MS anti virus, (multiple trojan, maybe?)
Baskanos, New Member (Joined Sep 2008, Total Posts: 5) | Posted 9-3-2008 2:19 (GMT +1)

Been dealing with this for a few weeks, just found your site and you guys seem to be my only hope.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:05 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\vobwpobw.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\utevadir.exe
D:\WINDOWS\system32\hetshuxa.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\MSA\MSA.exe
D:\Program Files\PCHealthCenter\7.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\vobwpobw.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Default\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "D:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\4.0"
O4 - HKLM\..\Run: [hlpchkutil] D:\WINDOWS\vobwpobw.exe
O4 - HKLM\..\Run: [~YÕA~] Ù‹exe
O4 - HKLM\..\Run: [Antivirus] D:\Program Files\MSA\MSA.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [~YÕA~] Ù‹exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [debugpop] D:\DOCUME~1\Default\APPLIC~1\EACHLO~1\drive deaf.exe
O4 - HKCU\..\Run: [SrvProcMon] D:\WINDOWS\system32\utevadir.exe
O4 - HKCU\..\Run: [mntutilapl] D:\WINDOWS\system32\ngxilahw.exe
O4 - HKCU\..\Run: [genactinfo] D:\WINDOWS\system32\tulkfmfw.exe
O4 - HKLM\..\Policies\Explorer\Run: [QcsL60w10k] D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: procchkact - {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
-- End of file - 8356 bytes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/02/2008 at 10:45 AM
Application Version : 4.20.1046
Core Rules Database Version : 3554
Trace Rules Database Version: 1542
Scan type : Complete Scan
Total Scan Time : 01:09:17
Memory items scanned : 510
Memory threats detected : 5
Registry items scanned : 6790
Registry threats detected : 14
File items scanned : 49692
File threats detected : 61
Adware.Vundo Variant
  D:\WINDOWS\SYSTEM32\APPMGMT.DLL
  D:\WINDOWS\SYSTEM32\APPMGMT.DLL
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}
  HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}
  HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}\InprocServer32
  HKCR\CLSID\{A13649E2-A47E-4D21-8ABB-6DBFBE55483A}\InprocServer32#ThreadingModel

Rogue.Dropper/Gen
  D:\WINDOWS\SYSTEM32\LPHCAQLJ0EC6P.EXE
  D:\WINDOWS\SYSTEM32\LPHCAQLJ0EC6P.EXE
  D:\WINDOWS\Prefetch\LPHCAQLJ0EC6P.EXE-26913B0F.pf

NotHarmful.Sysinternals Bluescreen Screen Saver
  D:\WINDOWS\SYSTEM32\BLPHCAQLJ0EC6P.SCR
  D:\WINDOWS\SYSTEM32\BLPHCAQLJ0EC6P.SCR

Rogue.MS AntiVirus
  D:\PROGRAM FILES\MSA\MSA.EXE
  D:\PROGRAM FILES\MSA\MSA.EXE
  [Antivirus] D:\PROGRAM FILES\MSA\MSA.EXE
  D:\DOCUMENTS AND SETTINGS\DEFAULT\DESKTOP\MS ANTIVIRUS.LNK
  D:\WINDOWS\Prefetch\MSA.EXE-35AD0B56.pf

Rogue.MalwareProtector/Variant
  D:\WINDOWS\SYSTEM32\PPHCAQLJ0EC6P.EXE
  D:\WINDOWS\SYSTEM32\PPHCAQLJ0EC6P.EXE
  D:\WINDOWS\Prefetch\PPHCAQLJ0EC6P.EXE-11E4AE47.pf

Unclassified.Unknown Origin
  HKLM\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
  HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
  HKCR\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

Adware.Tracking Cookie
  D:\Documents and Settings\Default\Cookies\default@st[17].txt
  D:\Documents and Settings\Default\Cookies\default@st[26].txt
  D:\Documents and Settings\Default\Cookies\default@dtr.txt
  D:\Documents and Settings\Default\Cookies\default@st[45].txt
  D:\Documents and Settings\Default\Cookies\default@st[27].txt
  D:\Documents and Settings\Default\Cookies\default@st.txt
  D:\Documents and Settings\Default\Cookies\default@st.txt
  D:\Documents and Settings\Default\Cookies\default@cgi-bin.txt
  D:\Documents and Settings\Default\Cookies\default@st[19].txt
  D:\Documents and Settings\Default\Cookies\default@st.txt
  D:\Documents and Settings\Default\Cookies\default@st[37].txt
  D:\Documents and Settings\Default\Cookies\default@st[21].txt
  D:\Documents and Settings\Default\Cookies\default@st[44].txt
  D:\Documents and Settings\Default\Cookies\default@st[8].txt
  D:\Documents and Settings\Default\Cookies\default@st[7].txt

Trojan.Unknown Origin
  D:\WINDOWS\mslagent
  D:\WINDOWS\SYSTEM32\1.ICO
  D:\WINDOWS\SYSTEM32\2.ICO

Trojan.Media-Codec
  D:\Program Files\PCHealthCenter\sc.html
  D:\Program Files\PCHealthCenter\xe
  D:\Program Files\PCHealthCenter\ًexe
  D:\Program Files\PCHealthCenter

Trojan.DNSChanger-Codec
  HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\uninstall

Rogue.WindowsSecurityAdviser
  D:\Program Files\Microsoft Security Adviser\msctrl.log
  D:\Program Files\Microsoft Security Adviser\msctrl2.exe
  D:\Program Files\Microsoft Security Adviser\msctrl2.log
  D:\Program Files\Microsoft Security Adviser\mssadv.log
  D:\Program Files\Microsoft Security Adviser\mssadv_sp.log
  D:\Program Files\Microsoft Security Adviser
  D:\WINDOWS\Prefetch\MSCTRL2.EXE-0804B4A3.pf

Rogue.PC-Cleaner
  HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\mwc

Rogue.AntiVirus 2008
  HKU\S-1-5-21-1606980848-1532298954-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run#Antivirus [ D:\Program Files\MSA\MSA.exe ]
  D:\Documents and Settings\Default\Application Data\RHCEQLJ0EC6P
  D:\WINDOWS\SYSTEM32\PHCAQLJ0EC6P.BMP
  D:\Program Files\RHCEQLJ0EC6P

Rogue.AntiVirus XP 2008
  D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
  D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
  D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
  D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
  D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
  D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
  D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
  D:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

Trojan.FakeAlert/Desktop
  HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#WALLPAPER
  HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
  HKU\S-1-5-21-1606980848-1532298954-682003330-1003\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

Trojan.Downloader-SVCHost/Fake
  C:\GOOGLE.COM\SVCHOST.EXE
  D:\WINDOWS\Prefetch\SVCHOST.EXE-1396A748.pf

Trojan.Aff-YourThumbs
  D:\DOCUMENTS AND SETTINGS\DEFAULT\MSSADV.DLL

Trojan.Unclassified/MSCTRL
  D:\DOCUMENTS AND SETTINGS\DEFAULT\MSAVSC.DLL
  D:\DOCUMENTS AND SETTINGS\DEFAULT\MSCTRL.DLL
  D:\DOCUMENTS AND SETTINGS\DEFAULT\MSFW.DLL
  D:\DOCUMENTS AND SETTINGS\DEFAULT\MSIEMON.DLL
  D:\DOCUMENTS AND SETTINGS\DEFAULT\MSSCAN.DLL

Rogue.MS AntiVirus/A
  D:\PROGRAM FILES\MSA\MSA.CPL
  D:\WINDOWS\SYSTEM32\MSA.CPL

Adware.Multi-Dropper/Trace
  D:\WINDOWS\CROCK+MOCK.CONFIG

Rootkit.Filter-Gen
  D:\WINDOWS\SYSTEM32\DRIVERS\LZTQAJOG.DAT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-09-01.03 - Default 2008-09-02 11:36:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
D:\Program Files\altcmd
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\ijl11pro.dll
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\system32\phcaqlj0ec6p.bmp
D:\WINDOWS\winlogon.exe
D:\Documents and Settings\Default\Application Data\~tmp.html . . . . failed to delete
. ((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 ))))))))))))))))))))))))))))))) .
2008-09-02 11:43 . 2008-09-02 11:46 <DIR> d-------- D:\Program Files\PCHealthCenter
2008-09-02 11:43 . 2008-09-02 11:43 118,784 --a------ D:\WINDOWS\system32\blphcaqlj0ec6p.scr
2008-09-02 11:43 . 2008-09-02 11:43 98,304 --a------ D:\WINDOWS\system32\ngxilahw.exe
2008-09-02 11:26 . 2008-09-02 11:26 98,304 --a------ D:\WINDOWS\system32\utevadir.exe
2008-09-02 08:59 . 2008-09-02 08:59 <DIR> d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 08:41 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 08:35 . 2008-09-02 11:42 <DIR> d-------- D:\Program Files\MSA
2008-09-01 20:02 . 2008-09-01 20:02 203,776 --a------ D:\WINDOWS\system32\bwbyxszu.exe
2008-08-22 12:48 . 2008-08-22 12:48 <DIR> d-------- D:\WINDOWS\system32\xlib254.dll
2008-08-22 12:48 . 2008-08-22 12:48 <DIR> d-------- D:\WINDOWS\system32\append.dll
2008-08-22 12:19 . 2008-08-22 12:18 40,960 -r-hs---- D:\WINDOWS\system32\6to4svcl.exe
2008-08-22 12:19 . 2008-08-22 12:20 144 --ahs---- D:\WINDOWS\system32\1884727700.dat
2008-08-18 20:12 . 2008-08-18 20:12 <DIR> d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 <DIR> d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-14 12:51 . 2008-08-14 12:51 53,248 --a------ D:\WINDOWS\vobwpobw.exe
2008-08-04 15:49 . 2008-08-04 15:49 <DIR> d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 14:37 . 2008-08-04 14:37 <DIR> d-------- D:\Program Files\brwireg
2008-08-04 14:37 . 2008-08-04 14:37 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\fsxadsbu
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\bat glue time dash
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w D:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w D:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w D:\WINDOWS\system32\es.dll
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
2008-06-24 16:23 74,240 ----a-w D:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w D:\WINDOWS\system32\wininet.dll
2008-06-22 00:42 21,840 ----a-w D:\WINDOWS\system32\SIntfNT.dll
2008-06-22 00:42 17,212 ----a-w D:\WINDOWS\system32\SIntf32.dll
2008-06-22 00:42 12,067 ----a-w D:\WINDOWS\system32\SIntf16.dll
2008-06-20 17:41 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
.
------- Sigcheck -------
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]
"debugpop"="D:\DOCUME~1\Default\APPLIC~1\EACHLO~1\drive deaf.exe" [2008-07-21 526336]
"SrvProcMon"="D:\WINDOWS\system32\utevadir.exe" [2008-09-02 98304]
"mntutilapl"="D:\WINDOWS\system32\ngxilahw.exe" [2008-09-02 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"@"="xe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"hlpchkutil"="D:\WINDOWS\vobwpobw.exe" [2008-08-14 53248]
"Antivirus"="D:\Program Files\MSA\MSA.exe" [2008-08-30 412160]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"="D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe" [2008-08-04 61440]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"= {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll [2008-08-04 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series] --a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] --a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs] --a------ 2008-09-02 11:46 5051392 D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] --a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher] --a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA] --a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S0 uckkagnh;uckkagnh;D:\WINDOWS\system32\drivers\lztqajog.dat [ ]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 MBAMSwissArmy;MBAMSwissArmy;D:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-02 38528]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-lphcaqlj0ec6p - D:\WINDOWS\system32\lphcaqlj0ec6p.exe
HKLM-Run-SMrhceqlj0ec6p - D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\bravk493.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - D:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 11:43:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
D:\WINDOWS\system32\ngxilahw.exe 98304 bytes executable
D:\WINDOWS\system32\blphcaqlj0ec6p.scr 118784 bytes executable

scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]
"ImagePath"="system32\drivers\lztqajog.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Qoobox\Quarantine\D\WINDOWS\system32\lphcaqlj0ec6p.exe.vir
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\7.exe
C:\winlo.exe
C:\winlo.exe
.
**************************************************************************
.
Completion time: 2008-09-02 11:56:00 - machine was rebooted [Default]
ComboFix-quarantined-files.txt 2008-09-02 15:55:53
Pre-Run: 122,769,555,456 bytes free
Post-Run: 122,721,222,656 bytes free
270 --- E O F --- 2008-08-19 14:25:12

Anything you suggest will be of great help.
Touch, Forum Moderator (Joined Jun 2004, Total Posts: 13590) | Posted 9-3-2008 4:23 (GMT +1)

Hello
Please download Malwarebytes' Anti-Malware:
Or here:
to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Copy and Paste that log into your next reply, along with fresh combofix log.
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Do NOT post your problem in someone else's thread.
Baskanos (New Member) | Date Joined Sep 2008 | Total Posts : 5 | Posted 9-4-2008 2:15 (GMT +1)

Malwarebytes' Anti-Malware 1.26
Database version: 1110
Windows 5.1.2600 Service Pack 2

9/3/2008 4:46:33 AM
mbam-log-2008-09-03 (04-46-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 264322
Time elapsed: 4 hour(s), 26 minute(s), 39 second(s)

Memory Processes Infected: 17
Memory Modules Infected: 6
Registry Keys Infected: 13
Registry Values Infected: 43
Registry Data Items Infected: 4
Folders Infected: 17
Files Infected: 69

Memory Processes Infected:
D:\WINDOWS\runsql.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\sv.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svzip.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\vlc.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svx.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svw.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\WINDOWS\svc.exe (Trojan.Downloader) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Unloaded process successfully.
D:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Unloaded process successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe (Rogue.Multiple) -> Unloaded process successfully.
D:\WINDOWS\svhoster.exe (Trojan.Agent) -> Unloaded process successfully.
D:\WINDOWS\system32\pphcaqlj0ec6p.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
D:\Documents and Settings\Default\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
D:\Program Files\rhceqlj0ec6p\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
D:\WINDOWS\system32\autodis.dll (Spyware.BZub) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{389992b5-9fad-42a7-a7aa-8cfb256e7676} (Spyware.BZub) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{389992b5-9fad-42a7-a7aa-8cfb256e7676} (Spyware.BZub) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runsql (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netsv32 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netzip (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdmon (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netw (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net64 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcaqlj0ec6p (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
D:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\rhceqlj0ec6p\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\runsql.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\sv.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\svzip.exe (Trojan.Downloader) -> Delete on reboot.
D:\WINDOWS\vlc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\svc.exe (Trojan.Downloader) -> Delete on reboot.
D:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cab.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cac.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cae.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cag.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cah.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cai.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25cap.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25caq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\60325cahp25car.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\QooBox\Quarantine\D\WINDOWS\system32\blphcaqlj0ec6p.scr.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\blphcaqlj0ec6p.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\PCHealthCenter\e (Trojan.Fakealert) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\rhceqlj0ec6p.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\rhceqlj0ec6p\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
D:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
D:\WINDOWS\svhoster.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\1054j.exe (Backdoor.Bot) -> Delete on reboot.
D:\WINDOWS\system32\autodis.dll (Spyware.BZub) -> Delete on reboot.
D:\WINDOWS\system32\pphcaqlj0ec6p.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Default\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 08-09-01.03 - Default 2008-09-03 5:05:45.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Program Files\PCHealthCenter
D:\WINDOWS\system32\ativvax.dll
.
---- Previous Run -------
.
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\ati2dvag(3.dll
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\system32\phcaqlj0ec6p.bmp
.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.
2008-09-03 05:12 . 2008-09-03 05:12 <DIR> d-------- D:\Program Files\PCHealthCenter
2008-09-03 05:12 . 2008-09-03 05:12 625,208 --a------ D:\WINDOWS\system32\phcaqlj0ec6p.bmp
2008-09-03 05:12 . 2008-09-03 05:12 203,776 --a------ D:\WINDOWS\system32\lphcaqlj0ec6p.exe
2008-09-03 05:12 . 2008-09-03 05:12 118,784 --a------ D:\WINDOWS\system32\blphcaqlj0ec6p.scr
2008-09-03 05:12 . 2008-09-03 05:12 81,920 --a------ D:\WINDOWS\system32\zovqtqly.exe
2008-09-03 05:02 . 2008-09-03 05:02 81,920 --a------ D:\WINDOWS\system32\wpwlafup.exe
2008-09-03 04:50 . 2008-09-03 04:50 81,920 --a------ D:\WINDOWS\system32\fejsxgpk.exe
2008-09-02 12:15 . 2008-09-02 12:15 203,776 --a------ D:\WINDOWS\system32\xcpmpubi.exe
2008-09-02 12:15 . 2008-09-02 12:15 98,304 --a------ D:\WINDOWS\system32\tulkfmfw.exe
2008-09-02 11:43 . 2008-09-02 11:43 98,304 --a------ D:\WINDOWS\system32\ngxilahw.exe
2008-09-02 11:26 . 2008-09-02 11:26 98,304 --a------ D:\WINDOWS\system32\utevadir.exe
2008-09-02 08:59 . 2008-09-02 08:59 <DIR> d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 08:35 . 2008-09-03 05:12 <DIR> d-------- D:\Program Files\MSA
2008-09-01 20:02 . 2008-09-01 20:02 203,776 --a------ D:\WINDOWS\system32\bwbyxszu.exe
2008-08-22 12:19 . 2008-08-22 12:18 40,960 -r-hs---- D:\WINDOWS\system32\6to4svcl.exe
2008-08-22 12:19 . 2008-08-22 12:20 144 --ahs---- D:\WINDOWS\system32\1884727700.dat
2008-08-18 20:12 . 2008-08-18 20:12 <DIR> d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 <DIR> d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-14 12:51 . 2008-08-14 12:51 53,248 --a------ D:\WINDOWS\vobwpobw.exe
2008-08-04 15:49 . 2008-08-04 15:49 <DIR> d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 14:37 . 2008-08-04 14:37 <DIR> d-------- D:\Program Files\brwireg
2008-08-04 14:37 . 2008-08-04 14:37 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\fsxadsbu
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\bat glue time dash
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.
------- Sigcheck -------
.
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-09-02_11.55.30.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-12-31 12:00:00 91,648 ----a-w D:\WINDOWS\system32\certcl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94250E81-34BF-4A61-B913-8E8FDEBEF855}] 2002-12-31 08:00 91648 --a------ D:\WINDOWS\system32\certcl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "~YÕA~"="Ù‹exe" [X] "@"="xe" [X] "ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360] "MonSetAdm"="D:\WINDOWS\system32\fejsxgpk.exe" [2008-09-03 81920] "smartchk"="D:\WINDOWS\system32\wpwlafup.exe" [2008-09-03 81920] "hlpstr"="D:\WINDOWS\system32\zovqtqly.exe" [2008-09-03 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "~YÕA~"="Ù‹exe" [X] "@"="xe" [X] "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696] "osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704] "ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816] "RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216] "LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832] "UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408] "hlpchkutil"="D:\WINDOWS\vobwpobw.exe" [2008-08-14 53248] "lphcaqlj0ec6p"="D:\WINDOWS\system32\lphcaqlj0ec6p.exe" [2008-09-03 203776] "C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run] "QcsL60w10k"="D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe" [2008-08-04 61440]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispBackgroundPage"= 1 (0x1) "NoDispScrSavPage"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "procchkact"= {5A8DF54F-3C3A-F718-BF1B-008624137EAF} - D:\Program Files\brwireg\procchkact.dll [2008-08-04 110592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3acm"= l3codecp.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series] --a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] --a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs] --a------ 2008-09-02 23:01 5051904 D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] --a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher] --a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA] --a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S0 uckkagnh;uckkagnh;D:\WINDOWS\system32\drivers\lztqajog.dat [ ]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
SharedTaskScheduler-IPC Configuration Utility - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\bravk493.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - D:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 05:12:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
D:\WINDOWS\system32\blphcaqlj0ec6p.scr 118784 bytes executable
scan completed successfully hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh] "ImagePath"="system32\drivers\lztqajog.dat"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}] "ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 2008-09-03 5:22:10 - machine was rebooted [Default]
ComboFix-quarantined-files.txt 2008-09-03 09:22:04
ComboFix2.txt 2008-09-02 15:56:01
Pre-Run: 122,723,901,440 bytes free
Post-Run: 122,709,278,720 bytes free
265 --- E O F --- 2008-08-19 14:25:12
Touch Forum Moderator
Date Joined Jun 2004 Total Posts : 13590 | Posted 9-4-2008 4:21 (GMT +1)
Just curious - is your antivirus updated?
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
Killall::
Snapshot::
File::
D:\WINDOWS\system32\phcaqlj0ec6p.bmp
D:\WINDOWS\system32\lphcaqlj0ec6p.exe
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\zovqtqly.exe
D:\WINDOWS\system32\wpwlafup.exe
D:\WINDOWS\system32\fejsxgpk.exe
D:\WINDOWS\system32\xcpmpubi.exe
D:\WINDOWS\system32\tulkfmfw.exe
D:\WINDOWS\system32\ngxilahw.exe
D:\WINDOWS\system32\utevadir.exe
D:\WINDOWS\system32\bwbyxszu.exe
D:\WINDOWS\system32\6to4svcl.exe
D:\WINDOWS\system32\1884727700.dat
D:\WINDOWS\vobwpobw.exe
D:\WINDOWS\system32\certcl.dll
D:\WINDOWS\system32\drivers\lztqajog.dat
Folder::
D:\Program Files\PCHealthCenter
D:\Program Files\MSA
D:\Program Files\brwireg
D:\Documents and Settings\All Users\Application Data\fsxadsbu
D:\Documents and Settings\All Users\Application Data\bat glue time dash
Driver::
uckkagnh
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94250E81-34BF-4A61-B913-8E8FDEBEF855}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"=-
"@"=-
"MonSetAdm"=-
"smartchk"=-
"hlpstr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QcsL60w10k"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procchkact"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time Dash Second Regs]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uckkagnh]
Save this as: CFScript
Referring to the picture above, drag CFScript into ComboFix.exe
Then post a fresh ComboFix log.
Do NOT post your problem in someone else's thread.
Baskanos New Member
Date Joined Sep 2008 Total Posts : 5 | Posted 9-4-2008 9:48 (GMT +1)
No, I had some issues with Norton taking extra money and canceled the last renewal cycle. Can you suggest a good antivirus other than Norton? The cheaper the better. Kinda on a budget.
ComboFix 08-09-03.06 - Default 2008-09-04 0:39:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.662 [GMT -4:00]
Running from: D:\Documents and Settings\Default\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Default\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
D:\Documents and Settings\All Users\Application Data\bat glue time dash
D:\Documents and Settings\All Users\Application Data\bat glue time dash\bags bend.exe
D:\Documents and Settings\All Users\Application Data\fsxadsbu
D:\Documents and Settings\All Users\Application Data\fsxadsbu\tgzudydo.exe
D:\Program Files\brwireg
D:\Program Files\brwireg\procchkact.dll
D:\Program Files\MSA
D:\Program Files\MSA\MSA.cpl
D:\Program Files\MSA\MSA.exe
D:\Program Files\MSA\MSA.ooo
D:\Program Files\MSA\msa0.dat
D:\Program Files\MSA\msa1.dat
D:\Program Files\PCHealthCenter
D:\Program Files\PCHealthCenter\Ù‹exe
D:\Program Files\PCHealthCenter\0.exe
D:\Program Files\PCHealthCenter\0.gif
D:\Program Files\PCHealthCenter\1.exe
D:\Program Files\PCHealthCenter\1.gif
D:\Program Files\PCHealthCenter\1.ico
D:\Program Files\PCHealthCenter\2.exe
D:\Program Files\PCHealthCenter\2.gif
D:\Program Files\PCHealthCenter\2.ico
D:\Program Files\PCHealthCenter\3.exe
D:\Program Files\PCHealthCenter\3.gif
D:\Program Files\PCHealthCenter\4.exe
D:\Program Files\PCHealthCenter\5.exe
D:\Program Files\PCHealthCenter\7.exe
D:\Program Files\PCHealthCenter\xe
D:\WINDOWS\system32\1884727700.dat
D:\WINDOWS\system32\6to4svcl.exe
D:\WINDOWS\system32\blphcaqlj0ec6p.scr
D:\WINDOWS\system32\bwbyxszu.exe
D:\WINDOWS\system32\certcl.dll
D:\WINDOWS\system32\fejsxgpk.exe
D:\WINDOWS\system32\ngxilahw.exe
D:\WINDOWS\system32\tulkfmfw.exe
D:\WINDOWS\system32\utevadir.exe
D:\WINDOWS\system32\wpwlafup.exe
D:\WINDOWS\system32\xcpmpubi.exe
D:\WINDOWS\system32\zovqtqly.exe
D:\WINDOWS\vobwpobw.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UCKKAGNH
-------\Service_uckkagnh
((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.
2008-09-04 00:33 . 2008-09-04 00:33 90,112 --a------ D:\WINDOWS\system32\ozwncpkh.exe
2008-09-02 08:59 . 2008-09-02 08:59 <DIR> d-------- D:\Program Files\CCleaner
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Documents and Settings\Default\Application Data\SUPERAntiSpyware.com
2008-09-02 08:54 . 2008-09-02 08:54 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 08:41 . 2008-09-02 23:13 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 08:41 . 2008-09-02 00:16 38,528 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 08:41 . 2008-09-02 00:16 17,200 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 20:12 . 2008-08-18 20:12 <DIR> d-------- D:\Program Files\Sun
2008-08-18 18:23 . 2008-08-18 20:26 <DIR> d-------- D:\WINDOWS\system32\CatRoot_bak
2008-08-04 15:49 . 2008-08-04 15:49 <DIR> d-------- D:\Documents and Settings\Default\Application Data\Malwarebytes
2008-08-04 15:49 . 2008-08-04 15:49 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 18:54 --------- d-----w D:\Program Files\XoftSpySE
2008-08-23 17:45 --------- d-----w D:\Program Files\MySpace
2008-08-23 17:43 --------- d-----w D:\Program Files\Lavasoft
2008-08-22 16:51 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-08-19 14:25 --------- d-----w D:\Program Files\Microsoft Silverlight
2008-08-19 00:11 --------- d-----w D:\Program Files\Java
2008-07-29 02:48 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-29 02:48 --------- d-----w D:\Program Files\Logitech
2008-07-29 02:48 --------- d-----w D:\Program Files\Common Files\Logitech
2008-07-22 17:57 --------- d-----w D:\Program Files\RegCure
2008-07-22 16:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 15:13 --------- d-----w D:\Program Files\Norton AntiVirus
2008-07-22 02:27 --------- d-----w D:\Program Files\Diablo II
2008-07-22 01:22 --------- d-----w D:\Program Files\PlayOnline
2008-07-21 23:05 --------- d-----w D:\Program Files\each logo type
2008-07-21 23:05 --------- d-----w D:\Documents and Settings\Default\Application Data\each logo type
2008-07-21 21:52 --------- d-----w D:\Program Files\LimeWire
2008-07-05 16:04 --------- d-----w D:\Documents and Settings\Default\Application Data\CyberLink
2008-07-05 16:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-05 15:52 --------- d-----w D:\Program Files\CyberLink
.
------- Sigcheck -------
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 D:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 D:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 D:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d D:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e D:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 D:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 D:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2002-12-31 15360]
"EnAplCom"="D:\WINDOWS\system32\ozwncpkh.exe" [2008-09-04 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"~YÕA~"="Ù‹exe" [X]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"osCheck"="D:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 771704]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="D:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"UpdatePPShortCut"="D:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-08-16 218408]
"lphcaqlj0ec6p"="D:\WINDOWS\system32\lphcaqlj0ec6p.exe" [BU]
"C-Media Mixer"="Mixer.exe" [2001-11-15 D:\WINDOWS\mixer.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 16:28 352256 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3acm"= l3codecp.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComAplApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcaqlj0ec6p
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhceqlj0ec6p
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2002-12-31 08:00 15360 D:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series] --a------ 2003-08-19 06:43 57344 D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] --a------ 2007-04-19 13:26 484904 D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2007-03-01 15:57 153136 D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] --a------ 2006-11-30 22:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher] --a------ 2003-12-01 11:38 892928 D:\Program Files\Logitech\iTouch\iTouch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA] --a------ 2006-02-21 21:05 344064 D:\WINDOWS\system32\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"D:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"D:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"D:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-09 89749]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51 13560]
S3 LCcfltr;Logitech USB Filter Driver;D:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 XDva020;XDva020;D:\WINDOWS\system32\XDva020.sys [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "D:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-hlpchkutil - D:\WINDOWS\vobwpobw.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 00:45:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}] "ImagePath"="\??\D:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\AluSche