Yet Another Virtumonde

bobcloclimar

New member
I've tried removing this manually (some previous experience), though ssqrq.dll keeps on getting respawned by some means whenever I reboot. It's normally called by rundll32 and lsass, so it's irremovable when Windows is running; it's also been keeping tabs on the registry so I can't edit out the references.

I have Norton installed, but I think it's been affected, so I'm not running it right now.

HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:45:45 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: test.lnk.disabled (User 'SYSTEM')
O4 - .DEFAULT Startup: test.lnk.disabled (User 'Default user')
O4 - Startup: test.lnk.disabled
O4 - Global Startup: BTTray.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AgDataUpdateSvc - Analytical Graphics, Inc. - C:\Program Files\AGI\STK 7\bin\AgDataUpdateSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6751 bytes
 
Hi

First rename the hijackthis.exe file ...

From C:\HJT\HijackThis.exe

To C:\HJT\Problems.exe

Then ...

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


steam
 
CF Log:

ComboFix 08-01-18.4 - Bobcloclimar 2008-01-17 18:34:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.188 [GMT -8:00]
Running from: C:\Documents and Settings\Bobcloclimar\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AIM\aim .exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\Secure Access\GoogleSecureAccess .exe
C:\Program Files\Google\Secure Access\GoogleSecureAccess.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Default Settings\cpqset .exe
C:\Program Files\HPQ\Default Settings\cpqset.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\osCheck.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\WINDOWS\curity~1
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\ime\imkr6_1\IMEKRMIG .EXE
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ssqrq.dll

Code:
C:\Program Files\AIM\aim .exe ---> QooBox
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe ---> QooBox
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe ---> QooBox
C:\Program Files\Common Files\Symantec Shared\ccApp .exe ---> QooBox
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe ---> QooBox
C:\Program Files\Google\Secure Access\GoogleSecureAccess .exe ---> QooBox
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe ---> QooBox
C:\Program Files\HPQ\Default Settings\cpqset .exe ---> QooBox
C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe ---> QooBox
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\QuickTime\qttask .exe ---> QooBox
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE ---> QooBox
C:\WINDOWS\ime\imkr6_1\IMEKRMIG .EXE ---> QooBox
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe ---> QooBox
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE ---> QooBox
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe ---> QooBox
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 18:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 18:22 . 2008-01-17 18:23 3,917,590 --a------ C:\susi-enhanced.wmv
2008-01-17 06:24 . 2004-08-04 00:00 4,639 -ra------ C:\WINDOWS\system32\ssqrq.exe
2008-01-16 18:15 . 2008-01-16 18:15 247,315 --a------ C:\HK40K.jpg
2008-01-16 06:53 . 2008-01-16 07:24 219,875,328 --a------ C:\StarCraft-Ghost.avi
2008-01-14 19:09 . 2008-01-17 18:29 <DIR> d-------- C:\HJT
2008-01-13 03:03 . 2008-01-15 21:43 735 --a------ C:\WINDOWS\wininit.ini
2008-01-13 02:28 . 2008-01-13 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 02:19 . 2008-01-13 02:20 7,467,056 --a------ C:\Program Files\spybotsd15.exe
2008-01-13 02:19 . 2008-01-13 02:19 356,864 --a------ C:\WINDOWS\system32\OLD55.tmp
2008-01-13 01:49 . 2008-01-14 17:22 <DIR> d-------- C:\WINDOWS\system32\isolate
2008-01-12 18:02 . 2008-01-12 18:02 1,036,288 --a------ C:\1848002.divx
2008-01-12 17:27 . 2008-01-12 17:27 8,602,966 --a------ C:\1988490.divx
2008-01-10 07:12 . 2008-01-10 07:12 20,115,430 --a------ C:\2046117.divx
2008-01-10 07:10 . 2008-01-10 07:11 35,844,310 --a------ C:\2046277.divx
2008-01-10 07:01 . 2008-01-10 07:01 3,318,278 --a------ C:\2051083.divx
2008-01-09 15:44 . 2008-01-09 15:44 1,319 --a------ C:\chart.py
2008-01-08 17:26 . 2008-01-08 17:27 1,687,638 --a------ C:\TitanRules.pdf
2008-01-06 15:35 . 2008-01-06 21:10 51,959,252 --a------ C:\1731357.divx
2008-01-06 13:50 . 2008-01-06 13:50 72,632,624 --a------ C:\1966655.divx
2008-01-06 12:42 . 2008-01-06 12:42 105,300,778 --a------ C:\1558932.divx
2008-01-06 09:59 . 2008-01-06 10:00 105,956,652 --a------ C:\1556236.divx
2008-01-05 03:43 . 2008-01-05 03:43 25,639,554 --a------ C:\1685642.divx
2008-01-04 21:18 . 2008-01-04 21:18 25,530,368 --a------ C:\1898891.divx
2008-01-04 18:41 . 2008-01-04 18:42 139,849,868 --a------ C:\1973259.divx
2008-01-04 18:21 . 2008-01-04 18:21 15,237,922 --a------ C:\1435140.divx
2008-01-03 08:58 . 2008-01-03 08:58 84,841,064 --a------ C:\1467956.divx
2007-12-21 07:47 . 2007-12-21 16:40 98,114,706 --a------ C:\1254553.divx
2007-12-18 17:18 . 2007-12-18 17:19 3,490 --a------ C:\115
2007-12-18 06:09 . 2007-12-18 06:10 7,110,438 --a------ C:\$SystemUpdate_12-2007.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 02:44 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-18 02:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 02:40 --------- d-----w C:\Program Files\QuickTime
2008-01-18 02:40 --------- d-----w C:\Program Files\AIM
2008-01-18 02:39 --------- d-----w C:\Documents and Settings\Bobcloclimar\Application Data\.purple
2008-01-15 05:29 --------- d-----w C:\Program Files\iTunes
2008-01-15 03:08 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys
2008-01-15 03:08 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-15 02:01 --------- d-----w C:\Documents and Settings\Bobcloclimar\Application Data\IGN_DLM
2008-01-13 21:57 --------- d-----w C:\Program Files\Java
2008-01-06 02:06 --------- d-----w C:\Documents and Settings\Bobcloclimar\Application Data\OpenOffice.org2
2008-01-01 23:17 --------- d-----w C:\Program Files\XviD
2007-12-18 14:10 7,110,438 ----a-w C:\$SystemUpdate_12-2007.zip
2007-12-11 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-05 14:25 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 14:25 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 14:25 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 14:25 --------- d-----w C:\Program Files\Symantec
2007-12-01 07:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 07:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 07:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 07:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 07:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 07:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 07:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-15 01:56 24,526,113 ----a-w C:\Miro_Installer.exe
2006-01-25 20:55 604,908,520 ----a-w C:\Program Files\3dmark06_v102_installer.exe
2005-11-22 21:05 302,680 ----a-w C:\Program Files\ac3filter_0_70b.exe
2005-11-22 16:22 11,867,552 ----a-w C:\Program Files\RealPlayer10-5GOLD_bb.exe
2005-11-15 21:35 26,168,320 ----a-w C:\Program Files\small-miktex-2.4.1705.exe
2003-07-26 19:03 988,398 ----a-w C:\Program Files\wrar320.exe
.
Code:
----a-w         4,670,968 2008-01-15 03:18:07  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]

C:\Documents and Settings\Bobcloclimar\Start Menu\Programs\Startup\
test.lnk.disabled [2008-01-15 17:44:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"{244EBF35-134D-4d21-8351-7D009E479B01}"=C:\Program Files\Google\Secure Access\GoogleSecureAccess.exe
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
"igndlm.exe"=C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Steam"=
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"hpWirelessAssistant"="%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"688828a0"=rundll32.exe "C:\WINDOWS\system32\hcdtgxcy.dll",b
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

R2 RA MSP430 FET 1.1;MSP430 FET Debug Interface 1.1;C:\WINDOWS\system32\drivers\RA_MSPFETP430IF_1_1.sys [2004-09-24 16:08]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-06-10 06:59]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 12:53]
S3 AgDataUpdateSvc;AgDataUpdateSvc;"C:\Program Files\AGI\STK 7\bin\AgDataUpdateSvc.exe" [2005-11-15 23:08]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 14:19:36 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bobcloclimar.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2008-01-14 14:19:22 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 18:46:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 18:52:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 02:52:05
.
2008-01-14 01:24:54 --- E O F ---
 
HJT Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:08:16 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\Problems.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: test.lnk.disabled (User 'SYSTEM')
O4 - .DEFAULT Startup: test.lnk.disabled (User 'Default user')
O4 - Startup: test.lnk.disabled
O4 - Global Startup: BTTray.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AgDataUpdateSvc - Analytical Graphics, Inc. - C:\Program Files\AGI\STK 7\bin\AgDataUpdateSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6810 bytes
 
Hi

Norton was infected, but has been replaced from a clean backup, so it should be OK now.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\OLD55.tmp

RenV::
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Do you know what any of these are?

2008-01-12 18:02 . 2008-01-12 18:02 1,036,288 --a------ C:\1848002.divx
2008-01-12 17:27 . 2008-01-12 17:27 8,602,966 --a------ C:\1988490.divx
2008-01-10 07:12 . 2008-01-10 07:12 20,115,430 --a------ C:\2046117.divx
2008-01-10 07:10 . 2008-01-10 07:11 35,844,310 --a------ C:\2046277.divx
2008-01-10 07:01 . 2008-01-10 07:01 3,318,278 --a------ C:\2051083.divx
2008-01-06 15:35 . 2008-01-06 21:10 51,959,252 --a------ C:\1731357.divx
2008-01-06 13:50 . 2008-01-06 13:50 72,632,624 --a------ C:\1966655.divx
2008-01-06 12:42 . 2008-01-06 12:42 105,300,778 --a------ C:\1558932.divx
2008-01-06 09:59 . 2008-01-06 10:00 105,956,652 --a------ C:\1556236.divx
2008-01-05 03:43 . 2008-01-05 03:43 25,639,554 --a------ C:\1685642.divx
2008-01-04 21:18 . 2008-01-04 21:18 25,530,368 --a------ C:\1898891.divx
2008-01-04 18:41 . 2008-01-04 18:42 139,849,868 --a------ C:\1973259.divx
2008-01-04 18:21 . 2008-01-04 18:21 15,237,922 --a------ C:\1435140.divx
2008-01-03 08:58 . 2008-01-03 08:58 84,841,064 --a------ C:\1467956.divx
2007-12-21 07:47 . 2007-12-21 16:40 98,114,706 --a------ C:\1254553.divx

2007-12-18 17:18 . 2007-12-18 17:19 3,490 --a------ C:\115

steam
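As an added check, not part of the original post and not ComboFix's own code, here is a small Python validator for a CFScript.txt written to the rules the instructions above give: the exact text File:: on the first line, no blank line above it, no space in front of it, and absolute Windows paths under each directive. It only knows the File:: and RenV:: directives because those are the ones the post uses. The sample script embedded below is the one from the post, constructed as a string so the check runs offline. Treating a space before the extension (as in the YahooMessenger .exe entry) as the cue that a path belongs under RenV:: rather than File:: is my assumption drawn from how the post uses the two sections.

```python
"""Validate a ComboFix CFScript.txt against the rules stated in the post.

Added example; not from the original thread or from ComboFix.
"""
import re

# Constructed sample: the script from the post, embedded as a string.
SAMPLE_SCRIPT = (
    "File::\n"
    "C:\\WINDOWS\\system32\\ssqrq.exe\n"
    "C:\\WINDOWS\\system32\\OLD55.tmp\n"
    "\n"
    "RenV::\n"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger .exe\n"
)

# Only the directives the post uses are recognised (assumption: others exist but
# are not needed here).
KNOWN_DIRECTIVES = {"File::", "RenV::"}

# Absolute Windows path: drive letter, colon, backslash.
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# A space immediately before the file extension, e.g. "YahooMessenger .exe".
SPACE_BEFORE_EXT = re.compile(r" \.[A-Za-z0-9]+$")


def validate_cfscript(text):
    """Return (errors, sections).

    errors   - list of human-readable problems (empty when the script is valid)
    sections - dict mapping each directive to the list of paths under it
    """
    errors = []
    # splitlines() handles both CRLF (Notepad) and LF line endings.
    lines = text.splitlines()
    if not lines:
        return ["script is empty"], {}

    # Rule from the post: File:: must be exactly the first line.
    first = lines[0]
    if first != "File::":
        if first.strip() == "":
            errors.append("blank line above File:: on line 1")
        elif first.lstrip() == "File::":
            errors.append("leading whitespace before File:: on line 1")
        elif first.rstrip() == "File::":
            errors.append("trailing whitespace after File:: on line 1")
        else:
            errors.append("first line must be exactly 'File::' (got %r)" % first)

    sections = {}
    current = None
    for n, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped == "":
            continue  # blank lines separate sections
        if stripped.endswith("::"):
            if stripped not in KNOWN_DIRECTIVES:
                errors.append("line %d: unknown directive %r" % (n, stripped))
            if n != 1 and line != stripped:
                errors.append("line %d: directive has surrounding whitespace" % n)
            current = stripped
            sections.setdefault(current, [])
            continue
        if current is None:
            errors.append("line %d: path before any directive" % n)
            continue
        if not WIN_PATH.match(line):
            errors.append("line %d: not an absolute Windows path: %r" % (n, line))
            continue
        sections[current].append(line)
    return errors, sections


def misplaced_renames(sections):
    """Paths listed under File:: that look like they belong under RenV::.

    Assumption: a space before the extension is the cue for RenV::, as in the post.
    """
    return [p for p in sections.get("File::", []) if SPACE_BEFORE_EXT.search(p)]


if __name__ == "__main__":
    errs, secs = validate_cfscript(SAMPLE_SCRIPT)
    print("errors:", errs)
    for directive, paths in secs.items():
        print(directive, paths)
    print("misplaced:", misplaced_renames(secs))
```

Run it against the file you saved before dragging it onto ComboFix; an empty error list means the first-line rule and the path lines are as the post requires.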
 
Do you know what any of these are?

2008-01-12 18:02 . 2008-01-12 18:02 1,036,288 --a------ C:\1848002.divx
2008-01-12 17:27 . 2008-01-12 17:27 8,602,966 --a------ C:\1988490.divx
2008-01-10 07:12 . 2008-01-10 07:12 20,115,430 --a------ C:\2046117.divx
2008-01-10 07:10 . 2008-01-10 07:11 35,844,310 --a------ C:\2046277.divx
2008-01-10 07:01 . 2008-01-10 07:01 3,318,278 --a------ C:\2051083.divx
2008-01-06 15:35 . 2008-01-06 21:10 51,959,252 --a------ C:\1731357.divx
2008-01-06 13:50 . 2008-01-06 13:50 72,632,624 --a------ C:\1966655.divx
2008-01-06 12:42 . 2008-01-06 12:42 105,300,778 --a------ C:\1558932.divx
2008-01-06 09:59 . 2008-01-06 10:00 105,956,652 --a------ C:\1556236.divx
2008-01-05 03:43 . 2008-01-05 03:43 25,639,554 --a------ C:\1685642.divx
2008-01-04 21:18 . 2008-01-04 21:18 25,530,368 --a------ C:\1898891.divx
2008-01-04 18:41 . 2008-01-04 18:42 139,849,868 --a------ C:\1973259.divx
2008-01-04 18:21 . 2008-01-04 18:21 15,237,922 --a------ C:\1435140.divx
2008-01-03 08:58 . 2008-01-03 08:58 84,841,064 --a------ C:\1467956.divx
2007-12-21 07:47 . 2007-12-21 16:40 98,114,706 --a------ C:\1254553.divx

2007-12-18 17:18 . 2007-12-18 17:19 3,490 --a------ C:\115

steam

These are all media/game related files that predate the infection.

New logs will be up shortly.
 
CF Log:
ComboFix 08-01-18.4 - Virogtheconq 2008-01-18 16:56:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239 [GMT -8:00]
Running from: C:\Documents and Settings\Virogtheconq\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Virogtheconq\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\OLD55.tmp
C:\WINDOWS\system32\ssqrq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\OLD55.tmp
C:\WINDOWS\system32\ssqrq.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-17 18:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 18:15 . 2008-01-16 18:15 247,315 --a------ C:\HK40K.jpg
2008-01-16 06:53 . 2008-01-16 07:24 219,875,328 --a------ C:\StarCraft-Ghost.avi
2008-01-14 19:09 . 2008-01-18 16:45 <DIR> d-------- C:\HJT
2008-01-13 03:03 . 2008-01-15 21:43 735 --a------ C:\WINDOWS\wininit.ini
2008-01-13 02:28 . 2008-01-13 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 02:19 . 2008-01-13 02:20 7,467,056 --a------ C:\Program Files\spybotsd15.exe
2008-01-13 01:49 . 2008-01-14 17:22 <DIR> d-------- C:\WINDOWS\system32\isolate
2008-01-12 18:02 . 2008-01-12 18:02 1,036,288 --a------ C:\1848002.divx
2008-01-12 17:27 . 2008-01-12 17:27 8,602,966 --a------ C:\1988490.divx
2008-01-10 07:12 . 2008-01-10 07:12 20,115,430 --a------ C:\2046117.divx
2008-01-10 07:10 . 2008-01-10 07:11 35,844,310 --a------ C:\2046277.divx
2008-01-10 07:01 . 2008-01-10 07:01 3,318,278 --a------ C:\2051083.divx
2008-01-09 15:44 . 2008-01-09 15:44 1,319 --a------ C:\chart.py
2008-01-08 17:26 . 2008-01-08 17:27 1,687,638 --a------ C:\TitanRules.pdf
2008-01-06 15:35 . 2008-01-06 21:10 51,959,252 --a------ C:\1731357.divx
2008-01-06 13:50 . 2008-01-06 13:50 72,632,624 --a------ C:\1966655.divx
2008-01-06 12:42 . 2008-01-06 12:42 105,300,778 --a------ C:\1558932.divx
2008-01-06 09:59 . 2008-01-06 10:00 105,956,652 --a------ C:\1556236.divx
2008-01-05 03:43 . 2008-01-05 03:43 25,639,554 --a------ C:\1685642.divx
2008-01-04 21:18 . 2008-01-04 21:18 25,530,368 --a------ C:\1898891.divx
2008-01-04 18:41 . 2008-01-04 18:42 139,849,868 --a------ C:\1973259.divx
2008-01-04 18:21 . 2008-01-04 18:21 15,237,922 --a------ C:\1435140.divx
2008-01-03 08:58 . 2008-01-03 08:58 84,841,064 --a------ C:\1467956.divx
2007-12-21 07:47 . 2007-12-21 16:40 98,114,706 --a------ C:\1254553.divx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 00:53 --------- d-----w C:\Documents and Settings\Virogtheconq\Application Data\.purple
2008-01-18 02:44 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-18 02:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 02:40 --------- d-----w C:\Program Files\QuickTime
2008-01-18 02:40 --------- d-----w C:\Program Files\AIM
2008-01-15 05:29 --------- d-----w C:\Program Files\iTunes
2008-01-15 03:08 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys
2008-01-15 03:08 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-15 02:01 --------- d-----w C:\Documents and Settings\Virogtheconq\Application Data\IGN_DLM
2008-01-13 21:57 --------- d-----w C:\Program Files\Java
2008-01-06 02:06 --------- d-----w C:\Documents and Settings\Virogtheconq\Application Data\OpenOffice.org2
2008-01-01 23:17 --------- d-----w C:\Program Files\XviD
2007-12-18 14:10 7,110,438 ----a-w C:\$SystemUpdate_12-2007.zip
2007-12-11 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-05 14:25 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 14:25 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 14:25 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 14:25 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 14:25 --------- d-----w C:\Program Files\Symantec
2007-12-01 07:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 07:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 07:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 07:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 07:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 07:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 07:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-15 01:56 24,526,113 ----a-w C:\Miro_Installer.exe
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-31 03:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 03:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:39 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-28 01:37 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2006-01-25 20:55 604,908,520 ----a-w C:\Program Files\3dmark06_v102_installer.exe
2005-11-22 21:05 302,680 ----a-w C:\Program Files\ac3filter_0_70b.exe
2005-11-22 16:22 11,867,552 ----a-w C:\Program Files\RealPlayer10-5GOLD_bb.exe
2005-11-15 21:35 26,168,320 ----a-w C:\Program Files\small-miktex-2.4.1705.exe
2003-07-26 19:03 988,398 ----a-w C:\Program Files\wrar320.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_18.51.50.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 02:33:33 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 00:55:47 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 02:33:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 00:55:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 02:33:33 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 00:55:47 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 02:33:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 00:55:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 02:33:34 5,533,696 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 00:55:47 5,533,696 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 02:33:34 286,720 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 00:55:47 286,720 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]

C:\Documents and Settings\Virogtheconq\Start Menu\Programs\Startup\
test.lnk.disabled [2008-01-15 17:44:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"{244EBF35-134D-4d21-8351-7D009E479B01}"=C:\Program Files\Google\Secure Access\GoogleSecureAccess.exe
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
"igndlm.exe"=C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Steam"=
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"hpWirelessAssistant"="%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"688828a0"=rundll32.exe "C:\WINDOWS\system32\hcdtgxcy.dll",b
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

R2 RA MSP430 FET 1.1;MSP430 FET Debug Interface 1.1;C:\WINDOWS\system32\drivers\RA_MSPFETP430IF_1_1.sys [2004-09-24 16:08]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-06-10 06:59]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 12:53]
S3 AgDataUpdateSvc;AgDataUpdateSvc;"C:\Program Files\AGI\STK 7\bin\AgDataUpdateSvc.exe" [2005-11-15 23:08]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 14:19:36 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Virogtheconq.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2008-01-14 14:19:22 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 17:00:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 17:01:12
ComboFix-quarantined-files.txt 2008-01-19 01:01:03
.
2008-01-14 01:24:54 --- E O F ---
 
New HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:11:49 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\Problems.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: test.lnk.disabled (User 'SYSTEM')
O4 - .DEFAULT Startup: test.lnk.disabled (User 'Default user')
O4 - Startup: test.lnk.disabled
O4 - Global Startup: BTTray.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AgDataUpdateSvc - Analytical Graphics, Inc. - C:\Program Files\AGI\STK 7\bin\AgDataUpdateSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6942 bytes
 
Hi

Your logs are clean now; however, on looking at your latest logs, these files appear to have been casualties of the infection ...

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll
C:\Program Files\Norton AntiVirus\osCheck.exe

These files were found to be infected along with a lot of other files; the infected files have been deleted & where possible replaced with a clean copy. Unfortunately there were no clean copies for some files ...

If any of the above files are missing, you may have to reinstall Norton ...

steam
 
Well, two of them do appear to be missing. Unfortunate, but seeing as my subscription just expired, perhaps it's time to switch to another program.

Thanks for your help!
 