Another Variation of Win32.BHO.abo

[zippie31]

OK here goes.
The only problem I encountered was when combofix shut down my computer I got a "program is not responding" message for hpcmpmgr.exe
Windows ended the program and everything else went fine.

More info on D:     
In recovery console it gave me the following options
1. D:\MiniNT
2. D:\I386
3. C:\Windows
(of course I chose 3)

Now, the new ComboFix log:

ComboFix 08-01-31.5 - Compaq_Owner 2008-01-31 19:04:27.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.112 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe
C:\Documents and Settings\Compaq_Owner\My Documents\error.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\datacle.dll . . . . failed to delete
D:\Autorun.inf . . . . failed to delete
C:\WINDOWS\system32\datacle.dll . . . . failed to delete
D:\Autorun.inf . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2008-01-01 to 2008-02-01  )))))))))))))))))))))))))))))))
.

2008-01-30 18:41 . 2007-12-04 09:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 18:41 . 2007-12-04 09:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 18:41 . 2007-12-04 09:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 18:40 . 2007-12-04 07:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-30 18:40 . 2007-12-04 09:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 18:40 . 2007-12-04 09:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 18:39 . 2008-01-30 18:39   <DIR>   d--------   C:\Program Files\Alwil Software
2008-01-30 18:39 . 2007-12-04 08:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-30 18:39 . 2004-01-09 04:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-30 18:11 . 2008-01-30 18:11   18,884,808   --a------   C:\setupeng.exe
2008-01-29 18:05 . 2008-01-29 18:05   407,680   --a------   C:\aswclnr.exe
2008-01-08 23:20 . 2008-01-13 13:13   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-08 23:20 . 2008-01-08 23:20   1,409   --a------   C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:09   ---------   d-----w   C:\Program Files\Plaxo
2008-01-31 04:38   ---------   d-----w   C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-01-31 04:28   ---------   d-----w   C:\Program Files\EMBARQ Online Security
2008-01-31 03:26   ---------   d-----w   C:\Program Files\Palm
2008-01-31 03:22   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-28 23:36   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
2007-12-24 21:08   ---------   d-----w   C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint
2007-12-24 21:07   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-12-29 02:05   497   ---ha-w   C:\Documents and Settings\Compaq_Owner\hpothb07.dat
2005-09-09 01:32   164   ---ha-w   C:\Documents and Settings\All Users\hpothb07.dat
2005-08-31 02:21   185   ---ha-w   C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Default User\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Administrator\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\NetworkService\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\LocalService\hpothb07.dat
2006-06-17 15:00   0   --sha-w   C:\WINDOWS\SMINST\HPCD.sys

[zippie31]

continued...

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3161E80A-10B1-4011-B569-67B5AFF890B9}]
2007-12-03 20:56   102656   --a------   C:\WINDOWS\system32\datacle.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-12 14:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-10-21 23:41 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-22 00:31 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 21:38 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"VTTimer"="VTTimer.exe" []
"SiSPower"="SiSPower.dll" [2004-09-24 11:49 49152 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 07:44 176128]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [2003-11-12 08:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-02-02 03:41 495616]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-05-09 10:38 36864]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-22 01:01 98304]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 21:41 196608]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2004-08-03 17:18 1083392]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2008-01-30 22:26:10 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

R0 dueavlel;dueavlel;C:\WINDOWS\system32\drivers\ikuracjg.dat []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 23:49:01 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
"2008-01-26 01:00:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Compaq_Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2006-12-03 03:33:06 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\Hewlett-Packard\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 19:09:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-01-31 19:13:07 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-01 00:13:02
ComboFix2.txt  2008-01-31 21:50:58
ComboFix3.txt  2008-01-31 16:44:56
.
2008-01-09 08:08:57   --- E O F --- 

[zippie31]

ok so after all that i did another Avast Boot Scan and it detected 2 files

C:\WINDOWS\ikuracjg.old infected by Win32:Agent-PSI (Rtk)
moved to chest

C:\WINDOWS\System32\drivers\cjphnmli.dat  infected by Win32:Agent-NGL (trj)
moved to chest

the file C:\WINDOWS\System32\datacle.dll is still present in the folder, but Avast no longer detects it as being infected.  Good news???

[1975maggie]

Well it does look better. I see one new file avast picked up, along with the renamed file, which avast also got.

So we know at least one of the commands from within the recovery console worked.

We'll have a look at that autorun, then try to unload the last driver.

From this link  http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files

download, save to your desktop, and run this program

QueryMountPoints

after you download it, double click it to run, please post the results.


Now we see how successful we where in disabling the  evil driver. We'll use use avenger again. Follow the previous Avenger operating instructions, but with the following script

Drivers to unload:
dueavlel

Files to delete:
C:\WINDOWS\System32\datacle.dll 
C:\WINDOWS\system32\drivers\ikuracjg.dat 

Please post the avenger results along with the querymountpoint results, a new combofix log and a new HJT log.

[TedNelly]

Just a couple of things I'm sure 1975maggie would have mentioned

Sun Java Console is out of Date
Sun Java Runtime Environment 6 Update 4
Sun Microsystems, Inc.
Download Sun Java Runtime Environment from the USA

Are you using a Firewall??

[1975maggie]

Thanks tednelly, just getting to that.  zippie31 , here are the instructions for replacing and removing your old java.


Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.

[zippie31]

OK.  Before I get started with this, I did 2 more boot scans with Avast and now I'm all clean.  I was able to manually delete the datacle.dll file. Does this change anything that I need to do?
Thanks 1975maggie for all your help so far!!!

[1975maggie]

You can run the avenger script if you want. It should unload the driver now. I'm pretty sure it's diabled and the file "C:\WINDOWS\system32\drivers\ikuracjg.dat" is gone as we renamed it and avast caught the renamed file. I don't know if it was replaced though. You can check for the file.

There may also be a line to fix in HJt, the 02 line that refers to "C:\WINDOWS\System32\datacle.dll"

The java update is important, as old java can be an entry point for malware.

You may want to consider this

If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

If you want to post the logs we'll have a look, if you are satisfied then you can clean up the tools you downloaded.


download OTMOVEIT2 from here

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe



Double click OTMoveIt and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself



Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean.

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done


 
 

[zippie31]

all right
in answer to the firewall question, i did have a firewall with my old security software untill I uninstalled it 2 days ago (because it obviously did such a fine job of protecting me!!) After finishing this post, that's my next stop.  I will download something.

I ran the avenger script, I will post the log momentarily. 
Then I ran HJT and fixedthe 02 line referring to datacle.dll
I will post that log also.
After that I downloaded JRE and uninstalled "Java 2 Runtime Environment SE v1.42_03
Then I deleted the Java folder from C:\windows\program files
Installed the new Java
Ran combofix and will post that log

[zippie31]

Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wajirlym

*******************

Script file located at: \??\C:\WINDOWS\iiugkwmr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\dueavelel not found!
Unload of driver dueavelel failed!

Could not process line:
dueavelel
Status: 0xc0000034



File C:\WINDOWS\System32\datacle.dll not found!
Deletion of file C:\WINDOWS\System32\datacle.dll failed!

Could not process line:
C:\WINDOWS\System32\datacle.dll
Status: 0xc0000034



File C:\WINDOWS\System32\drivers\ikuracjg.dat not found!
Deletion of file C:\WINDOWS\System32\drivers\ikuracjg.dat failed!

Could not process line:
C:\WINDOWS\System32\drivers\ikuracjg.dat
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

[zippie31]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:04 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
HJT log:

C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

[zippie31]

HJT log continued:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialup24.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3161E80A-10B1-4011-B569-67B5AFF890B9} - C:\WINDOWS\system32\datacle.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster Gold 17\Remind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.dialup24.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9732 bytes

[zippie31]

combofix log:

ComboFix 08-01-31.5 - Compaq_Owner 2008-02-01 13:07:59.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.109 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2008-01-01 to 2008-02-01  )))))))))))))))))))))))))))))))
.

2008-02-01 13:03 . 2007-12-14 01:59   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-02-01 13:02 . 2008-02-01 13:03   <DIR>   d--------   C:\Program Files\Java
2008-02-01 13:02 . 2008-02-01 13:02   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-01-30 18:41 . 2007-12-04 09:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 18:41 . 2007-12-04 09:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 18:41 . 2007-12-04 09:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 18:40 . 2007-12-04 07:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-30 18:40 . 2007-12-04 09:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 18:40 . 2007-12-04 09:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 18:39 . 2008-01-30 18:39   <DIR>   d--------   C:\Program Files\Alwil Software
2008-01-30 18:39 . 2007-12-04 08:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-30 18:39 . 2004-01-09 04:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-30 18:11 . 2008-01-30 18:11   18,884,808   --a------   C:\setupeng.exe
2008-01-29 18:05 . 2008-01-29 18:05   407,680   --a------   C:\aswclnr.exe
2008-01-08 23:20 . 2008-01-13 13:13   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-08 23:20 . 2008-01-08 23:20   1,409   --a------   C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 18:11   ---------   d-----w   C:\Program Files\Plaxo
2008-01-31 04:38   ---------   d-----w   C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-01-31 04:28   ---------   d-----w   C:\Program Files\EMBARQ Online Security
2008-01-31 03:26   ---------   d-----w   C:\Program Files\Palm
2008-01-31 03:22   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-28 23:36   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
2007-12-24 21:08   ---------   d-----w   C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint
2007-12-24 21:07   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-12-29 02:05   497   ---ha-w   C:\Documents and Settings\Compaq_Owner\hpothb07.dat
2005-09-09 01:32   164   ---ha-w   C:\Documents and Settings\All Users\hpothb07.dat
2005-08-31 02:21   185   ---ha-w   C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Default User\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Administrator\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\NetworkService\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\LocalService\hpothb07.dat
2006-06-17 15:00   0   --sha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-12 14:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-22 00:31 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 21:38 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"VTTimer"="VTTimer.exe" []
"SiSPower"="SiSPower.dll" [2004-09-24 11:49 49152 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 07:44 176128]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [2003-11-12 08:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-02-02 03:41 495616]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-05-09 10:38 36864]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-22 01:01 98304]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 21:41 196608]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2004-08-03 17:18 1083392]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2008-01-30 22:26:10 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

S4 dueavlel;dueavlel;C:\WINDOWS\system32\drivers\ikuracjg.dat []

[zippie31]

combofix log continued:

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 15:49:01 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
"2008-01-26 01:00:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Compaq_Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2006-12-03 03:33:06 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\Hewlett-Packard\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 13:12:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-02-01 13:15:35 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-01 18:15:25
ComboFix2.txt  2008-02-01 00:13:07
ComboFix3.txt  2008-01-31 21:50:58
ComboFix4.txt  2008-01-31 16:44:56
.
2008-01-09 08:08:57   --- E O F --- 

[1975maggie]

Hi zippie31, how's everything?

The driver/service is crippled, we can remove it completely or just leave it. It shouldn't be able to run at all, because the reg key that it ran from is gone and the file is gone.

you can run the querymountpoints if you want, it will show us what is in the autorun.inf. The program runs in seconds.