
Multiple Infections Can't Figure It Out :(


  • This topic is locked
2 replies to this topic

#1 m7r7m

m7r7m

  • Members
  • 6 posts

Posted 27 September 2007 - 10:50 PM

I've run all the Vundo fixers and all have said they've deleted stuff but they just come back on reboot.

Any help would be greatly appreciated.

Thanks!
m7r7m

Current HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48, on 2007-09-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Student\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.uwstout.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179949544875
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://themiz.uwstout.edu/webinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9148 bytes


Current ComboFix Log

ComboFix 07-09-21.2 - "Student" 2007-09-27 22:33:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1337 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\htdhhans.dll
C:\WINDOWS\system32\lqafpcag.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-26 19:42 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-26 17:47 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\Hamachi
2007-09-26 17:42 2,131,911 ---hs---- C:\WINDOWS\system32\vybeg.ini2
2007-09-26 17:29 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-26 17:29 <DIR> d-------- C:\Program Files\Hamachi
2007-09-26 17:29 <DIR> d-------- C:\DOCUME~1\SARCAS~1\APPLIC~1\Hamachi
2007-09-26 11:41 2,148,410 ---hs---- C:\WINDOWS\system32\vybeg.bak2
2007-09-26 11:31 <DIR> d-------- C:\VundoFix Backups
2007-09-26 09:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-26 00:33 6,448 ---hs---- C:\WINDOWS\system32\vybeg.bak1
2007-09-25 16:52 6,448 ---hs---- C:\WINDOWS\system32\pqstv.bak1
2007-09-25 16:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 16:34 84,032 --------- C:\WINDOWS\system32\tisuhpcy.dll
2007-09-23 15:50 85,568 --a------ C:\WINDOWS\system32\ircsepxk.dll
2007-09-23 15:44 2,004,676 ---hs---- C:\WINDOWS\system32\rqtwa.bak2
2007-09-23 08:54 76,864 --a------ C:\WINDOWS\system32\agdntjed.dll
2007-09-23 08:11 6,448 ---hs---- C:\WINDOWS\system32\rqtwa.bak1
2007-09-22 20:46 33,792 --a------ C:\WINDOWS\system32\opnopqr.dll.vir
2007-09-22 19:43 <DIR> d-------- C:\DOCUME~1\Student\Incomplete
2007-09-22 19:43 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\LimeWire
2007-09-22 19:42 <DIR> d-------- C:\Program Files\LimeWire
2007-09-21 20:52 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-21 20:52 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-21 20:52 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-21 17:15 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\Azureus
2007-09-21 17:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-09-21 17:14 <DIR> d-------- C:\Program Files\Azureus
2007-09-21 16:38 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-09-21 16:17 <DIR> d-------- C:\Program Files\Sierra
2007-09-07 10:33 <DIR> d-------- C:\DOCUME~1\SARCAS~1\APPLIC~1\WinRAR
2007-09-07 10:27 <DIR> d-------- C:\DOCUME~1\SARCAS~1\APPLIC~1\Windows Desktop Search
2007-09-07 09:03 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\Windows Desktop Search
2007-09-07 09:02 98,304 --------- C:\WINDOWS\system32\dllcache\nlhtml.dll
2007-09-07 09:02 29,696 --------- C:\WINDOWS\system32\dllcache\mimefilt.dll
2007-09-07 09:02 192,000 --------- C:\WINDOWS\system32\dllcache\offfilt.dll
2007-09-07 09:02 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-09-03 22:59 <DIR> d-------- C:\Program Files\Diablo II
2007-09-03 22:57 <DIR> d-------- C:\DOCUME~1\SARCAS~1\APPLIC~1\Avant Profiles
2007-09-03 22:53 <DIR> d-------- C:\DOCUME~1\SARCAS~1\APPLIC~1\ATI
2007-09-03 22:52 <DIR> d-------- C:\DOCUME~1\SARCAS~1\APPLIC~1\SampleView
2007-09-03 13:49 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-03 13:49 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-03 12:39 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\Costco Photo Viewer US
2007-09-01 21:40 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\DivX
2007-09-01 21:39 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-09-01 21:39 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-09-01 21:39 <DIR> d-------- C:\Program Files\DivX
2007-08-31 23:07 <DIR> d-------- C:\My Music
2007-08-31 12:43 3,840 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-31 12:42 <DIR> d-------- C:\DOCUME~1\Student\SmitfraudFix
2007-08-31 11:56 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\Lavasoft
2007-08-31 11:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-31 11:11 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-08-31 11:11 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-08-31 11:11 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-08-31 10:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-31 01:08 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-31 01:00 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\SlySoft
2007-08-31 00:58 <DIR> d-------- C:\Program Files\Elaborate Bytes
2007-08-31 00:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-08-31 00:55 <DIR> d-------- C:\Program Files\SlySoft
2007-08-31 00:44 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-08-31 00:44 71,578 --a------ C:\WINDOWS\DIIUnin.dat
2007-08-31 00:44 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-08-31 00:37 <DIR> d-------- C:\Program Files\Diablo 2
2007-08-31 00:23 <DIR> d-------- C:\Program Files\Trillian
2007-08-31 00:03 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\WinRAR
2007-08-31 00:01 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-08-30 23:46 <DIR> d-------- C:\Program Files\Winamp
2007-08-30 17:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-08-30 17:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-30 17:14 335 --a------ C:\WINDOWS\nsreg.dat
2007-08-30 17:14 <DIR> d-------- C:\Program Files\Viewpoint
2007-08-30 17:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-30 17:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-30 14:50 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-30 14:50 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-30 13:51 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\Avant Profiles
2007-08-30 13:44 <DIR> d-------- C:\Program Files\Avant Browser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-25 11:23 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-09-21 19:00 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-19 09:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-13 17:58 --------- d-------- C:\Program Files\Program Shortcuts
.

((((((((((((((((((((((((((((( snapshot_2007-09-25_165815.64 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 526,184 2007-03-15 17:19:58 C:\WINDOWS\system32\XceedCry.dll
----a-w 497,496 2007-03-15 17:23:16 C:\WINDOWS\system32\XceedZip.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 11:59]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 03:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 16:06]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 11:46]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 17:39]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 08:03]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-24 07:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2007-05-24 10:59:49]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 07:43:54]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2007-05-23 16:08:00]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

C:\DOCUME~1\Student\STARTM~1\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=KATRACK.DLL


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

R0 hpdskflt;HP Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
R3 Accelerometer;Accelerometer;C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (AES2500);C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 03:42:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 22:39:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????R??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 22:43:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 22:43
C:\ComboFix2.txt ... 2007-09-25 16:58
.
--- E O F ---


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 October 2007 - 05:28 PM

Hello m7r7m,

I am SifuMike and I will be helping you.

Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\vybeg.bak2
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\pqstv.bak1
C:\WINDOWS\system32\tisuhpcy.dll
C:\WINDOWS\system32\ircsepxk.dll
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\agdntjed.dll
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\opnopqr.dll.vir



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
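As an added example (not code from this thread, from ComboFix or from HijackThis), here is a small Python parser for the "Files Created" section of the ComboFix log posted above. It flags the entries that carry the Vundo traits SifuMike's CFScript targets (hidden+system copies, .bak1/.bak2/.ini2/.vir backups, random eight-letter DLL names dropped straight into system32) and renders them as the same File:: script. The heuristics and the embedded sample, a subset of lines copied from the log above, are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# One entry of ComboFix's "Files Created" section: date time size|<DIR> attrs path
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
SYSTEM32 = r"c:\windows\system32"
# Extensions seen on the Vundo backup copies in the thread, plus the .vir
# suffix an earlier cleaner leaves on a renamed sample (assumed heuristic).
SUSPECT_SUFFIXES = (".bak1", ".bak2", ".ini2", ".vir")

# Constructed sample: a subset of the "Files Created" lines from the log above.
SAMPLE_LOG = r"""
2007-09-26 19:42 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-26 17:47 <DIR> d-------- C:\DOCUME~1\Student\APPLIC~1\Hamachi
2007-09-26 17:42 2,131,911 ---hs---- C:\WINDOWS\system32\vybeg.ini2
2007-09-26 11:41 2,148,410 ---hs---- C:\WINDOWS\system32\vybeg.bak2
2007-09-26 00:33 6,448 ---hs---- C:\WINDOWS\system32\vybeg.bak1
2007-09-25 16:52 6,448 ---hs---- C:\WINDOWS\system32\pqstv.bak1
2007-09-25 16:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 16:34 84,032 --------- C:\WINDOWS\system32\tisuhpcy.dll
2007-09-23 15:50 85,568 --a------ C:\WINDOWS\system32\ircsepxk.dll
2007-09-23 15:44 2,004,676 ---hs---- C:\WINDOWS\system32\rqtwa.bak2
2007-09-23 08:54 76,864 --a------ C:\WINDOWS\system32\agdntjed.dll
2007-09-23 08:11 6,448 ---hs---- C:\WINDOWS\system32\rqtwa.bak1
2007-09-22 20:46 33,792 --a------ C:\WINDOWS\system32\opnopqr.dll.vir
2007-09-21 20:52 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-07 09:02 29,696 --------- C:\WINDOWS\system32\dllcache\mimefilt.dll
"""

def parse_entry(line):
    """Parse one log line into a dict, or return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None

def suspect_reason(entry):
    """Return why an entry looks like a Vundo drop, or None if it looks benign."""
    if entry["size"] == "<DIR>":
        return None
    p = PureWindowsPath(entry["path"])
    if str(p.parent).lower() != SYSTEM32:    # dllcache and subfolders excluded
        return None
    name, attrs = p.name.lower(), entry["attrs"]
    if "h" in attrs and "s" in attrs:         # hidden+system on a fresh file
        return "hidden+system attributes"
    if name.endswith(SUSPECT_SUFFIXES):       # .bak1/.bak2/.ini2/.vir copies
        return "vundo-style backup extension"
    if re.fullmatch(r"[a-z]{8}\.dll", name):  # eight random lowercase letters
        return "random 8-letter dll name"
    return None

def suspicious_files(log_text):
    """Return [(path, reason)] for every flagged entry in a Files Created block."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            reason = suspect_reason(entry)
            if reason:
                hits.append((entry["path"], reason))
    return hits

def build_cfscript(log_text):
    """Render the flagged paths as a ComboFix CFScript 'File::' block."""
    paths = [path for path, _ in suspicious_files(log_text)]
    return "File::\n" + "\n".join(paths) + "\n"

if __name__ == "__main__":
    for path, reason in suspicious_files(SAMPLE_LOG):
        print(f"{reason:32} {path}")
    print(build_cfscript(SAMPLE_LOG))
```

On the sample above the three rules select exactly the ten files in SifuMike's script and nothing else; the thresholds are tuned to this log and would need an allowlist on a system with other eight-letter DLL names.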

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 October 2007 - 11:10 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.