Security Alert: Trojan-spy.win3@mx And Various Others


12 replies to this topic

#1 danmelbog

danmelbog

  • Members
  • 7 posts

Posted 16 October 2007 - 11:00 PM

These are the problems I am having:
Alerts coming from the right-hand bottom of the screen: "! System Alert: Trojan-Spy.Win 32@mx" and "System Alert: Malware threats". I also have pop-ups in the middle of the screen that have "Internet Explorer Alert" at the top of the dialog box. Inside the box it says "Spyware found", "Networm-iVirus@fp" and "PSW.Virtrojan.PSW". It has taken me two days to follow all the instructions because I keep getting pop-ups every time I go to a web site to do a scan. During some of the scans viruses were found, but the program said it was unable to delete them. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:34 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zfwemsai.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\txewthap.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: HP Organize.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: HP Organize.lnk = ? (User 'Default user')
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192149644062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192206549093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\progyc.html

--
End of file - 11011 bytes
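As an added example (not code from the original post, the helper, or any of the tools named in this thread): a small Python triage pass over HijackThis-style lines, built from the indicators that are visible in the log above. It flags O15 Trusted Zone additions for the listed domains, an O4 rundll32 autorun and an O3 toolbar that load eight-letter random-looking DLLs from system32, and the O24 Active Desktop component that points at a local HTML file. The domain blocklist, the eight-letter name heuristic and the severity labels are assumptions of this example; the sample lines are copied from the posted log, with two benign entries kept for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus
# two benign lines (Google toolbar, ctfmon) for contrast.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zfwemsai.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\txewthap.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\progyc.html
"""

# Domains taken from the O15 entries in the log above. Treating them as a
# blocklist is an assumption of this example, based on SmitfraudFix/ComboFix
# removing the same entries later in the thread.
ROGUE_TRUSTED_ZONE = {
    "amaena.com", "imageservr.com", "imagesrvr.com", "trustedantivirus.com",
}

# Heuristic for the eight-lowercase-letter DLL names seen in the log
# (zfwemsai.dll, txewthap.dll). It is a prompt to verify the file's publisher
# and signature, not proof of infection.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
SYSTEM32_DLL = re.compile(r"\\windows\\system32\\([a-z0-9]+)\.dll", re.IGNORECASE)
HJT_LINE = re.compile(r"^([ORF]\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high" (matches a concrete indicator) or "review"
    reason: str
    line: str


def random_system32_dll(body: str):
    """Return the base name if the entry loads an eight-letter DLL from system32."""
    m = SYSTEM32_DLL.search(body)
    if m and RANDOM_NAME.match(m.group(1).lower()):
        return m.group(1).lower()
    return None


def triage_line(line: str):
    """Classify one HijackThis log line; None means nothing to flag."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return None
    section, body = m.groups()

    if section == "O15":
        host = re.search(r"Trusted Zone:\s*\*?\.?([\w.-]+)", body)
        domain = host.group(1).lower() if host else ""
        if domain in ROGUE_TRUSTED_ZONE:
            return Finding(section, "high", f"Trusted Zone entry for rogue-AV domain {domain}", line)
        return Finding(section, "review", "Trusted Zone entry not present on a default install", line)

    if section in ("O2", "O3", "O4"):
        name = random_system32_dll(body)
        if name and "rundll32" in body.lower():
            return Finding(section, "high", f"rundll32 autorun loading random-named {name}.dll", line)
        if name:
            return Finding(section, "high", f"browser add-on backed by random-named {name}.dll", line)

    if section == "O24" and re.search(r"[a-z]:\\.*\.html?$", body, re.IGNORECASE):
        return Finding(section, "review", "Active Desktop component pointing at a local HTML file", line)

    return None


def triage_log(text: str):
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

The eight-letter rule is deliberately limited to DLLs under system32: legitimate executables such as igfxtray.exe would otherwise match, and the point of a triage pass is to shortlist entries for a publisher and signature check, not to decide deletions on a name alone.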



#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 18 October 2007 - 01:49 PM

Hi danmelbog and Welcome to the Bleeping Computer!

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 danmelbog

danmelbog
  • Topic Starter

  • Members
  • 7 posts

Posted 18 October 2007 - 06:13 PM

SmitFraudFix v2.240

Scan done at 19:11:51.59, Thu 10/18/2007
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\HP_Owner


C:\Documents and Settings\HP_Owner\Application Data


Start Menu


C:\DOCUME~1\HP_Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\progyc.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 64.203.254.30
DNS Server Search Order: 64.203.254.31

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D7E5A08-4F51-48D2-BF54-5125E3F61203}: DhcpNameServer=64.203.254.30 64.203.254.31
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D7E5A08-4F51-48D2-BF54-5125E3F61203}: DhcpNameServer=64.203.254.30 64.203.254.31
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4D7E5A08-4F51-48D2-BF54-5125E3F61203}: DhcpNameServer=64.203.254.30 64.203.254.31
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.203.254.30 64.203.254.31
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.203.254.30 64.203.254.31
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.203.254.30 64.203.254.31


Scanning for wininet.dll infection


End

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 18 October 2007 - 09:52 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#5 danmelbog

danmelbog
  • Topic Starter

  • Members
  • 7 posts

Posted 21 October 2007 - 03:21 PM

I edited this post because after posting I deleted SpySubtract from my computer. After doing so, Norton detected the "Trojan Horse" and deleted it. That stopped the message at the bottom right of the screen, but not the ones that pop up in the middle that say "Internet Explorer Warning". I also forgot to mention the little box in the middle that pops up that says "Error". It won't come off the screen, and when it is on screen the computer will not shut down or restart. Thank you so much for helping me with all this. Payday is Friday. If we can get this gone I will send a gift to you through PayPal. Thanks again.

SmitFraudFix v2.240

Scan done at 16:06:40.46, Sun 10/21/2007
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CS3\Services\Tcpip\..\{4D7E5A08-4F51-48D2-BF54-5125E3F61203}: DhcpNameServer=64.203.254.30 64.203.254.31
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.203.254.30 64.203.254.31


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:13 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 2130 bytes

Edited by danmelbog, 21 October 2007 - 06:21 PM.


#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 21 October 2007 - 06:57 PM

Alrighty, let's see what we can get done here.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#7 danmelbog

danmelbog
  • Topic Starter

  • Members
  • 7 posts

Posted 22 October 2007 - 06:33 AM

ComboFix 07-10-21.1** - HP_Owner 2007-10-21 21:29:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.-1.#IND [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\FVX6JHFU\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Favorites\Online Security Guide.lnk
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\Hammer.dll
C:\Program Files\Temporary
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.5\wbuninst.exe
C:\Program Files\WinAble
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\a8
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\dkmxunhe.dll
C:\WINDOWS\system32\dljqkmah.dll
C:\WINDOWS\system32\dzjgfrlb.dllbox
C:\WINDOWS\system32\ehnuxmkd.ini
C:\WINDOWS\system32\elmwiuxk.ini
C:\WINDOWS\system32\hamkqjld.ini
C:\WINDOWS\system32\kxuiwmle.dll
C:\WINDOWS\system32\kyxnqkhl.dllbox
C:\WINDOWS\system32\naagzacr.dllbox
C:\WINDOWS\system32\ngogdnbf.dllbox
C:\WINDOWS\system32\okhwkjfc.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qtutv.bak2
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\qtutv.tmp
C:\WINDOWS\system32\riaepndk.dllbox
C:\WINDOWS\system32\viescujz.dllbox
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vxljythx.dll
C:\WINDOWS\system32\whpconap.dll
C:\WINDOWS\system32\wuhilrd.dll
C:\WINDOWS\system32\zfwemsai.dllbox
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-21 21:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 19:11 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-18 19:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-18 19:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-18 19:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-18 19:11 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-16 22:48 6,058,496 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-16 22:48 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-16 22:48 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-16 22:48 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-16 22:48 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-16 22:48 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-16 22:48 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-16 22:48 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-16 20:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-16 20:00 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-16 16:43 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-16 16:42 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2007-10-15 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 22:15 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-15 22:15 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-15 22:15 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-15 22:13 <DIR> d-------- C:\Program Files\interMute
2007-10-15 22:06 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-10-15 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-15 22:06 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Motive
2007-10-15 22:06 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Motive
2007-10-15 22:06 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Motive
2007-10-15 18:01 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-10-15 18:01 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-10-15 18:01 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-10-15 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-15 18:00 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-15 17:41 4,562 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-15 16:25 <DIR> d-------- C:\WINDOWS\pss
2007-10-15 16:09 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-15 15:57 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-15 07:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-15 07:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-15 07:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 22:11 <DIR> d-------- C:\Program Files\Norton 360
2007-10-14 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-14 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-14 15:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-14 14:53 118,784 --a------ C:\WINDOWS\system32\artchker.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzpyoip.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
2007-10-14 14:53 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\que1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\kat1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\ipd2
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\comms2
2007-10-14 14:52 <DIR> d-------- C:\Temp
2007-10-14 14:52 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-14 14:47 <DIR> d-------- C:\WINDOWS\Sun
2007-10-14 14:38 <DIR> d-------- C:\Program Files\Google
2007-10-14 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-14 03:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-13 22:23 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-13 17:53 <DIR> d-------- C:\Program Files\lx_cats
2007-10-13 17:52 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2007-10-13 17:52 <DIR> d-------- C:\Program Files\Lexmark 3400 Series
2007-10-13 17:51 <DIR> d-------- C:\Lexmark
2007-10-13 17:24 1,104 --a------ C:\WINDOWS\checkip.dat
2007-10-13 17:22 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-13 17:22 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-13 16:57 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-13 16:57 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-13 16:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-13 16:57 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-13 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-13 16:57 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-13 16:57 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-13 16:57 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-13 16:56 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-13 16:56 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-13 15:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-12 03:30 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2007-10-12 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-11 20:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-11 20:46 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-11 20:39 <DIR> d---s---- C:\Documents and Settings\HP_Owner\UserData
2007-10-11 18:50 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-10-11 18:50 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\WINDOWS
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-10-11 18:47 <DIR> d-------- C:\Program Files\muvee Technologies
2007-10-11 18:47 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-10-11 18:47 21,060 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2007-10-11 18:47 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-10-11 18:46 <DIR> d-------- C:\Program Files\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-21 20:29 3,997 ----a-w C:\WINDOWS\viassary-hp.reg
2007-10-21 20:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-17 00:28 --------- d-----w C:\Program Files\iTunes
2007-10-16 20:39 --------- d-----w C:\Program Files\Java
2007-10-15 03:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-15 03:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-15 03:33 --------- d-----w C:\Program Files\Symantec
2007-10-14 20:18 --------- d-----w C:\Program Files\Microsoft Works
2007-10-14 19:57 246 ----a-w C:\Program Files\Common Files\lawun
2007-10-12 00:39 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-11 22:50 4,240 --sha-r C:\WINDOWS\system32\drivers\HP_PJ510AA-ABA A730N_YW_Pavi_QMXK436_E44NAheBLU5_4_IGrouper_SASUSTeK Computer INC._V1.xx_B3.05_T040726_WXH2_L409_M504_J300_7Intel_8Pentium 4_93_111063044_N10EC8139_P_Z11C1048C_K_A_U80862658_G80862582.MRK
2007-10-11 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 22:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 22:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 22:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 22:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 22:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 22:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 22:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 22:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\progyc.html
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01684B6C-72C9-42AD-9B37-DD8CCCAAA454}]
C:\Program Files\Windows NT\holetuvyd4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065F3A60-83C4-4C37-8E71-AC7584E2F46C}]
C:\Program Files\Windows NT\holetuvyd83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5F2CAF-49A0-474F-A9B2-2F17DB01AF92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3615993E-7FA6-41B1-ACE7-4FA94CD1BEC9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37c8625a-7899-4f2f-9536-9d47f8ff9b99}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426392BC-BC6C-411D-96EE-F93A8C636CC2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C943EC3-EB6D-46EA-ACC6-3C880E7D0559}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A500A638-41FE-4FEB-9A67-E4F9CEED4A78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4F6294B-A48B-4278-B118-56B512B4C101}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 21:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 17:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 21:28]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43]
"VTTimer"="VTTimer.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 21:58 C:\WINDOWS\SOUNDMAN.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 04:05 C:\WINDOWS\ALCWZRD.EXE]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-12-18 02:31]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2006-03-06 13:48]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2006-02-07 01:10]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 07:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-07 17:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 14:38]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" [2007-10-14 14:53]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-14 14:38:33]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 08:31:38]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-07 17:33:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonnk]
nnnonnk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okhwkjfc]
okhwkjfc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtutq.dll

R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe -service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 00:39:37 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2007-10-21 20:46:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-10-22 11:28:44 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 07:28:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 7:31:00 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:50 AM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {01684B6C-72C9-42AD-9B37-DD8CCCAAA454} - C:\Program Files\Windows NT\holetuvyd4444.dll (file missing)
O2 - BHO: (no name) - {065F3A60-83C4-4C37-8E71-AC7584E2F46C} - C:\Program Files\Windows NT\holetuvyd83122.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E5F2CAF-49A0-474F-A9B2-2F17DB01AF92} - (no file)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {3615993E-7FA6-41B1-ACE7-4FA94CD1BEC9} - (no file)
O2 - BHO: (no name) - {426392BC-BC6C-411D-96EE-F93A8C636CC2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9C943EC3-EB6D-46EA-ACC6-3C880E7D0559} - (no file)
O2 - BHO: (no name) - {A500A638-41FE-4FEB-9A67-E4F9CEED4A78} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {E4F6294B-A48B-4278-B118-56B512B4C101} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192149644062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192206549093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: nnnonnk - nnnonnk.dll (file missing)
O20 - Winlogon Notify: okhwkjfc - okhwkjfc.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11345 bytes

#8 Guest_Cretemonster_*


  • Guests

Posted 22 October 2007 - 05:40 PM

Running from: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\FVX6JHFU\ComboFix[1].exe



Can you download ComboFix to the Desktop and then double-click the icon on the desktop to run the tool?

As it stands, ComboFix was run from Temporary Internet Files and that limits its use.

Please scan again and post the new results.

#9 danmelbog

  • Topic Starter

  • Members
  • 7 posts

Posted 22 October 2007 - 06:28 PM

I will rerun it again. I forgot to mention in the last comment that everything has been working perfectly since I did that scan. I will do it again to be sure and so that you can check it.

#10 danmelbog

  • Topic Starter

  • Members
  • 7 posts

Posted 22 October 2007 - 06:33 PM

I can't seem to get it to download onto the desktop. Is there a website I could get it from that will allow me to do that?

ComboFix 07-10-23.1 - HP_Owner 2007-10-22 19:29:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.229 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\0TXFSFPZ\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-22 12:57 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-10-21 21:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 19:11 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-18 19:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-18 19:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-18 19:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-18 19:11 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-16 22:48 6,058,496 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-16 22:48 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-16 22:48 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-16 22:48 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-16 22:48 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-16 22:48 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-16 22:48 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-16 22:48 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-16 20:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-16 20:00 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-16 16:43 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-16 16:42 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2007-10-15 22:15 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-15 22:13 <DIR> d-------- C:\Program Files\interMute
2007-10-15 22:06 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-10-15 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-15 22:06 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Motive
2007-10-15 18:01 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-10-15 18:00 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-15 17:41 4,562 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-15 16:25 <DIR> d-------- C:\WINDOWS\pss
2007-10-15 16:09 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-15 15:57 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-15 07:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-15 07:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 22:11 <DIR> d-------- C:\Program Files\Norton 360
2007-10-14 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-14 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-14 15:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-14 14:53 118,784 --a------ C:\WINDOWS\system32\artchker.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzpyoip.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
2007-10-14 14:53 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\que1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\kat1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\ipd2
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\comms2
2007-10-14 14:52 <DIR> d-------- C:\Temp
2007-10-14 14:52 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-14 14:47 <DIR> d-------- C:\WINDOWS\Sun
2007-10-14 14:38 <DIR> d-------- C:\Program Files\Google
2007-10-14 03:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-13 22:23 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-13 17:53 <DIR> d-------- C:\Program Files\lx_cats
2007-10-13 17:52 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2007-10-13 17:52 <DIR> d-------- C:\Program Files\Lexmark 3400 Series
2007-10-13 17:51 <DIR> d-------- C:\Lexmark
2007-10-13 17:24 1,104 --a------ C:\WINDOWS\checkip.dat
2007-10-13 17:22 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-13 17:22 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-13 16:57 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-13 16:57 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-13 16:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-13 16:57 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-13 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-13 16:57 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-13 16:57 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-13 16:57 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-13 16:56 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-13 16:56 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-13 15:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-12 03:30 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2007-10-12 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-11 20:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-11 20:46 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-11 20:39 <DIR> d---s---- C:\Documents and Settings\HP_Owner\UserData
2007-10-11 18:50 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-10-11 18:50 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\WINDOWS
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer
2007-10-11 18:47 <DIR> d-------- C:\Program Files\muvee Technologies
2007-10-11 18:47 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-10-11 18:47 21,060 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2007-10-11 18:47 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-10-11 18:46 <DIR> d-------- C:\Program Files\InterVideo
2007-10-11 18:46 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-10-11 18:46 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-10-11 18:46 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-10-11 18:46 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-10-11 18:46 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-10-11 18:46 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-10-11 18:43 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2007-10-11 18:43 182 --a------ C:\WINDOWS\system\hpsysdrv.DAT
2007-10-11 18:40 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-10-11 18:40 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-10-11 18:40 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-10-11 18:40 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 11:30 3,997 ----a-w C:\WINDOWS\viassary-hp.reg
2007-10-21 20:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-17 00:28 --------- d-----w C:\Program Files\iTunes
2007-10-16 20:39 --------- d-----w C:\Program Files\Java
2007-10-15 03:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-15 03:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-15 03:33 --------- d-----w C:\Program Files\Symantec
2007-10-14 20:18 --------- d-----w C:\Program Files\Microsoft Works
2007-10-14 19:57 246 ----a-w C:\Program Files\Common Files\lawun
2007-10-12 00:39 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-11 22:50 4,240 --sha-r C:\WINDOWS\system32\drivers\HP_PJ510AA-ABA A730N_YW_Pavi_QMXK436_E44NAheBLU5_4_IGrouper_SASUSTeK Computer INC._V1.xx_B3.05_T040726_WXH2_L409_M504_J300_7Intel_8Pentium 4_93_111063044_N10EC8139_P_Z11C1048C_K_A_U80862658_G80862582.MRK
2007-10-11 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 22:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 22:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 22:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 22:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 22:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 22:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 22:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 22:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\progyc.html
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01684B6C-72C9-42AD-9B37-DD8CCCAAA454}]
C:\Program Files\Windows NT\holetuvyd4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065F3A60-83C4-4C37-8E71-AC7584E2F46C}]
C:\Program Files\Windows NT\holetuvyd83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5F2CAF-49A0-474F-A9B2-2F17DB01AF92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3615993E-7FA6-41B1-ACE7-4FA94CD1BEC9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426392BC-BC6C-411D-96EE-F93A8C636CC2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C943EC3-EB6D-46EA-ACC6-3C880E7D0559}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A500A638-41FE-4FEB-9A67-E4F9CEED4A78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4F6294B-A48B-4278-B118-56B512B4C101}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 21:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 17:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 21:28]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43]
"VTTimer"="VTTimer.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 21:58 C:\WINDOWS\SOUNDMAN.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 04:05 C:\WINDOWS\ALCWZRD.EXE]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-12-18 02:31]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2006-03-06 13:48]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2006-02-07 01:10]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 07:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-07 17:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 14:38]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" [2007-10-14 14:53]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonnk]
nnnonnk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okhwkjfc]
okhwkjfc.dll

R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe -service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 00:39:37 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2007-10-22 11:31:40 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-22 23:28:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 19:31:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 19:31:38
C:\ComboFix2.txt ... 2007-10-22 07:31
.
--- E O F ---

#11 Guest_Cretemonster_*

Posted 23 October 2007 - 02:42 AM

I'm not sure I understand??

Try to select C: to save it to instead of the desktop.

#12 danmelbog
  • Topic Starter

Posted 23 October 2007 - 06:33 AM

Sorry, having a blonde moment. I was clicking the wrong button. Here it is.

ComboFix 07-10-23.1 - HP_Owner 2007-10-24 7:29:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.210 [GMT -4:00]
Running from: C:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-24 07:28 1,392,911 --a------ C:\ComboFix.exe
2007-10-22 12:57 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-10-21 21:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 19:11 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-18 19:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-18 19:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-18 19:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-18 19:11 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-16 22:48 6,058,496 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-16 22:48 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-16 22:48 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-16 22:48 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-16 22:48 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-16 22:48 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-16 22:48 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-16 22:48 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-16 20:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-16 20:00 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-16 16:43 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-16 16:42 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2007-10-15 22:15 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InterMute
2007-10-15 22:13 <DIR> d-------- C:\Program Files\interMute
2007-10-15 22:06 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-10-15 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-15 22:06 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Motive
2007-10-15 18:01 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-10-15 18:00 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-15 17:41 4,562 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-15 16:25 <DIR> d-------- C:\WINDOWS\pss
2007-10-15 16:09 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-15 15:57 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-15 07:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-15 07:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 22:11 <DIR> d-------- C:\Program Files\Norton 360
2007-10-14 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-14 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-14 15:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-14 14:53 118,784 --a------ C:\WINDOWS\system32\artchker.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzpyoip.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
2007-10-14 14:53 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\que1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\kat1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\ipd2
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\comms2
2007-10-14 14:52 <DIR> d-------- C:\Temp
2007-10-14 14:52 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-14 14:47 <DIR> d-------- C:\WINDOWS\Sun
2007-10-14 14:38 <DIR> d-------- C:\Program Files\Google
2007-10-14 03:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-13 22:23 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-13 17:53 <DIR> d-------- C:\Program Files\lx_cats
2007-10-13 17:52 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2007-10-13 17:52 <DIR> d-------- C:\Program Files\Lexmark 3400 Series
2007-10-13 17:51 <DIR> d-------- C:\Lexmark
2007-10-13 17:24 1,104 --a------ C:\WINDOWS\checkip.dat
2007-10-13 17:22 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-13 17:22 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-13 16:57 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-13 16:57 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-13 16:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-13 16:57 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-13 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-13 16:57 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-13 16:57 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-13 16:57 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-13 16:56 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-13 16:56 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-13 15:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-12 03:30 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2007-10-12 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-11 20:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-11 20:46 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-11 20:39 <DIR> d---s---- C:\Documents and Settings\HP_Owner\UserData
2007-10-11 18:50 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-10-11 18:50 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\WINDOWS
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-10-11 18:49 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2007-10-11 18:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer
2007-10-11 18:47 <DIR> d-------- C:\Program Files\muvee Technologies
2007-10-11 18:47 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-10-11 18:47 21,060 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2007-10-11 18:47 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-10-11 18:46 <DIR> d-------- C:\Program Files\InterVideo
2007-10-11 18:46 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-10-11 18:46 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-10-11 18:46 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-10-11 18:46 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-10-11 18:46 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-10-11 18:46 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-10-11 18:43 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2007-10-11 18:43 182 --a------ C:\WINDOWS\system\hpsysdrv.DAT
2007-10-11 18:40 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-10-11 18:40 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-10-11 18:40 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 07:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-22 11:30 3,997 ----a-w C:\WINDOWS\viassary-hp.reg
2007-10-17 00:28 --------- d-----w C:\Program Files\iTunes
2007-10-16 20:39 --------- d-----w C:\Program Files\Java
2007-10-15 03:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-15 03:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-15 03:33 --------- d-----w C:\Program Files\Symantec
2007-10-14 20:18 --------- d-----w C:\Program Files\Microsoft Works
2007-10-14 19:57 246 ----a-w C:\Program Files\Common Files\lawun
2007-10-12 00:39 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-11 22:50 4,240 --sha-r C:\WINDOWS\system32\drivers\HP_PJ510AA-ABA A730N_YW_Pavi_QMXK436_E44NAheBLU5_4_IGrouper_SASUSTeK Computer INC._V1.xx_B3.05_T040726_WXH2_L409_M504_J300_7Intel_8Pentium 4_93_111063044_N10EC8139_P_Z11C1048C_K_A_U80862658_G80862582.MRK
2007-10-11 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 22:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 22:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 22:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 22:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 22:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 22:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 22:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 22:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\progyc.html
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01684B6C-72C9-42AD-9B37-DD8CCCAAA454}]
C:\Program Files\Windows NT\holetuvyd4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065F3A60-83C4-4C37-8E71-AC7584E2F46C}]
C:\Program Files\Windows NT\holetuvyd83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5F2CAF-49A0-474F-A9B2-2F17DB01AF92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3615993E-7FA6-41B1-ACE7-4FA94CD1BEC9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426392BC-BC6C-411D-96EE-F93A8C636CC2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C943EC3-EB6D-46EA-ACC6-3C880E7D0559}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A500A638-41FE-4FEB-9A67-E4F9CEED4A78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4F6294B-A48B-4278-B118-56B512B4C101}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 21:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 17:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 21:28]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43]
"VTTimer"="VTTimer.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 21:58 C:\WINDOWS\SOUNDMAN.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 04:05 C:\WINDOWS\ALCWZRD.EXE]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-12-18 02:31]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2006-03-06 13:48]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2006-02-07 01:10]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 07:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-07 17:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 14:38]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" [2007-10-14 14:53]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-08-07 17:29:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonnk]
nnnonnk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okhwkjfc]
okhwkjfc.dll

R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe -service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 00:39:37 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2007-10-24 06:20:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-10-24 11:28:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 07:30:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 7:30:52
C:\ComboFix2.txt ... 2007-10-23 19:31
C:\ComboFix3.txt ... 2007-10-22 07:31
.
--- E O F ---

#13 Guest_Cretemonster_*

Posted 23 October 2007 - 01:13 PM

Copy the text below to Notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\system32\katzpyoip.exe
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\IKatzuUninstall.exe
C:\WINDOWS\system32\msxml3a.dll
Folder::
C:\WINDOWS\system32\que1
C:\WINDOWS\system32\kat1
C:\WINDOWS\system32\ipd2
C:\WINDOWS\system32\comms2
C:\Temp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01684B6C-72C9-42AD-9B37-DD8CCCAAA454}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065F3A60-83C4-4C37-8E71-AC7584E2F46C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5F2CAF-49A0-474F-A9B2-2F17DB01AF92}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3615993E-7FA6-41B1-ACE7-4FA94CD1BEC9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426392BC-BC6C-411D-96EE-F93A8C636CC2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C943EC3-EB6D-46EA-ACC6-3C880E7D0559}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A500A638-41FE-4FEB-9A67-E4F9CEED4A78}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4F6294B-A48B-4278-B118-56B512B4C101}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonnk] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okhwkjfc]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArtChk"=-

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed, post the new ComboFix log and a fresh HijackThis log.
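The CFScript above was assembled by hand from two parts of the posted ComboFix log: the files and folders created in the same minute as artchker.exe (the image behind the unrecognised "ArtChk" Run value), and the Browser Helper Object and Winlogon Notify keys that ComboFix lists because they are not known defaults. The following Python script is an added example, written for this page and not code from ComboFix or from the helper, that reproduces that reasoning over lines copied from the log and prints a CFScript in the same File::, Folder:: and Registry:: syntax. The one-minute clustering window, the `verified_modules` allowlist input and every function name are assumptions made for the illustration; the only input it takes from the analyst is the single path already judged malicious.

```python
# Added example (editor's own code, not ComboFix's or the helper's): rebuild the
# CFScript above from the log sections it came from.  Window, allowlist and names
# are assumptions made for this illustration.
import re
from datetime import datetime, timedelta

# Lines copied (abridged) from the "Files Created" section of the log above.
FILES_CREATED = r"""
2007-10-14 14:53 118,784 --a------ C:\WINDOWS\system32\artchker.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzpyoip.exe
2007-10-14 14:53 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
2007-10-14 14:53 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\que1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\kat1
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\ipd2
2007-10-14 14:52 <DIR> d-------- C:\WINDOWS\system32\comms2
2007-10-14 14:52 <DIR> d-------- C:\Temp
2007-10-14 14:52 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-14 14:38 <DIR> d-------- C:\Program Files\Google
"""

# Lines copied (abridged) from the "Reg Loading Points" section of the log above.
REG_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01684B6C-72C9-42AD-9B37-DD8CCCAAA454}]
C:\Program Files\Windows NT\holetuvyd4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5F2CAF-49A0-474F-A9B2-2F17DB01AF92}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-14 14:38]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" [2007-10-14 14:53]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonnk]
nnnonnk.dll
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')

def parse_created(section):
    """Return [(timestamp, is_dir, path)] for each 'Files Created' line."""
    entries = []
    for line in section.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            entries.append((ts, m.group(2) == "<DIR>", m.group(3)))
    return entries

def cluster_around(entries, seed_path, window=timedelta(minutes=1)):
    """(files, folders) created within `window` of the seed; assumes a dropper
    writes its payload within about a minute of the file already identified."""
    seed_ts = next(ts for ts, _, p in entries if p.lower() == seed_path.lower())
    near = [(d, p) for ts, d, p in entries if abs(ts - seed_ts) <= window]
    return [p for d, p in near if not d], [p for d, p in near if d]

def parse_reg_points(section):
    """Return [(key, [lines listed under it])] in log order."""
    blocks = []
    for line in map(str.rstrip, section.splitlines()):
        m = KEY_RE.match(line)
        if m:
            blocks.append((m.group(1), []))
        elif line and blocks:
            blocks[-1][1].append(line)
    return blocks

def flag_registry(blocks, bad_paths, verified_modules=()):
    """ComboFix hides legitimate defaults, so any BHO or Winlogon Notify key it
    lists is deleted unless the analyst verified its module; Run values are
    cleared only when their image path is already judged bad."""
    bad = {p.lower() for p in bad_paths}
    verified = {p.lower() for p in verified_modules}
    delete_keys, delete_values = [], []
    for key, body in blocks:
        k = key.lower()
        if "browser helper objects" in k or "winlogon\\notify" in k:
            module = body[0].lower() if body else ""   # "" = orphan key, no module
            if module in bad or module not in verified:
                delete_keys.append(key)
        elif k.endswith("\\currentversion\\run"):
            for line in body:
                m = VALUE_RE.match(line)
                if m and m.group(2).lower() in bad:
                    delete_values.append((key, m.group(1)))
    return delete_keys, delete_values

def build_cfscript(files, folders, delete_keys, delete_values):
    """CFScript syntax: [-key] deletes a key, "Name"=- under [key] one value."""
    out = []
    if files:
        out += ["File::", *files]
    if folders:
        out += ["Folder::", *folders]
    if delete_keys or delete_values:
        out.append("Registry::")
        out += [f"[-{k}]" for k in delete_keys]
        for k in dict.fromkeys(k for k, _ in delete_values):
            out += [f"[{k}]", *(f'"{n}"=-' for kk, n in delete_values if kk == k)]
    return "\n".join(out) + "\n"

def generate(seed=r"C:\WINDOWS\system32\artchker.exe"):
    """Whole pipeline from the one path the analyst judged malicious."""
    files, folders = cluster_around(parse_created(FILES_CREATED), seed)
    keys, values = flag_registry(parse_reg_points(REG_POINTS), bad_paths=files)
    return build_cfscript(files, folders, keys, values)
```

Calling `generate()` yields the same five files, five folders and eleven registry lines (minus the BHOs abridged out of `REG_POINTS`) as the script in the post, while the Google folder created fifteen minutes earlier and the Google Toolbar Run value stay untouched. The allowlist is deliberately empty here because nothing ComboFix listed on this machine was verified; on a real case the analyst fills `verified_modules` with the BHO and Notify DLLs they checked, which is the manual step no heuristic replaces.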



