Recurring requests for reboot

[thughes4050]

I am experiencing repeated requests for reboot from avast that is not associated with any virus alert each time I start or restart my computer.  What might be causing these requests?

[hap66]

I'm having the same problem, just started this morning as well. Avast requests to reboot at the startup, however I'm getting a warning once pc has rebooted; "avast has detected a change in a program continuing can be dangerous" with this tag "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

[Lisandro]

Can you check your ashdisp properties and wait... seems this problem requires Alwil solution...
http://forum.avast.com/index.php?topic=32297.msg270107#msg270107

[hap66]

not sure what to look for in the ashDisp properties or even if I found them. But I tried some troubleshooting of my own: Uninstalled and Reinstalled avast! - after the intial scan it did still ask me to reboot again once it was finished. But the "modified ...ashDisp.exe program warning" didn't pop up. I also downloaded the tool from essexboy from your forum attachment, the RenV.exe, ran it the log didn't show anything except that it ran time and date. Does that mean everthing is fixed or should I restore my system to before the infection?

[oldman]

If the log didn't show anthing, then you probably don't have any modified files.

I'd wait and see if the problem returns. System restore may or may not be a solution as it's not the entire system that is backed up, so you could end up at a previous point, but with the same problem.

You can check your ashdisp at www.virustotal.com

If you have installed avast in the default location copy and paste this line into the submit box on their webpage

C:\Program Files\Alwil Software\Avast4\Ashdisp.exe

[thughes4050]

There are no warnings associated with my system it simply tells me that avast needs to reboot.  I tell it no and go about my business right now and there doesn't seem to be any problems, additional warnings,  or further avast activity.

[hap66]

Yeah System restore didn't work, not much change. avast! is still asking for reboot at random times, but no more warnings about modified programs. I checked the ashdisp at virustotal and it came up with this:

File Ashdisp.exe received on 12.31.2007 19:12:14 (CET)Antivirus Version Last Update Result

AhnLab-V3 2008.1.1.10 2007.12.31 -
AntiVir 7.6.0.46 2007.12.31 -
Authentium 4.93.8 2007.12.30 W32/Virtumonde.OQ
Avast 4.7.1098.0 2007.12.31 -
AVG 7.5.0.516 2007.12.31 Dropper.Agent.GIT
BitDefender 7.2 2007.12.31 Trojan.Dropper.Vundo.D
CAT-QuickHeal 9.00 2007.12.31 -
ClamAV 0.91.2 2007.12.31 Trojan.Dropper-3531
DrWeb 4.44.0.09170 2007.12.31 Trojan.MulDrop.10006
eSafe 7.0.15.0 2007.12.31 -
eTrust-Vet 31.3.5419 2007.12.31 Win32/Trats.A
Ewido 4.0 2007.12.31 Dropper.Agent.dgo
FileAdvisor 1 2007.12.31 -
Fortinet 3.14.0.0 2007.12.31 -
F-Prot 4.4.2.54 2007.12.31 W32/Virtumonde.OQ
F-Secure 6.70.13030.0 2007.12.31 Trojan-Dropper.Win32.Agent.dgo
Ikarus T3.1.1.15 2007.12.31 Trojan-Dropper.Win32.Agent.dgo
Kaspersky 7.0.0.125 2007.12.31 Trojan-Dropper.Win32.Agent.dgo
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.31 Virus:Win32/Trats.C
NOD32v2 2758 2007.12.31 Win32/TrojanDropper.Agent.DGO
Norman 5.80.02 2007.12.31 -
Panda 9.0.0.4 2007.12.31 -
Prevx1 V2 2007.12.31 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2007.12.31 W32/VirtInf-B
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2007.12.31 W32.Trats!inf
TheHacker 6.2.9.175 2007.12.29 -
VBA32 3.12.2.5 2007.12.29 Trojan-Dropper.Win32.Agent.dgo
VirusBuster 4.3.26:9 2007.12.31 Win32.Trats.Gen
Webwasher-Gateway 6.6.2 2007.12.31 -

Additional information
File size: 445952 bytes
MD5: 3d41044c8737ef95dbfa75c9647c36b5
SHA1: aa8fe969ece2211fc578f21d0df39cfffa20f7ff
PEiD: -

is this a bad thing?

[Lisandro]

is this a bad thing?

Yes... you're infected with Virtumonde.
Maybe this help: http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=3

[hap66]

Ran the symantec tool, but it came up saying "Adware.VirtuMonde has not been found on your computer." Even checked the registry to delete the said subkeys, but none of the ones listed in the instructions were in there. Is there another way to fix this infection, and is it safe for me to do things like online banking on this computer?

And avast! isn't asking for reboot anymore.

[oldman]

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.



Also download but do not use yet

 

• Download RenV.exe by sUBs to your desktop
  
  

You will also need hijackthis

Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  
• Put a check by Create a desktop icon then click Next again.
  
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
  

[hap66]

I ran the HJT program first then the ComboFix.
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:48 PM, on 1/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\USB Storage RW\udsi.exe
C:\Program Files\USB Storage RW\udsi .exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ps2 .exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09 .exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
F3 - REG:win.ini: load=C:\WINDOWS\System32\mljjj.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [28292d23] rundll32.exe "C:\WINDOWS\System32\mwsdeowj.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\csapsxui.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7195 bytes

[hap66]

And here is the ComboFix log:

ComboFix 08-01-03.1 - Owner 2008-01-02 12:27:21.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.1.1252.1.1033.18.141 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\hp\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\cnmmfopq.dll
C:\WINDOWS\system32\cyoiblgp.dll
C:\WINDOWS\system32\fmsvmkon.ini
C:\WINDOWS\system32\gvxmhyrj.dll
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\jdyopxfk.dll
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\jwoedswm.ini
C:\WINDOWS\system32\kfxpoydj.ini
C:\WINDOWS\system32\khfffff.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjj.exe
C:\WINDOWS\system32\mwsdeowj.dll
C:\WINDOWS\system32\nokmvsmf.dll
C:\WINDOWS\system32\ppnyddwd.dll
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RCX38.tmp
C:\WINDOWS\system32\RCX51.tmp
C:\WINDOWS\system32\RCX55.tmp
C:\WINDOWS\system32\RCX69.tmp
C:\WINDOWS\system32\RCX6A.tmp
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

Code: [Select]

"C:\hp\KBD\KBD .EXE" replaces infected copy of "C:\hp\KBD\KBD.EXE"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" replaces infected copy of "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"C:\Program Files\Common Files\Real\Update_OB\realsched .exe" replaces infected copy of "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe" replaces infected copy of "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"C:\Program Files\HP\hpcoretech\hpcmpmgr .exe" replaces infected copy of "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"C:\Program Files\Qwest\QuickCare\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe"
"C:\Program Files\USB Storage RW\udsi .exe" replaces infected copy of "C:\Program Files\USB Storage RW\udsi.exe"
"C:\WINDOWS\SMINST\RECGUARD .EXE" replaces infected copy of "C:\WINDOWS\SMINST\RECGUARD.EXE"
"C:\WINDOWS\system\hpsysdrv .exe" replaces infected copy of "C:\WINDOWS\system\hpsysdrv.exe"
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxtray .exe" replaces infected copy of "C:\WINDOWS\system32\igfxtray.exe"
"C:\WINDOWS\system32\ps2 .exe" replaces infected copy of "C:\WINDOWS\system32\ps2.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe" replaces infected copy of "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-12-03 to 2008-01-03  )))))))))))))))))))))))))))))))
.

2008-01-02 12:25 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-02 12:17 . 2008-01-02 12:17   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-31 11:16 . 2007-12-31 11:16   1,031,148   --ahs----   C:\WINDOWS\system32\orsqkgfx.ini
2007-12-30 11:57 . 2004-01-09 02:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2007-12-30 11:57 . 2007-12-04 05:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-12-30 11:57 . 2007-12-04 07:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-30 11:57 . 2007-12-04 07:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-30 11:57 . 2007-12-04 07:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-30 11:57 . 2007-12-04 07:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-30 09:57 . 2008-01-01 11:56   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2007-12-30 09:57 . 2008-01-01 11:56   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2007-12-30 09:57 . 2008-01-01 11:56   81,920   --a------   C:\WINDOWS\system32\ps2.exe
2007-12-30 09:57 . 2008-01-01 11:56   52,736   --a------   C:\WINDOWS\system\hpsysdrv.exe
2007-12-30 09:57 . 2008-01-03 12:33   182   --a------   C:\WINDOWS\system\hpsysdrv .DAT
2007-12-29 12:06 . 2007-12-29 12:06   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Motive
2007-12-27 14:42 . 2007-12-27 14:42   <DIR>   d--------   C:\Program Files\Google
2007-12-19 09:44 . 2007-12-26 23:41   43,520   --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-19 09:10 . 2007-12-19 09:10   94,208   --a------   C:\WINDOWS\DIIUnin.exe
2007-12-19 09:10 . 2007-12-19 09:44   35,759   --a------   C:\WINDOWS\DIIUnin.dat
2007-12-19 09:10 . 2007-12-19 09:10   2,829   --a------   C:\WINDOWS\DIIUnin.pif
2007-12-19 09:00 . 2007-12-27 23:41   <DIR>   d--------   C:\Program Files\Diablo II
2007-12-06 13:13 . 2007-12-06 13:13   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\VERITAS
2007-12-06 12:22 . 2007-12-06 12:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-06 00:34 . 2007-12-06 00:34   248   --a------   C:\WINDOWS\RomeTW.ini
2007-12-05 22:46 . 2007-12-15 12:02   <DIR>   d--------   C:\Program Files\Activision
2007-12-03 09:54 . 2007-12-03 09:54   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Corel

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 19:35   ---------   d-----w   C:\Program Files\USB Storage RW
2008-01-01 19:02   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSN6
2007-12-31 00:03   ---------   d-----w   C:\Program Files\AWS
2007-12-29 19:06   ---------   d-----w   C:\Program Files\Easy Internet signup
2007-12-16 16:46   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\U3
2007-12-15 19:39   163,644   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-15 19:37   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-05 06:14   ---------   d-----w   C:\Program Files\Common Files\Real
2007-12-05 06:13   ---------   d-----w   C:\Program Files\Real
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeAUM
2007-12-02 19:34   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-12-02 19:23   ---------   d-----w   C:\Program Files\Macromedia
2007-12-02 19:21   ---------   d-----w   C:\Program Files\Common Files\Macromedia
2007-12-01 18:43   ---------   d-----w   C:\Program Files\Common Files\Adobe Systems Shared
2007-12-01 18:43   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-01 18:39   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2007-11-30 05:39   ---------   d-----w   C:\Program Files\Western Digital Technologies
2007-11-30 05:23   ---------   d-----w   C:\Program Files\Rhapsody
2007-11-30 05:20   8,413   ----a-w   C:\WINDOWS\system32\drivers\mcstrm.sys
2007-11-30 04:47   ---------   d-----w   C:\Program Files\Hewlett-Packard
2007-11-30 04:46   ---------   d-----w   C:\Program Files\HP
2007-11-30 04:26   ---------   d-----w   C:\Program Files\Common Files\HP
2007-11-30 04:23   ---------   d-----w   C:\Program Files\Common Files\Hewlett-Packard
2007-11-29 20:51   ---------   d-----w   C:\Program Files\Alwil Software
2007-11-29 20:38   ---------   d-----w   C:\Program Files\MSN Messenger
2007-11-29 20:38   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSNInstaller
2007-11-29 20:36   ---------   d-----w   C:\Program Files\Qwest
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Common Files\supportsoft
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Actiontec
2007-11-29 20:31   ---------   d-----w   C:\Program Files\2Wire
2007-11-29 20:29   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\InstallShield
2007-11-29 09:02   ---------   d-----w   C:\Program Files\Quicken
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Symantec
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-11-29 09:01   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 08:04   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
.

[hap66]

more log:

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 11:44 831557 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-01-01 11:56 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-01 11:56 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-01 11:56 114688]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2008-01-01 11:56 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-01-01 11:56 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-01 11:56 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-01 11:56 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 11:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 11:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-01-01 11:56 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2008-01-01 11:56 198800]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2008-01-01 11:56 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-01 11:57 212992]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2008-01-01 11:57 229437]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2008-01-01 11:57 188416]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-01 11:57 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-01 11:57 79224]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 04:21:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-01 11:42:56]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 00:04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 22:07:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY37E3P1437A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY37E3P1437A
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 12:36:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-01-03 12:42:02 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-03 19:41:59

[oldman]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\orsqkgfx.ini

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Run HJT after everything else is done.

• Copy the entire contents of the Code Box below to Notepad.
  
• Name the file as Log.txt  (Overwrite the existing one)
  
• Change the Save as Type to All Files
  
• and Save it on the desktop
  

Code: [Select]

"C:\hp\KBD\KBD .EXE" replaces infected copy of "C:\hp\KBD\KBD.EXE"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" replaces infected copy of "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"C:\Program Files\Common Files\Real\Update_OB\realsched .exe" replaces infected copy of "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe" replaces infected copy of "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"C:\Program Files\HP\hpcoretech\hpcmpmgr .exe" replaces infected copy of "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"C:\Program Files\Qwest\QuickCare\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe"
"C:\Program Files\USB Storage RW\udsi .exe" replaces infected copy of "C:\Program Files\USB Storage RW\udsi.exe"
"C:\WINDOWS\SMINST\RECGUARD .EXE" replaces infected copy of "C:\WINDOWS\SMINST\RECGUARD.EXE"
"C:\WINDOWS\system\hpsysdrv .exe" replaces infected copy of "C:\WINDOWS\system\hpsysdrv.exe"
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxtray .exe" replaces infected copy of "C:\WINDOWS\system32\igfxtray.exe"
"C:\WINDOWS\system32\ps2 .exe" replaces infected copy of "C:\WINDOWS\system32\ps2.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe" replaces infected copy of "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"





Refering to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.

[oldman]

Hi  hap66

Due to a change in the way combofix is handling this bug, you don't need to do the RENV part. Just can across this.