BleepingComputer.com: blocked task manager and regedit and show hidden files option

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

blocked task manager and regedit and show hidden files option blocked regedit and task manager

#1 User is offline   Mjames 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 20-November 08

Posted 20 November 2008 - 06:24 PM

Hi, my computer has infected by virus, the virus created the file CF17156.exe as appear in the log file of COMBOFIX,. The virus blocked the task manager and Register editor, secondly the option show hidden folder can not be save I need every time to choose it. Could you please help me with this problem. I deleted Beisn.exe which the originally file that infected me. Can any one help me to sort the problem?

the following is the log of ComboFix

ComboFix 08-11-17.01 - 2008-11-21 0:15:25.18 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.640 [GMT 2:00]
Running from: D:\ComboFix.exe
Command switches used :: c:\documents and settings\Maged\Desktop\CFScript
* Created a new restore point

FILE ::
c:\windows\system32\CF17156.exe
c:\windows\system32\drivers\nfmnhi.sys
.

((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 17:42 . 2008-11-20 03:51 1,602,969 --a------ C:\SDFix.exe
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\NetworkService
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\LocalService
2008-11-20 04:11 . 2008-11-20 04:11 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-18 18:44 . 2008-11-18 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-18 18:43 . 2008-11-19 18:02 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-18 18:43 . 2008-11-19 18:02 <DIR> d-------- c:\documents and settings\Maged\Application Data\SUPERAntiSpyware.com
2008-11-18 18:34 . 2008-11-18 18:34 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-18 18:13 . 2008-11-18 18:34 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 17:51 . 2008-11-19 18:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-18 17:51 . 2008-11-19 18:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 17:02 . 2008-11-18 17:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Recent
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Cookies
2008-11-17 20:48 . 2008-11-17 20:48 4,024 --a------ c:\windows\system32\tmp.reg
2008-11-17 20:47 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-17 20:47 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-17 20:47 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-17 20:47 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-17 20:47 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-17 20:47 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-17 20:47 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-17 20:47 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-17 11:42 . 2008-11-17 11:42 <DIR> d-------- c:\program files\AnVir Task Manager Pro
2008-11-17 11:41 . 2008-11-17 11:41 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-12 19:49 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 19:45 . 2008-09-04 19:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-10-30 18:36 . 2008-10-30 18:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 06:44 . 2008-10-30 18:20 <DIR> d-------- c:\program files\Recovery Toolbox for RAR
2008-10-24 08:35 . 2008-10-15 18:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 12:21 . 2008-10-23 12:22 <DIR> d-------- c:\documents and settings\Maged\.idlerc
2008-10-23 10:50 . 2004-08-04 15:00 1,039,955 --a--c--- c:\windows\system32\dllcache\cmnresm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 16:34 --------- d-----w c:\program files\Java
2008-11-15 09:20 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-09 10:37 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 17:57 --------- d-----w c:\program files\Free Download Manager
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 10:40 --------- d-----w c:\documents and settings\Maged\Application Data\gtk-2.0
2008-10-13 15:05 --------- d-----w c:\program files\Veritask Software
2008-10-13 12:47 8,959 ----a-w c:\windows\system32\drivers\U3sHlpDr.sys
2008-10-13 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\TST Biometrics
2008-10-13 11:20 --------- d-----w c:\program files\ImageJ
2008-10-12 19:08 --------- d-----w c:\program files\Gimp-2.0
2008-10-12 19:02 --------- d-----w c:\program files\Priore
2008-10-10 09:22 --------- d-----w c:\documents and settings\Maged\Application Data\FinalBurner .ISO
2008-10-10 09:20 --------- d-----w c:\documents and settings\Maged\Application Data\ImgBurn
2008-10-10 09:14 --------- d-----w c:\program files\ImgBurn
2008-10-10 09:14 --------- d-----w c:\documents and settings\Maged\Application Data\DeepBurner
2008-10-10 09:10 --------- d-----w c:\program files\Astonsoft
2008-10-10 08:54 --------- d-----w c:\program files\CDBurnerXP
2008-10-10 08:54 --------- d-----w c:\documents and settings\Maged\Application Data\Canneverbe_Limited
2008-10-07 19:28 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-05 17:15 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-05-23 11:02 44,120 ----a-w c:\documents and settings\Maged\Application Data\GDIPFONTCACHEV1.DAT
2007-12-30 22:45 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-18_16.35.39.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-28 20:55:58 118,784 ----a-w c:\windows\system32\igfxpers.exe
+ 2005-11-28 20:55:58 188,416 ----a-w c:\windows\system32\igfxpers.exe
- 2008-06-09 22:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-11-18 16:34:28 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-09 22:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-18 16:34:28 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-09 23:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-18 16:34:28 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-20 22:20:06 16,384 ----atw c:\windows\temp\Perflib_Perfdata_cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 172032]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 831577]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 421888]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 151552]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 196608]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 745542]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 680006]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 561152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-12 255528]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3813376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 210328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 117616]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-10 c:\windows\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-12-07 1744896]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 161184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
"Debugger"=dummy.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS20.exe]
"Debugger"=dummy.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Maged^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Maged\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\Toshiba.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\tosBtProc.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\WINDOWS\\AGRSMMSG.exe"=
"c:\\Program Files\\TOSHIBA\\Tvs\\TvsTray.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\system32\\ctfmon.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Controls\\TFncKy.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\WINDOWS\\VFIND.exe"=
"c:\\WINDOWS\\system32\\CF22634.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=

R2 U3sHlpDr;U3sHlpDr;\??\c:\windows\System32\Drivers\U3sHlpDr.sys [2008-10-13 8959]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nfmnhi.sys []
S3 SVRPEDRV;SVRPEDRV;\??\c:\docume~1\Maged\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a3c793-c050-11dc-9581-0018dea43156}]
\Shell\Auto\command - app.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL app.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449b00d2-868a-11da-a583-00a0d1df1b4d}]
\Shell\AutoRun\command - browser.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-20 c:\windows\Tasks\User_Feed_Synchronization-{0BE07DAD-2789-4A5B-95AC-ED3C97B2E235}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 00:21:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2008-11-21 0:30:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 22:30:24
ComboFix2.txt 2008-11-20 19:12:04
ComboFix3.txt 2008-11-20 18:26:47
ComboFix4.txt 2008-11-20 16:10:01
ComboFix5.txt 2008-11-20 22:14:45

Pre-Run: 31,933,108,224 bytes free
Post-Run: 31,724,781,568 bytes free

230 --- E O F --- 2008-11-13 07:23:03

#2 User is offline   Mjames 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 20-November 08

Posted 23 November 2008 - 03:28 AM

Hi,

My computer was infected. The virus disable the task manager, register edit and firewall
and can not install some antivirus on my machine or open website like trend micro,
when I access on internet the virus download three files in my Temp folder. I attach the
HijackThis log file and the Combofix as well. Another point, I have linux this computer,
Can this virus hidden on linux?

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:26 AM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 4482 bytes
____________________________________________________________________________________________________________________________

ComboFix 08-11-17.01 - Maged 2008-11-22 22:46:16.34 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.675 [GMT 2:00]
Running from: D:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-22 22:13 . 2008-11-22 22:13 <DIR> d-------- C:\rsit
2008-11-22 22:07 . 2008-11-22 22:12 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-22 21:49 . 2008-11-22 21:49 <DIR> d-------- C:\Rustbfix
2008-11-22 21:32 . 2008-11-22 21:32 <DIR> d-------- C:\VundoFix Backups
2008-11-22 21:22 . 2008-11-22 21:22 <DIR> d-------- c:\documents and settings\Maged\Application Data\Malwarebytes
2008-11-22 21:22 . 2008-11-22 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 19:23 . 2008-11-22 19:23 7,680 --ahs---- c:\windows\system32\Thumbs.db
2008-11-22 09:00 . 2008-11-22 20:10 <DIR> d-------- C:\SDFix
2008-11-21 10:41 . 2008-11-21 10:41 <DIR> d-------- c:\program files\Lavasoft
2008-11-21 10:40 . 2008-11-21 11:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-21 03:06 . 2008-11-22 20:13 <DIR> d-------- c:\windows\system32\CatRoot2
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\NetworkService
2008-11-20 15:49 . 2008-11-20 15:49 <DIR> d--hs---- c:\documents and settings\LocalService
2008-11-18 18:44 . 2008-11-18 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-18 18:43 . 2008-11-21 21:01 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-18 18:43 . 2008-11-21 21:01 <DIR> d-------- c:\documents and settings\Maged\Application Data\SUPERAntiSpyware.com
2008-11-18 18:13 . 2008-11-18 18:34 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 17:51 . 2008-11-21 19:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-18 17:51 . 2008-11-21 19:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 17:02 . 2008-11-18 17:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Recent
2008-11-18 13:03 . 2008-11-18 13:03 <DIR> d-------- c:\windows\Cookies
2008-11-17 20:48 . 2008-11-17 20:48 4,024 --a------ c:\windows\system32\tmp.reg
2008-11-17 20:47 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-17 20:47 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-17 20:47 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-17 20:47 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-17 20:47 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-17 20:47 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-17 20:47 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-17 20:47 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-12 19:49 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 19:45 . 2008-09-04 19:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-10-30 18:36 . 2008-11-22 22:38 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 06:44 . 2008-10-30 18:20 <DIR> d-------- c:\program files\Recovery Toolbox for RAR
2008-10-24 08:35 . 2008-10-15 18:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 12:21 . 2008-10-23 12:22 <DIR> d-------- c:\documents and settings\Maged\.idlerc
2008-10-23 10:50 . 2004-08-04 15:00 1,039,955 --a--c--- c:\windows\system32\dllcache\cmnresm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 17:26 --------- d-----w c:\program files\ImageJ
2008-11-21 17:24 --------- d-----w c:\program files\Java
2008-11-15 09:20 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-09 10:37 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 17:57 --------- d-----w c:\program files\Free Download Manager
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 12:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 12:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 10:40 --------- d-----w c:\documents and settings\Maged\Application Data\gtk-2.0
2008-10-13 15:05 --------- d-----w c:\program files\Veritask Software
2008-10-13 12:47 8,959 ----a-w c:\windows\system32\drivers\U3sHlpDr.sys
2008-10-13 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\TST Biometrics
2008-10-12 19:02 --------- d-----w c:\program files\Priore
2008-10-10 09:22 --------- d-----w c:\documents and settings\Maged\Application Data\FinalBurner .ISO
2008-10-10 09:20 --------- d-----w c:\documents and settings\Maged\Application Data\ImgBurn
2008-10-10 09:14 --------- d-----w c:\program files\ImgBurn
2008-10-10 09:14 --------- d-----w c:\documents and settings\Maged\Application Data\DeepBurner
2008-10-10 09:10 --------- d-----w c:\program files\Astonsoft
2008-10-10 08:54 --------- d-----w c:\documents and settings\Maged\Application Data\Canneverbe_Limited
2008-10-07 19:28 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-05 17:15 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-09-30 14:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-23 11:02 44,120 ----a-w c:\documents and settings\Maged\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 172032]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 188416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 831577]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 421888]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 151552]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 196608]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 745542]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 680006]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 561152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-12 255528]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3813376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 117616]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-10 c:\windows\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 c:\windows\system32\TDispVol.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-12-07 1814528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 161184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
"Debugger"=dummy.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS20.exe]
"Debugger"=dummy.dat

[HKLM\~\startupfolder\C:^Documents and Settings^Maged^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Maged\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\AGRSMMSG.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosAVRC.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe"=
"c:\\WINDOWS\\system32\\TPSMain.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Controls\\TFncKy.exe"=
"c:\\Program Files\\TOSHIBA\\Tvs\\TvsTray.exe"=

R2 U3sHlpDr;U3sHlpDr;\??\c:\windows\System32\Drivers\U3sHlpDr.sys [2008-10-13 8959]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nfmnhi.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04a3c793-c050-11dc-9581-0018dea43156}]
\Shell\Auto\command - app.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL app.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449b00d2-868a-11da-a583-00a0d1df1b4d}]
\Shell\AutoRun\command - browser.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-22 c:\windows\Tasks\User_Feed_Synchronization-{0BE07DAD-2789-4A5B-95AC-ED3C97B2E235}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 22:49:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 22:54:31
ComboFix-quarantined-files.txt 2008-11-22 20:54:29
ComboFix2.txt 2008-11-22 17:47:35
ComboFix3.txt 2008-11-22 16:47:32
ComboFix4.txt 2008-11-22 16:23:53
ComboFix5.txt 2008-11-22 20:46:05

Pre-Run: 32,073,842,688 bytes free
Post-Run: 32,061,071,360 bytes free

198 --- E O F --- 2008-11-13 07:23:03

#3 User is offline   kahdah 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 10,658
  • Joined: 27-October 06
  • Gender:Male
  • Location:Florida

Posted 06 December 2008 - 08:20 AM

Hello Mjames

Welcome to BleepingComputer :thumbsup:
========================
PLease do not run Combofix unless asked to that file :
c:\windows\system32\CF17156.exe is part of Combofix not malware.
==========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users