
Annmarie (Premium, Mod): HJT Log - fake alerts
I have very little time to clean this up so excuse me for being abrupt. Co-worker's laptop, Windows XP running Symantec client, suddenly began getting nasty pop-ups and what appeared to be Windows security alerts. Someone used his laptop while he was out of the office. Between him and me we followed the FAQ procedure to the T. His words: "found and cleaned tons of stuff but that one keeps showing up". That "one" is the .jpg I posted - it pops up with different trojan names. I snuck (sneaked?) the laptop out of the office so I could clean it at home. I have to get it back tonight before the security cameras go back on. Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:51 PM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\fozixwjc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\fozixwjc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe
O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe
O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe
O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - 24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
-- End of file - 7563 bytes

Annmarie (Premium, Mod): Combofix log:
ComboFix 08-09-03.02 - STravis 2008-09-03 22:58:17.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\STravis\My Documents\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.
2008-09-03 21:44 . 2008-09-03 21:44 86,016 --a------ C:\WINDOWS\system32\ujyhuhgd.exe
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-03 19:54 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 23:06 . 2008-09-02 23:06 d-------- C:\Documents and Settings\All Users\Application Data\zehchwhk
2008-09-02 23:06 . 2008-09-02 23:06 81,920 --a------ C:\WINDOWS\system32\fozixwjc.exe
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 02:53 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-04 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-03 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe
----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe
----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe
----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ApiSrv"="C:\WINDOWS\system32\fozixwjc.exe" [2008-09-02 81920]
"cmdinfo"="C:\WINDOWS\system32\ujyhuhgd.exe" [2008-09-03 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"="C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe" [2008-09-02 65536]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/
O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 -: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2008-09-03 23:21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-09-03 23:30:39 - machine was rebooted [STravis]
ComboFix-quarantined-files.txt 2008-09-04 03:29:35

Pre-Run: 37,850,038,272 bytes free
Post-Run: 37,776,023,552 bytes free
152 --- E O F --- 2008-09-03 19:06:11

Annmarie (Premium, Mod), in reply to Annmarie: Fresh ComboFix log, run in Safe Mode:
ComboFix 08-09-04.08 - STravis 2008-09-04 23:38:46.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.784 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.
2008-09-04 18:07 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-04 18:07 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-04 18:06 . 2008-09-04 18:07 d-------- C:\Program Files\Symantec
2008-09-04 18:04 . 2008-09-04 18:04 94,208 --a------ C:\WINDOWS\system32\ynejmroz.exe
2008-09-04 10:12 . 2008-09-04 10:12 94,208 --a------ C:\WINDOWS\system32\xcxebazm.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 21:44 . 2008-09-03 21:44 86,016 --a------ C:\WINDOWS\system32\ujyhuhgd.exe
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-02 23:06 . 2008-09-02 23:06 d-------- C:\Documents and Settings\All Users\Application Data\zehchwhk
2008-09-02 23:06 . 2008-09-02 23:06 81,920 --a------ C:\WINDOWS\system32\fozixwjc.exe
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 03:34 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-05 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-05 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 22:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-04 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.
------- Sigcheck -------
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-03_23.29.04.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-04 21:11:41 25,214 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\ARPPRODUCTICON.exe
+ 2008-09-04 22:07:58 25,214 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\ARPPRODUCTICON.exe
- 2008-03-04 21:11:39 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-03-04 21:11:40 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2006-09-28 01:35:04 34,600 ----a-w C:\WINDOWS\system32\cba.dll
+ 2006-09-28 00:35:04 34,600 ----a-w C:\WINDOWS\system32\cba.dll
- 2006-08-07 21:01:56 12,992 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
+ 2006-08-07 20:01:56 12,992 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
- 2006-08-07 21:02:02 110,784 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
+ 2006-08-07 20:02:02 110,784 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
- 2006-08-07 21:02:18 31,936 ----a-w C:\WINDOWS\system32\drivers\symids.sys
+ 2006-08-07 20:02:18 31,936 ----a-w C:\WINDOWS\system32\drivers\symids.sys
- 2006-08-07 21:02:14 28,352 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
+ 2006-08-07 20:02:14 28,352 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
- 2006-08-07 21:02:22 24,768 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
+ 2006-08-07 20:02:22 24,768 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
- 2006-08-07 21:02:26 195,776 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
+ 2006-08-07 20:02:26 195,776 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
+ 2004-08-04 10:00:00 24,576 ----a-w C:\WINDOWS\system32\init32.exe
- 2007-03-15 22:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
- 2006-09-28 01:35:04 83,696 ----a-w C:\WINDOWS\system32\loc32vc0.dll
+ 2006-09-28 00:35:04 83,696 ----a-w C:\WINDOWS\system32\loc32vc0.dll
- 2003-03-19 03:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
+ 2003-03-19 02:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
- 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-09-28 01:35:06 46,896 ----a-w C:\WINDOWS\system32\msgsys.dll
+ 2006-09-28 00:35:06 46,896 ----a-w C:\WINDOWS\system32\msgsys.dll
- 2006-09-28 01:33:54 43,760 ----a-w C:\WINDOWS\system32\NavLogon.dll
+ 2006-09-28 00:33:54 43,760 ----a-w C:\WINDOWS\system32\NavLogon.dll
- 2006-09-28 01:35:06 83,752 ----a-w C:\WINDOWS\system32\nts.dll
+ 2006-09-28 00:35:06 83,752 ----a-w C:\WINDOWS\system32\nts.dll
- 2006-09-28 01:35:08 83,752 ----a-w C:\WINDOWS\system32\pds.dll
+ 2006-09-28 00:35:08 83,752 ----a-w C:\WINDOWS\system32\pds.dll
- 2006-08-07 21:02:32 534,208 ----a-w C:\WINDOWS\system32\SymNeti.dll
+ 2006-08-07 20:02:32 534,208 ----a-w C:\WINDOWS\system32\SymNeti.dll
- 2006-08-07 21:02:30 161,472 ----a-w C:\WINDOWS\system32\SymRedir.dll
+ 2006-08-07 20:02:30 161,472 ----a-w C:\WINDOWS\system32\SymRedir.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe
----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-19 23:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe
----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 00:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe
----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ApiSrv"="C:\WINDOWS\system32\fozixwjc.exe" [2008-09-02 81920]
"cmdinfo"="C:\WINDOWS\system32\ujyhuhgd.exe" [2008-09-03 86016]
"setsh"="C:\WINDOWS\system32\xcxebazm.exe" [2008-09-04 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iQkkP4fm85"="C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe" [2008-09-02 65536]

C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
S2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/
O16 -: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://24.46.98.45:8888/common/NPRemvu.cab
C:\WINDOWS\Downloaded Program Files\NPRemvu.inf
C:\WINDOWS\NPRemvu.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-04 23:42:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2008-09-04 23:48:55
ComboFix-quarantined-files.txt 2008-09-05 03:47:52
ComboFix2.txt 2008-09-04 03:30:40
Pre-Run: 37,492,264,960 bytes free
Post-Run: 37,495,316,480 bytes free
219 --- E O F --- 2008-09-03 19:06:11
| |   bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD clubs:
·Verizon Online DSL
edit: September 5th, @09:51AM
| reply to Annmarie
First Steps
:!: The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.
Please download ATF Cleaner. It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
:!: Click Exit on the Main menu to close the program.
Reconfigure Windows XP to show hidden files: To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.
TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Malware Removal Steps
1. Open HijackThis again, System scan only. Checkmark these items:
O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe
O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe
O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe
O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
Click "Fix checked" and when the log panel clears exit HijackThis.
2. Download -- but do not yet run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:
Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or use your Mouse to do a Copy/Paste:
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Be sure your Notepad document now matches what you see in the Code Box. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:
When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Use Add or Remove Programs and Uninstall your current installation of Malwarebyte's Anti-malware. Then please download MalwareBytes Anti-malware (MBAM) again from one of the following links:
Once downloaded, close all programs and Windows on your computer (including this one.)
Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
On the Scanner tab, make sure the Perform quick scan option is Un-selected and then click on the Scan button to start scanning your computer.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.
4. Run HijackThis again, and save the log file.
Submit to the Forum:
• The MBAM log results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
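One way to triage HijackThis O4 lines the way the four "Checkmark these items" entries above were picked out, as an added example that is not part of this thread and not code from HijackThis or ComboFix: it parses the registry-style O4 entries and flags the traits those four share, namely an eight-lowercase-letter executable name, the Policies\Explorer\Run autostart location, and a drop under All Users\Application Data. The sample lines are constructed from the Run-key entries in the logs posted above; the KNOWN_GOOD allowlist, the eight-letter pattern and the function names are my assumptions, not anything from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines built from the Run-key entries in the ComboFix
# and HijackThis logs posted above. Benign Symantec/Sigmatel/ctfmon/TeaTimer
# entries sit next to the four that were selected for "Fix checked".
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ApiSrv] C:\WINDOWS\system32\fozixwjc.exe
O4 - HKCU\..\Run: [cmdinfo] C:\WINDOWS\system32\ujyhuhgd.exe
O4 - HKCU\..\Run: [setsh] C:\WINDOWS\system32\xcxebazm.exe
O4 - HKLM\..\Policies\Explorer\Run: [iQkkP4fm85] C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
"""

# Registry-style O4 line: "O4 - HKCU\..\Run: [value name] command".
REG_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First ".exe" file name in the command (works for quoted paths and bare names).
EXE_NAME = re.compile(r'([^\\/"]+)\.exe\b', re.IGNORECASE)
# Eight lowercase letters: what fozixwjc, ujyhuhgd, xcxebazm and lyhshubi share.
# This is a heuristic tied to this infection, not a signature.
RANDOM_STEM = re.compile(r"[a-z]{8}")
# Assumption: a small allowlist the analyst maintains for legitimate names that
# happen to match the pattern (stsystra.exe is the SigmaTel audio tray applet).
KNOWN_GOOD = {"stsystra"}


@dataclass
class Finding:
    name: str            # value name inside the [brackets]
    cmd: str             # command the key launches
    line: str            # the original O4 line, ready to paste into a fix list
    reasons: list = field(default_factory=list)


def triage(text, allowlist=KNOWN_GOOD):
    """Return a Finding for every registry O4 entry that trips at least one heuristic."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_O4.match(line)
        if not m:
            continue  # Startup-folder O4 lines and other HJT sections are not handled here
        key, cmd = m["key"], m["cmd"]
        reasons = []
        if "policies\\explorer\\run" in key.lower():
            reasons.append("POLICY_RUN: autostart under Policies\\Explorer\\Run, "
                           "a location a quick look at the ordinary Run keys misses")
        exe = EXE_NAME.search(cmd)
        stem = exe.group(1) if exe else ""
        # Case-sensitive on purpose: 'TeaTimer' must not collapse into 'teatimer'.
        if RANDOM_STEM.fullmatch(stem) and stem.lower() not in allowlist:
            reasons.append(f"RANDOM_NAME: {stem}.exe is eight lowercase letters, "
                           "the pattern of the dropped files in this thread")
        if "\\all users\\application data\\" in cmd.lower():
            reasons.append("PROGRAMDATA_DROP: executable runs from All Users\\Application Data "
                           "instead of a program directory")
        if reasons:
            findings.append(Finding(m["name"], cmd, line, reasons))
    return findings


def fix_list(findings):
    """The lines to checkmark in HijackThis, in the form they were posted above."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f.line)
        for r in f.reasons:
            print("   ", r)
```

Run against the sample it reports exactly the four entries that were selected in step 1 and stays quiet on ctfmon, TeaTimer, ccApp, vptray and stsystra; drop stsystra from the allowlist and it is flagged too, which is the point of keeping the allowlist explicit rather than baking vendor names into the pattern.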
| |   Annmarie brain cooties Premium,Mod join:2000-11-11 Ronkonkoma, NY clubs:
·Optimum Online
Host: Electronics
| Thank you so much for responding. I have printed out your instructions and will follow them exactly as written.
1. I have to do this tonight since we are at work now and prying eyes won't allow this to happen just yet.
2. This is a vital office laptop - what are the chances, even if I follow the steps explicitly - that it will die a sorry death. A format will affect both my co workers and my job status. As it is, the employee who caused this to happen (used the computer and stopped all virus/malware protection) will be fired. Before that happens I need to ascertain a date if possible.
3. Once I bring this laptop home I need to allow it access to my wireless network. Should I be worried about my home machines which have virus protection as well as several malware protection apps in real time?
FYI - our work computers came with the Symantec client which we are not allowed to uninstall. I prefer AVG but that is not going to happen. We all run SpyBot on a daily schedule as well as AdAware on a daily basis. I insist on it or I will not clean the computers. I will now be running ESET also as recommended by lilhurricane. CCleaner is run before shutdown each night.
I will post back once I have completed your instructions. | |   bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| reply to Annmarie #1. We should be able to clean this completely without major trauma (or surgery).
#2. This malware infection does not spread through network shares. Your home network machines will be fine.
Best regards, Bill Castner -- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
| |   Annmarie brain cooties Premium,Mod join:2000-11-11 Ronkonkoma, NY clubs:
·Optimum Online
Host: Electronics
edit: September 6th, @11:21AM
| ISSUE!
Procedure went fine up to this point:
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:
When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes. ! A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
!! When the CF scan completed I did File and Exit but did NOT get the "save changes" question. The log simply blinked away. There is a log.txt file in My Documents but it is dated 9/4/08 and I can only assume it is from the pre-cleanup procedures.
Might that log.txt be somewhere else? I will look but I am not going to perform any more scans until I hear back.
EDIT: no current log.txt and Malwarebytes asks for a reboot to finish the uninstall of current installation. Will a reboot be OK?
Also, since the AV is managed by the main corporate office there is no disable feature so I simply uninstalled it and will reinstall once the machine is clean. It found no issues when this all began so I am less than thrilled with it to begin with.
| |   Annmarie brain cooties Premium,Mod join:2000-11-11 Ronkonkoma, NY clubs:
| I found the combofix.txt file so I am OK on that but am still concerned on the reboot. Have stopped at that part. Did not reboot or download a fresh copy of malwarebytes yet.
| |   Annmarie brain cooties Premium,Mod join:2000-11-11 Ronkonkoma, NY clubs:
·Optimum Online
Host: Electronics
| reply to Annmarie
(1) MBAM log results after uninstall old and reinstall new:
Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2
9/6/2008 11:42:01 PM
mbam-log-2008-09-06 (23-42-01).txt
Scan type: Full Scan (C:\|)
Objects scanned: 92965
Time elapsed: 41 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
(2) Combofix.txt:
ComboFix 08-09-04.08 - STravis 2008-09-06 10:40:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.476 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STravis\Desktop\CFscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\All Users\Application Data\zehchwhk
C:\Documents and Settings\All Users\Application Data\zehchwhk\lyhshubi.exe
C:\WINDOWS\system32\fozixwjc.exe
C:\WINDOWS\system32\ujyhuhgd.exe
C:\WINDOWS\system32\xcxebazm.exe
C:\WINDOWS\system32\ynejmroz.exe
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 20:21 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-06 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 13:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
------- Sigcheck -------
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe
----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe
----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"AdmApiCmd"="C:\WINDOWS\system32\gbuvidsp.exe" [2008-09-04 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]
C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - ERASERUTILDRV10822
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - SAVRT
*Newly Created Service* - SAVRTPEL
*Newly Created Service* - SPBBCDRV
*Newly Created Service* - SYMEVENT
*Newly Created Service* - SYMREDRV
Contents of the 'Scheduled Tasks' folder
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-06 10:43:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
Completion time: 2008-09-06 10:49:18
ComboFix-quarantined-files.txt 2008-09-06 14:48:15
ComboFix2.txt 2008-09-05 03:48:56
ComboFix3.txt 2008-09-04 03:30:40
Pre-Run: 40,361,709,568 bytes free
Post-Run: 40,347,242,496 bytes free
179 --- E O F --- 2008-09-06 13:16:35
(3) New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:26 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\gbuvidsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.giants.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
-- End of file - 5575 bytes
FYI: as I clicked spell check before hitting post now the security alert graphic popped up like in my first post. Oy!
| |   bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD clubs:
·Verizon Online DSL
edit: September 7th, @06:04PM
| reply to Annmarie If MBAM or Combofix request or force a reboot, allow them to do so. Some malware infectors can only be removed during the reboot process, as they are then in an inactive state.
1. Open HijackThis again, System scan only. Checkmark these items:
O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe
Click "Fix checked" and when the log panel clears exit HijackThis.
2. We need to run Combofix again.
Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or as above use your Mouse to do a Copy/Paste:
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:
When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Run MBAM again, just as instructed earlier above. It should report a clean result.
4. Run HijackThis again, and save the log file.
Submit to the Forum:
• Your new MBAM log result;
• The contents of C:\Combofix.txt;
• The new HijackThis log.
Now, a favor. I want you to submit for analysis this file:
c:\windows\system32\userinit.exe
I regularly submit (on-line) files to be scanned for malware. These two sites are my favorites, and use multiple AV programs for their scans -- up to 32 different major AV products are used to scan the file:
• Jotti's Virus Scan »virusscan.jotti.org/
• VirusTotal »www.virustotal.com/
These servers can be busy, but the whole process is surprisingly fast for such extensive AV testing. There is the added "Good Citizenship" factor -- if the file is found suspicious it automatically alerts the antivirus vendors of a new malware to include in their definition files.
Submit to both, and report the results back to the Forum. I appreciate this extra step on your part.
Bill Castner
--
MS-MVP 2004-2008, ASAP Member, Users Helping Users
Annmarie brain cooties Premium, Mod join: 2000-11-11 Ronkonkoma, NY clubs:
·Optimum Online
Host: Electronics
(1) MBAM Log results:
Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2
9/7/2008 8:12:06 PM
mbam-log-2008-09-07 (20-12-06).txt
Scan type: Full Scan (C:\|)
Objects scanned: 92797
Time elapsed: 41 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
2. Contents of Combofix.txt
ComboFix 08-09-04.08 - STravis 2008-09-07 19:00:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.606 [GMT -4:00]
Running from: C:\Documents and Settings\STravis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STravis\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.
2008-09-06 22:53 . 2008-09-06 22:53 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 22:53 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-06 22:53 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-05 00:04 . 2008-09-06 10:30 d-------- C:\Program Files\Symantec
2008-09-04 23:53 . 2008-09-04 23:53 90,112 --a------ C:\WINDOWS\system32\gbuvidsp.exe
2008-09-04 09:51 . 2008-09-04 09:51 d-------- C:\Program Files\Windows Defender
2008-09-04 08:55 . 2008-09-04 08:55 d-------- C:\Program Files\Trend Micro
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\STravis\Application Data\Malwarebytes
2008-09-03 20:21 . 2008-09-03 20:21 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 19:52 . 2008-09-04 16:18 d-------- C:\Program Files\EsetOnlineScanner
2008-09-03 11:44 . 2008-09-03 15:05 127 --a------ C:\WINDOWS\wininit.ini
2008-09-02 23:20 . 2008-09-02 23:20 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\scripting
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\system32\en
2008-08-18 16:25 . 2008-08-18 21:18 d-------- C:\WINDOWS\system32\bits
2008-08-18 16:25 . 2008-08-18 16:25 d-------- C:\WINDOWS\l2schemas
2008-08-18 16:17 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-08-18 16:12 . 2007-02-28 05:53 2,137,600 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-18 15:54 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2008-08-18 15:52 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002942_.tmp
2008-08-17 23:17 . 2008-08-19 21:27 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-14 22:10 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-07 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-06 14:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-06 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 03:23 57,344 ----a-w C:\WINDOWS\system32\userinit.exe
2008-09-03 16:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 03:20 --------- d-----w C:\Program Files\Lavasoft
2008-09-03 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 19:36 --------- d-----w C:\Documents and Settings\STravis\Application Data\Audacity
2008-08-01 11:46 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2007-03-05 14:02 24,192 ----a-w C:\Documents and Settings\STravis\usbsermptxp.sys
2007-03-05 14:02 22,768 ----a-w C:\Documents and Settings\STravis\usbsermpt.sys
.
------- Sigcheck -------
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-04_23.47.30.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-04 22:07:58 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-05 04:05:37 40,960 ----a-r C:\WINDOWS\Installer\{33CFCF98-F8D6-4549-B469-6F4295676D83}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2006-11-02 09:46:05 363,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMCLH.DLL
+ 2006-11-02 09:46:11 251,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2006-11-02 09:46:05 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2006-11-02 09:46:11 1,515,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3ALHN.DLL
+ 2006-11-02 09:46:05 1,253,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2006-11-02 09:46:11 365,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEVLHN.DLL
+ 2006-09-18 21:44:24 562,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSSLHN.DLL
+ 2006-09-18 21:44:24 3,447,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSTLHN.DLL
+ 2006-11-02 09:46:11 2,725,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUILHN.DLL
- 2004-08-04 05:56:48 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrv.dll
+ 2006-11-02 09:46:13 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2004-08-04 05:56:48 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unidrvui.dll
+ 2006-11-02 09:46:11 740,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2004-08-04 05:56:36 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll
+ 2006-11-02 09:41:12 761,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 176,128 2005-10-07 04:13:38 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 153,136 2007-03-09 22:53:56 C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe
----a-w 153,136 2007-03-12 17:49:26 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
----a-w 52,896 2006-07-20 00:26:04 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 49,152 2005-12-10 01:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 389,120 2006-07-17 02:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe
----a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 8,720,384 2007-12-19 01:47:24 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 125,168 2006-09-28 01:33:44 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 166,304 2007-11-07 00:09:54 C:\Program Files\Zune\bak\ZuneLauncher.exe
----a-w 158,624 2008-04-29 23:56:20 C:\Program Files\Zune\ZuneLauncher.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 77,824 2005-12-13 07:41:08 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 118,784 2005-12-13 07:45:00 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 98,304 2005-12-13 07:44:18 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 1,347,584 2005-12-19 13:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]
C:\Documents and Settings\STravis\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-29 951640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-06 24576]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e35fbb-fdda-11dc-934f-0016cf72068b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-07 19:03:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-09-07 19:08:33
ComboFix-quarantined-files.txt 2008-09-07 23:07:30
ComboFix2.txt 2008-09-06 14:49:19
ComboFix3.txt 2008-09-05 03:48:56
ComboFix4.txt 2008-09-04 03:30:40
Pre-Run: 40,295,854,080 bytes free
Post-Run: 40,281,223,168 bytes free
171 --- E O F --- 2008-09-06 13:16:35
3. New HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:51 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.giants.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - »https://70.90.17.225/Remote/msrdp.cab
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - »24.46.98.45:8888/common/NPRemvu.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec
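The reason Bill asks for userinit.exe is visible in the ComboFix Sigcheck section of the log above: the live C:\WINDOWS\system32 copy (57344 bytes, modified 2008-09-04) has a different MD5 than the Windows Update copy under SoftwareDistribution\Download (26112 bytes). As an added example, not code from this thread, ComboFix or HijackThis, here is a small Python parser for that Sigcheck format that groups the listed copies of each binary and flags any live system32 copy whose hash disagrees with a reference copy; the two sample lines are taken from the log, while the regular expression, function names and the `LIVE_DIR` assumption are mine. A mismatch is a triage signal rather than proof of infection, which is why the next step in the thread is to upload the file to multi-engine scanners.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# ComboFix Sigcheck lines: <date> <time> <size> <md5> <path>
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (\S.*)$"
)

# Sample input: the two Sigcheck lines from the ComboFix log in this thread.
SIGCHECK_SAMPLE = (
    "2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 "
    "C:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\userinit.exe\n"
    "2008-09-04 23:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 "
    "C:\\WINDOWS\\system32\\userinit.exe\n"
)

# Assumption: the copy Windows actually loads lives directly in system32;
# dllcache and SoftwareDistribution copies serve as references.
LIVE_DIR = "c:\\windows\\system32"


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        date, time, size, md5, path = m.groups()
        entries.append({
            "date": date, "time": time, "size": int(size),
            "md5": md5.lower(), "path": path,
            "name": PureWindowsPath(path).name.lower(),
        })
    return entries


def find_mismatches(entries):
    """For each file name, compare the live system32 copy against the other
    copies Sigcheck listed. Returns {name: (live_entry, [differing refs])}."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    mismatches = {}
    for name, group in by_name.items():
        live = [e for e in group
                if str(PureWindowsPath(e["path"]).parent).lower() == LIVE_DIR]
        refs = [e for e in group if e not in live]
        for lv in live:
            differing = [r for r in refs if r["md5"] != lv["md5"]]
            if differing:
                mismatches[name] = (lv, differing)
    return mismatches


if __name__ == "__main__":
    for name, (lv, refs) in find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{name}: live copy {lv['size']} bytes, md5 {lv['md5']}, "
              f"modified {lv['date']} {lv['time']}")
        for r in refs:
            print(f"  reference {r['size']} bytes, md5 {r['md5']}, at {r['path']}")
```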