Valera, pop-ups, maybe Virtumonde?



Dreamedove
2007-10-11, 18:37
Hello,
Thanks in advance for your time and help. I've had this problem for a couple of weeks now. I've run VundoFix and it came back with 3 errors that it was able to remove, but I still have pop-ups and a slow machine. I also get explorer errors and a framedyn.dll error. I tried to run the Kaspersky scan 5 times but I keep crashing after a while. Here's my HJT log; please let me know if I can run anything else to assist.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:12 AM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.students.rice.edu/students/Default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\cllfguak.dll",sitypnow
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133913623511
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\cebeq.html

--
End of file - 9365 bytes

random/random
2007-10-11, 23:43
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Dreamedove
2007-10-12, 06:20
Hi,
Thanks for the quick reply. I know you guys must get this a lot, but I truly appreciate the time you've taken to help me. Thanks again. I ran ComboFix like you asked, and while it was running I got the error that freeware is unable to run reg.exe, but ComboFix still finished running and produced a log. Just from the ComboFix everything seems a lot better: my desktop is back, pop-ups have disappeared and Windows is recognizing my antivirus! Here are the logs... am I clean?!
ComboFix 07-10-12.4 - Achala Talati 2007-10-11 22:19:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.34 [GMT -5:00]
Running from: C:\Documents and Settings\Achala Talati\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\cebeq.html
C:\Program Files\outlook
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aoburxud.dll
C:\WINDOWS\system32\duxruboa.ini
C:\WINDOWS\system32\ednesfhj.ini
C:\WINDOWS\system32\gcoyemh.dll
C:\WINDOWS\system32\jhfsende.dll
C:\WINDOWS\system32\kjrqfwor.ini
C:\WINDOWS\system32\moppo.bak1
C:\WINDOWS\system32\moppo.bak1
C:\WINDOWS\system32\moppo.bak1
C:\WINDOWS\system32\moppo.bak2
C:\WINDOWS\system32\moppo.bak2
C:\WINDOWS\system32\moppo.bak2
C:\WINDOWS\system32\moppo.ini
C:\WINDOWS\system32\moppo.ini
C:\WINDOWS\system32\moppo.ini
C:\WINDOWS\system32\moppo.ini2
C:\WINDOWS\system32\moppo.ini2
C:\WINDOWS\system32\moppo.ini2
C:\WINDOWS\system32\moppo.tmp
C:\WINDOWS\system32\moppo.tmp
C:\WINDOWS\system32\moppo.tmp
C:\WINDOWS\system32\opnoopn.dll
C:\WINDOWS\system32\oppom.dll
C:\WINDOWS\system32\ovodsuet.ini
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\rowfqrjk.dll
C:\WINDOWS\system32\ss9
C:\WINDOWS\system32\ss9\rw1000dr.exe
C:\WINDOWS\system32\teusdovo.dll
C:\WINDOWS\system32\uuxywjfr.dll
C:\WINDOWS\system32\vtustqq.dll
C:\WINDOWS\system32\wqhkljki.dll
C:\WINDOWS\system32\z12

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-11 22:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-11 21:52 <DIR> d-------- C:\WINDOWS\system32\AdCache
2007-10-11 01:47 <DIR> d-------- C:\VundoFix Backups
2007-10-09 17:22 <DIR> d-------- C:\faa25853b5828dcc2a3330
2007-10-08 19:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-08 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 18:32 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2007-10-03 18:19 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-10-03 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-03 18:19 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-10-03 18:18 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-03 18:18 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-03 18:18 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-10-03 18:18 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-10-03 18:18 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-03 18:16 <DIR> d-------- C:\Program Files\McAfee
2007-10-03 18:16 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-03 14:53 707,538 --a------ C:\Temp\regit.exe
2007-10-03 14:52 <DIR> d--hs---- C:\WINDOWS\QWNoYWxhICBUYWxhdGk
2007-10-03 14:51 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-03 14:51 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-03 14:51 <DIR> d-------- C:\WINDOWS\system32\abc2
2007-10-03 14:51 <DIR> d-------- C:\Temp\xOe
2007-09-25 16:02 <DIR> d-------- C:\comic4
2007-09-21 10:21 <DIR> d-------- C:\jill1
2007-09-17 18:34 <DIR> d-------- C:\DUKE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 02:59 --------- d-----w C:\Program Files\FlashGet
2007-10-11 16:12 --------- d-----w C:\Program Files\Trend Micro
2007-10-11 06:40 --------- d-----w C:\Program Files\Java
2007-10-04 22:35 --------- d-----w C:\Program Files\Yahoo!
2007-10-04 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:00 246 ----a-w C:\Program Files\Common Files\xurac961
2007-09-26 21:59 --------- d-----w C:\Program Files\DOSBox-0.72
2007-09-26 16:45 --------- d--h--w C:\Documents and Settings\Achala Talati\Application Data\Move Networks
2007-09-24 19:36 --------- d-----w C:\Program Files\Google
2007-08-27 06:52 --------- d-----w C:\Documents and Settings\Achala Talati\Application Data\ZoomBrowser EX
2007-08-27 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-08-24 00:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-24 00:33 --------- d-----w C:\Documents and Settings\Achala Talati\Application Data\AdobeUM
2007-08-18 06:13 --------- d-----w C:\Program Files\Canon
2007-08-18 06:09 --------- d-----w C:\Program Files\Common Files\Canon
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\QWNoYWxhICBUYWxhdGk\kqhCsqU1KF1osqU1x34.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3722FFBE-591A-4E18-BCC4-5735F89D1488}]
C:\Program Files\Internet Explorer\tegojaniv83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82C73385-A76F-4C35-97FC-39AB9DAAF9B2}]
C:\Program Files\Internet Explorer\tegojaniv4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F87D7940-FB91-4FE0-8F45-476035F2C7FF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 00:00]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 13:34]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 07:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 07:56]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 14:15]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 16:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-14 21:16]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-28 04:14]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-07-19 14:35:20]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2001-12-03 13:36:42]
RtlWake.lnk - C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe [2004-06-22 19:23:11]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\oppom.dll


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 23:00:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?8?7?1??????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-11 23:09:11 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:46 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.students.rice.edu/students/Default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3722FFBE-591A-4E18-BCC4-5735F89D1488} - C:\Program Files\Internet Explorer\tegojaniv83122.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {82C73385-A76F-4C35-97FC-39AB9DAAF9B2} - C:\Program Files\Internet Explorer\tegojaniv4444.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {F87D7940-FB91-4FE0-8F45-476035F2C7FF} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133913623511
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9943 bytes

random/random
2007-10-12, 21:22
Run HijackThis.
Click on "Do a system scan only".
Place a checkmark next to these lines (if still present):

O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)

Then close all windows except HijackThis and click "Fix checked".


Open a new Notepad window (Start > All Programs > Accessories > Notepad).
Highlight the contents of the codebox below and then press Ctrl+C to copy it to the clipboard:

Folder::
C:\WINDOWS\system32\AdCache
C:\VundoFix Backups
C:\temp
C:\WINDOWS\QWNoYWxhICBUYWxhdGk
DirLook::
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\ep1
C:\WINDOWS\system32\abc2
C:\comic4
C:\jill1
C:\DUKE
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3722FFBE-591A-4E18-BCC4-5735F89D1488}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82C73385-A76F-4C35-97FC-39AB9DAAF9B2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F87D7940-FB91-4FE0-8F45-476035F2C7FF}]
Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit > Paste.
Save it to the desktop as CFscript.txt.
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
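The CFScript above does two things a defender will want to verify rather than take on faith: it removes the O15 Trusted Zone entries that HijackThis listed, and it resets the LSA "Authentication Packages" value, which ComboFix showed as `msv1_0 C:\WINDOWS\system32\oppom.dll`, back to the default `msv1_0` written as a REG_MULTI_SZ in `hex(7)` form. The script below is an added example written for this thread, not a tool from the forum or from ComboFix; it parses the O15 lines out of a HijackThis log, decodes and re-encodes the `hex(7)` value so you can check that `6d,73,76,31,5f,30,00,00` really is `msv1_0` and nothing else, and flags any non-default entry in the Authentication Packages value. `SAMPLE_HJT_LOG` is a constructed sample made of line shapes taken from the logs posted here; all function names are the example's own.

```python
"""Added example: sanity checks for the two items the CFScript above touches.
Not part of the forum thread or of ComboFix/HijackThis."""
import re

HEX7_PREFIX = "hex(7):"

# Constructed sample: a few HijackThis line shapes as seen in the posted logs.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\cllfguak.dll",sitypnow
"""

# HijackThis appends "(HKLM)" to machine-wide Trusted Zone entries and nothing
# to the per-user (HKCU) ones.
O15_RE = re.compile(
    r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?\s*$", re.M
)


def parse_o15_entries(log_text: str) -> list[tuple[str, str]]:
    """Return (domain, hive) for every O15 Trusted Zone line in a HijackThis log."""
    return [
        (m.group("domain"), m.group("hive") or "HKCU") for m in O15_RE.finditer(log_text)
    ]


def decode_reg_multi_sz(reg_value: str, utf16: bool = False) -> list[str]:
    """Decode a .reg-style REG_MULTI_SZ ("hex(7):6d,73,...") into its strings.

    CFScript writes single-byte ANSI, which is the default here; a regedit
    export writes UTF-16LE, so pass utf16=True for those. Each string is
    NUL-terminated and the list ends with an extra NUL, hence the empty-string
    filter at the end."""
    body = reg_value.strip()
    if not body.lower().startswith(HEX7_PREFIX):
        raise ValueError("not a hex(7) value: %r" % reg_value)
    # .reg files may wrap long values with a trailing backslash; join them back.
    body = body[len(HEX7_PREFIX):].replace("\\\r\n", "").replace("\\\n", "")
    raw = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]


def encode_reg_multi_sz(strings: list[str]) -> str:
    """Inverse of decode_reg_multi_sz for the ANSI form CFScript expects."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return HEX7_PREFIX + ",".join("%02x" % b for b in raw)


def check_authentication_packages(listed: str, expected=("msv1_0",)) -> list[str]:
    """Return every entry in an LSA 'Authentication Packages' value beyond the
    expected default. ComboFix prints the value space-separated, e.g.
    'msv1_0 C:\\WINDOWS\\system32\\oppom.dll' (paths with spaces are not
    handled; the XP default has none). Any extra entry is a DLL that LSASS
    loads at boot and that sees logon credentials, which is why the script
    resets the value to msv1_0 alone."""
    allowed = {x.lower() for x in expected}
    return [e for e in listed.split() if e.lower() not in allowed]


def report(hjt_log: str, lsa_value: str) -> list[str]:
    """Collect human-readable findings for the two checks."""
    findings = []
    for domain, hive in parse_o15_entries(hjt_log):
        findings.append(
            f"O15 Trusted Zone {domain} ({hive}): IE applies relaxed security to this site; "
            "not a Windows default, remove unless you added it"
        )
    for extra in check_authentication_packages(lsa_value):
        findings.append(f"LSA Authentication Packages has non-default entry {extra}")
    return findings


if __name__ == "__main__":
    # The value from the posted ComboFix log, and the CFScript replacement.
    lsa_before = r"msv1_0 C:\WINDOWS\system32\oppom.dll"
    cfscript_value = "hex(7):6d,73,76,31,5f,30,00,00"
    print("CFScript value decodes to:", decode_reg_multi_sz(cfscript_value))
    print("Re-encoded default        :", encode_reg_multi_sz(["msv1_0"]))
    for line in report(SAMPLE_HJT_LOG, lsa_before):
        print("-", line)
```

Running it decodes the CFScript value to `['msv1_0']` and re-encodes the default to the exact `hex(7)` string in the script, which is the check worth doing before dropping any registry-writing script onto ComboFix; the report then lists the two Trusted Zone entries and the extra `oppom.dll` authentication package from the posted logs.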

Dreamedove
2007-10-12, 22:18
Thanks again for your quick reply and help!! Guess I'm only superficially clean.
Here are the new logs you've requested. Just for your info, ComboFix ran and finished, but right before the computer rebooted these errors presented: mircmd.cfexe, restartIT.cfexe and dwwin.exe all failed to initialize. Also, windowsFormsParking had to end (this last one has only started occurring after I got infected). I don't know if these are relevant, just thought I'd let you know.
ComboFix
ComboFix 07-10-12.4 - Achala Talati 2007-10-12 14:47:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.37 [GMT -5:00]
Running from: C:\Documents and Settings\Achala Talati\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Achala Talati\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp
C:\temp\regit.exe
C:\temp\xOe\tOasF.log
C:\VundoFix Backups
C:\VundoFix Backups\slybrqby.ini.bad
C:\VundoFix Backups\vsicyiyh.dll.bad
C:\VundoFix Backups\ybqrbyls.dll.bad
C:\WINDOWS\QWNoYWxhICBUYWxhdGk
C:\WINDOWS\QWNoYWxhICBUYWxhdGk\kqhCsqU1KF1osqU1x34.vbs
C:\WINDOWS\system32\AdCache
C:\WINDOWS\system32\AdCache\B_434_0_0_445800.htm
C:\WINDOWS\system32\AdCache\B_434_0_0_445900.htm
C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm
C:\WINDOWS\system32\AdCache\B_434_1_0_448500.gif
C:\WINDOWS\system32\AdCache\B_434_1_0_448500.htm
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.htm
C:\WINDOWS\system32\AdCache\B_434_1_0_453800.htm
C:\WINDOWS\system32\AdCache\B_434_2_0_526700.htm
C:\WINDOWS\system32\AdCache\B_434_2_0_573300.htm
C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm
C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm
C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm

.
((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-11 22:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 17:22 <DIR> d-------- C:\faa25853b5828dcc2a3330
2007-10-08 19:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-08 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 18:32 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2007-10-03 18:19 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-10-03 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-03 18:19 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-10-03 18:18 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-03 18:18 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-03 18:18 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-10-03 18:18 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-10-03 18:18 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-03 18:16 <DIR> d-------- C:\Program Files\McAfee
2007-10-03 18:16 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-03 14:51 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-03 14:51 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-03 14:51 <DIR> d-------- C:\WINDOWS\system32\abc2
2007-09-25 16:02 <DIR> d-------- C:\comic4
2007-09-21 10:21 <DIR> d-------- C:\jill1
2007-09-17 18:34 <DIR> d-------- C:\DUKE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 02:59 --------- d-----w C:\Program Files\FlashGet
2007-10-11 16:12 --------- d-----w C:\Program Files\Trend Micro
2007-10-11 06:40 --------- d-----w C:\Program Files\Java
2007-10-04 22:35 --------- d-----w C:\Program Files\Yahoo!
2007-10-04 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:00 246 ----a-w C:\Program Files\Common Files\xurac961
2007-09-26 21:59 --------- d-----w C:\Program Files\DOSBox-0.72
2007-09-26 16:45 --------- d--h--w C:\Documents and Settings\Achala Talati\Application Data\Move Networks
2007-09-24 19:36 --------- d-----w C:\Program Files\Google
2007-08-27 06:52 --------- d-----w C:\Documents and Settings\Achala Talati\Application Data\ZoomBrowser EX
2007-08-27 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-08-24 00:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-24 00:33 --------- d-----w C:\Documents and Settings\Achala Talati\Application Data\AdobeUM
2007-08-18 06:13 --------- d-----w C:\Program Files\Canon
2007-08-18 06:09 --------- d-----w C:\Program Files\Common Files\Canon
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\comic4 ----

2007-09-25 16:27 180 --a------ C:\comic4\COMIC.HGH
2007-09-25 16:02 960 --a------ C:\comic4\BIRD2.SHP
2007-09-25 16:02 960 --a------ C:\comic4\BIRD.SHP
2007-09-25 16:02 960 --a------ C:\comic4\BEE.SHP
2007-09-25 16:02 8196 --a------ C:\comic4\BASE.TT2
2007-09-25 16:02 7172 --a------ C:\comic4\COMP.TT2
2007-09-25 16:02 640 --a------ C:\comic4\STAR2.SHP
2007-09-25 16:02 640 --a------ C:\comic4\STAR1.SHP
2007-09-25 16:02 640 --a------ C:\comic4\SAUCER.SHP
2007-09-25 16:02 640 --a------ C:\comic4\ROCK.SHP
2007-09-25 16:02 640 --a------ C:\comic4\GLOBE.SHP
2007-09-25 16:02 640 --a------ C:\comic4\CUBE.SHP
2007-09-25 16:02 640 --a------ C:\comic4\BALL.SHP
2007-09-25 16:02 480 --a------ C:\comic4\STAR3.SHP
2007-09-25 16:02 480 --a------ C:\comic4\FROG.SHP
2007-09-25 16:02 480 --a------ C:\comic4\FB.SHP
2007-09-25 16:02 480 --a------ C:\comic4\BUG.SHP
2007-09-25 16:02 4228 --a------ C:\comic4\CAVE.TT2
2007-09-25 16:02 4100 --a------ C:\comic4\SHED.TT2
2007-09-25 16:02 32569 --a------ C:\comic4\COMIC.EXE
2007-09-25 16:02 16735 --a------ C:\comic4\SYS003.EGA
2007-09-25 16:02 14936 --a------ C:\comic4\SYS004.EGA
2007-09-25 16:02 14595 --a------ C:\comic4\SYS001.EGA
2007-09-25 16:02 14530 --a------ C:\comic4\SYS000.EGA
2007-09-25 16:02 14010 --a------ C:\comic4\SYS002.EGA
2007-09-25 16:02 13024 --a------ C:\comic4\COMIC.DOC
2007-09-25 16:02 1284 --a------ C:\comic4\SPACE2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\SPACE1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\SPACE0.PT
2007-09-25 16:02 1284 --a------ C:\comic4\SHED2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\SHED1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\SHED0.PT
2007-09-25 16:02 1284 --a------ C:\comic4\LAKE2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\LAKE1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\LAKE0.PT
2007-09-25 16:02 1284 --a------ C:\comic4\FOREST2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\FOREST1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\FOREST0.PT
2007-09-25 16:02 1284 --a------ C:\comic4\COMP2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\COMP1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\COMP0.PT
2007-09-25 16:02 1284 --a------ C:\comic4\CAVE2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\CAVE1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\CAVE0.PT
2007-09-25 16:02 1284 --a------ C:\comic4\CASTLE2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\CASTLE1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\CASTLE0.PT
2007-09-25 16:02 1284 --a------ C:\comic4\BASE2.PT
2007-09-25 16:02 1284 --a------ C:\comic4\BASE1.PT
2007-09-25 16:02 1284 --a------ C:\comic4\BASE0.PT
2007-09-25 16:02 11618 --a------ C:\comic4\SYS005.EGA
2007-09-25 16:02 11140 --a------ C:\comic4\FOREST.TT2
2007-09-25 16:02 10756 --a------ C:\comic4\LAKE.TT2
2007-09-25 16:02 10372 --a------ C:\comic4\SPACE.TT2
2007-09-25 16:02 10244 --a------ C:\comic4\CASTLE.TT2

---- Directory of C:\DUKE ----

2007-09-19 18:29 52 --a------ C:\DUKE\SAVEDT.DN1
2007-09-19 18:29 52 --a------ C:\DUKE\SAVED1.DN1
2007-09-19 12:53 80 --a------ C:\DUKE\HIGHS.DN1
2007-09-19 12:53 6 --a------ C:\DUKE\KEYS.DN1
2007-09-19 12:53 2 --a------ C:\DUKE\SPEED.DN1
2007-09-19 12:53 17002 --a------ C:\DUKE\USERDEMO.DN1
2007-09-19 12:53 17002 --a------ C:\DUKE\MY_DEMO.DN1
1998-07-21 22:40 951 --a------ C:\DUKE\NUKUM.TXT
1998-07-21 22:38 10072 --a------ C:\DUKE\VENDOR.DOC
1994-07-15 00:00 5913 --a------ C:\DUKE\ORDER.FRM
1991-11-01 14:00 8064 --a------ C:\DUKE\SOLID3.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\SOLID2.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\SOLID1.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\SOLID0.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\OBJECT2.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\OBJECT1.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\OBJECT0.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\MAN4.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\MAN3.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\MAN2.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\MAN1.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\MAN0.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\BACK3.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\BACK2.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\BACK1.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\BACK0.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\ANIM5.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\ANIM4.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\ANIM3.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\ANIM2.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\ANIM1.DN1
1991-11-01 14:00 8064 --a------ C:\DUKE\ANIM0.DN1
1991-11-01 14:00 7808 --a------ C:\DUKE\BORDER.DN1
1991-11-01 14:00 7168 --a------ C:\DUKE\NUMBERS.DN1
1991-11-01 14:00 6158 --a------ C:\DUKE\DUKE1-B.DN1
1991-11-01 14:00 5692 --a------ C:\DUKE\DUKE1.DN1
1991-11-01 14:00 54688 --a------ C:\DUKE\DN1.EXE
1991-11-01 14:00 32000 --a------ C:\DUKE\END.DN1
1991-11-01 14:00 32000 --a------ C:\DUKE\DUKE.DN1
1991-11-01 14:00 32000 --a------ C:\DUKE\DN.DN1
1991-11-01 14:00 32000 --a------ C:\DUKE\CREDITS.DN1
1991-11-01 14:00 32000 --a------ C:\DUKE\BADGUY.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDALC.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDALB.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDALA.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL9.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL8.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL7.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL6.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL5.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL4.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL3.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL2.DN1
1991-11-01 14:00 23040 --a------ C:\DUKE\WORLDAL1.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP9.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP7.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP5.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP3.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP2.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP13.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP11.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP1.DN1
1991-11-01 14:00 20803 --a------ C:\DUKE\DROP0.DN1
1991-11-01 14:00 2048 --a------ C:\DUKE\FONT2.DN1
1991-11-01 14:00 2048 --a------ C:\DUKE\FONT1.DN1

---- Directory of C:\jill1 ----

2007-09-21 12:03 18422 --a------ C:\jill1\TEMP
2007-09-21 11:42 254 --a------ C:\jill1\JILL1.CFG
2007-09-21 11:42 17986 --a------ C:\jill1\JN1SAVE.2
2007-09-21 11:04 19821 --a------ C:\jill1\JN1SAVE.0
2007-09-21 11:04 18009 --a------ C:\jill1\JN1SAVEM.0
2007-09-21 10:45 20032 --a------ C:\jill1\JN1SAVE.1
2007-09-21 10:45 18149 --a------ C:\jill1\JN1SAVEM.1
2007-09-21 10:21 9930 --a------ C:\jill1\ZEPPELIN.DDT
2007-09-21 10:21 94954 --a------ C:\jill1\JILL1.VCL
2007-09-21 10:21 8951 --a------ C:\jill1\JUPITER.DDT
2007-09-21 10:21 5993 --a------ C:\jill1\SYSOP.DOC
2007-09-21 10:21 5989 --a------ C:\jill1\ORDER.DOC
2007-09-21 10:21 5698 --a------ C:\jill1\IT.DDT
2007-09-21 10:21 5632 --a------ C:\jill1\ORDER-UK.DOC
2007-09-21 10:21 545 --a------ C:\jill1\END1.MAC
2007-09-21 10:21 5311 --a------ C:\jill1\HELPME.DOC
2007-09-21 10:21 4160 --a------ C:\jill1\JILL.DMA
2007-09-21 10:21 3784 --a------ C:\jill1\VENDOR.DOC
2007-09-21 10:21 3680 --a------ C:\jill1\ORDER-DE.DOC
2007-09-21 10:21 345 --a------ C:\jill1\FILE_ID.DIZ
2007-09-21 10:21 260553 --a------ C:\jill1\JILL1.SHA
2007-09-21 10:21 25482 --a------ C:\jill1\INTRO.JN1
2007-09-21 10:21 219216 --a------ C:\jill1\JILL.EXE
2007-09-21 10:21 2091 --a------ C:\jill1\JN1DEMO.MAC
2007-09-21 10:21 20359 --a------ C:\jill1\1.JN1
2007-09-21 10:21 20311 --a------ C:\jill1\6.JN1
2007-09-21 10:21 20292 --a------ C:\jill1\3.JN1
2007-09-21 10:21 19976 --a------ C:\jill1\9.JN1
2007-09-21 10:21 19907 --a------ C:\jill1\50.JN1
2007-09-21 10:21 19197 --a------ C:\jill1\2.JN1
2007-09-21 10:21 19121 --a------ C:\jill1\1.DEM
2007-09-21 10:21 18824 --a------ C:\jill1\0.DEM
2007-09-21 10:21 18800 --a------ C:\jill1\4.JN1
2007-09-21 10:21 18685 --a------ C:\jill1\MAP.JN1
2007-09-21 10:21 17560 --a------ C:\jill1\2.DEM
2007-09-21 10:21 17297 --a------ C:\jill1\LICENSE.DOC
2007-09-21 10:21 16233 --a------ C:\jill1\STEALTH.DDT
2007-09-21 10:21 14336 --a------ C:\jill1\SEVEN.DDT
2007-09-21 10:21 13936 --a------ C:\jill1\HELPME.EXE
2007-09-21 10:21 13525 --a------ C:\jill1\SPIDERS.DDT
2007-09-21 10:21 12160 --a------ C:\jill1\FUNKY.DDT
2007-09-21 10:21 121162 --a------ C:\jill1\CATALOG.EXE
2007-09-21 10:21 10507 --a------ C:\jill1\OMINOUS.DDT
2007-09-21 10:21 10480 --a------ C:\jill1\AUDIO.EPC
2007-09-21 10:21 1046 --a------ C:\jill1\EPIC.ANS
2007-09-21 10:21 10240 --a------ C:\jill1\DAN.DDT

---- Directory of C:\WINDOWS\system32\abc2 ----

2007-09-28 16:29 294667 --a------ C:\WINDOWS\system32\abc2\aisven2.exe

---- Directory of C:\WINDOWS\system32\ep1 ----


---- Directory of C:\WINDOWS\system32\vMW02a ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 00:00]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 13:34]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 07:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 07:56]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 14:15]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 16:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-14 21:16]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-28 04:14]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-07-19 14:35:20]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2001-12-03 13:36:42]
RtlWake.lnk - C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe [2004-06-22 19:23:11]


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 15:00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?8?7?1??????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-12 15:09:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-11 23:09
.
--- E O F ---

Dreamedove
2007-10-12, 22:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:52 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.students.rice.edu/students/Default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133913623511
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9382 bytes

random/random
2007-10-12, 23:01
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Then close all windows except HijackThis and click Fix Checked


Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

Folder::
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\vMW02a
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic


Also, please tell me of any remaining problems
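A small log checker, added here as an example (it is not part of the thread and not a HijackThis or ComboFix feature), that reads HijackThis log lines in the format pasted above and flags the kinds of entries the helper fixes or asks about: CLSID hooks listed as (no file), services marked (file missing), startup shortcuts HijackThis reports as = ?, and Run entries given only as a bare filename. The sample lines are constructed from the formats in the thread, not copied from the poster's full log.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few HijackThis v2.0.2 lines in the same formats that
# appear in the logs pasted in this thread. It is not the poster's full log.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\\..\\Run: [CARPService] carpserv.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - Global Startup: RtlWake.lnk = ?
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\\MATLABR11\\webserver\\bin\\matlabserver.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\\Program Files\\McAfee\\VirusScan Enterprise\\mcshield.exe
"""


@dataclass
class Entry:
    section: str  # the HJT section code, e.g. "O3" or "O23"
    body: str     # everything after "O3 - "
    line: str     # the original line, kept for reporting


# HJT entries start with a section code (R0, F1, N2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into Entry records; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), raw.strip()))
    return entries


def find_orphans(entries):
    """Return (section, reason, line) for entries that point at nothing.

    These are the cases the thread acts on: a CLSID-based hook whose DLL is
    gone (the Yahoo! Toolbar line the helper has fixed), a service whose binary
    is missing, and a startup shortcut HijackThis could not resolve."""
    findings = []
    for e in entries:
        if e.section in ("O2", "O3", "O9") and e.body.endswith("- (no file)"):
            findings.append((e.section, "CLSID entry with no backing file", e.line))
        elif e.section == "O23" and e.body.endswith("(file missing)"):
            findings.append((e.section, "service binary missing", e.line))
        elif e.section == "O4" and e.body.endswith("= ?"):
            findings.append((e.section, "startup shortcut target unresolved", e.line))
    return findings


def run_command(body):
    """Extract the executable from an O4 HKLM/HKCU ..\\Run entry body, or None.

    A quoted command keeps everything inside the quotes; an unquoted one stops
    at the first space, which is how the first argument is separated."""
    m = re.match(r'HK\w+\\\.\.\\Run: \[[^\]]+\] (.*)$', body)
    if not m:
        return None
    cmd = m.group(1)
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def unqualified_run_targets(entries):
    """O4 Run entries whose command is a bare filename with no directory.

    Such a command is resolved through the loader's search order rather than a
    fixed path, so a reviewer confirms which file is really loaded (ComboFix's
    Reg Loading Points section resolves CARPService to
    C:\\WINDOWS\\system32\\carpserv.exe in this thread)."""
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        cmd = run_command(e.body)
        if cmd is not None and "\\" not in cmd:
            out.append((cmd, e.line))
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for section, reason, line in find_orphans(parsed):
        print(f"[{section}] {reason}: {line}")
    for cmd, line in unqualified_run_targets(parsed):
        print(f"[O4] bare filename {cmd!r}, check what it resolves to: {line}")
```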

Dreamedove
2007-10-13, 07:25
My computer heated up and then I accidentally ran the scan while having remove threats checked. The scan then stopped when it read the Qoobox, and McAfee then caught the viruses in that box and deleted them. I then ran the scan again and got these logs. Everything seems to be running a LOT smoother (load up was a little slow, but maybe that was normal), so thank you so much. Does this mean I'm clean? Here are the logs:
ComboFix
ComboFix 07-10-12.4 - Achala Talati 2007-10-12 16:21:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.38 [GMT -5:00]
Running from: C:\Documents and Settings\Achala Talati\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Achala Talati\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\abc2\aisven2.exe
C:\WINDOWS\system32\vMW02a

.
((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-11 22:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 17:22 <DIR> d-------- C:\faa25853b5828dcc2a3330
2007-10-08 19:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-08 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 18:32 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2007-10-03 18:19 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-10-03 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-03 18:19 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-10-03 18:18 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-03 18:18 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-03 18:18 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-10-03 18:18 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-10-03 18:18 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-03 18:16 <DIR> d-------- C:\Program Files\McAfee
2007-10-03 18:16 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-03 14:51 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-09-25 16:02 <DIR> d-------- C:\comic4
2007-09-21 10:21 <DIR> d-------- C:\jill1
2007-09-17 18:34 <DIR> d-------- C:\DUKE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 02:59 --------- d-----w C:\Program Files\FlashGet
2007-10-11 16:12 --------- d-----w C:\Program Files\Trend Micro
2007-10-11 06:40 --------- d-----w C:\Program Files\Java
2007-10-04 22:35 --------- d-----w C:\Program Files\Yahoo!
2007-10-04 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:00 246 ----a-w C:\Program Files\Common Files\xurac961
2007-09-26 21:59 --------- d-----w C:\Program Files\DOSBox-0.72
2007-09-26 16:45 --------- d--h--w C:\Documents and Settings\Achala Talati\Application Data\Move Networks
2007-09-24 19:36 --------- d-----w C:\Program Files\Google
2007-08-27 06:52 --------- d-----w C:\Documents and Settings\Achala Talati\Application Data\ZoomBrowser EX
2007-08-27 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-08-24 00:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-24 00:33 --------- d-----w C:\Documents and Settings\Achala Talati\Application Data\AdobeUM
2007-08-18 06:13 --------- d-----w C:\Program Files\Canon
2007-08-18 06:09 --------- d-----w C:\Program Files\Common Files\Canon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 00:00]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 13:34]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 07:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 07:56]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 14:15]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 16:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-14 21:16]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-08-30 16:37]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-28 04:14]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-07-19 14:35:20]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2001-12-03 13:36:42]
RtlWake.lnk - C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe [2004-06-22 19:23:11]

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
R3 CALIAUD;Conexant AMC 3D Environmental Audio;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
S3 allegro;ESS Allegro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 16:29:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?8?7?1??????? ??3B?????????????T?B? ??????

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-12 16:32:29
C:\ComboFix2.txt ... 2007-10-12 15:09
C:\ComboFix3.txt ... 2007-10-11 23:09
.
--- E O F ---

Dreamedove
2007-10-13, 07:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:49 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.students.rice.edu/students/Default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133913623511
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLABR11\webserver\bin\matlabserver.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9443 bytes

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2590 (20071012)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=45a7035104109243817fad2051197ca2
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-10-13 05:18:04
# local_time=2007-10-13 12:18:04 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=335188
# found=1
# scan_time=5532
C:\qoobox\Quarantine\C\WINDOWS\system32\ss9\rw1000dr.exe.vir Win32/TrojanDownloader.Small.EQN trojan A0638C03C1B9AF722B109F5E42D399E9

Dreamedove
2007-10-13, 08:50
Hi Random,
Just an update. After I posted the logs, I decided to run Spybot. Oddly enough, I found 19 problems, most of them cookies, but a couple said Virtumonde and other trojans (Tagasaurus, something else too). After Spybot finished running, McAfee came up with the error: A0200833.exe as a potentially unwanted program. Am I doing something bad, or should I not be concerned with this? The computer is still working pretty great.

I'm sorry for all of the trouble and thank you again

random/random
2007-10-13, 10:52
I need a spybot report to see what it's detecting

To do this:

Run a scan with Spybot
Right click in the results window and click Copy results to clipboard
Then use ctrl+v or right click>paste to paste the results a reply to this topic

Dreamedove
2007-10-13, 17:43
Morning Random,
Of course, as soon as I saw your post, I ran Spybot and, of course, none of the same problems occurred. I swear all 19 were there yesterday. Of course, I was able to fix all of them yesterday as well, so I guess that's good. Here's the current report from Spybot: only 2 problems, and they're cookies:

DoubleClick: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Achala Talati) (Cookie, nothing done)


Statcounter: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Achala Talati) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2006-02-19 unins000.exe (51.41.0.0)
2007-10-04 unins001.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-10-04 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-10-04 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-10-04 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-10-04 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-10-04 Includes\Malware.sbi (*)
2007-10-04 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-10-04 Includes\PUPSC.sbi (*)
2007-10-04 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-10-04 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-10-04 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-10-04 Includes\Trojans.sbi (*)
2007-10-04 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll


And McAfee didn't come up with an error this time. Anything else I should do? Thanks!

random/random
2007-10-13, 19:26
You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (http://www.personalfirewall.comodo.com/) or Zonealarm (http://www.zonelabs.com/store/content/home.jsp)
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector). I suggest that you run it at least once a month.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts list
Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
Click Start > Run
Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from Automatic to Manual. Click OK & then close the Services window.
For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.
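Added example (not part of this thread, and not Spybot's code): a small Python audit of a HOSTS file in the style of the Spybot hosts list described above. It lists which names are sinkholed to 127.0.0.1 or 0.0.0.0, and flags entries that instead point a name at a remote address or conflict with a block, since the same file that blocks bad sites can also be used to misdirect lookups. The sample file content, hostnames and addresses are constructed for the example.

```python
"""Audit a Windows HOSTS file: sinkholed names, suspicious redirects, conflicts.

Added example; not code from the forum thread or from Spybot-S&D.
"""
import ipaddress
from collections import defaultdict

# Addresses a blocklist-style hosts entry points at so the lookup never leaves the PC.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and are not block entries.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain"}

# Constructed sample, not a real HOSTS file.
SAMPLE_HOSTS = """\
# Constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
# Entries in the style of a Spybot-S&D hosts list
127.0.0.1  ad.doubleclick.net
127.0.0.1  www.statcounter.com statcounter.com   # two names on one line
0.0.0.0    tracker.example.net
# Entries that should be reviewed
11.22.33.44  update.example-av.test   # public address: a redirect, not a block
11.22.33.44  tracker.example.net      # conflicts with the sinkhole above
192.168.1.20 fileserver               # private LAN name, nothing to flag
not-an-ip    www.example.org          # malformed line
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; a line may list several names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return a report: blocked names, remote redirects, malformed lines, conflicts."""
    blocked, redirects, invalid = set(), [], []
    ips_by_name = defaultdict(set)  # keyed by (name, ip version) so v4+v6 pairs are fine
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            invalid.append((line_no, ip, name))  # not a usable address at all
            continue
        ips_by_name[(name, addr.version)].add(ip)
        if ip in SINKHOLES:
            if name not in EXPECTED_LOCAL:
                blocked.add(name)  # blocklist-style entry
        elif not (addr.is_private or addr.is_loopback or addr.is_link_local):
            # A hostname pointed at a remote address: the file is redirecting, not blocking.
            redirects.append((line_no, name, ip))
    conflicts = {name: sorted(ips) for (name, _), ips in ips_by_name.items() if len(ips) > 1}
    return {
        "blocked": sorted(blocked),
        "redirects": redirects,
        "invalid": invalid,
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked:  ", report["blocked"])
    print("redirects:", report["redirects"])
    print("invalid:  ", report["invalid"])
    print("conflicts:", report["conflicts"])
```

To audit the real file, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to audit_hosts instead of SAMPLE_HOSTS.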

Dreamedove
2007-10-13, 20:04
AHHH!
McAfee is still detecting Vundo errors:
nqstv.ini, nqstv.bak1, A020691.exe

It's deleting them... should I be concerned? Am I just acquiring them as I'm on the net? Perhaps taking the precautions you've stated will stop them?

I will start doing the steps you've said until I hear from you...I guess otherwise I shall assume I'm clean.

Thank you again for everything!

Ahh, just added another one! Do I need to delete a quarantine file or something? I'm probably overreacting =)

Dreamedove
2007-10-13, 20:09
Maybe this is a sign my antivirus is working... I guess I shouldn't get all tussled up every time I see a virus being deleted!

Thank you again Random for your time and effort! I shall follow all of the above advice. Take care and I'll definitely do my part to help the effort.

random/random
2007-10-13, 20:25
I forgot to say that you should delete the quarantine of ComboFix, C:\Qoobox - that's probably where McAfee is finding the viruses

Dreamedove
2007-10-13, 20:50
It was from this folder according to McAfee's log:
C:\WINDOWS\System32\svchost.exe (3 of the Vundos)

But they have been deleted and I just deleted the quarantine folders. Since you've given me a clean bill of health, I won't worry =)

It's incredible to have my computer back...thank you again.

random/random
2007-10-13, 21:36
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.