a little help please



joemomma21
2007-11-30, 00:18
ComboFix 07-08-09.3 - "Administrator" 2007-11-29 18:03:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Internet Explorer\hokenoxa83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\c1
C:\WINDOWS\system32\c1\baslook11.exe
C:\WINDOWS\system32\d1
C:\WINDOWS\system32\d1\cby1stp.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\j2
C:\WINDOWS\system32\j2\ppjup83122.exe
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\m8\nsts2dll1.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))


2007-11-28 19:53 435,300 --ahs---- C:\WINDOWS\system32\ppqss.ini2
2007-11-28 19:53 329,312 --a------ C:\WINDOWS\system32\ssqpp.dll
2007-11-28 19:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-28 19:48 525,436 --a------ C:\Temp\u900Y714.exe
2007-11-28 19:48 2,701 --a------ C:\z.dat
2007-11-28 19:48 172,032 --a------ C:\winlogon.exe
2007-11-28 19:48 134 --a------ C:\n.bat
2007-11-28 19:48 0 --a------ C:\x.dat
2007-11-28 19:48 <DIR> d--hs---- C:\WINDOWS\RGVhZGx5IFRhY3Rpa3o
2007-11-28 19:48 <DIR> d-------- C:\WINDOWS\system32\rMa05yy
2007-11-28 19:48 <DIR> d-------- C:\Temp\abW9
2007-11-28 19:48 <DIR> d-------- C:\Temp
2007-11-28 19:47 37,376 --a------ C:\WINDOWS\system32\ssqpomk.dll
2007-11-24 22:26 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-24 22:22 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-24 22:15 0 --a------ C:\WINDOWS\ativpsrm.bin


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-11-28 19:57 --------- d-------- C:\Program Files\Common Files\element5 Shared
2007-11-26 20:56 --------- d-------- C:\Program Files\RAXCO
2007-11-09 03:35 --------- d-------- C:\Program Files\Microsoft Works
2007-11-08 18:12 --------- d-------- C:\Program Files\Half-Life 2 Episode One
2007-11-01 17:27 --------- d-------- C:\Program Files\Viewpoint
2007-10-25 22:34 8460288 --a--c--- C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-22 17:11 --------- d-------- C:\Program Files\AIM6
2007-10-08 20:57 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-10-08 20:34 --------- d-------- C:\Program Files\MySpace
2007-09-29 05:46 47376 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:21 9854976 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-09-29 03:07 356352 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 03:06 268800 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:06 2456064 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:58 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 02:58 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 02:58 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 02:58 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 02:57 122880 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 02:56 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 02:55 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 02:49 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 02:47 3130720 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:47 172032 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 02:36 972072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-09-29 02:36 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-09-29 02:36 3107788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-09-29 02:36 1593600 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:23 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-09-29 02:22 376832 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-09-29 02:20 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-09-29 02:19 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-29 02:14 499712 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-01-10 12:15 839690 --a------ C:\WINDOWS\Fonts.\Crack.exe
2007-01-10 12:15 839689 ---hs---- C:\WINDOWS\Fonts.\svchost.exe
2007-01-10 17:15:15 839,689 --sh--w C:\WINDOWS\Fonts\svchost.exe
2005-08-02 21:46:54 187,904 --sha-r C:\WINDOWS\RGVhZGx5IFRhY3Rpa3o\asappsrv.dll
2005-08-02 21:58:38 293,888 --sha-r C:\WINDOWS\RGVhZGx5IFRhY3Rpa3o\command.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\RGVhZGx5IFRhY3Rpa3o\l3p1t3UcKIl1salDuaC.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D2537AE-FBC5-41A4-9950-EAE8AF169B7E}]
2007-11-28 19:53 329312 --a------ C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
2007-11-28 19:47 37376 --a------ C:\WINDOWS\system32\ssqpomk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\ssqpomk.dll [2007-11-28 19:47 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 2003-05-25 02:11 60416 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpomk]
ssqpomk.dll 2007-11-28 19:47 37376 C:\WINDOWS\system32\ssqpomk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTpatch]
C:\WINDOWS\htpatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"TabletService"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"maya70docserver"=2 (0x2)
"License Management Service ESD"=3 (0x3)
"Bonjour Service"=2 (0x2)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"idsvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"cmdService"=2 (0x2)
"Network Monitor"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"AutoExNT"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"RegistryMechanic"=

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 DS1410D;DS1410D;\??\C:\WINDOWS\system32\drivers\ds1410d.sys
R2 hardlock;hardlock;\??\C:\WINDOWS\system32\drivers\hardlock.sys
R2 Sentinel;Sentinel;C:\WINDOWS\system32\Drivers\SENTINEL.SYS
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 Sntnlusb;Rainbow USB SuperPro;C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
S3 UnlockerDriver4;UnlockerDriver4 Driver;\??\C:\WINDOWS\system32\UnlockerDriver4.sys
S3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S4 AutoExNT;AutoExNT;C:\WINDOWS\system32\AutoExNT.Exe
S4 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{682076a1-bc5d-11db-a81c-000c6e1ed4c1}]
AutoRun\command- G:\wd_windows_tools\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 18:12:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\t\x2013\xd4w\2]
"91A14B995DF7C0B42ABAA16065968F3A"="C:\Program Files\Alias\Maya7.0\presets\Ashli\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001a1

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-11-29 18:16:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-11-29 18:15
C:\ComboFix2.txt ... 2007-08-11 15:01

--- E O F ---

joemomma21
2007-11-30, 01:38
little help? :bigthumb:

Mr_JAk3
2007-12-02, 15:32
Hello joemomma21 and welcome to the Forums :)

You're badly infected.

Do you have any idea why this Antiwpa is installed on your pc?

C:\WINDOWS\system32\antiwpa.dll


Antiwpa-A modifies system files in an attempt to disable Windows product activation.

http://www.sophos.com/security/analyses/trojantiwpaa.html

One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you with the cleaning if you don't want to reformat, but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb: