fabvegas
(new user)
Sat Mar 01 2008 09:52 PM
Help with this file in Hijack log crypt32set fuwarxyus.dll

I posted this in another thread then I noticed the Hijack this thread. Sorry, I think the post more properly belongs here. I am running a Windows Media Center XP edition - I am on SP2. The file Fuwarxyus.dll keeps showing up even if I kill it using Hijack This. I have a multitude of issues that pop up from time to time and I believe they are all related to that file. I'm looking for any help I can get. My most pressing issue at this point is that I have multiple instances of iexplorer.exe upon startup. Any help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:48:46 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BNB.tmp
C:\Program Files\a-squared Anti-Malware\a2HiJackFree.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Omea - {35402C01-1777-4159-9ABA-3480BA70D90A} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O8 - Extra context menu item: Clip and Edit - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1000
O8 - Extra context menu item: Clip and Save - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1001
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Subscribe to Feed - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1002
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra 'Tools' menuitem: Omea Add-on Options… - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Subscribe to Feed - {35402C01-1777-4159-9ABA-3480BA70D903} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Edit - {35402C01-1777-4159-9ABA-3480BA70D905} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Save - {35402C01-1777-4159-9ABA-3480BA70D907} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Annotate - {35402C01-1777-4159-9ABA-3480BA70D909} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178838328640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179249765562
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)

Pancake
(HijackThis Helper)
Sat Mar 01 2008 10:48 PM
Re: Help with this file in Hijack log crypt32set fuwarxyus.dll

Ok.We also need to download ComboFix.exe.

Please visit this webpage for download links, and instructions for running the tool


When the tool is finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

fabvegas
(new user)
Sat Mar 01 2008 11:53 PM
Re: Help with this file in Hijack log crypt32set fuwarxyus.dll

Thank you for your assistance:

Here is the combo box log:
ComboFix 08-03-01.3 - HP_Administrator 2008-03-01 15:38:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1251 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\Media\fuwarxyus.dll
C:\WINDOWS\system32\2_exception.nls
C:\WINDOWS\system32\drivers\Xmx43.sys
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\LEGACY_XMX43
-------\smtpdrv
-------\Xmx43


((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-03-01 15:44 . 2008-03-01 15:44 26,240 --a------ C:\WINDOWS\system32\drivers\Jct05.sys
2008-03-01 15:44 . 2008-03-01 15:44 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_
2008-03-01 11:13 . 2008-03-01 11:13 0 --a------ C:\ComboFix.exe
2008-03-01 10:38 . 2008-03-01 13:39 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-27 22:45 . 2008-02-27 22:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 22:45 . 2008-02-27 22:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-26 11:00 . 2008-02-26 11:00 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\JetBrains
2008-02-26 10:59 . 2008-02-26 10:59 <DIR> d-------- C:\Program Files\JetBrains
2008-02-16 10:04 . 2008-03-01 13:37 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-02-14 17:02 . 2008-02-14 17:02 3,085,135 --a------ C:\WINDOWS\system32\Screenclean.scr
2008-02-03 11:20 . 2008-02-03 11:20 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 03:24 10,240 ----a-w C:\WINDOWS\system32\drivers\STLD.SYS
2008-02-16 18:04 --------- d-----w C:\Program Files\McAfee
2008-01-29 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-29 04:56 --------- d-----w C:\Program Files\McAfee.com
2008-01-29 04:56 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-29 04:19 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-25 22:11 --------- d-----w C:\Program Files\42 Bit Scanner
2008-01-25 22:10 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-01-25 07:01 --------- d-----w C:\Program Files\Root Kit Detector
2008-01-24 21:40 --------- d-----w C:\Program Files\Java
2008-01-24 21:21 --------- d-----w C:\Program Files\Coupons
2008-01-14 19:17 53,684 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-14 19:17 3,772,192 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-14 19:17 2,468 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-14 19:17 14,880 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-14 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-13 20:51 --------- d-----w C:\Program Files\F-Group
2008-01-13 20:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\GlarySoft
2008-01-13 20:03 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\RegSweep
2008-01-13 19:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-13 19:33 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-01-13 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-10 21:18 --------- d-----w C:\Program Files\CSS Tab Designer 2
2008-01-10 21:02 --------- d-----w C:\Program Files\CSS Menu Generator
2008-01-09 17:31 --------- d-----w C:\Program Files\Netscape
2008-01-09 17:31 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2008-01-09 17:23 --------- d-----w C:\Program Files\Opera
2008-01-09 14:34 --------- d-----w C:\Program Files\Safari
2008-01-09 14:34 --------- d-----w C:\Program Files\Apple Software Update
2008-01-09 14:34 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-01-09 14:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-07 22:35 --------- d-----w C:\Program Files\Zebra
2008-01-07 21:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 21:32 --------- d-----w C:\Program Files\Number Five
2008-01-07 21:32 --------- d-----w C:\Program Files\Common Files\Number Five
2007-12-21 21:25 216,064 ----a-w C:\WINDOWS\iun3404.exe
2007-05-16 21:37 251 ----a-w C:\Program Files\wt3d.ini
2007-05-12 20:49 92,064 ----a-w C:\Documents and Settings\HP_Administrator\mqdmmdm.sys
2007-05-12 20:49 9,232 ----a-w C:\Documents and Settings\HP_Administrator\mqdmmdfl.sys
2007-05-12 20:49 79,328 ----a-w C:\Documents and Settings\HP_Administrator\mqdmserd.sys
2007-05-12 20:49 66,656 ----a-w C:\Documents and Settings\HP_Administrator\mqdmbus.sys
2007-05-12 20:49 6,208 ----a-w C:\Documents and Settings\HP_Administrator\mqdmcmnt.sys
2007-05-12 20:49 5,936 ----a-w C:\Documents and Settings\HP_Administrator\mqdmwhnt.sys
2007-05-12 20:49 4,048 ----a-w C:\Documents and Settings\HP_Administrator\mqdmcr.sys
2007-05-12 20:49 25,600 ----a-w C:\Documents and Settings\HP_Administrator\usbsermptxp.sys
2007-05-12 20:49 22,768 ----a-w C:\Documents and Settings\HP_Administrator\usbsermpt.sys
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2007-05-11 00:51 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2007-08-06 10:13 375808]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2007-08-06 10:14 1492480]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-08-06 10:12 1192960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\progra~1\scansoft\paperp~1\pptd40nt.exe" [2001-10-15 15:15 29184]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-28 01:59 8466432]
"nwiz"="nwiz.exe" [2007-08-28 01:59 1626112 C:\WINDOWS\system32\nwiz.exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]
C:\WINDOWS\Media\fuwarxyus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt]
LogCrypt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-03-01 13:37 11776 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 13:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 01:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 14:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2006-07-06 06:15 151552 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-08-28 01:59 8466432 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-08-28 01:59 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 14:14 237568 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-10-25 03:57 16855552 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"NVSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"IAANTMON"=2 (0x2)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Jct05;Jct05;C:\WINDOWS\system32\Drivers\Jct05.sys [2008-03-01 15:44]
R2 n5lpt.sys;N5 Print Device;C:\WINDOWS\system32\Drivers\n5lpt.sys [2006-05-04 13:45]
R2 Stld;Stld;C:\WINDOWS\system32\drivers\Stld.sys [2009-04-22 19:24]
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service []
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 06:35]
R3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 09:44]
S0 Qvh18;Qvh18;C:\WINDOWS\system32\Drivers\Qvh18.sys []
S2 key5usb;KeyFive USB Reader;C:\WINDOWS\system32\Drivers\key5usb.sys [2007-11-01 15:28]
S3 ff91BD;ff91BD;C:\WINDOWS\system32\ff91BD.sys [2008-01-28 08:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - JCT05
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 09:00:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 15:44:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\TEMP\BN3.tmp
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-01 15:47:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-01 23:47:37
.
2008-02-13 03:14:20 --- E O F ---


And the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:51 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN3.tmp
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Omea - {35402C01-1777-4159-9ABA-3480BA70D90A} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O8 - Extra context menu item: Clip and Edit - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1000
O8 - Extra context menu item: Clip and Save - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1001
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Subscribe to Feed - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1002
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra 'Tools' menuitem: Omea Add-on Options… - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Subscribe to Feed - {35402C01-1777-4159-9ABA-3480BA70D903} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Edit - {35402C01-1777-4159-9ABA-3480BA70D905} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Save - {35402C01-1777-4159-9ABA-3480BA70D907} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Annotate - {35402C01-1777-4159-9ABA-3480BA70D909} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178838328640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179249765562
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)

Contact Us | Privacy statement Main website
Hitwise Top 10 Award Winner - Jan-Mar 2005

About us | Contact us | Link to us | Terms & Conditions | Privacy Policy
© Copyright IPC Media Limited, All rights reserved