Hi All,

So we got the fake email stating it was from UPS. My boss downloaded the virus, ran it, and

sent it to another lady in our office who ran it. So I am here with 2 infected PC's.

The PC's were running Mcafee, and are Windows XP O.S. One of the computers I believe is

fixed.

I first noticed something wrong when I seen XP Antivirus software that it had installed. I

have NEVER seen this software before. I looked at my MSconfig and noticed in the startup

items "buritos.exe" I called mcafee they gave me garbage support, and told me to uninstall

and re-install. LOL that sounds about right from mcafee!

I uninstalled mcafee completely with the tool they gave me, and installed AVG Free Edition.

I ran AVG on one of the PC's and it found 10 threats, cleaned them out. I re-ran AVG and it

found 2 threats, cleaned them out. I am currently in the process of another scan on that PC.

I have included a HiJackThis log on the PC I think may have been cleaned. Can someone please

help me and review the log and let me know if I am in fact clean of the UPS Virus?
___

Now the second PC. Wow, where do I start? Okay this PC was the one originally infected. This

one is acting goofy. Whenever I try to log in to my windows user account, it accepts the

password, says "loading your profile.." then all of a sudden it says "saving your settings"

and logs me right back out to the log in welcome screen. It doesn't even load the desktop or

anything. I have tried to control + alt + delete the get to the manual log in box, and when I

tried using my Administrator account it will not log me in. I have tried in all different

modes - safe mode, and regular mode, and I still cant get past the login screen. This is

gonna be fun!!! Anyone got any suggestions here?

I have the SDfix and ComboFix directions that I want to try on the other PC that is still

infected for sure, but I cant get passed this log in issue. Please help! The funny thing is

ComboFix has the same Round Red Icon with the X in the middle as the "XP Antivirus Software"

that was installed By this UPS virus. =\ freaks me out.

___

Here is the HiJackThis log from the PC that I believe is clean. Can someone please review it

and let me know if I am in fact clean? I should mention this computer has a old SQL server I

believe and Is on a network.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:12 AM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\D25F.tmp
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\TJH\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = eMachines Computers Home Page
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} -

C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} -

C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program

Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [jmupjtl] C:\WINDOWS\jmupjtl.EXE
O4 - HKLM\..\Run: [Run RunOnce] D:\RunOnce.exe C:\UPS\UOWS\ShipUPS.EXE
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat

6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache

Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL

Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)

- http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - AppInit_DLLs: cru629.dat??r?5.1,avgrsstx.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache

Group\Apache2\bin\Apache.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. -

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd -

C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. -

C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner -

C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver52\bin\swagent.ex

e
O23 - Service: ColdFusion MX ODBC Server - Unknown owner -

C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver52\bin\swstrtr.ex

e
O23 - Service: Macromedia JRun Admin Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Macromedia JRun CFusion Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Macromedia JRun Default Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kechcec.exe (file

missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program

Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7294 bytes


Any help is greatly appreciated!! Thanks!

Hi... Welcome to PCHF.

Forum Rules require that HJT logs must be analyzed by experienced Security Team Analysts. This is for your protection... and to give you our best service.

Our Security Team is always very busy-- and as we live all over the Earth...
Time-Zones are also an important factor.

Your patience is greatly appreciated.

Thank You

sounds good thanks!

Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

OH NO!

invalid system disk
replace the disk then press any key

after running combo fix, and I cant get to the recovery console by pressing F8 because no windows is found?

PLEASE ADVISE

Sorry false alarm!!

Never mind! Windows ended up starting after I pulled my flash drive out.
I have included the ComboFix.txt and HJT Log.

I am a dummy though! I forgot to turn off my AVG Free 8.0 before running combofix as it clearly stated in your directions. I am sorry! Let me know if I need to re-scan with combofix.


Here is the combo fix Log:

ComboFix 08-07-24.1 - Mary3 2008-07-25 9:28:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.667 [GMT -7:00]
Running from: C:\Documents and Settings\Mary3\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mary3\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mary3\Local Settings\Temporary Internet Files\igoza.dll
C:\Documents and Settings\Mary3\Local Settings\Temporary Internet Files\mereqipemi.exe
C:\Program Files\cmapp
C:\Program Files\fcengine
C:\Program Files\fcengine\patterns.dat
C:\Program Files\fcengine\Uninstall.exe
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\wsnpoem\video.dll.cla

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-24 09:27 . 2008-07-24 09:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 15:19 . 2008-07-23 20:09 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-23 15:01 . 2008-07-24 09:47 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-23 15:01 . 2008-07-25 08:59 <DIR> d-------- C:\Documents and Settings\Mary3\Application Data\AVGTOOLBAR
2008-07-23 15:01 . 2008-07-23 15:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-23 15:01 . 2008-07-23 15:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 15:00 . 2008-07-23 15:00 <DIR> d-------- C:\Program Files\AVG
2008-07-23 15:00 . 2008-07-23 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 14:45 . 2008-07-23 14:45 <DIR> d-------- C:\Documents and Settings\Mary3\Application Data\McAfee
2008-07-23 14:45 . 2008-07-23 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 14:38 . 2008-07-23 14:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\McAfee
2008-07-23 13:48 . 2008-07-23 13:48 <DIR> d--h----- C:\BJPrinter
2008-07-23 13:45 . 2008-07-23 13:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-23 13:42 . 2008-07-23 13:42 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-23 13:40 . 2008-07-23 13:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-07-23 13:39 . 2008-07-23 13:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-07-23 13:22 . 2008-07-23 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-07-23 13:20 . 2008-07-23 13:20 61,224 --a------ C:\Documents and Settings\Mary3\GoToAssistDownloadHelper.exe
2008-07-23 12:35 . 2008-07-23 12:35 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-23 12:32 . 2008-07-23 12:32 19,465 --a------ C:\Program Files\Common Files\pedukym.dll
2008-07-23 12:32 . 2008-07-23 12:32 19,297 --a------ C:\Documents and Settings\Mary3\Application Data\uhisabezu.dll
2008-07-23 12:32 . 2008-07-23 12:32 19,007 --a------ C:\Documents and Settings\Mary3\Application Data\xegeto.dat
2008-07-23 12:32 . 2008-07-23 12:32 14,631 --a------ C:\Documents and Settings\Mary3\Application Data\muderum.sys
2008-07-23 12:32 . 2008-07-23 12:32 11,438 --a------ C:\Documents and Settings\All Users\Application Data\isofox.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-07-23 20:45 --------- d-----w C:\Program Files\Yahoo!
2008-07-23 20:45 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-23 19:32 19,081 ----a-w C:\WINDOWS\obanobib.bin
2008-07-23 19:32 18,331 ----a-w C:\Program Files\Common Files\iqufubu._dl
2008-07-23 19:32 14,335 ----a-w C:\WINDOWS\ikuj.bin
2008-07-23 19:32 13,458 ----a-w C:\WINDOWS\egykig.dll
2008-07-23 19:32 11,538 ----a-w C:\WINDOWS\utinuv.reg
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-12 05:18 135168]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-23 15:00 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cru629.dat??r?5.1,avgrsstx.dl l

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\WINDOW~2\INSTAL~1\MP3POW~1\CLMP3Enc.AC M

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BounceBack Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BounceBack Launcher.lnk
backup=C:\WINDOWS\pss\BounceBack Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS WorldShip PLD Reminder Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
backup=C:\WINDOWS\pss\UPS WorldShip PLD Reminder Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mary3^Start Menu^Programs^Startup^E-mail.lnk]
path=C:\Documents and Settings\Mary3\Start Menu\Programs\Startup\E-mail.lnk
backup=C:\WINDOWS\pss\E-mail.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
--a------ 2004-02-27 11:29 61440 C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
--a------ 2004-05-10 13:39 188416 C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-23 15:01]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-23 15:00]
R2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2004-02-23 09:40]
S3 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent []
S3 Macromedia JRun Admin Server;Macromedia JRun Admin Server;C:\JRun4\bin\jrunsvc.exe [2003-07-16 11:55]
S3 Macromedia JRun CFusion Server;Macromedia JRun CFusion Server;C:\JRun4\bin\jrunsvc.exe [2003-07-16 11:55]
S3 Macromedia JRun Default Server;Macromedia JRun Default Server;C:\JRun4\bin\jrunsvc.exe [2003-07-16 11:55]
S3 PciTest;WinMTA PCI Service;C:\WINDOWS\SYSTEM32\DRIVERS\pcitest.sys [2003-11-25 22:58]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\Windows Media Player\Installer\MP3PowerEncoder\Cyber.inf,PerUser Stub
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-jmupjtl - C:\WINDOWS\jmupjtl.EXE
MSConfigStartUp-MBkLogOnHook - C:\Program Files\McAfee\MBK\LogOnHook.exe
MSConfigStartUp-Run RunOnce - D:\RunOnce.exe
MSConfigStartUp-buritos - buritos.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Search Bar =
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.emachines.com/
R1 -: HKCU-SearchURL,(Default) = about:blank
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 09:40:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
************************************************** ************************
.
Completion time: 2008-07-25 9:47:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-25 16:47:32

Pre-Run: 67,262,971,904 bytes free
Post-Run: 67,893,616,640 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Professional Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

175 --- E O F --- 2008-07-24 22:56:07



HERE IS THE HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:53 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\TJH\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = eMachines Computers Home Page
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - AppInit_DLLs: cru629.dat??r?5.1,avgrsstx.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver52\bin\swstrtr.exe
O23 - Service: Macromedia JRun Admin Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Macromedia JRun CFusion Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Macromedia JRun Default Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6339 bytes

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*

=====================

Is your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version if required.

Before installing go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then install the newest version.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u6 (Java SE Downloads).