor2.sys [2008-10-02 26112]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-01-26 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2007-01-26 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-04-06 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2008-02-19 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-05-24 41216]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [2007-08-03 23424]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-05-24 47616]
R3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [2007-01-26 17024]
S2 vctomcat;VMware VirtualCenter Management Webservices;c:\program files\VMware\Infrastructure\tomcat\bin\tomcat6.exe [2008-10-02 57344]
S2 vpxd;VMware VirtualCenter Server;c:\program files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe [2008-10-02 18567168]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftdibus.sys [2008-02-27 47249]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-02-25 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
S3 UPAS100K;CATC UPAS100K Driver;c:\windows\system32\drivers\upas100k.sys [2008-02-27 19616]
S3 vmountVpx;VMware Mount Service for VirtualCenter;c:\program files\VMware\Infrastructure\VirtualCenter Server\vmount2.exe [2008-10-02 270336]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282938-8790-11dd-a1fd-001e37088728}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]
"c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-10 22:18]

2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1383384898-515967899-316697.job
- c:\documents and settings\gkramer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-12 08:08]

2009-03-16 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2008-09-12 01:17]

2009-03-16 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2008-09-12 01:17]

2009-03-16 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 18:06]

2009-03-16 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 01:27]

2009-03-16 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 17:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\gkramer\Application Data\Mozilla\Firefox\Profiles\da4h706u.default\
FF - plugin: c:\documents and settings\gkramer\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 07:44:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ADAM_VMwareVCMSDS]
"ImagePath"="c:\windows\ADAM\dsamain.exe -sn:VMwareVCMSDS"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\DeviceNP.dll
c:\windows\system32\accsp.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acpinto.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll
c:\windows\system32\acober.dll
c:\program files\ActivCard\ActivCard Gold\resources\acoberrc.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\SbHpNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\symantec antivirus\DefWatch.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\altera\72\qprogrammer\bin\jtagserver.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\symantec antivirus\Rtvscan.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\ADAM\dsamain.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
.
**************************************************************************
.
Completion time: 2009-03-16 7:49:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 12:49:34
ComboFix2.txt 2009-03-15 21:33:59

Pre-Run: 75,582,734,336 bytes free
Post-Run: 75,565,752,320 bytes free

386 --- E O F --- 2009-03-16 08:02:00



========================================================

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 17, 2009 02:10:59
Records in database: 1917855
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
V:\

Scan statistics:
Files scanned: 102186
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:10:46

No malware has been detected. The scan area is clean.

The selected area was scanned.
lazyengineer is offline  
Old 03-17-2009, 01:49 AM   #6 (permalink)
sjb007
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64

Re: Need help removing muzupera.dll and possibly others

Hi there

All is looking good log wise, unless you are still experiencing any problems you are good to go.

Let's do a little bit of updating...

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Older versions of Java are vulnerable to malware.

Go to Start Menu > Control Panel > Add/Remove Programs
- Select J2SE Runtime Environment 5.0 Update 10 > click Remove
- Select J2SE Runtime Environment 5.0 Update 15 > click Remove
- Now Exit.

Let's tidy up after ourselves.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled, then

Visit Microsoft's Update Page and update your computer from there.
Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run free without a licence, but the background protection will not be active.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
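The posted ComboFix log showed Security Center notifications and the Windows Firewall switched off, and the reply above walks through the Internet Explorer Custom Level settings to tighten. The script below is an added example (not from the thread or its helper) that parses a REGEDIT4-style export in the same layout ComboFix prints and reports which of those settings are weaker than recommended; the IE zone value names (1001, 1004, 1201, 1800, 1804, 1607) are Internet Explorer's own action codes for those Custom Level entries, and the sample export is constructed.

```python
"""Audit REGEDIT4-style export text for the weak settings discussed in the thread.
Added example, not from the thread: parses the two value layouts ComboFix prints
("name"=dword:XXXXXXXX and "name"= 0 (0x0)) and flags Security Center / firewall
flags and Internet-zone Custom Level settings that are weaker than recommended.
The sample export is constructed."""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3  # IE zone action values
# Value names under HKCU\...\Internet Settings\Zones\3 (the Internet zone) and
# the level the reply recommends for each.
ZONE_RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
# Security Center / firewall flags as ComboFix names them, with the healthy value
# (the posted log showed all three the other way round).
POLICY_EXPECTED = {"AntiVirusDisableNotify": 0, "UpdatesDisableNotify": 0, "EnableFirewall": 1}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9A-Fa-f]{8})|(\d+)\s*\(0x[0-9A-Fa-f]+\))')

def parse_export(text):
    """Map each [key] to its integer-valued entries; string values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, hexval, decval = val.groups()
            keys[current][name] = int(hexval, 16) if hexval else int(decval)
    return keys

def audit(keys):
    """Return (key, value name, description, found, wanted) for each weak setting."""
    findings = []
    for path, values in keys.items():
        if path.lower().endswith(r"\internet settings\zones\3"):
            for code, (desc, want) in ZONE_RECOMMENDED.items():
                # Enable (0) < Prompt (1) < Disable (3): a lower number is more permissive
                if code in values and values[code] < want:
                    findings.append((path, code, desc, values[code], want))
        for name, want in POLICY_EXPECTED.items():
            if name in values and values[name] != want:
                findings.append((path, name, name, values[name], want))
    return findings

# Constructed sample in the layout of the posted log, not the poster's real export.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, desc, found, want in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{key}: {desc} ({name}) is {found}, recommended {want}")
```

Running it against the constructed sample lists the two Security Center flags, the disabled firewall, and the four zone settings still at Enable, which mirrors what a helper would pick out of the real log by eye.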
Old 03-17-2009, 08:29 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 4
OS: Windows XP SP3


Re: Need help removing muzupera.dll and possibly others

Thanks for all your help! One last question--what is your opinion of Google Chrome, security-wise? That is what I mainly use.
lazyengineer is offline  
Old 03-18-2009, 01:39 AM   #8 (permalink)
sjb007
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64

Re: Need help removing muzupera.dll and possibly others

Hi there

To be honest Google Chrome is not a browser I use myself so I cannot really comment on it, although on saying that I do have a news article tucked away in my bookmarks regarding the security of browsers here. Feel free to read the article, but at the same time please bear in mind that this article is now 3 months old and changes may have been made to various software.

I hope this answers your question.

As this topic is now resolved I will now discontinue monitoring this thread for replies. Should you require any further assistance, please start a new topic in the relevant section of the forums.

Good luck and happy safe surfing!
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  