not-a-virus:RemoteAdmin.Win32.WinVNC-based.c
pcunningham39
09-13-2007, 11:54 AM
I apologize, I am a newbie. I am having issues with these not-a-virus files. I have a Kaspersky scan report, but it is too long to post. Can anyone help me?
Thanks so much
classicsoftware
09-13-2007, 03:43 PM
Welcome to the PCGuide forums....
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall...
Use as many posts as needed to post the log...
Then post a hijackthis log.
pcunningham39
09-13-2007, 07:25 PM
Here's the combofix log. I'll download HijackThis and do a scan. Thanks for your help. Go Birds
ComboFix 07-09-13.3 - "Pete" 2007-09-13 18:03:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1455 [GMT -4:00]
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.
2007-09-13 18:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-12 12:26 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-12 12:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 12:26 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-15 03:09 <DIR> d-------- C:\WINDOWS\system32\Logs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 00:08 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-09-12 00:08 --------- d-------- C:\Program Files\SiteAdvisor
2007-09-09 16:32 --------- d-------- C:\DOCUME~1\Pete\APPLIC~1\SiteAdvisor
2007-09-04 13:56 --------- d-a------ C:\Program Files\Winamp
2007-09-01 09:39 --------- d-------- C:\Program Files\AdwareAlert
2007-08-25 22:45 99944 --a------ C:\WINDOWS\system32\Lfpcl15u.dll
2007-08-25 22:45 99944 --a------ C:\WINDOWS\system32\Lffax15u.dll
2007-08-25 22:45 95848 --a------ C:\WINDOWS\system32\Lcpdf15u.dll
2007-08-25 22:45 94208 --a------ C:\WINDOWS\system32\Vsm32.dll
2007-08-25 22:45 91752 --a------ C:\WINDOWS\system32\Ltaut15u.dll
2007-08-25 22:45 91752 --a------ C:\WINDOWS\system32\Lfpsp15u.dll
2007-08-25 22:45 87656 --a------ C:\WINDOWS\system32\NCSEcwC.dll
2007-08-25 22:45 87656 --a------ C:\WINDOWS\system32\Lfecw15u.dll
2007-08-25 22:45 83560 --a------ C:\WINDOWS\system32\Ltdlgutl15u.dll
2007-08-25 22:45 79464 --a------ C:\WINDOWS\system32\Lttlb15u.dll
2007-08-25 22:45 755304 --a------ C:\WINDOWS\system32\Ltdlgctrl15u.dll
2007-08-25 22:45 75368 --a------ C:\WINDOWS\system32\Ltpdg15u.dll
2007-08-25 22:45 75368 --a------ C:\WINDOWS\system32\Ltbar6w15u.dll
2007-08-25 22:45 75368 --a------ C:\WINDOWS\system32\LfJb215u.dll
2007-08-25 22:45 71272 --a------ C:\WINDOWS\system32\NCScnet.dll
2007-08-25 22:45 69632 --a------ C:\WINDOWS\system32\CcsHook.dll
2007-08-25 22:45 68200 --a------ C:\WINDOWS\system32\Lfjbg15u.dll
2007-08-25 22:45 67176 --a------ C:\WINDOWS\system32\Ltcon15u.dll
2007-08-25 22:45 67176 --a------ C:\WINDOWS\system32\Lfpct15u.dll
2007-08-25 22:45 67176 --a------ C:\WINDOWS\system32\Lfcgm15u.dll
2007-08-25 22:45 657000 --a------ C:\WINDOWS\system32\Ltdlgfile15u.dll
2007-08-25 22:45 632424 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-25 22:45 63080 --a------ C:\WINDOWS\system32\Ltzmv15u.dll
2007-08-25 22:45 63080 --a------ C:\WINDOWS\system32\Ltbar8w15u.dll
2007-08-25 22:45 63080 --a------ C:\WINDOWS\system32\Lczip15u.dll
2007-08-25 22:45 6144 --a------ C:\WINDOWS\system32\AWDCXC32.DLL
2007-08-25 22:45 610363 --a------ C:\WINDOWS\system32\PDC_SDK.dll
2007-08-25 22:45 58984 --a------ C:\WINDOWS\system32\Ltdlgcom15u.dll
2007-08-25 22:45 58984 --a------ C:\WINDOWS\system32\Lfcmx15u.dll
2007-08-25 22:45 57344 --a------ C:\WINDOWS\system32\MFC80ENU.dll
2007-08-25 22:45 554600 --a------ C:\WINDOWS\system32\msvcp80.dll
2007-08-25 22:45 55400 --a------ C:\WINDOWS\system32\lfgbr15u.dll
2007-08-25 22:45 54888 --a------ C:\WINDOWS\system32\Ltnet15u.dll
2007-08-25 22:45 54888 --a------ C:\WINDOWS\system32\Lfdrw15u.dll
2007-08-25 22:45 54376 --a------ C:\WINDOWS\system32\Lftfx15u.dll
2007-08-25 22:45 53248 --a------ C:\WINDOWS\system32\PIEHid.dll
2007-08-25 22:45 497256 --a------ C:\WINDOWS\system32\Ltdlgimgefx15u.dll
2007-08-25 22:45 484968 --a------ C:\WINDOWS\system32\Ltkrn15u.dll
2007-08-25 22:45 461968 --a------ C:\WINDOWS\system32\Ltfpx15u.dll
2007-08-25 22:45 448104 --a------ C:\WINDOWS\system32\Ltimgsfx15u.dll
2007-08-25 22:45 444008 --a------ C:\WINDOWS\system32\Ltbar415u.dll
2007-08-25 22:45 44136 --a------ C:\WINDOWS\system32\Ltbar15u.dll
2007-08-25 22:45 44136 --a------ C:\WINDOWS\system32\lffpx15u.dll
2007-08-25 22:45 433664 --a------ C:\WINDOWS\system32\DC120V154_32.dll
2007-08-25 22:45 42600 --a------ C:\WINDOWS\system32\Ltlst15u.dll
2007-08-25 22:45 42600 --a------ C:\WINDOWS\system32\Ltbar7w15u.dll
2007-08-25 22:45 423528 --a------ C:\WINDOWS\system32\Lfcmw15u.dll
2007-08-25 22:45 41576 --a------ C:\WINDOWS\system32\Lfptk15u.dll
2007-08-25 22:45 41576 --a------ C:\WINDOWS\system32\Lfmpg15u.dll
2007-08-25 22:45 41064 --a------ C:\WINDOWS\system32\Ltimgopt15u.dll
2007-08-25 22:45 40552 --a------ C:\WINDOWS\system32\Lfpsd15u.dll
2007-08-25 22:45 386664 --a------ C:\WINDOWS\system32\Lfcmp15u.dll
2007-08-25 22:45 38504 --a------ C:\WINDOWS\system32\Lfvpg15u.dll
2007-08-25 22:45 38504 --a------ C:\WINDOWS\system32\Lfflc15u.dll
2007-08-25 22:45 368640 --a------ C:\WINDOWS\system32\DCSProBack.dll
2007-08-25 22:45 368640 --a------ C:\WINDOWS\system32\DCSPro3SLR.dll
2007-08-25 22:45 357992 --a------ C:\WINDOWS\system32\Ltimgcor15u.dll
2007-08-25 22:45 353896 --a------ C:\WINDOWS\system32\Lfsvg15u.dll
2007-08-25 22:45 349800 --a------ C:\WINDOWS\system32\Ltdlgclr15u.dll
2007-08-25 22:45 34920 --a------ C:\WINDOWS\system32\Lfgif15u.dll
2007-08-25 22:45 34408 --a------ C:\WINDOWS\system32\Lfacs15u.dll
2007-08-25 22:45 339968 --a------ C:\WINDOWS\system32\acpdfcrext.dll
2007-08-25 22:45 32360 --a------ C:\WINDOWS\system32\Lfshp15u.dll
2007-08-25 22:45 32360 --a------ C:\WINDOWS\system32\Lfnap15u.dll
2007-08-25 22:45 32360 --a------ C:\WINDOWS\system32\Lfica15u.dll
2007-08-25 22:45 317032 --a------ C:\WINDOWS\system32\Ltsqlite15u.dll
2007-08-25 22:45 30312 --a------ C:\WINDOWS\system32\Lfxpm15u.dll
2007-08-25 22:45 30312 --a------ C:\WINDOWS\system32\Lfbmp15u.dll
2007-08-25 22:45 27752 --a------ C:\WINDOWS\system32\Lfwmf15u.dll
2007-08-25 22:45 27240 --a------ C:\WINDOWS\system32\Lfcal15u.dll
2007-08-25 22:45 26728 --a------ C:\WINDOWS\system32\Lfeps15u.dll
2007-08-25 22:45 26624 --a------ C:\WINDOWS\system32\AWRESX32.DLL
2007-08-25 22:45 263784 --a------ C:\WINDOWS\system32\Ltdis15u.dll
2007-08-25 22:45 262144 --a------ C:\WINDOWS\system32\acpdfcrdb.dll
2007-08-25 22:45 26112 --a------ C:\WINDOWS\system32\Ctl3d95.dll
2007-08-25 22:45 259688 --a------ C:\WINDOWS\system32\Lvkrn15u.dll
2007-08-25 22:45 259688 --a------ C:\WINDOWS\system32\Ltefx15u.dll
2007-08-25 22:45 259688 --a------ C:\WINDOWS\system32\Lfdgn15u.dll
2007-08-25 22:45 24680 --a------ C:\WINDOWS\system32\Lfrtf15u.dll
2007-08-25 22:45 24680 --a------ C:\WINDOWS\system32\Lfiff15u.dll
2007-08-25 22:45 24576 --a------ C:\WINDOWS\system32\AWCODC32.DLL
2007-08-25 22:45 23656 --a------ C:\WINDOWS\system32\Lftxt15u.dll
2007-08-25 22:45 23656 --a------ C:\WINDOWS\system32\Lfpcx15u.dll
2007-08-25 22:45 23656 --a------ C:\WINDOWS\system32\Lfabi15u.dll
2007-08-25 22:45 235112 --a------ C:\WINDOWS\system32\Ltdlgkrn15u.dll
2007-08-25 22:45 235112 --a------ C:\WINDOWS\system32\Lfj2k15u.dll
2007-08-25 22:45 23144 --a------ C:\WINDOWS\system32\Lfdcr15u.dll
2007-08-25 22:45 226920 --a------ C:\WINDOWS\system32\Lfafp15u.dll
2007-08-25 22:45 22632 --a------ C:\WINDOWS\system32\Lfxwd15u.dll
2007-08-25 22:45 22632 --a------ C:\WINDOWS\system32\Lfclp15u.dll
2007-08-25 22:45 22632 --a------ C:\WINDOWS\system32\Lfani15u.dll
2007-08-25 22:45 22632 --a------ C:\WINDOWS\system32\Lcmrc15u.dll
2007-08-25 22:45 2242152 --a------ C:\WINDOWS\system32\Ltwvc15u.dll
2007-08-25 22:45 2219152 --a------ C:\WINDOWS\system32\Ltwvc215u.dll
2007-08-25 22:45 22120 --a------ C:\WINDOWS\system32\Lflma15u.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
pcunningham39
09-13-2007, 07:26 PM
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2001-10-25 10:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\winvnc.exe" [2003-03-05 13:49]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-08-11 04:07]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"adwarealert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2007-02-13 11:44]
"SIE2004"="C:\Program Files\Winferno\SIEPIE\SIEPulse.exe" []
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-08 22:39]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 18:50]
"DXDllRegExe"="dxdllreg.exe" []
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 19:15]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-07-13 16:14]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2006-12-21 22:54]
"ErrorRepairPro"="C:\Program Files\Error Repair Professional\autostart.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-11-28 12:12:14]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-03-22 16:39:43]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
backup=C:\WINDOWS\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pete^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Greetings Reminders.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
"C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_7 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 MedentAdminService;Medent Admin Service;c:\medent\bin\AdminService.exe
R2 MedentPrintService;Medent Print Service;c:\medent\bin\PrintService.exe
R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
R3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{539723a4-0182-11dc-aecb-00123f7651e3}]
AutoRun\command- G:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-08-15 05:25:11 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-09-01 05:00:19 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-09-13 05:55:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 18:06:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-13 18:07:06
.
--- E O F ---
pcunningham39
09-13-2007, 07:39 PM
Here's the hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:20 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\medent\bin\AdminService.exe
c:\medent\bin\PrintService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Pete\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [adwarealert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [SIE2004] "C:\Program Files\Winferno\SIEPIE\SIEPulse.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp
pcunningham39
09-13-2007, 07:40 PM
Here's the second part
Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ErrorRepairPro] C:\Program Files\Error Repair Professional\autostart.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {61847089-A2B2-410D-AACA-78159B7D6F81} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {B7D4917E-7C0F-40F9-8FCE-330AEA909D0E} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {E5761F9C-B95A-4027-8950-546A00BD0B5A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Medent Admin Service (MedentAdminService) - Unknown owner - c:\medent\bin\AdminService.exe
O23 - Service: Medent Print Service (MedentPrintService) - Unknown owner - c:\medent\bin\PrintService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
--
End of file - 11900 bytes
classicsoftware
09-13-2007, 10:36 PM
Is the system running any better after the combofix?
Can you give me part of the kaspersky log that indicates what the virus is?
pcunningham39
09-14-2007, 12:02 PM
I haven't been on the computer enough to compare performance after combofix. Here's part of the Kaspersky log. Thanks again.
C:\Documents and Settings\Pete\Desktop\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Pete\Desktop\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Pete\Desktop\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Pete\Desktop\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\Pete\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Pete\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Pete\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Pete\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pete\Local Settings\Temp\Perflib_Perfdata_a28.dat Object is locked skipped
C:\Documents and Settings\Pete\Local Settings\Temp\Perflib_Perfdata_ccc.dat Object is locked skipped
C:\Documents and Settings\Pete\Local Settings\Temp\~DF49FD.tmp Object is locked skipped
C:\Documents and Settings\Pete\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pete\ntuser.dat Object is locked skipped
C:\Documents and Settings\Pete\ntuser.dat.LOG Object is locked skipped
C:\hpcmerr.log Object is locked skipped
C:\Program Files\AdwareAlert\Quarantine\04-05-2007-11-26-00\10027.qit\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\AdwareAlert\Quarantine\04-05-2007-11-26-00\10027.qit\WinVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\AdwareAlert\Quarantine\04-05-2007-11-26-00\10027.qit\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\RealVNC\WinVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped