Bad Windows Image



Arethka
2007-11-07, 12:25
Hi,

I keep getting the same error message when I try to launch an application; the error comes up:

[programename.exe] - Bad Image
The application or DLL C:/Windows/system32/.......is not a valid Windows image. Please check your installation disk.

And then the program launches.

I use Webroot Spysweeper and Webroot Desktop Firewall.

My OS is Windows XP SP2.



Thanks,
Dan

Arethka
2007-11-08, 10:01
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:03 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\avedesk13\AVEDESK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Finderbar 1.5\Finderbar_Engine.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] rundll32.exe "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Program Files\avedesk13\AVEDESK.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Finderbar_Engine.lnk = C:\Program Files\Finderbar 1.5\Finderbar_Engine.exe
O4 - Startup: ObjectBar.ini
O4 - Startup: Skylight.lnk = C:\Documents and Settings\Dan\Local Settings\Apps\2.0\LB51DTPY.Q4A\WDJJ69VG.44J\skyl..tion_9ebf2d73f145bd1d_0001.0000_d12826f4ee09ad20\Skylight.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D26E4.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9797 bytes
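The log above contains the classic signs a helper looks for in a HijackThis log: an `O20 - AppInit_DLLs` entry pointing at a `.dat` file in system32, an `O4` Run entry launching `rundll32.exe` on an eight-letter DLL, a BHO whose display name is a bare CLSID, a BHO whose file is missing, and a service whose binary is `cmd.exe (file missing)`. AppInit_DLLs is loaded into every process that loads user32.dll, so a file there that is not a valid PE image produces exactly the "Bad Image" dialog at every program launch described in the first post. The following Python script is an added example, not part of this thread or of HijackThis: it applies those heuristics (my own, chosen to match the entries visible in this log) to HJT-format lines and reports which lines deserve a closer look. The sample lines are constructed from the log above; the helper names `triage_line` and `triage_log` are assumptions of this example.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2 log format; the entries are copied from
# the log posted above so the output can be checked against it by eye.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [d0ed3d80] rundll32.exe "C:\WINDOWS\system32\fbydlbaw.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D26E4.dat
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A bare {CLSID} used where a human-readable name should be.
CLSID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")
# An eight-lowercase-letter DLL living directly in system32 (heuristic, my assumption:
# this matches the randomly named droppers seen in the log, not legitimate DLLs in general).
RANDOM_DLL_RE = re.compile(r"\\[Ss]ystem32\\([a-z]{8})\.dll")


def triage_line(line: str) -> List[str]:
    """Return the reasons one HJT log line looks suspicious (empty list if none)."""
    reasons: List[str] = []
    line = line.strip()
    if not line or " - " not in line:
        return reasons
    section = line.split(" - ", 1)[0]

    if section == "O20" and "AppInit_DLLs:" in line:
        value = line.split("AppInit_DLLs:", 1)[1].strip()
        if value:
            reasons.append("AppInit_DLLs is set: every process loading user32.dll will load this file")
            if not value.lower().endswith(".dll"):
                reasons.append("AppInit_DLLs target does not even carry a .dll extension")
    elif section == "O2":
        # Layout: O2 - BHO: <name> - {CLSID} - <path or '(no file)'>
        parts = line.split(" - ")
        if len(parts) >= 4:
            name, path = parts[1].replace("BHO: ", "", 1), parts[-1]
            if CLSID_RE.match(name):
                reasons.append("BHO display name is a bare CLSID")
            if "(file missing)" in path or "(no file)" in path:
                reasons.append("BHO points at a missing file")
            if RANDOM_DLL_RE.search(path):
                reasons.append("BHO loads an eight-letter DLL from system32")
    elif section == "O4":
        if "rundll32.exe" in line.lower() and RANDOM_DLL_RE.search(line):
            reasons.append("Run entry starts rundll32 on an eight-letter DLL in system32")
    elif section == "O23":
        # Layout: O23 - Service: <name> - <owner> - <binary path>
        path = line.rsplit(" - ", 1)[-1]
        if "(file missing)" in path:
            reasons.append("service binary is missing")
        if path.lower().startswith("cmd.exe"):
            reasons.append("service binary is cmd.exe rather than the real service image")
    return reasons


def triage_log(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and keep only the flagged lines."""
    flagged = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Five of the eight sample lines are flagged; the Spybot BHO, the SpySweeper Run entry and the iPod service pass clean. The heuristics are deliberately narrow (eight lowercase letters in system32, bare CLSID names, missing files), which is the right trade-off for a triage pass that a human then reviews, not a verdict.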

pskelley
2007-11-11, 01:40
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page. I'll need that Kaspersky scan; don't run and post it until I ask you to.

Looks like a Vundo infection, which can be tough to remove. I will start by saying that until I say you are clean..

1) Return here: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it Dan.exe or whatever you wish. The next log after a restart will show the hidden junk if it is there.

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Thanks

Arethka
2007-11-11, 09:26
ComboFix Log:

ComboFix 07-11-08.1 - Dan 2007-11-11 16:47:56.3 - NTFSx86
Running from: C:\Documents and Settings\Dan\Desktop\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\__c00D26E4.dat
C:\WINDOWS\system32\glesquag.dllbox
C:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-08 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 16:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 15:52 32,768 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-05 18:57 58,368 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 18:40 85,568 --a------ C:\WINDOWS\system32\fbydlbaw.dll
2007-11-05 15:27 83,008 --a------ C:\WINDOWS\system32\wqridibx.dll
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\rc.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-11-03 14:13 52,224 --a------ C:\WINDOWS\system32\rasmoesa.dll
2007-11-03 14:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-03 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-03 13:48 <DIR> d-------- C:\Program Files\Photoshop
2007-11-01 18:27 <DIR> dr-hs---- C:\Volume Information
2007-11-01 18:26 <DIR> d-------- C:\WINDOWS\Instant Lock
2007-11-01 18:26 <DIR> d-------- C:\Program Files\Instant Lock
2007-10-31 15:32 <DIR> d-------- C:\Program Files\DriveMounter
2007-10-28 17:42 <DIR> d-------- C:\Program Files\Mac Startup Screen
2007-10-28 17:40 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Nubs
2007-10-28 17:34 <DIR> d-------- C:\Program Files\Concentrate
2007-10-28 17:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-28 17:27 <DIR> d-------- C:\Program Files\Finderbar 1.5
2007-10-28 17:27 46,592 --a------ C:\WINDOWS\zipinst.exe
2007-10-28 17:21 <DIR> d-------- C:\Program Files\ICO-PNG
2007-10-27 13:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-26 22:29 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Alien Skin
2007-10-23 21:02 <DIR> d-------- C:\Program Files\RK Launcher
2007-10-23 20:06 <DIR> d-------- C:\Program Files\RocketDock
2007-10-22 20:30 <DIR> d-------- C:\Program Files\Atlantis Xtreme V0.9.1
2007-10-21 12:02 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\HP
2007-10-21 11:47 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-20 18:35 <DIR> d-------- C:\Program Files\Star Trek Legacy
2007-10-20 13:20 177,496 --a------ C:\WINDOWS\system32\wdfproc.dll
2007-10-18 13:41 85,848 --a------ C:\WINDOWS\system32\drivers\pwipf6.sys
2007-10-16 17:49 <DIR> d-------- C:\Program Files\Activision
2007-10-16 17:39 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-10-16 17:32 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-16 16:39 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\DivX
2007-10-16 16:36 <DIR> d-------- C:\Program Files\Google
2007-10-15 18:24 <DIR> d-------- C:\Program Files\DivX
2007-10-15 13:03 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-10-15 13:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-10-15 12:12 <DIR> d-------- C:\Program Files\Xvid
2007-10-15 12:08 28,672 --a------ C:\WINDOWS\system32\Alphablending.dll
2007-10-15 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-15 10:54 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\CandyLabs
2007-10-14 18:10 <DIR> d-------- C:\Program Files\MSBuild
2007-10-14 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-14 17:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-10-14 17:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 08:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
2007-11-09 13:22 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-11-09 13:17 --------- d-----w C:\Program Files\Avanquest update
2007-11-09 09:49 4,624,384 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-11-09 09:46 163,840 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-11-08 11:06 --------- d-----w C:\Documents and Settings\Dan\Application Data\LimeWire
2007-11-07 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-06 09:49 --------- d-----w C:\Program Files\Webroot
2007-11-03 05:10 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-03 01:59 --------- d-----w C:\Program Files\Trillian
2007-10-31 08:57 --------- d-----w C:\Documents and Settings\Dan\Application Data\Matrix Y2K
2007-10-28 09:18 --------- d-----w C:\Program Files\iTunes
2007-10-21 02:45 164 ----a-w C:\install.dat
2007-10-17 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-16 07:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-15 01:53 --------- d-----w C:\Program Files\WS_FTP Pro
2007-10-14 12:36 --------- d-----w C:\Program Files\Common Files\Stardock
2007-10-14 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 12:30 --------- d-----w C:\Program Files\Macromedia
2007-10-14 12:26 --------- d-----w C:\Program Files\AutoSizer
2007-10-11 08:17 --------- d-----w C:\Program Files\Matrix Y2K
2007-10-10 11:25 --------- d-----w C:\Documents and Settings\Dan\Application Data\SmartFTP
2007-10-09 13:06 --------- d-----w C:\Program Files\Azureus
2007-10-09 02:54 --------- d-----w C:\Documents and Settings\Dan\Application Data\CyberLink
2007-10-02 16:32 --------- d-----w C:\Program Files\Bonjour
2007-10-01 08:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
2007-10-01 08:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 08:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 08:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-29 12:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-29 12:26 --------- d-----w C:\Documents and Settings\Dan\Application Data\SpinTop
2007-09-29 12:25 94,208 ----a-w C:\WINDOWS\system32\ScrUnZip.dll
2007-09-29 12:25 908,716 ----a-w C:\WINDOWS\system32\GFC 2006.SCR
2007-09-29 12:25 129,536 ----a-w C:\WINDOWS\system32\IJL15.dll
2007-09-29 10:54 --------- d-----w C:\Program Files\ChaosAbout100
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-28 16:07 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-28 16:07 532,480 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-28 13:23 --------- d-----w C:\Documents and Settings\Dan\Application Data\Talkback
2007-09-28 09:31 --------- d-----w C:\Program Files\iPod
2007-09-26 06:42 58,792 ----a-w C:\WINDOWS\system32\wbload.dll
2007-09-22 12:41 --------- d-----w C:\Program Files\LemonCord
2007-09-22 09:23 --------- d-----w C:\Program Files\Desktop Icon Toy
2007-09-15 03:36 --------- d-----w C:\Program Files\Styler
2007-09-14 12:26 --------- d-----w C:\Program Files\finexer
2007-09-14 12:11 --------- d-----w C:\Documents and Settings\Dan\Application Data\AveDesk
2007-09-14 12:04 --------- d-----w C:\Documents and Settings\Dan\Application Data\FindeXer
2007-09-14 11:32 --------- d-----w C:\Documents and Settings\Dan\Application Data\Styler
2007-09-14 09:46 --------- d-----w C:\Program Files\avedesk13
2007-09-14 09:16 --------- d-----w C:\Program Files\YzShadow
2007-09-14 09:16 --------- d-----w C:\Program Files\WinRoll
2007-09-14 09:16 --------- d-----w C:\Program Files\UberIcon
2007-09-14 09:16 --------- d-----w C:\Program Files\Tiger System Preferences v2
2007-09-12 07:47 --------- d-----w C:\Program Files\Apple Software Update
2007-09-02 07:27 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-08-27 09:47 7,852 ----a-w C:\WINDOWS\system32\mcdmsg7.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-02 09:48 92,064 ----a-w C:\Documents and Settings\Dan\mqdmmdm.sys
2007-08-02 09:48 9,232 ----a-w C:\Documents and Settings\Dan\mqdmmdfl.sys
2007-08-02 09:48 79,328 ----a-w C:\Documents and Settings\Dan\mqdmserd.sys
2007-08-02 09:48 66,656 ----a-w C:\Documents and Settings\Dan\mqdmbus.sys
2007-08-02 09:48 6,208 ----a-w C:\Documents and Settings\Dan\mqdmcmnt.sys
2007-08-02 09:48 5,936 ----a-w C:\Documents and Settings\Dan\mqdmwhnt.sys
2007-08-02 09:48 4,048 ----a-w C:\Documents and Settings\Dan\mqdmcr.sys
2007-08-02 09:48 25,600 ----a-w C:\Documents and Settings\Dan\usbsermptxp.sys
2007-08-02 09:48 22,768 ----a-w C:\Documents and Settings\Dan\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264426f7-9772-43c1-a02e-14bcb29bda36}]
2007-11-05 15:27 83008 --a------ C:\WINDOWS\system32\wqridibx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320635D7-379D-48C3-B183-ABD0C4B20E69}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87FA4A3-2474-4a3f-B413-67D515905024}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ImageShackUtil"="C:\Program Files\ImageShack\QuickShot\QuickShot.exe" []
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20]
"System Files Updater"="C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" [2006-01-15 15:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 14:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"d0ed3d80"="C:\WINDOWS\system32\fbydlbaw.dll" [2007-11-05 18:40]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"Windows Logon Application"="C:\WINDOWS\system32\logon.exe" [2007-06-13 19:23]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 17:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24]
"DesktopIconToy"="C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 22:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll 2007-09-24 20:08 229376 C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"


.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 09:52:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-05 08:00:46 C:\WINDOWS\Tasks\wrSpySweeper_L5D90EFAFC01D49D88C2490292CB7F309.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 17:16:13
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\unpr.sys 2432 bytes executable
C:\WINDOWS\system32\logon.exe 40960 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-11-11 17:20:52 - machine was rebooted
.
--- E O F ---

Arethka
2007-11-11, 09:27
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:24 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\logon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9025 bytes

pskelley
2007-11-11, 14:29
We have a problem. The reason I asked that the computer be kept offline is that the junk often has the ability to continue to download more junk, and in this case a very dangerous trojan is in your newest HJT log.
First HJT log: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:03 PM, on 8/11/2007
There is a lot of junk to clean, but this item is NOT there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:24 PM, on 11/11/2007

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
http://www.castlecops.com/startuplist-8569.html
http://www.sophos.com/virusinfo/analyses/w32poebotj.html

Allows others to access the computer
Steals information
Downloads code from the internet
Reduces system security
Installs itself in the Registry
Used in DOS attacks
As you can see, this is a very bad trojan, so I need to give you this information.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

All of the rest of the junk is also still there except for the small start by combofix. If you should decide to proceed, I need to show you this:

1) Return here: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it Dan.exe or whatever you wish. The next log after a restart will show the hidden junk if it is there. You continued with HJT.exe, which is what the trash hides from: C:\Program Files\Trend Micro\HijackThis\HJT.exe. I suggested Dan.exe, but call it anything but HijackThis.exe or HJT.exe.

Thanks
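
A defender-side way to do the comparison described in this post (which O4 autostart entries appeared between two HijackThis logs, plus the naming and path tells discussed in the thread), as an added example that is not part of this thread or of HijackThis or ComboFix. The two log excerpts are constructed from lines that appear in the thread, and the flagging rules are reviewer heuristics (assumptions), not any tool's own rules:

```python
"""Compare two HijackThis logs and flag suspicious O4 autostart entries.

Added example, not part of this thread or of HijackThis/ComboFix. The two
log excerpts below are constructed from lines that appear in the thread; the
flagging rules are reviewer heuristics (assumptions), not rules of any tool.
"""
import re

# An O4 line looks like:  O4 - HKLM\..\Run: [DisplayName] command line
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')

# Where a frequently impersonated Windows binary really lives (lowercase).
EXPECTED_DIRS = {'explorer.exe': r'c:\windows'}


def parse_o4(log_text):
    """Return {(hive, display name): command} for every O4 line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m['hive'], m['name'])] = m['cmd']
    return entries


def first_executable(cmd):
    """Pull the program path out of a Run value, whether or not it is quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first '.exe' token.
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [''])[0]


def suspicious_reasons(name, cmd):
    """Heuristic review of one autostart entry; returns a list of findings."""
    reasons = []
    exe = first_executable(cmd)
    exe_l = exe.lower()
    directory, _, base = exe_l.rpartition('\\')

    # 1. A machine-generated value name (8 hex chars) instead of a product name.
    if re.fullmatch(r'[0-9a-f]{8}', name.lower()):
        reasons.append('value name looks machine-generated')

    # 2. rundll32 loading an 8-letter random-looking DLL out of system32.
    if base == 'rundll32.exe':
        rest = cmd[cmd.lower().find('rundll32.exe') + len('rundll32.exe'):]
        dll = re.search(r'([^"\\\s]+\.dll)', rest, re.IGNORECASE)
        if (dll and re.fullmatch(r'[a-z]{8}\.dll', dll.group(1).lower())
                and '\\system32\\' in rest.lower()):
            reasons.append(f'rundll32 loads random-looking {dll.group(1)} from system32')

    # 3. A well-known Windows binary name running from the wrong directory.
    if base in EXPECTED_DIRS and directory != EXPECTED_DIRS[base]:
        reasons.append(f'{base} loaded from {directory or "(bare name)"}, '
                       f'expected {EXPECTED_DIRS[base]}')

    # 4. A "Windows ..." display name pointing into system32: genuine Windows
    #    components rarely register themselves under Run this way, so verify.
    if name.lower().startswith('windows ') and '\\system32\\' in exe_l:
        reasons.append('display name imitates a Windows component; '
                       'confirm the file is a signed Microsoft binary')
    return reasons


def review(old_log, new_log):
    """Entries that are new since old_log or that trip a heuristic."""
    old = parse_o4(old_log)
    findings = []
    for (hive, name), cmd in parse_o4(new_log).items():
        is_new = (hive, name) not in old
        reasons = suspicious_reasons(name, cmd)
        if is_new or reasons:
            findings.append({'name': name, 'cmd': cmd, 'new': is_new, 'reasons': reasons})
    return findings


# Constructed excerpts: the first log lacks the entry the rootkit was hiding.
OLD_LOG = """\
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [d0ed3d80] "rundll32.exe" "C:\\WINDOWS\\system32\\fbydlbaw.dll",b
O4 - HKLM\\..\\Run: [SpySweeper] "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe" /startintray
"""
NEW_LOG = """\
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [d0ed3d80] "rundll32.exe" "C:\\WINDOWS\\system32\\fbydlbaw.dll",b
O4 - HKLM\\..\\Run: [Windows Logon Application] C:\\WINDOWS\\system32\\logon.exe
O4 - HKLM\\..\\Run: [Windows Explorer] C:\\WINDOWS\\system32\\explorer.exe
O4 - HKLM\\..\\Run: [SpySweeper] C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe /startintray
"""

if __name__ == '__main__':
    for f in review(OLD_LOG, NEW_LOG):
        tag = 'NEW ' if f['new'] else '    '
        print(f"{tag}[{f['name']}] {f['cmd']}")
        for r in f['reasons']:
            print(f"      - {r}")
```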

pskelley
2007-11-11, 20:52
My apologies Dan, one of our rootkit experts has pointed out that you also have one or more rootkit infections which does not make the situation any better. This was responsible for that logon.exe not showing in the first log. It was hidden until combofix went to work on it.

When it removed this: C:\WINDOWS\system32\xpdx.sys see the link:
http://www.bleepingcomputer.com/startups/xpdx.sys-18517.html
Then we could see the hidden item.

See this area of the log where combofix checks for rootkits:
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Sorry I missed that, but like I said, it only assures me of the seriousness of this infection.
http://en.wikipedia.org/wiki/Rootkit

Thanks

Arethka
2007-11-12, 07:45
Bugger, I know how to and will Format the PC if necessary. But if I must take that action, would I be able to connect my External HDD to backup files, just my site and stuff like that, no programs, without it being infected?

Arethka
2007-11-12, 10:02
Oh, I forgot to mention but after I ran ComboFix the popups went away.

pskelley
2007-11-12, 12:35
Hi Dan, let me comment on this first:

Oh, I forgot to mention but after I ran ComboFix the popups went away

Indeed, as I explained, combofix hit the rootkit that was hiding the trojan and removed other items that were probably causing the popups.
As great as combofix is, it will not clean everything; think how huge the program would have to be. We can see the trojan, andymanchesta has added that one to SDFix (it could also be removed manually), and we can clean the rest of the junk with a little effort. We can also run tools to look for and remove any rootkits. Then we ask, is this computer safe? That is where we run into a problem, because we can never be assured of that. I will be glad to help get the computer as clean as possible, and that is your decision.
I can say in my case, were it my computer which I use extensively for online banking, etc., I would have to reformat.

Here is information I have that should answer your questions:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Thanks...Phil

Arethka
2007-11-13, 09:25
OK, thanks for that, but can you answer my first question please.


Bugger, I know how to and will Format the PC if necessary. But if I must take that action, would I be able to connect my External HDD to backup files, just my site and stuff like that, no programs, without it being infected?


Thanks,
Dan

Arethka
2007-11-13, 09:37
Sorry I have changed my mind, I would rather try and clean the PC, rather than formatting it.

pskelley
2007-11-13, 14:22
OK Dan, we can do that. Since a bit of time has passed and malware changes quickly, I would like you to remove the version of combofix report and a new HJT log. Please remember to keep the computer offline except when troubleshooting until we have kicked this junk out; it may download more.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks

Arethka
2007-11-14, 08:23
ComboFix Log:

ComboFix 07-11-08.1 - Dan 2007-11-14 15:54:47.4 - NTFSx86
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\system32\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 15:32 30,841 --a------ C:\WINDOWS\system32\dskfhfab.exe
2007-11-13 18:24 31,622 --a------ C:\WINDOWS\system32\tutrge.exe
2007-11-11 17:17 2,432 --a------ C:\WINDOWS\system32\unpr.sys
2007-11-08 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 16:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 15:52 32,768 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-05 18:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 18:40 85,568 --a------ C:\WINDOWS\system32\fbydlbaw.dll
2007-11-05 15:27 83,008 --a------ C:\WINDOWS\system32\wqridibx.dll
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\rc.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-11-03 14:13 52,224 --a------ C:\WINDOWS\system32\rasmoesa.dll
2007-11-03 14:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-03 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-03 13:48 <DIR> d-------- C:\Program Files\Photoshop
2007-11-01 18:27 <DIR> dr-hs---- C:\Volume Information
2007-11-01 18:26 <DIR> d-------- C:\WINDOWS\Instant Lock
2007-11-01 18:26 <DIR> d-------- C:\Program Files\Instant Lock
2007-10-31 15:32 <DIR> d-------- C:\Program Files\DriveMounter
2007-10-28 17:42 <DIR> d-------- C:\Program Files\Mac Startup Screen
2007-10-28 17:40 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Nubs
2007-10-28 17:34 <DIR> d-------- C:\Program Files\Concentrate
2007-10-28 17:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-28 17:27 <DIR> d-------- C:\Program Files\Finderbar 1.5
2007-10-28 17:27 46,592 --a------ C:\WINDOWS\zipinst.exe
2007-10-28 17:21 <DIR> d-------- C:\Program Files\ICO-PNG
2007-10-27 13:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-26 22:29 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Alien Skin
2007-10-23 21:02 <DIR> d-------- C:\Program Files\RK Launcher
2007-10-23 20:06 <DIR> d-------- C:\Program Files\RocketDock
2007-10-22 20:30 <DIR> d-------- C:\Program Files\Atlantis Xtreme V0.9.1
2007-10-21 12:02 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\HP
2007-10-21 11:47 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-20 18:35 <DIR> d-------- C:\Program Files\Star Trek Legacy
2007-10-20 13:20 177,496 --a------ C:\WINDOWS\system32\wdfproc.dll
2007-10-18 13:41 85,848 --a------ C:\WINDOWS\system32\drivers\pwipf6.sys
2007-10-16 17:49 <DIR> d-------- C:\Program Files\Activision
2007-10-16 17:39 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-10-16 17:32 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-16 16:39 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\DivX
2007-10-16 16:36 <DIR> d-------- C:\Program Files\Google
2007-10-15 18:24 <DIR> d-------- C:\Program Files\DivX
2007-10-15 13:03 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-10-15 13:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-10-15 12:12 <DIR> d-------- C:\Program Files\Xvid
2007-10-15 12:08 28,672 --a------ C:\WINDOWS\system32\Alphablending.dll
2007-10-15 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-15 10:54 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\CandyLabs
2007-10-14 18:10 <DIR> d-------- C:\Program Files\MSBuild
2007-10-14 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-14 17:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-10-14 17:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 09:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-11 08:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
2007-11-09 13:22 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-11-09 13:17 --------- d-----w C:\Program Files\Avanquest update
2007-11-09 09:49 4,624,384 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-11-09 09:46 163,840 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-11-08 11:06 --------- d-----w C:\Documents and Settings\Dan\Application Data\LimeWire
2007-11-07 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-06 09:49 --------- d-----w C:\Program Files\Webroot
2007-11-03 01:59 --------- d-----w C:\Program Files\Trillian
2007-10-31 08:57 --------- d-----w C:\Documents and Settings\Dan\Application Data\Matrix Y2K
2007-10-28 09:18 --------- d-----w C:\Program Files\iTunes
2007-10-21 02:45 164 ----a-w C:\install.dat
2007-10-17 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-16 07:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-15 01:53 --------- d-----w C:\Program Files\WS_FTP Pro
2007-10-14 12:36 --------- d-----w C:\Program Files\Common Files\Stardock
2007-10-14 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 12:30 --------- d-----w C:\Program Files\Macromedia
2007-10-14 12:26 --------- d-----w C:\Program Files\AutoSizer
2007-10-11 08:17 --------- d-----w C:\Program Files\Matrix Y2K
2007-10-10 11:25 --------- d-----w C:\Documents and Settings\Dan\Application Data\SmartFTP
2007-10-09 13:06 --------- d-----w C:\Program Files\Azureus
2007-10-09 02:54 --------- d-----w C:\Documents and Settings\Dan\Application Data\CyberLink
2007-10-02 16:32 --------- d-----w C:\Program Files\Bonjour
2007-10-01 08:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
2007-10-01 08:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 08:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 08:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-29 12:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-29 12:26 --------- d-----w C:\Documents and Settings\Dan\Application Data\SpinTop
2007-09-29 12:25 94,208 ----a-w C:\WINDOWS\system32\ScrUnZip.dll
2007-09-29 12:25 908,716 ----a-w C:\WINDOWS\system32\GFC 2006.SCR
2007-09-29 12:25 129,536 ----a-w C:\WINDOWS\system32\IJL15.dll
2007-09-29 10:54 --------- d-----w C:\Program Files\ChaosAbout100
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-28 16:07 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-28 16:07 532,480 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-28 13:23 --------- d-----w C:\Documents and Settings\Dan\Application Data\Talkback
2007-09-28 09:31 --------- d-----w C:\Program Files\iPod
2007-09-26 06:42 58,792 ----a-w C:\WINDOWS\system32\wbload.dll
2007-09-22 12:41 --------- d-----w C:\Program Files\LemonCord
2007-09-22 09:23 --------- d-----w C:\Program Files\Desktop Icon Toy
2007-09-15 03:36 --------- d-----w C:\Program Files\Styler
2007-09-14 12:26 --------- d-----w C:\Program Files\finexer
2007-09-14 12:11 --------- d-----w C:\Documents and Settings\Dan\Application Data\AveDesk
2007-09-14 12:04 --------- d-----w C:\Documents and Settings\Dan\Application Data\FindeXer
2007-09-14 11:32 --------- d-----w C:\Documents and Settings\Dan\Application Data\Styler
2007-09-14 09:46 --------- d-----w C:\Program Files\avedesk13
2007-09-14 09:16 --------- d-----w C:\Program Files\YzShadow
2007-09-14 09:16 --------- d-----w C:\Program Files\WinRoll
2007-09-14 09:16 --------- d-----w C:\Program Files\UberIcon
2007-09-14 09:16 --------- d-----w C:\Program Files\Tiger System Preferences v2
2007-09-02 07:27 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-08-27 09:47 7,852 ----a-w C:\WINDOWS\system32\mcdmsg7.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-02 09:48 92,064 ----a-w C:\Documents and Settings\Dan\mqdmmdm.sys
2007-08-02 09:48 9,232 ----a-w C:\Documents and Settings\Dan\mqdmmdfl.sys
2007-08-02 09:48 79,328 ----a-w C:\Documents and Settings\Dan\mqdmserd.sys
2007-08-02 09:48 66,656 ----a-w C:\Documents and Settings\Dan\mqdmbus.sys
2007-08-02 09:48 6,208 ----a-w C:\Documents and Settings\Dan\mqdmcmnt.sys
2007-08-02 09:48 5,936 ----a-w C:\Documents and Settings\Dan\mqdmwhnt.sys
2007-08-02 09:48 4,048 ----a-w C:\Documents and Settings\Dan\mqdmcr.sys
2007-08-02 09:48 25,600 ----a-w C:\Documents and Settings\Dan\usbsermptxp.sys
2007-08-02 09:48 22,768 ----a-w C:\Documents and Settings\Dan\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264426f7-9772-43c1-a02e-14bcb29bda36}]
2007-11-05 15:27 83008 --a------ C:\WINDOWS\system32\wqridibx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320635D7-379D-48C3-B183-ABD0C4B20E69}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87FA4A3-2474-4a3f-B413-67D515905024}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ImageShackUtil"="C:\Program Files\ImageShack\QuickShot\QuickShot.exe" []
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20]
"System Files Updater"="C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" [2006-01-15 15:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 14:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"d0ed3d80"="rundll32.exe" [2004-08-12 23:04 C:\WINDOWS\system32\rundll32.exe]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"Windows Logon Application"="C:\WINDOWS\system32\logon.exe" [2007-06-13 19:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Windows Explorer"="C:\WINDOWS\system32\explorer.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 17:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24]
"DesktopIconToy"="C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 22:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll 2007-09-24 20:08 229376 C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"


.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 09:52:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 08:00:22 C:\WINDOWS\Tasks\wrSpySweeper_L5D90EFAFC01D49D88C2490292CB7F309.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 16:02:26
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 16:04:12
.
--- E O F ---

Arethka
2007-11-14, 08:24
HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:30 PM, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dskfhfab.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\Dan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9225 bytes

pskelley
2007-11-14, 15:15
Thanks for returning the fresh information, let's start like this:

1) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

2) To disable SpySweeper: <<< may be old instructions but turn it off until you are done and then back on to continue your realtime protection.

Open the program
On the left, click: Options, then > Program Options
Uncheck: Load at windows startup
Again on the left click: Shields and uncheck all items there.
Uncheck: Home Page Shield
Uncheck: Automatically restore default without notification

3) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
This is a start, you have other infections.

Thanks

Arethka
2007-11-15, 08:50
SDFix:

SDFix: Version 1.114

Run by Dan on Thu 15/11/2007 at 04:09 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\logon.exe - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rasmoesa.dll - Deleted
C:\WINDOWS\system32\rc.dat - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 16:25:11
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:41,63,05,f0,07,12,e5,1a,b4,af,53,f6,e1,25,16,af,da,bc,6c,b1,6b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:41,63,05,f0,07,12,e5,1a,b4,af,53,f6,e1,25,16,af,da,bc,6c,b1,6b,..

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\chevron8653@hotmail.com\DFSR\Staging\CS{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}\01\29-{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}-v1-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\chevron8653@hotmail.com\DFSR\Staging\CS{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}\53\353-{74EE1628-3DE3-44BB-BE92-96BC5C9F44A3}-v353-{74EE1628-3DE3-44BB-BE92-96BC5C9F44A3}-v353-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1400 bytes hidden from API
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\martouf_of_tokra@hotmail.com\DFSR\Staging\CS{372F4939-D34C-5F6B-D909-099612CAD1CF}\01\10-{372F4939-D34C-5F6B-D909-099612CAD1CF}-v1-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\martouf_of_tokra@hotmail.com\DFSR\Staging\CS{372F4939-D34C-5F6B-D909-099612CAD1CF}\11\11-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v11-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 4


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 12 Aug 2004 100,352 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sat 22 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT44.tmp"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ecdaae76294ae865d5456738faf3aa2e\BIT43.tmp"
Tue 6 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT3E.tmp"

Finished!

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:46 PM, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Dan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8455 bytes

pskelley
2007-11-15, 12:45
Thanks for returning your information, let's do this now:

1) see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.6.0_01\ <<< update your Java program and uninstall all old versions in Add Remove programs.

2) C:\Program Files\Styler\Styler.exe <<< assure me this is a valid program.

3) Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
(fsbl.exe) and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
Exit Blacklight and post the contents of the log in your next reply.

(don't fix anything, just post the log)

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) SpySweeper turned off please.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\fbydlbaw.dll <<< delete that file if there.

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer, post the report from BlackLight, a new HJT log and some feedback. How is the computer running?

Thanks

Arethka
2007-11-16, 12:02
Styler is a program I use; it is safe. And I don't have time at the moment to follow the steps, I'll do it on Saturday night.


thanks,
Dan

Arethka
2007-11-17, 05:37
I've hit a snag. I installed the latest Java and I opened the cmd window and typed in what you said, hit enter, but nothing happened.

Arethka
2007-11-17, 05:38
and now the computer has slowed down considerably...

pskelley
2007-11-17, 12:37
I have no idea what you have done, I just now executed the same instructions I posted for BlackLight and it worked just as it is supposed to. Try reviewing the instructions.

"And I don't have time at the moment to follow the steps, I'll do it on Saturday night."
Make sure you are not doing this stuff when you are hurried or do not have sufficient time to allow. It only takes one mistake!

Thanks

Arethka
2007-11-18, 09:09
I followed the instructions again, and when I open the command window I type in what you said and hit enter. Nothing happens, though; a new line just comes up saying: C:\Documents and Settings\Dan>

Arethka
2007-11-18, 09:13
Oh, and after I installed Windows updates there is a new folder in C:\, it's called "ceaffa4ae32e019564d438653aaf07" and has two files in it, "mrt.exe._p" and "mrtstub.exe". Underneath "mrtstub.exe" it says: "Malicious Software Removal Tool Update Stub
Microsoft Corporation"

pskelley
2007-11-18, 13:17
That's part of this tool that I believe Microsoft updates with each critical update. You can run it if you wish.
http://www.microsoft.com/security/malwareremove/default.mspx
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.security&tid=c0b6f0d6-4894-4fe8-9ea2-82a6c4eee208&p=1

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

I'm a little lost on this one, I think we are looking for stuff that is not there. Remove SDFix and combofix completely from your computer, make sure to delete backups and quarantine folders.
Remove anything from BlackLight on your computer, post a new HJT log and describe any malware symptoms you are having. If you are receiving any error messages, post those word for word.

Thanks

Arethka
2007-11-19, 11:31
Done. I have not had any malware symptoms in the last four or five days. The only thing that concerns me is that I run Spysweeper sweeps every few days and it comes up with Trojans "trojan-backdoor-poebot" and "trojan-backdoor-ranky", so I quarantine them and delete them, but a day or so later when I sweep again, they are back. I ran the Windows Malicious Software Removal Tool but it found no malicious software.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:04 PM, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\winamp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Styler\Styler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\gxdbzz.exe
C:\WINDOWS\system32\sqnaf.exe
C:\WINDOWS\system32\jdmsp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\lpzb.exe
C:\WINDOWS\system32\gwppy.exe
C:\WINDOWS\system32\mngbwhp.exe
C:\Program Files\Trend Micro\HijackThis\Dan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\system32\winamp.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8643 bytes

Thanks,
Dan

pskelley
2007-11-19, 13:43
OK Dan, we definitely have a very infected computer still, please keep it offline when you are not troubleshooting.

If you should have Vundofix, please delete it and download the newest version from the link I provide.

Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

1) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

(wait until you finish to post the reports and logs)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\system32\winamp.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\gxdbzz.exe
C:\WINDOWS\system32\sqnaf.exe
C:\WINDOWS\system32\jdmsp.exe
C:\WINDOWS\system32\lpzb.exe
C:\WINDOWS\system32\gwppy.exe
C:\WINDOWS\system32\mngbwhp.exe
C:\WINDOWS\system32\fbydlbaw.dll
C:\WINDOWS\system32\winamp.exe

If any of those files give you trouble, use this tool and instructions.
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report and a new HJT log.

Thanks
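
The HijackThis lines singled out in step 4 share a pattern that is worth being able to recognise on your own: a BHO whose "name" is itself a GUID, a BHO entry with "(no file)", a Run value named like a random hex string that uses rundll32 to load a DLL from system32, and a branded program name (Winamp) pointing at an executable sitting in system32 rather than Program Files. As an added example (my own code, not part of this thread and not HijackThis's logic), the Python script below applies those heuristics to HJT-style O2 and O4 lines. The random-name test, the allowlist of known system32 autostarts and the sample log are assumptions constructed for illustration; the sample reuses the entries fixed in this thread plus a few benign lines for contrast.

```python
"""Triage HijackThis-style O2/O4 lines for Vundo/Virtumonde-type indicators.

Heuristics are illustrative and my own, not HijackThis's logic: a BHO named by a
GUID or with its file missing; a Run value named like random hex; rundll32 loading
a DLL from system32; any autostart in system32 with a random-looking name. A small
allowlist of known system32 autostarts is checked first so the random-name test
does not fire on ctfmon.exe, hkcmd.exe and similar.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WIN_PATH_RE = re.compile(r"""[A-Za-z]:\\[^"',]+?\.(?:dll|exe)""", re.I)

# Assumed allowlist: binaries that legitimately autostart from system32 on XP.
KNOWN_SYSTEM32 = {"ctfmon.exe", "igfxtray.exe", "igfxpers.exe", "hkcmd.exe"}

# Constructed sample: the entries fixed in this thread, plus benign lines for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\system32\winamp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    """All-letter stem with few vowels or a 4+ consonant run: typical of dropper-generated names."""
    stem = filename.rsplit(".", 1)[0].lower()
    if not stem.isalpha() or not 4 <= len(stem) <= 12:
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max(len(chunk) for chunk in re.split(r"[aeiou]", stem))
    return vowels / len(stem) <= 0.25 or longest_run >= 4


def triage_line(line: str) -> list[Finding]:
    reasons: list[str] = []
    if line.startswith("O2 - BHO: "):
        # Format: O2 - BHO: <name> - {CLSID} - <path or (no file)>
        parts = line[len("O2 - BHO: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            name, _clsid, path = parts
            if GUID_RE.match(name):
                reasons.append("BHO display name is a GUID")
            if path == "(no file)":
                reasons.append("BHO registered but file missing (orphaned)")
            elif in_system32(path) and looks_random(basename(path)):
                reasons.append("BHO loads random-looking DLL from system32")
    elif (m := O4_RE.match(line)):
        name, cmd = m.group("name"), m.group("cmd")
        if HEX_NAME_RE.match(name):
            reasons.append("Run value name is a random hex string")
        targets = WIN_PATH_RE.findall(cmd)
        if "rundll32" in cmd.lower() and any(
            in_system32(t) and t.lower().endswith(".dll") for t in targets
        ):
            reasons.append("rundll32 loading a DLL from system32 at logon")
        for t in targets:
            b = basename(t).lower()
            if not in_system32(t) or b in KNOWN_SYSTEM32:
                continue  # allowlisted or outside system32: not this heuristic's concern
            if looks_random(b):
                reasons.append(f"random-looking autostart binary in system32: {b}")
            elif b.endswith(".exe"):
                reasons.append(f"EXE autostarting from system32 but not on known-good list: {b}")
    return [Finding(line, r) for r in reasons]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if raw.strip():
            findings.extend(triage_line(raw.strip()))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    """Distinct flagged lines in log order: the candidates to tick under 'Fix checked'."""
    out: list[str] = []
    for f in triage(log_text):
        if f.line not in out:
            out.append(f.line)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<60} {f.line}")
```

Run against the sample, the script flags exactly the four lines pskelley listed and leaves the Adobe BHO, iTunesHelper and ctfmon.exe alone. The allowlist matters: without it, "ctfmon" and "hkcmd" trip the consonant-run test, which is a reminder that name heuristics are a triage aid and every hit still needs the file checked (publisher, location, whether it is "(no file)") before it is removed.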

Arethka
2007-11-20, 12:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:35 PM, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\Dan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7877 bytes



VundoFix V6.6.2

Checking Java version...

Scan started at 5:56:29 PM 20/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

pskelley
2007-11-20, 12:57
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:34:35 PM, on 20/11/2007

Your HJT log looks clean, how is the computer running?

Post a Kaspersky scan result:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Arethka
2007-11-20, 13:04
Sorry, something is wrong with my IE and every time I type in a URL it will open it in Firefox, which I usually use.

pskelley
2007-11-20, 13:11
I will guess you have Firefox set as the default browser, change that long enough to get that scan run, then change it back.

http://www.wellesley.edu/Computing/Netscape/Browsers/pc_ie-n7x.html

Arethka
2007-11-20, 13:25
I set IE to default browser but it still opens it in Firefox...

pskelley
2007-11-20, 13:29
I am trying hard to help you here. Did you look to see if Firefox is set to default? If you can't run Kaspersky, then update and run SpySweeper. If you have no issues then:

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Arethka
2007-11-20, 13:34
I know you are trying to help me, and I appreciate it, but I can't get IE to work.

Arethka
2007-11-20, 13:37
What about if I Download and install the trial version and run that?

pskelley
2007-11-20, 13:54
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
You are running an outdated version of IE. I understand some folks don't want to update, but I did long ago; the new version works fine and affords some additional security protections. Why don't you start with a new version of Internet Explorer?

http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Arethka
2007-11-20, 14:04
I already thought of that, but the download link on the MS site doesn't work; when I select my OS it comes up with: We're sorry, but we were unable to service your request. You may wish to choose from the links below for information about Microsoft products and services.

pskelley
2007-11-20, 14:20
Try here: http://www.microsoft.com/windows/downloads/ie/getitnow.mspx
http://support.microsoft.com/ph/8722
Need More Help?
Contact a Support Professional by Email, Online, or Phone.

Thanks

Arethka
2007-11-20, 14:37
Can you download it? Or is it just my PC? Could you please try? And if it works for you, can you attach it to the forum so I can download it?


Thanks, Dan

Arethka
2007-11-20, 14:42
By the way, I just did a Spysweep and it came up with "Trojan-killav" and "virtumonde". I Quarantined them and deleted them. Then when I did a check with Spybot S & D it came up with "Microsoft.WindowsSecurityCenter.AntiVirusOverride", "Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify" and "Win32.Delf.uc", which I "fixed".


Thanks, Dan

pskelley
2007-11-20, 14:55
I just sent you a private message:)

Why does Spybot-S&D flag changes in the Windows Security Center?
http://www.safer-networking.org/en/faq/46.html
http://www.safer-networking.org/en/faq/index.html
http://forums.spybot.info/showthread.php?t=250
Microsoft.WindowsSecurityCenter.AntivirusOveride
http://forums.spybot.info/showthread.php?p=103253#post103253 (post#2)
http://www.google.com/search?hl=en&q=Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify&btnG=Search

Empty your quarantine folder in SpySweeper and run it again. Can you not post those results so I can see them? I have not used SS in a while.

Unless I am missing something, I see no antivirus program running in realtime? Is SS supplying you with antivirus protection as well as a firewall?

Thanks

Arethka
2007-11-21, 08:36
SS is running all the time; it runs on startup. And SS doesn't have the AntiVirus version of it. Webroot Desktop Firewall is my firewall.

pskelley
2007-11-21, 12:07
If I am correct then and you have no antivirus program running in realtime, here are three free ones. I run AVG by Grisoft myself.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

Whatever you install, update it and run a complete system scan right away.

Safe surfing

Arethka
2007-11-21, 12:28
Sorry, but you are incorrect, I run spysweeper in realtime.

pskelley
2007-11-21, 12:35
Dan, you just told me this:

And SS doesn't have the AntiVirus version of it.

If you run SpySweeper in realtime as an anti-spyware tool, that has absolutely nothing to do with having antivirus protection. If you look here:
http://www.google.com/search?hl=en&q=Webroot+antivirus+protection&btnG=Google+Search
Webroot as well as many other companies are releasing complete packages that provide

1) Antivirus protection

2) Firewall protection

3) Spyware protection

and you need to have all three. If the program you have does not supply the antivirus protection, you need to get something installed.

Thanks

Arethka
2007-11-22, 07:32
I would, but my dad won't upgrade; he thinks Spysweeper does the job well.

Arethka
2007-11-22, 09:29
Good news, I have convinced Dad to upgrade to Webroot AntiVirus with Anti Spyware :D

It's doing a sweep now, I'll post the details later.


Thanks,
Dan

Arethka
2007-11-23, 10:14
OK, I forgot to post the details of the first sweep with the antivirus version of Spysweeper, so here are the finds of the second.

Malware: VB-M
Trojan: Wimad-D
Trojan: Fujif-Gen
Spy Cookie: go.com cookie

pskelley
2007-11-23, 13:12
I have no idea what that information is?

Thanks