Win32/Spy.Ursnif.A virus

I'm running XP and have been receiving the following error message from eset NOD32 for four days now:

Object:
C:\WINDOWS\system32\winlogon.exe
Threat:
Win32/Spy.Ursnif.A Virus
Comment:
Event occurred during at attempt to run the file by the application:
C:\Program Files\Google\Update\GoogleUpdate.exe.

When I try to clean or delete, I am informed that this object cannot be cleaned. I tried running malwarebytes without effect. I read someone recommending ComboFix, but it is stressed that that not be used without guidance. I'm getting the feeling this is not good news for me and my privacy (Gulp!), so here is my plea for help. Thanks in advance.

Comments

  • edited June 2009
    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe




    ==============================WARNING==============================
    There is some evidence of what may be a very nasty infection.
    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
    • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
      Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
    • Take any other steps you think appropriate for an attempted identity theft.
    ==============================WARNING==============================




    Step 1


    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper




    Step 2

    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on save list button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.



    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Combofix Log
    • Installed Programs List
  • edited June 2009
    (I'm having to write this a second time. Apparently I was logged off. Ugh.)

    Thanks for the reply and help. Tonight I can't get the infected computer on line. I'm writing this from my mac book. I had already downloaded ComboFix yesterday, without running it yet. I assume I can transfer the log to disk and send it to you from this computer. Probably the same thing with the HiJack log. I had not downloaded the windows recovery program, however. Is it necessary or just for protection? Perhaps I can take the chance without it. Or will it be possible to download the windows recovery program and/or the hijack program to this computer and save it to disk for uploading onto the infected computer? Will I need to zip it? I can do these things, but I am on the edge of what I know the entire time.

    I still have hopes of getting the infected computer on line. If I don't, I won't do anything else until I hear from you. Is it possible you can still help me out without the infected computer being able to get on line?

    Thanks again. Your help is a life-saver. I'd have no chance without it.
  • edited June 2009
    Okay, I got back on line and here are the requested logs.

    ComboFix log:

    ComboFix 09-06-28.01 - George 06/28/2009 23:42.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.642 [GMT -4:00]
    Running from: c:\documents and settings\George\Desktop\ComboFix.exe
    AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Pat Adler\Local Settings\Temporary Internet Files\CSC2.1U-EN-561-I.sbr.sgn
    c:\documents and settings\Pat Adler\Local Settings\Temporary Internet Files\CSC2.1U-EN-827-F.sbr.sgn
    c:\documents and settings\Pat Adler\Local Settings\Temporary Internet Files\CSC2.1U-EN-952-I.sbr.sgn
    c:\documents and settings\Pat Adler\Local Settings\Temporary Internet Files\CSC2.1U-EN-952-I.sbr.sgn.unsgn
    c:\documents and settings\Pat Adler\nah_log.dat
    c:\documents and settings\Visitor\Local Settings\Temporary Internet Files\CSC2.1U-EN-602-F.sbr.sgn
    c:\windows\system32\AutoRun.inf

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
    .

    2009-06-28 16:03 . 2009-06-28 16:03 -------- d-----w- c:\program files\Trend Micro
    2009-06-28 03:17 . 2009-06-28 03:17 -------- d-----w- c:\documents and settings\George\Application Data\Malwarebytes
    2009-06-28 02:43 . 2009-06-28 02:43 -------- d-----w- c:\documents and settings\Pat Adler\Application Data\Malwarebytes
    2009-06-28 02:43 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-28 02:43 . 2009-06-28 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-28 02:43 . 2009-06-28 02:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-28 02:43 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-26 02:33 . 2009-06-26 02:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
    2009-06-25 12:24 . 2009-06-25 12:24 -------- d-----w- c:\documents and settings\George\Local Settings\Application Data\ESET
    2009-06-19 03:34 . 2009-06-19 03:34 -------- d-sh--w- c:\documents and settings\Pat Adler\PrivacIE
    2009-06-13 13:35 . 2009-06-13 13:35 -------- d-sh--w- c:\documents and settings\George\PrivacIE
    2009-06-11 13:31 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-11 13:31 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-13 13:54 . 2008-05-31 16:03 43160 ----a-w- c:\documents and settings\George\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-13 12:58 . 2007-08-14 20:38 -------- d-----w- c:\program files\MSN Messenger
    2009-06-09 12:37 . 2009-05-15 19:53 988328 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-06-02 01:53 . 2007-09-23 16:01 -------- d-----w- c:\program files\Google
    2009-05-15 20:23 . 2006-09-01 20:18 43160 ----a-w- c:\documents and settings\Pat Adler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-15 20:20 . 2009-05-15 20:20 -------- d-----w- c:\program files\NetLibrary
    2009-05-15 19:53 . 2009-05-15 19:53 -------- d-----w- c:\program files\MSBuild
    2009-05-15 19:53 . 2009-05-15 19:53 -------- d-----w- c:\program files\Reference Assemblies
    2009-05-15 19:26 . 2007-07-16 12:03 -------- d-----w- c:\program files\Windows Media Connect 2
    2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-11 17:25 . 2009-05-11 02:14 -------- d-----w- c:\documents and settings\Pat Adler\Application Data\Move Networks
    2009-05-07 15:32 . 2004-08-04 12:00 345600 ------w- c:\windows\system32\localspl.dll
    2009-05-07 10:23 . 2006-09-07 01:54 -------- d-----w- c:\program files\CMS Peripherals
    2009-05-07 02:00 . 2009-05-07 02:00 -------- d-----w- c:\program files\Citrix
    2009-05-07 02:00 . 2009-05-07 02:00 70984 ----a-w- c:\documents and settings\Pat Adler\g2mdlhlpx.exe
    2009-05-06 23:27 . 2009-05-06 23:27 -------- d-----w- c:\program files\Coupons
    2009-05-05 19:10 . 2009-05-05 19:10 -------- d-----w- c:\documents and settings\Visitor\Application Data\ESET
    2009-05-05 02:29 . 2009-05-05 02:29 -------- d-----w- c:\documents and settings\George\Application Data\ESET
    2009-05-05 02:28 . 2006-09-01 19:59 -------- d-----w- c:\program files\ESET
    2009-05-05 02:25 . 2009-05-05 02:25 -------- d-----w- c:\documents and settings\Pat Adler\Application Data\ESET
    2009-05-05 02:22 . 2009-05-05 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
    2009-04-17 12:26 . 2004-08-04 12:00 1847168 ------w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-04-09 19:21 . 2009-04-09 19:21 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
    2009-04-09 19:21 . 2009-04-09 19:21 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
    2009-04-09 19:21 . 2009-04-09 19:21 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
    2009-04-09 19:18 . 2009-04-09 19:18 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
    2009-04-09 19:10 . 2009-04-09 19:10 113960 ----a-w- c:\windows\system32\drivers\eamon.sys
    .

    Sigcheck

    [7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
    [7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
    [-] 2008-11-29 01:03 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-23 7626752]
    "THGuard"="c:\program files\TrojanHunter 4.5\THGuard.exe" [2006-05-31 1120256]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-03 185784]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 196608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-23 1519616]
    "NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-23 86016]

    c:\documents and settings\Pat Adler\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
    S2 gupdate1c9e324cb036076;Google Update Service (gupdate1c9e324cb036076);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2009 9:52 PM 133104]
    S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
    S3 esihdrv;esihdrv;\??\c:\docume~1\PATADL~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\PATADL~1\LOCALS~1\Temp\esihdrv.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 17:42]

    2009-06-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 01:52]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
    HKLM-Run-SigmatelSysTrayApp - sttray.exe


    .
    Supplementary Scan
    .
    uStart Page = hxxp://mystart.incredimail.com/english/
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\uvlvfgr2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.dailykos.com/
    FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-28 23:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(2556)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-29 23:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-29 03:51

    Pre-Run: 229,105,733,632 bytes free
    Post-Run: 234,596,958,208 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    195 --- E O F --- 2009-06-12 03:04
    HiJackThis log:

    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Reader 7.1.0
    Amazon MP3 Downloader 1.0.3
    Apple Software Update
    Coupon Printer for Windows
    Critical Update for Windows Media Player 11 (KB959772)
    DING!
    Google Earth
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    HP Customer Participation Program 10.0
    HP Imaging Device Functions 10.0
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Photosmart Essential 2.5
    HP Smart Web Printing
    HP Solution Center 10.0
    HP Update
    Intel Audio Studio 2.0
    Intel(R) Active Client Manager 2.0 HECI Driver
    Intel(R) PRO Network Connections
    J2SE Runtime Environment 5.0 Update 6
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office XP Small Business
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Mozilla Firefox (3.0.11)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero PhotoShow Express
    Nero Suite
    NetLibrary Media Center
    Netscape Browser (remove only)
    NVIDIA Drivers
    NVIDIA nStant Media
    OCR Software by I.R.I.S. 10.0
    OverDrive Media Console
    Personal License Update Wizard for Windows Media Player
    QuickTime
    RealPlayer
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Shop for HP Supplies
    SigmaTel Audio
    TrojanHunter 4.5
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Wallpaper Stationery
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Service Pack 3
    ZENcast Organizer
  • edited June 2009
    Step 1

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      FCopy::
      c:\windows\ServicePackFiles\i386\termsrv.dll|c:\windows\system32\termsrv.dll
      Driver::
      esihdrv
      ADS::
      
    • Save this as CFScript.txt and place it on your desktop.




    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper




    Step 2

    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Combofix Log
    • Kaspersky Log
    • How are things running now ?







    Additional Notes



    Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Adobe Reader is a large program and uses unnecessary space.
    If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

    There is a newer version of Adobe Acrobat Reader available.
    • Please go to this link Adobe Acrobat Reader Download Link
    • Click Download
    • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please download Java SE Runtime Environment (JRE). (Don't install it yet.)
    • Scroll down to where it says "Java SE Runtime Environment (JRE)".
    • Click the "Download" button to the right.
      • Platform = Windows
      • Language = Multi Language
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.


    Now download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer (or other web browser) before continuing!***

    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.


    Now install the Java SE Runtime Environment (JRE) package you downloaded
    (it comes with a toolbar pre-selected, so make sure you uncheck the box)

    You can delete JavaRa (zip and exe)


    Remove Programs

    Older versions of some programs have vulnerabilities that malware can use to infect your system.

    Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista) . If any of the following programs are still listed there,
    click on the program to highlight it, and click on remove.
    • Adobe Reader 7.1.0
    • J2SE Runtime Environment 5.0 Update 6
    Now close the Control Panel.
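An added example, not part of this thread and not code from ComboFix, ESET or the helper: a small Python script that reads the Sigcheck block of a ComboFix log (the three termsrv.dll lines posted above are embedded as the sample input), groups the copies of each file by name, and flags a live system32 copy whose MD5 does not match the ServicePackFiles copy that ComboFix restores from. It also prints the FCopy:: directive in the form the CFScript above uses. It only parses log text; it reads and writes no files on disk. The function names, the regular expression and the choice of ServicePackFiles\i386 as the reference directory are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck block copied from the ComboFix log
# posted in this thread. A raw string keeps the backslashes literal.
SAMPLE_SIGCHECK = r"""
Sigcheck

[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-29 01:03 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
"""

# One Sigcheck line: [tag] date time size md5 path  (regex is an assumption
# about the layout seen above, not a documented ComboFix format)
SIGCHECK_LINE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<path>\S.*?)\s*$"
)

REFERENCE_DIR = "\\servicepackfiles\\i386\\"   # copy ComboFix restored from
LIVE_DIR = "\\system32\\"                       # copy Windows actually loads


def parse_sigcheck(text):
    """Parse every Sigcheck line in text into a dict; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()   # normalise case before comparing
        entries.append(e)
    return entries


def file_name(path):
    """Last component of a Windows path, lower-cased for grouping."""
    return path.rsplit("\\", 1)[-1].lower()


def find_mismatches(entries):
    """For each file name, compare the system32 copy with the ServicePackFiles
    copy and report the ones whose MD5 differs."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[file_name(e["path"])].append(e)

    findings = []
    for name, copies in by_name.items():
        ref = next((c for c in copies if REFERENCE_DIR in c["path"].lower()), None)
        if ref is None:
            continue   # no reference copy listed, nothing to compare against
        for c in copies:
            if LIVE_DIR in c["path"].lower() and c["md5"] != ref["md5"]:
                findings.append({
                    "file": name,
                    "live": c["path"], "live_md5": c["md5"],
                    "reference": ref["path"], "reference_md5": ref["md5"],
                    # same size with a different hash is what an in-place
                    # patch of a system binary looks like; a genuine version
                    # update usually changes the size too
                    "same_size": c["size"] == ref["size"],
                })
    return findings


def restore_directive(finding):
    """The CFScript FCopy:: line that puts the reference copy back in place."""
    return "FCopy::\n%s|%s" % (finding["reference"], finding["live"])


if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK)):
        print("%s: live %s != reference %s (same size: %s)"
              % (f["file"], f["live_md5"], f["reference_md5"], f["same_size"]))
        print(restore_directive(f))
```

The $NtServicePackUninstall$ copy also has a different hash from the ServicePackFiles one, but it is not flagged: it is the pre-service-pack version kept for uninstall, so a different hash is expected there. Only the copy that Windows loads is compared against the reference, which is the same comparison the helper drew from this block before writing the FCopy:: line.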
  • edited June 2009
    Thanks again. I feel like a blind person being led by the sighted. IOW, I would be lost without your help. As I explain below, I'll still need help getting the JRE loaded. Thanks in advance for the next round.

    I met with weird behavior in the Kaspersky. While downloading the database, the display became very flickery. The download was taking a long time, so I closed the browser and started again. This time, the download was almost instantaneous (as though it simply checked for the download and found it already done). After and during the scan, the display was again patchy. It was difficult to be sure if I was missing something with the display primarily only filling in when the mouse hovered, but I was not successful saving the log. I was told to turn off the pop up blocker, which I thought I had done. I re-ran the scan, but had the same problem. For that log, I simply copied out (literally with pen and paper) the part of the log I saw. There was only one line visible in what I think was the log.

    In attempting to install the Java SE Runtime Environment (JRE), I met the error message "download failed." The first reason given was "verification failed." When I turned off the verification as instructed and tried the download again, I got the message that maximum number of retries was exceeded with the specification "[3]." There was no recommendation for how to fix this problem. This issue is defined on the SDM on-line help page as either resulting from a mismatch between expected file type as text/html versus non-html or from exceeding the max number of downloads.

    It seems nothing I have done has gone smoothly with everything showing some anomaly or other. When I started the computer this morning, before going through the second ComboFix, the virus was gone and one other usual startup error message did not appear (something about run dll not being found), but the computer did not register any input. After shutting down using the on/off button on the computer, I restarted and the computer ran normally. And the computer is working faster. I haven't really used it except to work on these issues, so I can't give a more complete report than that.

    Here is what I copied from the Kaspersky log. It may contain a mistake because I copied it to pen and paper then typed it in here:
    File Name
    C:\SystemVolumeInformation\_restore{F319918C-1703-425F-B3F3-05F2ACD6C3BC}-\RP443\A0045818.DLL

    Threat Name: not-a-virus:Monitor.Win32.Agent.C

    Number: 1

    ComboFix file:
    ComboFix 09-06-28.02 - George 06/29/2009 7:04.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.668 [GMT -4:00]
    Running from: c:\documents and settings\George\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\George\Desktop\CFScript.txt
    AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    FCopy

    c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_ESIHDRV
    \Service_esihdrv


    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
    .

    2009-06-29 03:51 . 2009-06-29 03:51 dc----w- c:\windows\system32\dllcache\cache
    2009-06-28 16:03 . 2009-06-28 16:03 d-----w- c:\program files\Trend Micro
    2009-06-28 03:17 . 2009-06-28 03:17 d-----w- c:\documents and settings\George\Application Data\Malwarebytes
    2009-06-28 02:43 . 2009-06-28 02:43 d-----w- c:\documents and settings\Pat Adler\Application Data\Malwarebytes
    2009-06-28 02:43 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-28 02:43 . 2009-06-28 02:43 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-28 02:43 . 2009-06-28 02:43 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-28 02:43 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-26 02:33 . 2009-06-26 02:33 d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
    2009-06-25 12:24 . 2009-06-25 12:24 d-----w- c:\documents and settings\George\Local Settings\Application Data\ESET
    2009-06-19 03:34 . 2009-06-19 03:34 d-sh--w- c:\documents and settings\Pat Adler\PrivacIE
    2009-06-13 13:35 . 2009-06-13 13:35 d-sh--w- c:\documents and settings\George\PrivacIE
    2009-06-11 13:31 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-11 13:31 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-13 13:54 . 2008-05-31 16:03 43160 ----a-w- c:\documents and settings\George\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-13 12:58 . 2007-08-14 20:38 d-----w- c:\program files\MSN Messenger
    2009-06-09 12:37 . 2009-05-15 19:53 988328 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-06-02 01:53 . 2007-09-23 16:01 d-----w- c:\program files\Google
    2009-05-15 20:23 . 2006-09-01 20:18 43160 ----a-w- c:\documents and settings\Pat Adler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-15 20:20 . 2009-05-15 20:20 d-----w- c:\program files\NetLibrary
    2009-05-15 19:53 . 2009-05-15 19:53 d-----w- c:\program files\MSBuild
    2009-05-15 19:53 . 2009-05-15 19:53 d-----w- c:\program files\Reference Assemblies
    2009-05-15 19:26 . 2007-07-16 12:03 d-----w- c:\program files\Windows Media Connect 2
    2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-11 17:25 . 2009-05-11 02:14 d-----w- c:\documents and settings\Pat Adler\Application Data\Move Networks
    2009-05-07 15:32 . 2004-08-04 12:00 345600 ------w- c:\windows\system32\localspl.dll
    2009-05-07 10:23 . 2006-09-07 01:54 d-----w- c:\program files\CMS Peripherals
    2009-05-07 02:00 . 2009-05-07 02:00 d-----w- c:\program files\Citrix
    2009-05-07 02:00 . 2009-05-07 02:00 70984 ----a-w- c:\documents and settings\Pat Adler\g2mdlhlpx.exe
    2009-05-06 23:27 . 2009-05-06 23:27 d-----w- c:\program files\Coupons
    2009-05-05 19:10 . 2009-05-05 19:10 d-----w- c:\documents and settings\Visitor\Application Data\ESET
    2009-05-05 02:29 . 2009-05-05 02:29 d-----w- c:\documents and settings\George\Application Data\ESET
    2009-05-05 02:28 . 2006-09-01 19:59 d-----w- c:\program files\ESET
    2009-05-05 02:25 . 2009-05-05 02:25 d-----w- c:\documents and settings\Pat Adler\Application Data\ESET
    2009-05-05 02:22 . 2009-05-05 02:22 d-----w- c:\documents and settings\All Users\Application Data\ESET
    2009-04-17 12:26 . 2004-08-04 12:00 1847168 ------w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-04-09 19:21 . 2009-04-09 19:21 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
    2009-04-09 19:21 . 2009-04-09 19:21 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
    2009-04-09 19:21 . 2009-04-09 19:21 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
    2009-04-09 19:18 . 2009-04-09 19:18 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
    2009-04-09 19:10 . 2009-04-09 19:10 113960 ----a-w- c:\windows\system32\drivers\eamon.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-06-29_03.49.14 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-29 03:51 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
    + 2009-06-29 03:51 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
    + 2009-06-29 03:51 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
    + 2009-06-29 03:51 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
    + 2009-06-29 03:51 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
    + 2009-06-29 03:51 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
    + 2009-06-29 03:51 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
    + 2009-06-29 03:51 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
    + 2009-06-29 03:51 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
    + 2009-06-29 03:51 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
    + 2006-08-22 16:47 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\termsrv.dll
    + 2009-06-29 03:51 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
    + 2009-06-29 03:51 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\cache\wininet.dll
    + 2009-06-29 03:51 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
    + 2009-06-29 03:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
    + 2009-06-29 03:51 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
    + 2009-06-29 03:51 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
    + 2009-06-29 03:51 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
    + 2009-06-29 03:51 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
    + 2009-06-29 03:51 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
    + 2009-06-29 03:51 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
    + 2009-06-29 03:51 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
    + 2009-06-29 03:51 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-23 7626752]
    "THGuard"="c:\program files\TrojanHunter 4.5\THGuard.exe" [2006-05-31 1120256]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-03 185784]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 196608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-23 1519616]
    "NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-23 86016]

    c:\documents and settings\Pat Adler\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
    S2 gupdate1c9e324cb036076;Google Update Service (gupdate1c9e324cb036076);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2009 9:52 PM 133104]
    S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 17:42]

    2009-06-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 01:52]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://mystart.incredimail.com/english/
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\uvlvfgr2.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.dailykos.com/
    FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-29 07:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(3420)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-29 7:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-29 11:13
    ComboFix2.txt 2009-06-29 03:51

    Pre-Run: 234,578,378,752 bytes free
    Post-Run: 234,499,264,512 bytes free

    206 --- E O F --- 2009-06-12 03:04
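    Reading a ComboFix log like the one above by hand is slow, and the helper's eye goes to a few specific things in the "Reg Loading Points" section: autostart entries whose binary lives somewhere other than c:\windows or c:\program files, a service whose binary ComboFix marks with `[?]`, and Security Center override values. The script below is an added example, not part of the original post and not ComboFix's own code: it splits a log into its `((( ... )))` sections, parses the Run keys, service lines and Security Center values, and prints those three kinds of finding. The sample log is constructed from lines of the post above plus one hypothetical `updater` entry under the user's Temp folder, put there so the autorun check has something to flag; the trusted-prefix list and my reading of `[?]` as "binary not found on disk" are assumptions of this example.

```python
"""Triage helper for ComboFix-style logs (added example; not part of ComboFix)."""
import re
from collections import defaultdict

# "((((( Section Name )))))" banner lines that separate the log's sections.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
# "Name"="path" [date size]   (Run-key entries; the [date size] part may be absent)
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# R2 svc;Display Name;c:\path\to\binary.exe [date size]   or   ... [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*(?:\[(?P<info>[^\]]*)\])?$"
)
# Security Center values that silence AV/firewall warnings when set to 1.
OVERRIDE_RE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|FirewallDisableNotify)"=dword:([0-9a-fA-F]{8})$'
)

# Where an XP autostart binary is expected to live (assumption for this example);
# anything else, e.g. a user profile or Temp folder, is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def split_sections(log_text):
    """Return {section name: [non-empty lines]} keyed by the ((( ))) banners."""
    sections = defaultdict(list)
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def parse_reg_loading_points(lines):
    """Pull (name, path) autoruns, (svc, path, info) services and override values."""
    autoruns, services, overrides = [], [], []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry key the following values belong to
            continue
        m = RUN_ENTRY_RE.match(line)
        if m and key and key.endswith("\\run"):
            path = m.group("path")
            if "\\" not in path:
                # "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [..]: ComboFix
                # resolves a bare file name after " - "; take that resolved path.
                parts = line.split(" - ", 1)
                if len(parts) == 2:
                    path = parts[1].split(" [")[0]
            autoruns.append((m.group("name"), path.lower()))
            continue
        m = OVERRIDE_RE.match(line)
        if m and key and "security center" in key:
            overrides.append((m.group(1), int(m.group(2), 16)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group("svc"), m.group("path"), m.group("info") or ""))
    return autoruns, services, overrides


def triage(log_text):
    """Return human-readable findings for the Reg Loading Points section."""
    sections = split_sections(log_text)
    autoruns, services, overrides = parse_reg_loading_points(sections.get("Reg Loading Points", []))
    findings = []
    for name, path in autoruns:
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"autorun outside Windows/Program Files: {name} -> {path}")
    for svc, path, info in services:
        if info == "?":   # assumption: ComboFix prints [?] when it cannot find the binary
            findings.append(f"service binary not found on disk: {svc} -> {path}")
    for value, data in overrides:
        if data == 1:     # legitimate for some AV products; confirm which one set it
            findings.append(f"Security Center warning suppressed: {value}=1")
    return findings


# Constructed sample: lines copied from the log above plus one hypothetical
# "updater" entry under the user's Temp folder so the autorun check fires.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updater"="c:\documents and settings\George\Local Settings\Temp\svchost.exe" [2009-06-20 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-23 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
.
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    On the sample this prints three lines: the `updater` entry under Temp, the `portD` service whose driver is marked `[?]`, and `AntiVirusOverride=1`. None of these is a verdict on its own; `AntiVirusOverride` in particular is set by some third-party AV products, and a missing driver file is often just a leftover from an uninstalled device utility, so each finding is a prompt to look at the file or key, not a reason to delete it.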
  • edited June 2009
    I'll still need help getting the JRE loaded
    I suspect it is a problem with the Sun servers, try again tomorrow and see if it works then
    I met with weird behavior in the Kaspersky
    You're not the first to say that recently; I have had a few other people have trouble with it.
    Here is what I copied from the Kaspersky log
    That's fine, the file it found is in System Restore and we will be flushing that shortly :)

    Uninstall Combofix
    • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U; it needs to be there.



    Right, there is no sign of infection now :)
    Run the machine as you would normally and let me know if there are any problems still.
    Let me know how you get on with Java also.
  • edited June 2009
    My wife was raving about her "new" fast computer yesterday. I took all the credit, but I'm going to mail you a hot fudge sundae in thanks. ;)

    So, got the same results with JRE. If I can find time, I'll try doing the whole procedure from the beginning. I'm leaving town for a couple of weeks today, so if I don't get it done, I may have to start a new thread for it, unless you would notice a new post from me here in two weeks?

    This morning, eset scared me with the same warning of the ursnif.A infestation, but when I said delete it, eset did not balk, so I assume that was some kind of residue that eset could clean up?

    Believe it or not, there are 3 other older computers here with such virus problems that someone in my family stopped using them. Now I think I know where I can get them running again so I can donate them as working computers. IOW, I'll be back.

    Thanks so much for your help. :respect:
  • edited June 2009
    geomoo wrote:
    1) unless you would notice a new post from me here in two weeks?

    2) This morning, eset scared me with the same warning of the ursnif.A infestation, but when I said delete it, eset did not balk, so I assume that was some kind of residue that eset could clean up?

    3) I'll be back.

    Thanks so much for your help. :respect:
    1) I'll still be here :)
    2) Curious; if you can find the ESET log, I'd like to see where it found it.
    It probably was just a left over, but I don't know where it was hiding.
    3) Glad to hear it, that means I've done my job well :)
    Whilst we appreciate that you may be busy, it has been 16 days or more since we heard from you. This topic is now closed.

    If you are not the user who started this thread, you must start your own Thread instead :)
This discussion has been closed.