View Full Version : Malware (Spyware Guard 2008 + others)
DarkWolff
2008-12-23, 22:27
Hello,
My laptop is currently infected with Malware/Spyware. I got infected last night; about 20 IE windows popped up at once and my system slowed down to a crawl. Ad-aware failed to remove everything, and Spybot S&D fails to start (though the resident will run and block some processes).
I did a search and found another post with a similar problem (Link (http://forums.spybot.info/showthread.php?t=41747&highlight=spyware+guard+2008)), but Malwarebytes' Anti-Malware refuses to start as well.
Can someone help? I managed to stop Spyware Guard 2009 from starting by opening the exe in notepad and blanking it out; fooling whatever keeps reinstalling it into thinking it's still there, but obviously this is not an optimal solution.
I originally posted here (http://forums.spybot.info/showthread.php?p=270453#post270453), but after searching realized I should probably be posting here instead).
DarkWolff
2008-12-24, 19:24
Ok since everyone seems to be doing this, I've posted HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:37 PM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winloggn.exe
C:\WINDOWS\system32\winscenter.exe
C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winlogin.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Lord Kandar\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [079ff997] rundll32.exe "C:\WINDOWS\system32\ddtmqwmg.dll",b
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Lord Kandar\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Lord Kandar\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Lord Kandar\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Lord Kandar\Application Data\Microsoft\Windows\wlkie.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O21 - SSODL: ieModule - {DFA7459B-8240-4211-B235-A6ED63892661} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {16A2A6F4-D90F-4DCC-8271-9B77515B2729} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\qevkciionx.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8131 bytes
Hi DarkWolff
Looking over your log, it seems you don't have any evidence of an anti-virus software.
Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:
1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.
You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.
After that, rename HijackThis.exe to DarkWolff.exe and post back a fresh HijackThis log, please :)
DarkWolff
2008-12-29, 18:49
I'm having problems getting on the internet on the infected laptop (I'm on another atm). I can't seem to view most webpages. I'll keep trying.
If you are able to use another computer during entire cleaning process, you can keep infected computer offline and transfer logs/tools via usb stick or similar :)
DarkWolff
2008-12-29, 20:41
Thanks, that's exactly what I did. :) I'm waiting for the scan to complete now.
OK, thank you for update :)
DarkWolff
2008-12-29, 21:53
Here's the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:18 PM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winlogin.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
C:\Documents and Settings\Lord Kandar\Desktop\DarkWolff.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\qoMfDuVP.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [079ff997] rundll32.exe "C:\WINDOWS\system32\ddtmqwmg.dll",b
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Lord Kandar\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Lord Kandar\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Lord Kandar\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Lord Kandar\Application Data\Microsoft\Windows\wlkie.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\LORDKA~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O20 - AppInit_DLLs: xpzogn.dll
O20 - Winlogon Notify: jmqunul - jmqunul32.dll (file missing)
O20 - Winlogon Notify: qoMfDuVP - qoMfDuVP.dll (file missing)
O21 - SSODL: ieModule - {DFA7459B-8240-4211-B235-A6ED63892661} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {16A2A6F4-D90F-4DCC-8271-9B77515B2729} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\qevkciionx.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll (file missing)
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9021 bytes
DarkWolff
2008-12-29, 21:56
I forgot to mention; I tried running spybot after the scan to see if it would run, but it still wouldn't.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
We need first to disable TeaTimer that it doesn''t interfere with fixes. You can re-enable it when you''re clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
DarkWolff
2008-12-29, 22:54
Ok I downloaded the tool, but I can't start Spybot to turn off TeaTimer. Should I just end the process for TeaTimer?
DarkWolff
2008-12-29, 23:09
Ok, I unloaded TeaTimer from the taskmanager. I tried to run ComboFix, but the same thing that happens to Spybot S&D happens to it; it doesn't run. If I leave the process window from the task manager open, it show combofix.exe for a split second before it unloads.
Then delete your copy of combofix first.
After that:
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
DarkWolff
2008-12-30, 19:36
Thanks. ComboFix is running now. I'll post a scan when it's done.
Note: ComboFix couldn't download the Windows Recovery Tool. Is this ok?
Yes as infection prevents it.
I will give instructions for that after first combofix run.
DarkWolff
2008-12-30, 19:55
Ok it's all down. I noticed the fake Windows Security Center is gone now. Spybot will run now, but I didn't do a scan yet so these logs will be accurate.
ComboFix 08-12-29.02 - Lord Kandar 2008-12-30 12:39:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1706 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Lord Kandar\Application Data\gadcom
c:\documents and settings\Lord Kandar\Application Data\SpeedRunner
c:\documents and settings\Lord Kandar\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Lord Kandar\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Lord Kandar\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Lord Kandar\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\dfLklUvw.ini
c:\windows\system32\dfLklUvw.ini2
c:\windows\system32\drivers\71985e90.sys
c:\windows\system32\drivers\ati7ytxx.sys
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\gmwqmtdd.ini
c:\windows\system32\jkse73hedfdgf.dll
c:\windows\system32\TDSShrxx.dll
c:\windows\system32\TDSSkhyp.log
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\winscenter.exe
c:\windows\Temp\1116707112.exe
c:\windows\vmreg.dll
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys
-------\Legacy_ati7ytxx
-------\Legacy_fci
-------\Legacy_icf
-------\Service_ati7ytxx
-------\Service_fci
-------\Service_icf
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-23 12:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 22:08 . 2008-12-23 14:30 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Twain
2008-12-22 22:03 . 2008-12-22 23:49 <DIR> d-------- c:\program files\Webtools
2008-12-22 21:58 . 2008-12-22 21:58 45,056 --a------ c:\windows\system32\pmNhIApp.dll
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xpzogn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7ytxx.sys]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S1 71985e90;71985e90;c:\windows\system32\drivers\71985e90.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
2008-12-29 c:\windows\Tasks\sdfaalpd.job
- c:\windows\system32\rundll32.exe [2004-08-09 21:00]
.
- - - - ORPHANS REMOVED - - - -
BHO-{c5bf49a2-94f3-42bd-f434-3604812c897d} - c:\windows\system32\jkse73hedfdgf.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
HKCU-Run-Twain - c:\documents and settings\Lord Kandar\Application Data\Twain\Twain.exe
HKCU-Run-gadcom - c:\documents and settings\Lord Kandar\Application Data\gadcom\gadcom.exe
HKCU-Run-jsf8j34rgfght - c:\docume~1\LORDKA~1\LOCALS~1\Temp\winloggn.exe
HKCU-Run-xsjfn83jkemfofght - c:\docume~1\LORDKA~1\LOCALS~1\Temp\winlogin.exe
HKCU-Run-SpeedRunner - c:\documents and settings\Lord Kandar\Application Data\SpeedRunner\SpeedRunner.exe
HKCU-Run-SfKg6wIP - c:\documents and settings\Lord Kandar\Application Data\Microsoft\Windows\wlkie.exe
HKCU-Run-Jnskdfmf9eldfd - c:\docume~1\LORDKA~1\LOCALS~1\Temp\csrssc.exe
HKLM-Run-079ff997 - c:\windows\system32\ddtmqwmg.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C897D} - c:\windows\system32\jkse73hedfdgf.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\qoMfDuVP.dll
Notify-jmqunul - jmqunul32.dll
Notify-qoMfDuVP - qoMfDuVP.dll
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 12:46:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HPQ\Shared\hpqwmi.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-30 12:50:26 - machine was rebooted [Lord Kandar]
ComboFix-quarantined-files.txt 2008-12-30 17:50:23
Pre-Run: 34,310,045,696 bytes free
Post-Run: 34,378,854,400 bytes free
235
DarkWolff
2008-12-30, 19:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:54 PM, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lord Kandar\Desktop\DarkWolff.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O20 - AppInit_DLLs: xpzogn.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6322 bytes
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
See this link how to install recovery console manually:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Re-run combofix and post back a fresh combofix log, please.
DarkWolff
2008-12-30, 20:29
Ok ComboFix managed to install the recovery console, and it's scanning now. I'll post the log when finished.
BTW, The computer's performance has increased dramatically and we're not even done. Thank you so much for your help. I really appreciate it.
DarkWolff
2008-12-30, 20:37
ComboFix 08-12-29.02 - Lord Kandar 2008-12-30 13:24:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1592 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\akivufol.ini
c:\windows\system32\vivuyayo.dll
c:\windows\Temp\tmp3.tmp
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-30 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 22:08 . 2008-12-23 14:30 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Twain
2008-12-22 22:03 . 2008-12-22 23:49 <DIR> d-------- c:\program files\Webtools
2008-12-22 21:58 . 2008-12-22 21:58 45,056 --a------ c:\windows\system32\pmNhIApp.dll
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
((((((((((((((((((((((((((((( snapshot@2008-12-30_12.49.59.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-30 17:38:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
- 2008-12-30 17:37:45 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:03:31 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:09:18 97,545 --sha-w c:\windows\system32\dijuboru.dll
+ 2008-09-30 18:03:59 61,096 --sha-w c:\windows\system32\gokisoso.dll
+ 2008-09-30 18:03:59 61,096 --sha-w c:\windows\system32\hezigotu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{255626bf-365b-4ad4-a240-60d4239cca45}]
2008-09-30 13:03 61096 --ahs---- c:\windows\system32\hezigotu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"="c:\windows\system32\prunnet.exe" [BU]
"rs32net"="c:\windows\System32\rs32net.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"juvufukivo"="c:\windows\system32\gokisoso.dll" [2008-09-30 61096]
"079ff997"="c:\windows\system32\lofuvika.dll" [BU]
"CPM04acca0b"="c:\windows\system32\dijuboru.dll" [2008-12-30 97545]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\dijuboru.dll" [2008-12-30 97545]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dijuboru.dll [2008-12-30 97545]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmqunul]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDuVP]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\dijuboru.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\vivuyayo.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7ytxx.sys]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S1 71985e90;71985e90;c:\windows\system32\drivers\71985e90.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{548b5b08-0ae7-11dd-9df6-00c09ff5f01c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - system.exe
\Shell\Open\command - system.exe
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
2008-12-30 c:\windows\Tasks\sdfaalpd.job
- c:\windows\system32\rundll32.exe [2004-08-09 21:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 13:31:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-12-30 13:34:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 18:34:44
Pre-Run: 34,394,677,248 bytes free
Post-Run: 34,353,704,960 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
207
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
DarkWolff
2008-12-30, 20:43
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
AOL Instant Messenger
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI Parental Control & Encoder
Avira AntiVir Personal - Free Antivirus
BitTorrent 5.0.8
Bluetooth by hp
Conexant AC-97 Audio
Conexant Data Fax Modem with SmartCP
CutePDF Writer 2.7
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EA Download Manager
Easy Internet Sign-up
ESPNMotion
FairStars Audio Converter 1.54
Fighter Factory 1.0.12.2005 (Update Pack 3)
FrostWire 4.13.1.6 BETA
GemMaster Mystic
HijackThis 2.0.2
HP Dual TV Tuner / Digital Video Recorder Driver
HP Help and Support
HP Software Update
HP Wireless Assistant 1.01 A2
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Magic Set Editor 2 - 0.3.7 beta
Magic The Gathering
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2005
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Mozilla Firefox (3.0.5)
muvee autoProducer 4.0 - SE
Otto
Quick Launch Buttons 5.10 A2
QuickTime
Serious Sam: The Second Encounter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SPORE™
Spybot - Search & Destroy
Super DVD Creator 9.5
Synaptics Pointing Device Driver
System Requirements Lab
Texas Instruments PCIxx21/x515 drivers.
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Ventrilo Client
version1.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Winamp (remove only)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Media Center Edition 2005 KB888316
WinRAR archiver
WinZip
World of Warcraft
Zone Deluxe Games
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
BitTorrent 5.0.8
FrostWire 4.13.1.6 BETA
I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please run a new uninstall list scan when finished and post the log back here.
DarkWolff
2008-12-30, 20:51
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
AOL Instant Messenger
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI Parental Control & Encoder
Avira AntiVir Personal - Free Antivirus
Bluetooth by hp
Conexant AC-97 Audio
Conexant Data Fax Modem with SmartCP
CutePDF Writer 2.7
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EA Download Manager
Easy Internet Sign-up
ESPNMotion
FairStars Audio Converter 1.54
Fighter Factory 1.0.12.2005 (Update Pack 3)
GemMaster Mystic
HijackThis 2.0.2
HP Dual TV Tuner / Digital Video Recorder Driver
HP Help and Support
HP Software Update
HP Wireless Assistant 1.01 A2
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Magic Set Editor 2 - 0.3.7 beta
Magic The Gathering
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2005
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Mozilla Firefox (3.0.5)
muvee autoProducer 4.0 - SE
Otto
Quick Launch Buttons 5.10 A2
QuickTime
Serious Sam: The Second Encounter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SPORE™
Spybot - Search & Destroy
Super DVD Creator 9.5
Synaptics Pointing Device Driver
System Requirements Lab
Texas Instruments PCIxx21/x515 drivers.
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Ventrilo Client
version1.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Winamp (remove only)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Media Center Edition 2005 KB888316
WinRAR archiver
WinZip
World of Warcraft
Zone Deluxe Games
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\pmNhIApp.dll
c:\windows\system32\dijuboru.dll
c:\windows\system32\gokisoso.dll
c:\windows\system32\hezigotu.dll
c:\windows\Tasks\sdfaalpd.job
Folder::
c:\Program Files\BitTorrent
c:\Program Files\FrostWire
Driver::
71985e90
Registry::
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7ytxx.sys]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{255626bf-365b-4ad4-a240-60d4239cca45}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{548b5b08-0ae7-11dd-9df6-00c09ff5f01c}]
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
DarkWolff
2008-12-30, 21:14
ComboFix 08-12-29.02 - Lord Kandar 2008-12-30 14:00:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1578 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lord Kandar\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\dijuboru.dll
c:\windows\system32\gokisoso.dll
c:\windows\system32\hezigotu.dll
c:\windows\system32\pmNhIApp.dll
c:\windows\Tasks\sdfaalpd.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\BitTorrent
c:\program files\BitTorrent\addrmap.dat
c:\program files\BitTorrent\plugin.inf
c:\program files\FrostWire
c:\program files\FrostWire\hs_err_pid200.log
c:\program files\FrostWire\hs_err_pid2556.log
c:\program files\FrostWire\hs_err_pid3112.log
c:\program files\FrostWire\hs_err_pid3456.log
c:\program files\FrostWire\hs_err_pid3608.log
c:\program files\FrostWire\hs_err_pid3752.log
c:\program files\FrostWire\hs_err_pid504.log
c:\windows\system32\dijuboru.dll
c:\windows\system32\gokisoso.dll
c:\windows\system32\hezigotu.dll
c:\windows\system32\pmNhIApp.dll
c:\windows\Tasks\sdfaalpd.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_71985e90
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-30 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 22:08 . 2008-12-23 14:30 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Twain
2008-12-22 22:03 . 2008-12-22 23:49 <DIR> d-------- c:\program files\Webtools
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
((((((((((((((((((((((((((((( snapshot@2008-12-30_12.49.59.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-30 17:38:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
- 2008-12-30 17:37:45 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:03:31 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"="c:\windows\system32\prunnet.exe" [BU]
"rs32net"="c:\windows\System32\rs32net.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"079ff997"="c:\windows\system32\lofuvika.dll" [BU]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmqunul]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDuVP]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-juvufukivo - c:\windows\system32\gokisoso.dll
HKLM-Run-CPM04acca0b - c:\windows\system32\dijuboru.dll
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 14:11:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??`???? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HPQ\Shared\hpqwmi.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-30 14:13:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 19:13:40
Pre-Run: 34,420,551,680 bytes free
Post-Run: 34,378,596,352 bytes free
198
DarkWolff
2008-12-30, 21:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:35 PM, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lord Kandar\Desktop\DarkWolff.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [079ff997] rundll32.exe "C:\WINDOWS\system32\lofuvika.dll",b
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O20 - Winlogon Notify: jmqunul - C:\WINDOWS\
O20 - Winlogon Notify: qoMfDuVP - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6491 bytes
Please do this in safe mode:
Open notepad and copy/paste the text in the codebox below into it:
Folder::
c:\documents and settings\Lord Kandar\Application Data\Twain
c:\program files\Webtools
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-
"rs32net"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"079ff997"=-
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmqunul]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDu]
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
DarkWolff
2008-12-30, 21:32
I can't seem to start the computer in safe mode. I press f8, choose safe mode, then windows (not the recovery), but it stays after trying to load multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\drivers\btkrnl.sys
OK, then just disable AntiVir from task bar and run CFScript in normal mode, please.
DarkWolff
2008-12-30, 21:34
Ok will do.
DarkWolff
2008-12-30, 21:43
ComboFix 08-12-29.02 - Lord Kandar 2008-12-30 14:37:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1619 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lord Kandar\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lord Kandar\Application Data\Twain
c:\program files\Webtools
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-30 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\svchost.exe
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-02 23:46 81,920 ----a-w c:\windows\system32\frapsvid.dll
2008-09-09 23:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-09 23:46 1,954 ----a-w c:\windows\system32\ealregsnapshot1.reg
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
((((((((((((((((((((((((((((( snapshot@2008-12-30_12.49.59.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-30 17:38:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
- 2008-12-30 17:37:45 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:03:31 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDuVP]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 14:39:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-30 14:40:09
ComboFix-quarantined-files.txt 2008-12-30 19:39:57
ComboFix2.txt 2008-12-30 19:13:43
Pre-Run: 34,400,878,592 bytes free
Post-Run: 34,390,163,456 bytes free
172
DarkWolff
2008-12-30, 21:44
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:15 PM, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lord Kandar\Desktop\DarkWolff.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O20 - Winlogon Notify: qoMfDuVP - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6208 bytes
I'd like you to check a file for malware.
Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)
c:\windows\system32\svchost.exe
Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Save the complete results in a Notepad/Word document on your desktop.
Post back results when ready, please.
DarkWolff
2008-12-30, 22:02
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - BlockReason.0
Additional information
MD5: 8f078ae4ed187aaabc0a305146de6716
SHA1: da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
DarkWolff
2008-12-30, 22:03
Here's the link if you want a more readable version: http://www.virustotal.com/analisis/239f9c6c69a3d0503ca1d50e58cea855
That appears to be fine.
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
DarkWolff
2008-12-30, 22:07
Will do.
DarkWolff
2008-12-30, 23:22
Update: Scan is still running (55%).
DarkWolff
2008-12-31, 00:21
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 30, 2008 18:10:45
Records in database: 1533181
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 66552
Threat name: 11
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 01:54:48
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe Infected: Trojan-Banker.Win32.Banker.ackb 1
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Qoobox\Quarantine\C\Program Files\Mjcore\Mjcore.dll.vir Infected: Trojan.Win32.BHO.ilw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\71985e90.sys.vir Infected: Rootkit.Win32.Pakes.gg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_71985e90_.sys.zip Infected: Rootkit.Win32.Pakes.gg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ati7ytxx_.sys.zip Infected: Rootkit.Win32.Protector.cd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jkse73hedfdgf.dll.vir Infected: Trojan.Win32.Pakes.mgk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSShrxx.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqt.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSvkql.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1
The selected area was scanned.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
DarkWolff
2008-12-31, 18:38
Hello,
If possible, I'd like to try to remove the Trojan. I don't use the laptop for sensitive info and only use it for gaming, so I think I'll be ok for now.
I will reformat the laptop soon though; likely by the end of January.
DarkWolff
2008-12-31, 18:41
Just as an aside, there is some (gaming based) data that I'd want to save on the laptop, which is also part of why I'd like to try to clean it.
Open notepad and copy/paste the text in the codebox below into it:
DirLook::
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
DarkWolff
2008-12-31, 18:56
ComboFix 08-12-30.02 - Lord Kandar 2008-12-31 11:52:50.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1647 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lord Kandar\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.
2008-12-31 11:47 . 2008-12-31 11:47 <DIR> d--hs---- C:\found.000
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-30 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\svchost.exe
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-02 23:46 81,920 ----a-w c:\windows\system32\frapsvid.dll
2008-09-09 23:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-09 23:46 1,954 ----a-w c:\windows\system32\ealregsnapshot1.reg
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
((((((((((((((((((((((((((((( snapshot@2008-12-30_12.49.59.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-30 17:38:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
- 2008-12-30 17:37:45 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:03:31 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDuVP]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 11:54:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-31 11:55:22
ComboFix-quarantined-files.txt 2008-12-31 16:55:09
ComboFix2.txt 2008-12-30 19:40:09
ComboFix3.txt 2008-12-30 19:13:43
Pre-Run: 34,315,837,440 bytes free
Post-Run: 34,358,587,392 bytes free
169
Are you sure that you copied everything to CFScript, including DirLook::
?
DarkWolff
2008-12-31, 19:06
No, I'm not sure. I'll do it again.
DarkWolff
2008-12-31, 19:09
ComboFix 08-12-30.02 - Lord Kandar 2008-12-31 12:07:17.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1632 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lord Kandar\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.
2008-12-31 11:47 . 2008-12-31 11:47 <DIR> d--hs---- C:\found.000
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-30 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\svchost.exe
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-02 23:46 81,920 ----a-w c:\windows\system32\frapsvid.dll
2008-09-09 23:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-09 23:46 1,954 ----a-w c:\windows\system32\ealregsnapshot1.reg
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\Microsoft\Protect ----
2008-12-22 22:14 3059712 --a------ c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
2008-12-22 22:13 5 --a------ c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
((((((((((((((((((((((((((((( snapshot@2008-12-30_12.49.59.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-30 17:38:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
- 2008-12-30 17:37:45 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:03:31 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDuVP]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
*Newly Created Service* - catchme
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 12:07:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-31 12:08:47
ComboFix-quarantined-files.txt 2008-12-31 17:08:26
ComboFix2.txt 2008-12-31 16:55:23
ComboFix3.txt 2008-12-30 19:40:09
ComboFix4.txt 2008-12-30 19:13:43
Pre-Run: 34,346,803,200 bytes free
Post-Run: 34,337,107,968 bytes free
176
Open notepad and copy/paste the text in the codebox below into it:
Folder::
c:\documents and settings\All Users\Application Data\Microsoft\Protect
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
DarkWolff
2008-12-31, 20:52
ComboFix 08-12-30.02 - Lord Kandar 2008-12-31 13:48:20.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1596 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe c:\documents and settings\Lord Kandar\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.
2008-12-31 11:47 . 2008-12-31 11:47 <DIR> d--hs---- C:\found.000
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-30 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\svchost.exe
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-02 23:46 81,920 ----a-w c:\windows\system32\frapsvid.dll
2008-09-09 23:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-09 23:46 1,954 ----a-w c:\windows\system32\ealregsnapshot1.reg
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
((((((((((((((((((((((((((((( snapshot@2008-12-30_12.49.59.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-30 17:38:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
- 2008-12-30 17:37:45 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:03:31 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDuVP]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 13:49:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-31 13:50:50
ComboFix-quarantined-files.txt 2008-12-31 18:50:38
ComboFix2.txt 2008-12-31 17:08:47
ComboFix3.txt 2008-12-31 16:55:23
ComboFix4.txt 2008-12-30 19:40:09
ComboFix5.txt 2008-12-31 18:46:59
Pre-Run: 36,908,584,960 bytes free
Post-Run: 36,898,136,064 bytes free
171
And please check again if you copied Folder:: because ComboFix didn't remove anything :)
DarkWolff
2008-12-31, 21:19
ComboFix 08-12-30.02 - Lord Kandar 2008-12-31 14:16:28.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1647 [GMT -5:00]
Running from: c:\documents and settings\Lord Kandar\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lord Kandar\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Protect
c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.
2008-12-31 11:47 . 2008-12-31 11:47 <DIR> d--hs---- C:\found.000
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\program files\Avira
2008-12-29 12:12 . 2008-12-29 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 12:48 . 2008-12-23 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:48 . 2008-12-30 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 22:37 . 2008-12-23 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 19:33 . 2008-12-17 19:33 <DIR> d-------- c:\program files\GPLGS
2008-12-17 19:29 . 2008-12-17 19:29 <DIR> d-------- c:\program files\Acro Software
2008-12-17 19:29 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll
2008-12-09 19:48 . 2008-12-09 19:48 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\Xilisoft Corporation
2008-12-09 19:40 . 2008-12-09 19:40 0 --a------ c:\windows\muveeapp.INI
2008-12-09 19:36 . 2008-12-09 19:36 <DIR> d-------- c:\documents and settings\Lord Kandar\Application Data\muvee Technologies
2008-12-09 19:08 . 2008-12-09 19:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 15:13 . 2008-11-29 15:13 0 --a------ c:\windows\ativpsrm.bin
2008-11-29 15:12 . 2008-10-28 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-11-29 15:11 . 2008-11-29 15:11 <DIR> d-------- C:\ATI
2008-11-03 22:39 . 2008-12-18 22:37 <DIR> d-------- C:\mugen-hi
2008-11-03 22:25 . 2008-11-03 22:25 <DIR> d-------- C:\backup
2008-11-02 22:38 . 2008-11-02 22:38 <DIR> d-------- c:\program files\Fighter Factory
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 19:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\svchost.exe
2008-12-23 03:26 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2008-12-16 01:27 --------- d-----w c:\program files\Magic Set Editor 2
2008-11-25 12:14 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-25 12:14 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\SystemRequirementsLab
2008-11-09 17:30 --------- d-----w c:\documents and settings\Lord Kandar\Application Data\BitTorrent
2008-11-07 00:21 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-02 23:46 81,920 ----a-w c:\windows\system32\frapsvid.dll
2008-09-09 23:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-09 23:46 1,954 ----a-w c:\windows\system32\ealregsnapshot1.reg
2007-05-23 01:25 30 ----a-w c:\documents and settings\Lord Kandar\haha.bat
.
((((((((((((((((((((((((((((( snapshot@2008-12-30_12.49.59.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:37:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-30 17:38:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
+ 2008-12-30 18:03:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008123020081231\index.dat
- 2008-12-30 17:37:45 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 18:03:31 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 565309]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMfDuVP]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2008-11-01 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2008-11-01 19584]
.
Contents of the 'Scheduled Tasks' folder
2006-12-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Lord Kandar\Application Data\Mozilla\Firefox\Profiles\nxyf6nhz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 14:18:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?5?2?1??????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-31 14:18:52
ComboFix-quarantined-files.txt 2008-12-31 19:18:41
ComboFix2.txt 2008-12-31 18:50:51
ComboFix3.txt 2008-12-31 17:08:47
ComboFix4.txt 2008-12-31 16:55:23
ComboFix5.txt 2008-12-31 19:15:48
Pre-Run: 36,882,935,808 bytes free
Post-Run: 36,869,300,224 bytes free
177
DarkWolff
2008-12-31, 21:27
None yet. Is there something I should be looking for?
Well I mean same symptoms you had when you started this thread :)
DarkWolff
2008-12-31, 21:30
Oh no, they are all gone! :)
Great :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Then download and install Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp)
Looking over your log, it seems you don''t have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft''s Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes'' Anti-Malware - Malwarebytes'' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes'' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)
Malwarebytes'' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
DarkWolff
2008-12-31, 21:58
Thanks for all your help! I'll be sure to follow these steps immediately.
I originally was very lax with security on that laptop as I didn't do much surfing on it, and didn't surf on it. Now I see that was a mistake, and intend to be more diligent in the future.
Thanks again for all your help! :2thumb:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.