I have NOD32 antivirus, which has been VERY good to me. I cannot delete or remove this one virus. I have included my ComboFix and HijackThis logs. I went into safe mode and ran Malwarebytes and Spybot, but it did not help with this.
"C:\WINDOWS\system32\winlogon.exe contains Win32/Spy.Ursnif.A virus"
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:36 PM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Google Toolbar\gtbF.tmp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-21-1695938045-312014396-1043483193-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-1695938045-312014396-1043483193-1011\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LogMeInRemoteUser')
O4 - S-1-5-21-1695938045-312014396-1043483193-1011 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'LogMeInRemoteUser')
O4 - S-1-5-21-1695938045-312014396-1043483193-1011 User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'LogMeInRemoteUser')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

--
End of file - 8299 bytes
ComboFix 09-07-14.08 - Administrator 07/15/2009 15:15.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.222 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-117609710-484061587-682003330-1003
c:\windows\system32\AutoRun.inf
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((((   Drivers/Services   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS)
-------\Service_TDSSserv.sys
-------\Service_TDSSserv.sys)
.
(((((((((((((((((((((((((   Files Created from 2009-06-15 to 2009-07-15   )))))))))))))))))))))))))))))))
.
2009-07-15 19:02 . 2009-07-15 19:02 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-07-15 02:43 . 2009-07-15 02:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-15 02:33 . 2009-07-15 02:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-15 02:33 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 02:33 . 2009-07-15 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-15 02:33 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 02:33 . 2009-07-15 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 02:16 . 2009-07-15 02:16 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-22 01:10 . 2009-05-19 05:36 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 19:04 . 2006-01-24 03:06 40768 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 19:03 . 2008-11-26 23:11 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\skypePM
2009-07-15 19:03 . 2008-11-26 23:10 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Skype
2009-07-15 11:19 . 2008-11-20 21:18 -------- d-----w- c:\program files\LogMeIn
2009-07-15 02:33 . 2008-11-20 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 00:08 . 2008-01-03 22:02 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-07-14 00:04 . 2008-01-04 04:22 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-06-14 22:21 . 2006-01-16 17:43 -------- d-----w- c:\program files\WildTangent
2009-05-19 05:36 . 2009-06-22 01:10 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-22 01:10 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-22 01:10 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-22 01:10 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-22 01:10 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-22 01:10 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-22 01:10 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-07 15:32 . 2004-08-04 05:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 05:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-06-15 01:21 . 2008-09-03 12:40 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
------- Sigcheck -------
[7] 2004-08-04 05:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-10-23 19:48 507904 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\winlogon.exe
[7] 2004-08-04 05:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-10-23 19:48 295424 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-04-23 1443072]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]

c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-16 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-16 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ANIWZCSdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138757663\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138757663\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [4/23/2008 3:00 PM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [4/23/2008 2:58 PM 472320]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/20/2008 5:18 PM 47640]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/26/2008 2:14 PM 33808]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/19/2007 11:04 AM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12bb4872-715a-11dc-aa4d-001346967eb7}]
\Shell\AutoRun\command - explorer.exe "http://www.FestivalDisney.com/dcishow"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e777ff2d-12da-11dc-aa3c-001346967eb7}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\y7i99m1f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\y7i99m1f.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 15:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2009-07-15 15:34 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2009-07-15 19:33

Pre-Run: 50,478,583,808 bytes free
Post-Run: 50,410,614,784 bytes free

234 --- E O F --- 2009-06-16 00:36