vundo/zlob/smitfraud HELP!

Hi googlistics,

Welcome to TSF!

I go by markamus here. I will be glad to assist you with your computer problems. HijackThis logs can take a while to research, so please be patient with me. I know that you want your problems solved quickly, and I will work hard to help you.

Please observe these rules while we work:

1. I will be working on your malware issues. This may or may not solve other issues with your machine.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please reply to this thread. Do not start a new topic.
4. The fixes are specific to your problem and should only be used for the issues on this machine.
5. Please continue to review my answers until I tell you your machine is clear. Absense of symptoms does not mean everything is clear!

If you can do these things, everything should go smoothly

I am currently reviewing your log and will have a reply shortly.

Thanks,

markamus

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Hi Markamus,

Oh thank you so much for the prompt help.
Yes, I finally got rid of the virus FOR GOOD! ray:
Actually, before posting here I tried my hand at siri's SmitFraudFix and VundoFix, but both didnt seem to work. VundoFix showed the presence of the virus even after running it. KillBox-ing the dlls wudnt work either.

Finally, I searched some more and stumbled upon this GODSEND app ComboFix, which worked like a charm!!! :tongue:
I didnt even have to try the Recovery Console implementation. Just running the app worked fine. Today I log on here to find you giving me the same solution. AHHH! The sweet feeling of a virus-free computer!

THANKS A TON buddy, for helping me out. :wave:


Still, here's my HJT log to confirm. :smile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43, on 2008-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AvaFind\AvaFind.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\sudasoft\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.0.160:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://nlt-deploy;https://nims.nihilent.com;https://finance.nihilent.com;<local>
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: {5e350f12-9732-f3e8-5b54-0f81195e0d53} - {35d0e591-18f0-45b5-8e3f-237921f053e5} - C:\WINDOWS\system32\wbvipmnc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Single Signon] C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FPS.NIHILENT.COM
O17 - HKLM\Software\..\Telephony: DomainName = FPS.NIHILENT.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FPS.NIHILENT.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FPS.NIHILENT.COM
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

--
End of file - 8490 bytes


All right with the log, eh mate? :wink:

Hi Markamus,

Hey, sorry for the delay. Was busy enjoying my weekend.
This is an office PC that has been infected you see!

Neway, here's the ComboFix log.
Please tell me how to proceed further.



ComboFix 08-06-04.5 - abhijeet.savle 2008-06-05 16:48:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.474 [GMT 5.5:30]
Running from: E:\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMeb3ddf2f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXNfEts.dll
C:\WINDOWS\system32\cevvstkx.ini
C:\WINDOWS\system32\dxofypqu.ini
C:\WINDOWS\system32\lmutcohd.ini
C:\WINDOWS\system32\osttojwa.ini
C:\WINDOWS\system32\stEfNXyb.ini
C:\WINDOWS\system32\stEfNXyb.ini2
C:\WINDOWS\system32\urqonnno.dll
C:\WINDOWS\system32\vshatvye.ini
C:\WINDOWS\system32\vuuadffv.ini

----- BITS: Possible infected sites -----

hxxp://172.16.0.185
.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 15:10 . 2008-06-05 15:10 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-06-05 12:26 . 2008-06-05 12:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-05 10:54 . 2008-06-05 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-05 10:54 . 2008-06-05 10:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 18:51 . 2008-06-04 18:51 <DIR> d-------- C:\Program Files\iTunes
2008-06-04 18:51 . 2008-06-04 18:51 <DIR> d-------- C:\Program Files\iPod
2008-06-04 18:51 . 2008-06-05 10:54 <DIR> d-------- C:\Documents and Settings\abhijeet.savle\Application Data\Apple Computer
2008-06-04 18:50 . 2008-06-04 18:50 <DIR> d-------- C:\Program Files\QuickTime
2008-06-04 18:50 . 2008-06-04 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-04 15:14 . 2008-06-05 15:07 <DIR> d-------- C:\!KillBox
2008-06-04 14:21 . 2008-06-04 14:21 <DIR> d-------- C:\Program Files\AvaFind
2008-06-04 14:21 . 2008-06-05 15:23 <DIR> d-------- C:\Documents and Settings\abhijeet.savle\Application Data\AvaFind Data
2008-06-04 12:04 . 2008-06-04 12:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-04 12:04 . 2008-06-04 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 11:05 . 2008-06-04 11:05 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix
2008-06-03 11:33 . 2008-06-03 11:44 <DIR> d-------- C:\Program Files\GoldWave
2008-05-30 12:42 . 2008-05-30 12:42 <DIR> d-------- C:\Documents and Settings\ABHIJE~1~SAV\LOCALS~1
2008-05-30 12:42 . 2008-05-30 12:42 <DIR> d-------- C:\Documents and Settings\ABHIJE~1~SAV
2008-05-29 18:03 . 2007-03-17 04:21 <DIR> d-------- C:\Program Files\libmp3lame-3.97
2008-05-29 17:19 . 2008-05-29 17:19 <DIR> d-------- C:\Documents and Settings\lavanya.rajagopalan
2008-05-22 14:32 . 2008-05-22 14:33 <DIR> d-------- C:\Program Files\gtheme
2008-05-20 14:36 . 2008-05-20 14:36 <DIR> d-------- C:\Program Files\My Lockbox
2008-05-20 14:36 . 2007-12-13 20:13 17,264 --a------ C:\WINDOWS\system32\drivers\mprifl.sys
2008-05-19 13:57 . 2008-05-19 13:57 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-05-14 19:04 . 2008-05-14 19:04 <DIR> d-------- C:\Documents and Settings\abhijeet.savle\Application Data\tor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 11:22 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\OpenOffice.org2
2008-06-05 11:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-06-04 12:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 12:57 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\Audacity
2008-06-02 05:04 --------- d-----w C:\Program Files\DAP
2008-05-30 07:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 07:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-30 09:35 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\CopyTransControlCenter
2008-04-30 09:15 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\CopyTransManager
2008-04-23 09:36 --------- d-----w C:\Program Files\Easy RealMedia Tools
2008-04-17 05:00 --------- d-----w C:\Program Files\Elitecore
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35d0e591-18f0-45b5-8e3f-237921f053e5}]
C:\WINDOWS\system32\wbvipmnc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 18:11 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16 4670968]
"AvaFind"="C:\Program Files\AvaFind\AvaFind.exe" [2004-06-01 12:48 295936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-05-08 09:28 1015808]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-05 21:23 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-05 21:23 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-05 21:22 137752]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2008-03-14 15:06 136512]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 08:06 258048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"Single Signon"="C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe" [2006-12-22 20:32 57344]
"flockbox"="C:\Program Files\My Lockbox\flockbox.exe" [2007-12-14 16:59 1071472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 15:30 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\abhijeet.savle\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 20:45:54 65588]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-03-14 09:01:00 5517312]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2008-03-12 15:45:53 6144]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2008-03-17 15:17:02 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\FPS.NIHILENT.com\SysVol\FPS.NIHILENT.COM\scripts\cyberlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\nipns00a150\SYSVOL\FPS.NIHILENT.COM\scripts\cyberlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12418\Scripts\Logon\0\0]
"Script"=a.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12418\Scripts\Logon\0\1]
"Script"=\\FPS.NIHILENT.com\SysVol\FPS.NIHILENT.COM\scripts\cyberlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12418\Scripts\Logon\1\0]
"Script"=cyberlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12440\Scripts\Logon\0\0]
"Script"=a.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12440\Scripts\Logon\1\0]
"Script"=a.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"=
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 20:13]
R2 CBA8;LANDesk(R) Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 11:03]
R2 Softmon;LANDesk(R) Software Monitoring Service;"C:\Program Files\LANDesk\LDClient\softmon.exe" [2007-04-27 05:53]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-02 05:18]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-02 05:18]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-02 05:18]
S3 TPPWRIF;TPPWRIF;C:\Documents and Settings\All Users\Application Data\vulScan\TPPWRIF.sys [2006-09-21 17:53]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 16:51:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-06-05 16:53:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 11:23:37

Pre-Run: 14,533,349,376 bytes free
Post-Run: 14,519,353,344 bytes free

183

Run an online virus scan called Kaspersky from HERE.

• 1. Click on "Kaspersky Online Scanner"
  2. A new smaller window will pop up. Press on "Accept". After reading the contents.
  3. Now Kaspersky will update the anti-virus database. Let it run.
  4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  5. Then click on "My Computer". And the scan will start.
  6. When the scan is complete Select "Save error report as"
  Then in the file name just type in kaspersky
  Under "save as type" select text .txt
  Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan along with a fresh HijackThis log please.

Thanks,

markamus