Hjt Log Inside Please Help


This topic is locked. 16 replies to this topic.

#1 Kikbuty

Posted 29 January 2008 - 01:54 AM

Second attempt at registering.
Odd, the HJT that I got from Trend Micro was the wrong version.
Anyway.

My many thanks to those who help those who need help.

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:41 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\INTERN~1\REMIEX~1.EXE
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\5f321.exe
C:\WINDOWS\system32\Ro.exe
C:\WINDOWS\system32\usbplay.exe
C:\WINDOWS\system32\AF388\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\INTERN~1\REMIEX~1.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\MSOffice\Office\FINDFAST.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\AF388\ctfmon.exe
C:\WINDOWS\system32\ticw.exe
C:\Documents and Settings\Owner\Desktop\hi jack\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe usbhelp.exe
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\abskey.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\45f1.dll
O2 - BHO: (no name) - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SSLDyn] C:\WINDOWS\SSLDyn.exE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [bq22uz] rundll32 "C:\WINDOWS\Downlo~1\bq22uz.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [d08i] rundll32 "C:\WINDOWS\Downlo~1\d08i.dll",Run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.8.2.23/aces/aces-en_US.cab
O16 - DPF: Double Deuce Poker by pogo -
O16 - DPF: First Class Solitaire by pogo -
O16 - DPF: Fortune Bingo by pogo -
O16 - DPF: High Stakes Poker by pogo -
O16 - DPF: Keno by pogo -
O16 - DPF: Showbiz Slots 2 by pogo -
O16 - DPF: Squelchies by pogo -
O16 - DPF: Texas Hold'em Poker by pogo -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\5f321.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Serviceusbhelp - Unknown owner - C:\WINDOWS\system32\usbplay.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Yahoo Service (YahooSvr) - Unknown owner - C:\WINDOWS\system32\AF388\svchost.exe

--
End of file - 9619 bytes


#2 Kikbuty (Topic Starter)

Posted 29 January 2008 - 02:02 AM

Just had 2 popups after posting:

http:{ i added this to prevent link }//class.caiyi8.{ i added this to prevent link }com/
and
an error message in a window for the link below.
---------------------------
Microsoft Internet Explorer
---------------------------
Your computer has been found to be infected with adware. Windows优化大师 (Windows Optimization Master) strongly recommends that you optimize your system immediately!
---------------------------
OK
---------------------------


http:{ i added this to prevent link }//wopti.e78.{ i added this to prevent link }com/channel.php?c=10196&u=1001&b=1_150x120

#3 Buckeye_Sam (Malware Expert)

Posted 30 January 2008 - 10:07 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Kikbuty (Topic Starter)

Posted 31 January 2008 - 12:45 PM

Buckeye Sam,

Thanks for your reply. I downloaded the tool, but then my (not the kids') computer died and I had to replace the power supply. When it rains it pours. :thumbsup:

I did not realize how much traffic this forum has. I had a difficult time finding my own post! :blink:

In the meantime I have been trying to run the 'STINGER' programs and the computer keeps freezing even when I am off line.

One tool I have been using is Steve Gould's CleanUp. It removes loads of temporary files, sometimes hundreds of megabytes' worth. It also reduces the number of files to be scanned when doing virus checking.
It may be a good tool to include in the HJT tutorial/preparation page.

Now that my pc is working I can get to the kids.

(off topic) BUCKEYE? You from Ohio? I was born and lived in Cincinnati for my first 2 years of life, so I consider myself to be a Buckeye as well.

Kikbuty

#5 Buckeye_Sam (Malware Expert)

Posted 31 January 2008 - 04:52 PM

I've used Cleanup before. It's a good little program.
Yes, I'm in Ohio, right in Columbus.

Just post back with that log when you get time to run Combofix and we'll get you fixed up. :thumbsup:

#6 Kikbuty (Topic Starter)

Posted 10 February 2008 - 04:22 PM

Sam, I'm sorry for the delay. It is my kids computer after all. If it were mine I probably would have replied within the hour!
Here is my log.
I really appreciate your help.

-----------------------------------
ComboFix 08-02.01.1 - Owner 2007-02-11 10:59:00.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\My Documents\dad's files\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ahesbb74.dll
C:\WINDOWS\system32\drivers\ahesbb74.sys
C:\WINDOWS\system32\drivers\awi37pln.sys
C:\Documents and Settings\All Users\Application Data\microsoft\office\system
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\finder.dll
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\HykMkUYBAI_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\jsGqfwBiWF_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\kCkwUp84Rk_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\nYsXqAKrka_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\QZzJm24wTD_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\S51SV5xRBq_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\sysloader.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\Wi7wXvf18M_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\_keepfile
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\信 图铃 彩铃 和弦 点歌 梦网
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\NUWfkMC0rS.dll
C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\Owner\Favorites\4bb6~1.lnk
C:\Documents and Settings\Owner\Favorites\7BFA~1.URL
C:\privilege.dat
C:\Program Files\ad4all
C:\Program Files\ad4all\Install.exe
C:\Program Files\ad4all\install.ini
C:\Program Files\ad4all\link1\eachlink.htm
C:\Program Files\ad4all\link1\eachlink.ico
C:\Program Files\ad4all\link1\ebaylink.ico
C:\Program Files\ad4all\link1\install.ini
C:\Program Files\ad4all\link1\Thumbs.db
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush.dll
C:\Program Files\Incesoft\XiaoiAlerts
C:\Program Files\Incesoft\XiaoiAlerts\Capture.dll
C:\Program Files\Incesoft\XiaoiAlerts\config.dat
C:\Program Files\Incesoft\XiaoiAlerts\MSNMessengerLib.dll
C:\Program Files\Incesoft\XiaoiAlerts\MSNPlugin.dll
C:\Program Files\Incesoft\XiaoiAlerts\resource.dll
C:\Program Files\Incesoft\XiaoiAlerts\Uninstall.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiAlerts.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiDesktop.exe
C:\Program Files\Incesoft\XiaoiAlerts\XiaoiUpdater.exe
C:\Program Files\osao\bfnb.dll
C:\Program Files\osao\dhpd.dll
C:\Program Files\osao\gksg.dll
C:\Program Files\osao\uygu.dll
C:\Program Files\osao\ycky.dll
C:\U.exe
C:\WINDOWS\avpsrv.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\Downloaded Program Files.\a2r80qa.dll
C:\WINDOWS\Downloaded Program Files.\bac08.dll
C:\WINDOWS\Downloaded Program Files.\bq22uz.dll
C:\WINDOWS\Downloaded Program Files.\c93o.dll
C:\WINDOWS\Downloaded Program Files.\d08i.dll
C:\WINDOWS\Downloaded Program Files.\d3jehce.dll
C:\WINDOWS\Downloaded Program Files.\dm1v.dll
C:\WINDOWS\Downloaded Program Files.\euh.dll
C:\WINDOWS\Downloaded Program Files.\fii5rf.dll
C:\WINDOWS\Downloaded Program Files.\fmv.dll
C:\WINDOWS\Downloaded Program Files.\fygsciln.dll
C:\WINDOWS\Downloaded Program Files.\hg3.dll
C:\WINDOWS\Downloaded Program Files.\hn78vk.dll
C:\WINDOWS\Downloaded Program Files.\i8vbpxz.dll
C:\WINDOWS\Downloaded Program Files.\jgrk7.dll
C:\WINDOWS\Downloaded Program Files.\lsu6ag.dll
C:\WINDOWS\Downloaded Program Files.\nabok.dll
C:\WINDOWS\Downloaded Program Files.\o22o.dll
C:\WINDOWS\Downloaded Program Files.\oxen7zo.dll
C:\WINDOWS\Downloaded Program Files.\oz12y7d.dll
C:\WINDOWS\Downloaded Program Files.\psd2gmo.dll
C:\WINDOWS\Downloaded Program Files.\qcm.dll
C:\WINDOWS\Downloaded Program Files.\rwd9.dll
C:\WINDOWS\Downloaded Program Files.\uatps9wq.dll
C:\WINDOWS\Downloaded Program Files.\uzsidb.dll
C:\WINDOWS\Downloaded Program Files.\vy861o9i.dll
C:\WINDOWS\Downloaded Program Files.\xaojla13.dll
C:\WINDOWS\Downloaded Program Files.\yjzj.dll
C:\WINDOWS\Downloaded Program Files.\zku4mw.dll
C:\WINDOWS\Downloaded Program Files.\zmc8rkmy.dll
C:\WINDOWS\e01.bmp
C:\WINDOWS\fn00321.log
C:\WINDOWS\kvsc3.exe
C:\WINDOWS\lotushlp.exe
C:\WINDOWS\msimms32.exe
C:\WINDOWS\NVDispDrv.exe
C:\WINDOWS\system\dvl
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\45f1.dlltmp
C:\WINDOWS\system32\641.dll
C:\WINDOWS\system32\ad_2517.exe
C:\WINDOWS\system32\adurl.ini
C:\WINDOWS\system32\ahesbb74.dll
C:\WINDOWS\system32\ahesbb74.dllmmc.pkm
C:\WINDOWS\system32\avpsrv.dll
C:\WINDOWS\system32\bho.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\dllcache\svchost.exe
C:\WINDOWS\system32\dodolook591.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\ahesbb74.sys
C:\WINDOWS\system32\drivers\awi37pln.sys
C:\WINDOWS\system32\drivers\comint32.sys
C:\WINDOWS\system32\DRIVERS\msconkt.sys
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\system32\drivers\usbhelp.sys
C:\WINDOWS\system32\drivers\usbplay.sys
C:\WINDOWS\system32\drivers\usbshow.sys
C:\WINDOWS\system32\flym.dll
C:\WINDOWS\system32\GDDJI32.dll
C:\WINDOWS\system32\gddthxi32.dll
C:\WINDOWS\system32\gdgfsji32.dll
C:\WINDOWS\system32\gdhnxai32.dll
C:\WINDOWS\system32\GDJX2I32.dll
C:\WINDOWS\system32\gdqqhxi32.dll
C:\WINDOWS\system32\gdqqsgi32.dll
C:\WINDOWS\system32\gdtli32.dll
C:\WINDOWS\system32\gdwdi32.dll
C:\WINDOWS\system32\GDWLI32.dll
C:\WINDOWS\system32\GDWMI32.dll
C:\WINDOWS\system32\gdzhtui32.dll
C:\WINDOWS\system32\gdzyhxi32.dll
C:\WINDOWS\system32\gdzyzji32.dll
C:\WINDOWS\system32\GenProtect.dll
C:\WINDOWS\system32\ini.~tmp
C:\WINDOWS\system32\jbkjevcwow.dll
C:\WINDOWS\system32\key.~tmp
C:\WINDOWS\system32\kvsc3.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\lyloader.exe
C:\WINDOWS\system32\lyloadmr.exe
C:\WINDOWS\system32\lymangr.dll
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\msdeg32.dll
C:\WINDOWS\system32\msimms32.dll
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\nvdispdrv.dll
C:\WINDOWS\system32\setyahoo.ini
C:\WINDOWS\system32\SHQ.DLL
C:\WINDOWS\system32\SHQMANGR.DLL
C:\WINDOWS\system32\SSLDyn.dll
C:\WINDOWS\system32\svchost.dat
C:\WINDOWS\system32\svchost.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\usbhelp.exe
C:\WINDOWS\system32\usbplay.exe
C:\WINDOWS\system32\usbshow.dll
C:\WINDOWS\system32\VAOTVDI.DLL
C:\WINDOWS\system32\wbem\DFZWXSGUKB.MDA
C:\WINDOWS\system32\WSockDrv32.dll
C:\WINDOWS\system32\ygkkmthzx.dll
C:\WINDOWS\TEMP\~my1.tmp
C:\WINDOWS\tempaq
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\WSockDrv32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AHESBB74
-------\LEGACY_COMINT32
-------\LEGACY_MXDISPDR
-------\LEGACY_OULTRAF
-------\LEGACY_PCIHARDDISK
-------\LEGACY_SERVICEUSBHELP
-------\LEGACY_SYSLOADER
-------\LEGACY_YAHOOSVR
-------\ahesbb74
-------\mxdispdr
-------\oUltraf
-------\PciHardDisk
-------\Serviceusbhelp
-------\sysloader
-------\YahooSvr


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-18 02:49 . 2008-01-18 02:49 159,744 --a------ C:\WINDOWS\system32\ticw.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 17:14 53,248 ----a-r C:\WINDOWS\0f21.exe
2008-02-01 19:14 --------- d-----w C:\Program Files\Incesoft
2008-02-01 19:13 --------- d-----w C:\Program Files\osao
2008-01-22 21:23 12,544 ----a-w C:\WINDOWS\system32\drivers\zwdu.sys
2007-12-25 18:56 18,152 ----a-w C:\WINDOWS\SSLDyn.exE
2007-12-15 00:22 49,250 --sha-w C:\WINDOWS\235780WO.DLL
2007-12-14 06:41 77,824 ----a-w C:\WINDOWS\system32\drivers\pcibus.sys
2007-12-14 04:45 --------- d-----w C:\Program Files\Conquer 2.0
2007-12-01 07:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 07:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 07:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 07:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 07:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 07:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 07:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-02-11 18:51 37,888 ----a-w C:\Program Files\Common Files\m1.exe
2005-01-06 19:05 89,088 ----a-w C:\Program Files\Common Files\m2.exe
2005-01-04 00:48 47,205 ----a-w C:\Program Files\avp.exe
2005-01-03 19:34 46,592 ----a-w C:\Program Files\Common Files\WIN.exe
2005-01-03 05:27 39,424 ----a-w C:\Program Files\ver.txt
2005-12-29 22:54 249,344 --sh--w C:\WINDOWS\system32\AF388\ctfmon.exe
2005-01-04 22:03 44,032 --sh--w C:\WINDOWS\system32\AF388\svchost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}]
2007-11-13 15:03 106496 --a------ C:\WINDOWS\system32\abskey.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 15:44 831557 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-01-03 08:43 313472]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-01-09 12:40 1460560]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2005-01-09 11:25 70245]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2005-01-09 11:27 70245]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 18:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 15:44 4595712]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 14:57 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-07 21:42 78437]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SSLDyn"="C:\WINDOWS\SSLDyn.exE" [2007-12-25 10:56 18152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-18 23:03 771704]
"myyqcnju"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 30309]
BTTray.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2004-10-01 14:12:18 565861]
Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1995-09-26 23:00:00 15461]
Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1995-09-26 23:00:00 87141]
Microsoft Office Shortcut Bar.lnk - C:\MSOffice\Office\MSOFFICE.EXE [1995-09-26 23:00:00 365669]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 18:20:02 53861]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fygsciln"= rundll32 "C:\WINDOWS\Downlo~1\fygsciln.dll",start
"o22o"= rundll32 "C:\WINDOWS\Downlo~1\o22o.dll",Run

R0 zwdu;zwd;C:\WINDOWS\system32\DRIVERS\zwdu.sys [2008-01-22 13:23]
R2 4fp2zp;4fp2zp;C:\WINDOWS\system32\drivers\4fp2zp.sys [2004-08-03 23:56]
S0 awi37pln;awi37pl;C:\WINDOWS\system32\DRIVERS\awi37pln.sys []
S0 eract;erac;C:\WINDOWS\system32\DRIVERS\eract.sys []
S3 ATI2HDDSRV;ATI2HDDSRV;C:\WINDOWS\system32\drivers\ati32srv.sys []
S3 DeepFree Update;DeepFree Update;C:\WINDOWS\system32\drivers\pcihdd2.sys []
Stop Pending3 Ndisprot;Network Monitor Protocol Driver;C:\WINDOWS\system32\DRIVERS\winsys.sys [2005-01-02 21:29]

*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-01-30 05:55:44 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 11:28:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [1788]
? [2144]
? [2232]
? [2436]
? [3988]
? [4064]
? [1888]
? [1904]
? [1944]
? [1980]
? [2824]
? [2952]
? [3024]
? [3032]
? [3072]
? [3592]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\SSLDyn.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\ticw.exe
C:\PROGRA~1\INTERN~1\REMIEX~1.EXE
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\MSOffice\Office\FINDFAST.EXE
C:\MSOffice\Office\MSOFFICE.EXE
C:\WINDOWS\system32\cidaemon.exe
.
**************************************************************************
.
Completion time: 2008-02-01 11:44:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 19:44:39
.
2007-01-19 10:27:43 --- E O F ---

#7 Buckeye_Sam (Malware Expert)

Posted 10 February 2008 - 06:12 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\0f21.exe
C:\WINDOWS\SSLDyn.exE
C:\WINDOWS\system32\SSLDyn.dll
C:\Program Files\Common Files\m1.exe
C:\Program Files\Common Files\m2.exe
C:\Program Files\avp.exe
C:\Program Files\Common Files\WIN.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
"myyqcnju"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fygsciln"=-
"o22o"=-
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


==================



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 Kikbuty

Kikbuty
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Temecula
  • Local time:03:57 AM

Posted 14 February 2008 - 01:56 AM

Sam,
Here is my resulting file. The computer is already working better.

ComboFix 08-02.01.1 - Owner 2008-02-04 22:24:32.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

FILE
C:\Program Files\avp.exe
C:\Program Files\Common Files\m1.exe
C:\Program Files\Common Files\m2.exe
C:\Program Files\Common Files\WIN.exe
C:\WINDOWS\0f21.exe
C:\WINDOWS\SSLDyn.exE
C:\WINDOWS\system32\SSLDyn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\avp.exe
C:\Program Files\Common Files\m1.exe
C:\Program Files\Common Files\m2.exe
C:\Program Files\Common Files\WIN.exe
C:\WINDOWS\0f21.exe
C:\WINDOWS\SSLDyn.exE
C:\WINDOWS\system32\RRJUJUVQBMTBZK.DLL
C:\WINDOWS\system32\SSLDyn.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 21:33 . 2008-02-04 22:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-04 21:33 . 2008-02-04 22:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 02:49 . 2008-01-18 02:49 159,744 --a------ C:\WINDOWS\system32\ticw.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 19:14 --------- d-----w C:\Program Files\Incesoft
2008-02-01 19:13 --------- d-----w C:\Program Files\osao
2008-01-22 21:23 12,544 ----a-w C:\WINDOWS\system32\drivers\zwdu.sys
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-15 00:22 49,250 --sha-w C:\WINDOWS\235780WO.DLL
2007-12-14 06:41 77,824 ----a-w C:\WINDOWS\system32\drivers\pcibus.sys
2007-12-14 04:45 --------- d-----w C:\Program Files\Conquer 2.0
2005-01-03 05:27 39,424 ----a-w C:\Program Files\ver.txt
2005-12-29 22:54 249,344 --sh--w C:\WINDOWS\system32\AF388\ctfmon.exe
2005-01-04 22:03 44,032 --sh--w C:\WINDOWS\system32\AF388\svchost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 15:44 831557 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-01-03 08:43 313472]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-01-09 12:40 1460560]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2005-01-09 11:25 70245]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2005-01-09 11:27 70245]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 18:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 15:44 4595712]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 14:57 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-07 21:42 78437]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SSLDyn"="C:\WINDOWS\SSLDyn.exE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-18 23:03 771704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 30309]
BTTray.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2004-10-01 14:12:18 565861]
Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1995-09-26 23:00:00 15461]
Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1995-09-26 23:00:00 87141]
Microsoft Office Shortcut Bar.lnk - C:\MSOffice\Office\MSOFFICE.EXE [1995-09-26 23:00:00 365669]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 18:20:02 53861]

R0 zwdu;zwd;C:\WINDOWS\system32\DRIVERS\zwdu.sys [2008-01-22 13:23]
R2 4fp2zp;4fp2zp;C:\WINDOWS\system32\drivers\4fp2zp.sys [2004-08-03 23:56]
R2 Re;Ro;C:\WINDOWS\system32\Ro.exe [2004-08-03 23:56]
R2 WinCOM;COM+ Windows System;C:\WINDOWS\system32\wincom.exe [2005-01-08 00:12]
S0 awi37pln;awi37pl;C:\WINDOWS\system32\DRIVERS\awi37pln.sys []
S0 eract;erac;C:\WINDOWS\system32\DRIVERS\eract.sys []
S2 469C0EA8;469C0EA8;C:\WINDOWS\system32\747B6464.EXE [2007-01-29 05:04]
S2 txft;txft;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\osao\ycky.dll,Service []
S3 ATI2HDDSRV;ATI2HDDSRV;C:\WINDOWS\system32\drivers\ati32srv.sys []
S3 DeepFree Update;DeepFree Update;C:\WINDOWS\system32\drivers\pcihdd2.sys []
Stop Pending3 Ndisprot;Network Monitor Protocol Driver;C:\WINDOWS\system32\DRIVERS\winsys.sys [2005-01-02 21:29]

.
Contents of the 'Scheduled Tasks' folder
"2007-01-30 05:55:44 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 22:36:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [1652]
? [1828]
? [1880]
? [216]
? [244]
? [1368]
? [1612]
? [2056]
? [2180]
? [2328]
? [2348]
? [2356]
? [2396]
? [2416]
? [2432]
? [2548]
? [3364]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 22:45:28
ComboFix-quarantined-files.txt 2008-02-05 06:45:23
ComboFix2.txt 2008-02-01 19:44:48
.
2008-02-05 06:07:58 --- E O F ---

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:57 AM

Posted 14 February 2008 - 08:09 PM

I'm still seeing some suspicious files in your log. Did you run the online virus scan?

========================================================

#10 Kikbuty

Kikbuty
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Temecula
  • Local time:03:57 AM

Posted 11 March 2008 - 05:01 PM

Sam,
Yes I ran the online virus scan and it showed NO infected files.

As soon as I made the last comment about the computer working better I had several pop ups, so my comment was wrong.

There is one directory on my hard drive that has garbage characters as the file name. I suspect it has malware from an Asian site that a visitor accessed. I have tried deleting the directory through Windows, through safe mode and even from the safe mode command line. It will not go away. I even verified the file and folder attributes are NOT set to read only.

This is an HP Pavilion desktop that did not come with backup CDs. I was supposed to make my own but never did, so IF possible I would love to repair this system and not have to reinstall from a new software package. I also don't want to 'upgrade' to Vista as this system would need fairly major equipment upgrades to be fully compatible.

I really do appreciate your help even with my slow replies.

(edited spelling)

Edited by Kikbuty, 11 March 2008 - 05:04 PM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:57 AM

Posted 12 March 2008 - 06:53 AM

Since it's been nearly a month since your last post, we need to almost start from the beginning.
First you need to delete the copy of Combofix that you have on your computer now and download the latest version from here.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then run Combofix and post a new log in your next reply.

========================================================

#12 Kikbuty

Kikbuty
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Temecula
  • Local time:03:57 AM

Posted 21 March 2008 - 06:05 PM

Sam,
Thanks for your tolerance.

When I turn on the PC with it disconnected from the internet/network, it works well.
When I turn on the PC with it connected, the popups start and the favorites are added without my consent.

Also the following occurs:
Internet Explorer starts on its own after the following text box pops up:
"Internet Explorer is not currently your default browser. Would you like to make it your default browser?" (checked box: "Always perform this check when starting Internet Explorer") Yes / No

Then Internet Explorer starts on its own and goes to this web site (Asian text) with a popup of garbage text. I am guessing that the text box is to bookmark the page. The only buttons are OK and the Windows close-window red X.

click the red x and jump to this web page
http://wopti.e78.com/channel.php?c=10196&a...amp;b=1_150x120

and a new favorite is added to the list
百度
http://www.baidu.com/index.php?tn=greenbrowser_4_pg


Internet Explorer does not pop up right now but Spybot is VERY active, stopping things from happening.
I ran the newest ComboFix and the popping up would not stop. When I attempted to post the log the computer restarted, and I don't know where the log is. I will attempt to re-run the program and post the results next.

Be back soon... if the pc cooperates.

#13 Kikbuty

Kikbuty
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Temecula
  • Local time:03:57 AM

Posted 21 March 2008 - 06:45 PM

ComboFix 08-03-21.1 - Owner 2008-03-21 16:07:39.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\a2001.dat
C:\Documents and Settings\All Users\Application Data\t\b2001.dat
C:\Documents and Settings\All Users\Application Data\t\k2001.dat
C:\Documents and Settings\All Users\Application Data\t\p2001.dat
C:\Documents and Settings\All Users\Application Data\t\r2001.dat
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush.dll
C:\Program Files\Common Files\cpush\Uninst.exe
C:\Program Files\osao\bfnb.dll
C:\Program Files\osao\dhpd.dll
C:\Program Files\osao\gksg.dll
C:\Program Files\osao\uygu.dll
C:\Program Files\osao\ycky.dll
C:\WINDOWS\12395.exe
C:\WINDOWS\12499.exe
C:\WINDOWS\15069.exe
C:\WINDOWS\15610.exe
C:\WINDOWS\16017.exe
C:\WINDOWS\16725.exe
C:\WINDOWS\18297.exe
C:\WINDOWS\18516.exe
C:\WINDOWS\19953.exe
C:\WINDOWS\19980.exe
C:\WINDOWS\25033.exe
C:\WINDOWS\26815.exe
C:\WINDOWS\28937.exe
C:\WINDOWS\32580.exe
C:\WINDOWS\33272.exe
C:\WINDOWS\3406.exe
C:\WINDOWS\35337.exe
C:\WINDOWS\35527.exe
C:\WINDOWS\36421.exe
C:\WINDOWS\37993.exe
C:\WINDOWS\38320.exe
C:\WINDOWS\38932.exe
C:\WINDOWS\3975.exe
C:\WINDOWS\44596.exe
C:\WINDOWS\45242.exe
C:\WINDOWS\46361.exe
C:\WINDOWS\4694.exe
C:\WINDOWS\4729.exe
C:\WINDOWS\47610.exe
C:\WINDOWS\49105.exe
C:\WINDOWS\8520.exe
C:\WINDOWS\b9b1c00bdd.dll
C:\WINDOWS\dodolook133.exe
C:\WINDOWS\Downloaded Program Files.\cf3bw.dll
C:\WINDOWS\Downloaded Program Files.\dy6ggl.dll
C:\WINDOWS\Downloaded Program Files.\eeeh3.dll
C:\WINDOWS\Downloaded Program Files.\hf31.dll
C:\WINDOWS\e01.bmp
C:\WINDOWS\server.exe
C:\WINDOWS\system32\5f321.exe
C:\WINDOWS\system32\641.dll
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\dnabeser.dat
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\system32\f0431ec4dc.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\server.exe
C:\WINDOWS\system32\winhelp.exe
C:\WINDOWS\system32\Winsp2.dll
C:\WINDOWS\system32\xyz123.dll
C:\WINDOWS\TEMP\~my1.tmp
C:\WINDOWS\TEMP\170.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_MS_2FAX
-------\Legacy_MXDISPDR
-------\Service_acpidisk
-------\Service_ms_2fax
-------\Service_mxdispdr


((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-21 16:07 . 2008-03-21 16:07 3,631 --a------ C:\26.tmp
2008-03-21 15:33 . 2008-03-21 13:16 53,248 -ra------ C:\WINDOWS\0f21.exe
2008-03-21 15:31 . 2008-03-21 15:31 55,296 --a------ C:\Program Files\Common Files\m1.exe
2008-03-21 15:31 . 2008-03-21 15:57 24,648 --a------ C:\Program Files\avp.exe
2008-03-21 15:22 . 2008-03-21 16:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-21 15:22 . 2008-03-21 16:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 15:15 . 2008-03-21 15:15 33,452 --a------ C:\WINDOWS\server1.exe
2008-03-21 14:07 . 2008-03-21 14:07 24,936 --a------ C:\WINDOWS\system32\ksavp.exe
2008-03-21 14:05 . 2008-03-21 14:05 110 --a------ C:\WINDOWS\$$30689.bat
2008-03-21 14:04 . 2008-03-21 15:14 227,329 --a------ C:\WINDOWS\ad_2517.exe
2008-03-21 14:04 . 2008-03-21 15:14 17,920 --a------ C:\WINDOWS\admin6_ver0111.exe
2008-03-21 14:03 . 2008-03-21 14:04 56,320 --a------ C:\WINDOWS\yeSetup.exe
2008-03-21 14:03 . 2008-03-21 15:14 301 --a------ C:\WINDOWS\system32\pcii.sys
2008-03-21 14:01 . 2008-03-21 14:01 42,496 --a------ C:\Program Files\Common Files\WIN.exe
2008-03-21 14:01 . 2008-03-21 14:01 20,480 --a------ C:\WINDOWS\system32\my_70346.exe
2008-03-21 13:42 . 2008-03-21 13:42 3,631 --a------ C:\3.tmp
2008-03-12 13:41 . 2008-03-12 13:41 3,631 --a------ C:\2.tmp
2008-03-12 13:35 . 2008-03-21 15:31 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 23:23 61,440 ----a-w C:\WINDOWS\system32\27AB6384.DLL
2008-03-21 23:17 --------- d-----w C:\Program Files\osao
2008-03-21 22:32 45,056 ----a-w C:\WINDOWS\system32\nkvckye.dll
2008-03-21 22:32 40,960 ----a-w C:\WINDOWS\system32\adsldpj.dll
2008-03-21 22:32 12,416 ----a-w C:\WINDOWS\system32\drivers\adsldpj.sys
2008-03-21 22:15 25,088 ----a-w C:\WINDOWS\shenji.exe
2008-03-21 21:02 35,328 ----a-w C:\WINDOWS\system32\portablemsi.dll
2008-03-21 20:16 53,248 ----a-r C:\WINDOWS\system32\45f1.dll
2008-03-12 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 19:26 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-03-12 19:13 --------- d-----w C:\Program Files\The Learning Company
2008-03-12 19:07 --------- d-----w C:\Program Files\Hasbro Interactive
2008-03-12 19:04 --------- d-----w C:\Program Files\Cap'n Crunch
2008-03-12 18:53 --------- d-----w C:\Program Files\Conquer 2.0
2008-03-12 18:49 --------- d-----w C:\Program Files\Oberon Media
2008-03-12 18:40 --------- d-----w C:\Program Files\Myth II
2008-03-12 18:35 --------- d-----w C:\Program Files\InterActual
2008-03-12 18:29 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-12 18:17 --------- d-----w C:\Program Files\Activision
2008-03-12 18:15 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 07:59 17,856 ----a-w C:\WINDOWS\system32\747B6464.EXE
2008-02-05 07:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-05 06:59 44,032 ----a-w C:\Program Files\Common Files\remWrem Irem N.exe
2008-02-01 19:14 --------- d-----w C:\Program Files\Incesoft
2008-01-22 21:23 12,544 ----a-w C:\WINDOWS\system32\drivers\zwdu.sys
2008-01-18 10:49 159,744 ----a-w C:\WINDOWS\system32\ticw.exe
2007-12-25 19:00 14,079 --sh--w C:\WINDOWS\system32\gdzxi32.dll
2007-12-25 19:00 13,767 --sh--w C:\WINDOWS\system32\gdjzi32.dll
2007-12-25 19:00 13,218 --sh--w C:\WINDOWS\system32\gdfyi32.dll
2007-12-25 18:58 16,572 --sh--w C:\WINDOWS\system32\gdmsi32.dll
2005-01-03 05:27 39,424 ----a-w C:\Program Files\ver.txt
2007-12-20 23:20 13,908 --sh--w C:\WINDOWS\system32\gdgji32.dll
2007-12-14 06:42 13,454 --sh--w C:\WINDOWS\system32\gdqji32.dll
2005-12-29 22:54 249,344 --sh--w C:\WINDOWS\system32\AF388\ctfmon.exe
2005-01-04 22:03 44,032 --sh--w C:\WINDOWS\system32\AF388\svchost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}]
2007-11-13 16:03 106496 --a------ C:\WINDOWS\system32\abskey.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFB3D068-F8DA-4370-A71E-83B1C959CDD6}]
2008-03-21 13:16 53248 -ra------ C:\WINDOWS\system32\45f1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 16:44 831557 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-01-03 09:43 313472]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-01-09 13:40 1460560]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2005-01-09 12:25 70245]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2005-01-09 12:27 70245]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 16:44 4595712]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-07 22:42 78437]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SSLDyn"="C:\WINDOWS\SSLDyn.exE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-19 00:03 771704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 30309]
Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1995-09-27 15461]
Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1995-09-27 87141]
Microsoft Office Shortcut Bar.lnk - C:\MSOffice\Office\MSOFFICE.EXE [1995-09-27 365669]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 19:20:02 53861]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"hf31"= rundll32 "C:\WINDOWS\Downlo~1\hf31.dll",start
"dy6ggl"= rundll32 "C:\WINDOWS\Downlo~1\dy6ggl.dll",Run

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.com]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AntiArp.exe]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.com]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\usmt\\8047\\svchost.exe"=
"C:\\WINDOWS\\system32\\usmt\\0042\\svchost.exe"=

R0 adsldpj;adsldpj;C:\WINDOWS\system32\drivers\adsldpj.sys [2008-03-21 15:32]
R0 pu8d;pu8;C:\WINDOWS\system32\DRIVERS\pu8d.sys [2004-08-04 00:56]
R0 zwdu;zwd;C:\WINDOWS\system32\DRIVERS\zwdu.sys [2008-01-22 14:23]
R2 4fp2zp;4fp2zp;C:\WINDOWS\system32\drivers\4fp2zp.sys [2004-08-04 00:56]
R2 ms_2fax;ms_2fax;C:\WINDOWS\system32\5f321.exe [2008-03-20 19:49]
R2 Re;Ro;C:\WINDOWS\system32\Ro.exe [2004-08-04 00:56]
R2 WinCOM;COM+ Windows System;C:\WINDOWS\system32\wincom.exe [2005-01-08 01:12]
S0 awi37pln;awi37pl;C:\WINDOWS\system32\DRIVERS\awi37pln.sys []
S0 eract;erac;C:\WINDOWS\system32\DRIVERS\eract.sys []
S2 469C0EA8;469C0EA8;C:\WINDOWS\system32\747B6464.EXE [2008-02-05 00:59]
S2 portablemsi;portablemsi;C:\WINDOWS\system32\u1206133315g.exe []
S2 txft;txft;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\osao\ycky.dll,Service -s []
S2 Windows XP SP2 Center;Windows XP SP2 Center;C:\WINDOWS\system32\Server.exe []
S3 ATI2HDDSRV;ATI2HDDSRV;C:\WINDOWS\system32\drivers\ati32srv.sys []
S3 DeepFree Update;DeepFree Update;C:\WINDOWS\system32\drivers\pcihdd2.sys []
Stop Pending3 Ndisprot;Network Monitor Protocol Driver;C:\WINDOWS\system32\DRIVERS\winsys.sys [2005-01-02 22:29]

*Newly Created Service* - ADSLDPJ
*Newly Created Service* - MS_2FAX
.
Contents of the 'Scheduled Tasks' folder
"2007-01-30 05:55:44 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 16:24:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [3284]

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\5f321.exe 122880 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\27AB6384.DLL

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\27AB6384.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\ticw.exe
c:\Program Files\Common Files\WIN.exe
C:\PROGRA~1\INTERN~1\REMIEX~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\avp.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
c:\Program Files\Common Files\WIN.exe
C:\WINDOWS\system32\wscntfy.exe
c:\win.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\INTERN~1\REMIEX~1.EXE
C:\PROGRA~1\INTERN~1\REMIEX~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\INTERN~1\REMIEX~1.EXE
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-21 16:41:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 23:40:51
ComboFix2.txt 2008-03-21 21:01:49
ComboFix3.txt 2008-02-05 08:34:37
ComboFix4.txt 2008-02-05 06:45:30
ComboFix5.txt 2008-02-01 19:44:48
.
2008-03-21 22:55:22 --- E O F ---
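
The log above shows several of the persistence tricks this infection relies on, and they are worth recognising in any ComboFix or HijackThis output. The Image File Execution Options entries for 360Safe.com, IceSword.com, AntiArp.exe, rfwProxy.exe and zxsweep.exe use the IFEO "Debugger" mechanism: whenever one of those anti-malware tools is launched, Windows starts C:\WINDOWS\system32\SVCH0ST.exe (a zero, not the letter o) in its place. DisableMonitoring=1 under Security Center\Monitoring silences the warnings Windows would otherwise raise about the Symantec products. The firewall AuthorizedApplications entries whitelist executables named svchost.exe in non-standard folders under system32\usmt. Run values that end in "[ ]" point at files that no longer exist (SSLDyn.exE was deleted by the earlier CFScript but its autostart value stayed), the txft service is hosted through rundll32 from a DLL in Program Files\osao, and several binaries carry hex-looking names (5f321.exe, 747B6464.EXE, 27AB6384.DLL). As an added example (my own code, not part of this thread and not ComboFix's), the Python script below walks the "Reg Loading Points" and service lines of a ComboFix-style log and flags those patterns. The embedded sample lines are copied from the posted log and trimmed to one instance of each indicator; the rule names, the SYSTEM_NAMES list and the hex-name heuristic are assumptions of mine, not anything the tool defines.

```python
"""Flag the persistence indicators seen in the ComboFix log above (added example, not ComboFix code)."""
import ntpath
import re
from collections import namedtuple

# Core Windows binary names the malware here copied (AF388\svchost.exe) or imitated (SVCH0ST.exe); my list.
SYSTEM_NAMES = {"svchost.exe", "ctfmon.exe", "services.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
RUN_DATA_RE = re.compile(r'^"?(?P<path>[^"\[]+?)"?\s*\[(?P<stamp>[^\]]*)\]$')   # "path" [date size]
DEBUGGER_RE = re.compile(r"^debugger\s*=\s*(?P<path>.+)$", re.I)
SERVICE_RE = re.compile(r"^(?:[RS]\d|Stop Pending\d)\s+(?P<name>[^;]+);[^;]*;(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{4,}\.(?:exe|dll)$", re.I)   # heuristic: 5f321.exe, 747B6464.EXE, 27AB6384.DLL

Finding = namedtuple("Finding", "rule detail")

def _clean(path):
    # The firewall list doubles backslashes (C:\\WINDOWS\\...) and Run values are quoted; normalise both.
    return path.replace("\\\\", "\\").strip().strip('"')

def spoofed_system_name(path):
    """Return the system binary a file name imitates with digit look-alikes (SVCH0ST.exe -> svchost.exe)."""
    base = ntpath.basename(path).lower()
    canon = base.replace("0", "o").replace("1", "l")
    return canon if base not in SYSTEM_NAMES and canon in SYSTEM_NAMES else None

def misplaced_system_binary(path):
    """True when a file carries a core Windows binary's name but lives outside System32 / WINDOWS."""
    return ntpath.basename(path).lower() in SYSTEM_NAMES and ntpath.dirname(path).lower() not in SYSTEM_DIRS

def _name_checks(path, where):
    base = ntpath.basename(path)
    if HEX_NAME_RE.match(base):
        yield Finding("random-name", f"{where}: hex-looking file name {path}")
    if (spoof := spoofed_system_name(path)):
        yield Finding("spoofed-system-name", f"{where}: {base} imitates {spoof}")
    if misplaced_system_binary(path):
        yield Finding("misplaced-system-binary", f"{where}: {base} outside System32 at {path}")

def _service_checks(name, image, stamp):
    if "rundll32.exe" in image.lower():          # DLL-hosted service launched through rundll32
        yield Finding("rundll32-service", f"{name}: {image}")
        return
    if not stamp.strip():                        # ComboFix prints [] when it cannot stat the image file
        yield Finding("service-missing-image", f"{name}: {image}")
    yield from _name_checks(image, f"service {name}")

def scan_log(text):
    """Walk the 'Reg Loading Points' and service lines of a ComboFix log; return Findings in log order."""
    findings, key_raw, key = [], "", ""
    for line in (l.strip() for l in text.splitlines()):
        if (sec := SECTION_RE.match(line)):
            key_raw = sec.group("key")
            key = key_raw.lower()
        elif (svc := SERVICE_RE.match(line)):
            findings.extend(_service_checks(svc.group("name"), _clean(svc.group("image")), svc.group("stamp")))
        elif (dbg := DEBUGGER_RE.match(line)) and "image file execution options\\" in key:
            target, path = key_raw.rsplit("\\", 1)[1], _clean(dbg.group("path"))
            findings.append(Finding("ifeo-debugger", f"launching {target} runs {path} in its place"))
            findings.extend(_name_checks(path, f"IFEO debugger for {target}"))
        elif (val := VALUE_RE.match(line)):
            name, data = val.group("name"), val.group("data")
            if "security center\\monitoring" in key and name.lower() == "disablemonitoring" and data.lower() == "dword:00000001":
                findings.append(Finding("security-center-disabled", key_raw.rsplit("\\", 1)[1]))
            elif key.endswith("authorizedapplications\\list"):
                path = _clean(name)
                findings.append(Finding("firewall-exception", path))
                findings.extend(_name_checks(path, "firewall exception"))
            elif key.endswith("\\policies\\explorer\\run"):          # rarely used by legitimate software
                findings.append(Finding("policy-run", f"{name} = {data}"))
            elif key.endswith("\\run") and (m := RUN_DATA_RE.match(data)):
                if not m.group("stamp").strip():                     # [ ] : file is gone but the autostart stays
                    findings.append(Finding("autostart-missing-file", f"{name} -> {m.group('path')}"))
                findings.extend(_name_checks(_clean(m.group("path")), f"Run value {name}"))
    return findings

# Lines copied from the ComboFix log posted above, trimmed to one example of each indicator (ctfmon.exe is a clean control).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SSLDyn"="C:\WINDOWS\SSLDyn.exE" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"hf31"= rundll32 "C:\WINDOWS\Downlo~1\hf31.dll",start
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.com]
debugger=C:\WINDOWS\system32\SVCH0ST.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.com]
debugger=C:\WINDOWS\system32\SVCH0ST.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\usmt\\8047\\svchost.exe"=
R2 ms_2fax;ms_2fax;C:\WINDOWS\system32\5f321.exe [2008-03-20 19:49]
S2 txft;txft;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\osao\ycky.dll,Service -s []
S2 Windows XP SP2 Center;Windows XP SP2 Center;C:\WINDOWS\system32\Server.exe []
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

Run as-is it prints twelve findings from the embedded sample (the clean ctfmon.exe line produces none); pass the full text of a real log to scan_log() to check it. The output is a list of indicators for a helper to look at, not removal instructions: the decision about what goes into a CFScript, as in the earlier post, still belongs to the person reading the whole log.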

#14 Kikbuty

Kikbuty
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Temecula
  • Local time:03:57 AM

Posted 21 March 2008 - 06:47 PM

While all the log was being generated I had at least 15 RUNDLL module not found pop ups.
This is so frustrating.

later...
I rebooted the PC and by some magical occurrence I noticed that there were 321 processes running. Most of them were win.exe or WIN.EXE.

I rebooted into safe mode command line and searched for these 2 files and renamed them. After rebooting there are no more occurrences of these 2 programs in the process list.

Edited by Kikbuty, 21 March 2008 - 08:27 PM.


#15 Kikbuty

Kikbuty
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Temecula
  • Local time:03:57 AM

Posted 21 March 2008 - 09:38 PM

Just for the heck of it I ran the program again.

ComboFix 08-03-21.1 - Owner 2008-03-21 18:57:37.6 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\5f321.exe
C:\WINDOWS\system32\adsldpj.dll
C:\WINDOWS\system32\drivers\adsldpj.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADSLDPJ
-------\Legacy_MS_2FAX
-------\Service_adsldpj
-------\Service_ms_2fax


((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-21 18:56 . 2008-03-21 18:56 3,631 --a------ C:\7.tmp
2008-03-21 16:33 . 2008-03-21 16:33 25,088 --a------ C:\WINDOWS\system32\u1206142372g.exe
2008-03-21 16:07 . 2008-03-21 16:07 3,631 --a------ C:\26.tmp
2008-03-21 15:33 . 2008-03-21 13:16 53,248 -ra------ C:\WINDOWS\0f21.exe
2008-03-21 15:31 . 2008-03-21 17:25 55,296 --a------ C:\Program Files\Common Files\m1.exe
2008-03-21 15:31 . 2008-03-21 15:57 24,648 --a------ C:\Program Files\avp.exe
2008-03-21 15:15 . 2008-03-21 15:15 33,452 --a------ C:\WINDOWS\server1.exe
2008-03-21 14:07 . 2008-03-21 14:07 24,936 --a------ C:\WINDOWS\system32\ksavp.exe
2008-03-21 14:05 . 2008-03-21 14:05 110 --a------ C:\WINDOWS\$$30689.bat
2008-03-21 14:04 . 2008-03-21 15:14 227,329 --a------ C:\WINDOWS\ad_2517.exe
2008-03-21 14:04 . 2008-03-21 15:14 17,920 --a------ C:\WINDOWS\admin6_ver0111.exe
2008-03-21 14:03 . 2008-03-21 14:04 56,320 --a------ C:\WINDOWS\yeSetup.exe
2008-03-21 14:03 . 2008-03-21 15:14 301 --a------ C:\WINDOWS\system32\pcii.sys
2008-03-21 14:02 . 2007-12-06 17:44 617,984 --a------ C:\WINDOWS\system32\urls.dll
2008-03-21 14:02 . 2007-12-06 17:44 617,984 --a------ C:\WINDOWS\system32\ups.dll
2008-03-21 14:02 . 2002-08-29 05:00 114,688 --a------ C:\WINDOWS\system32\cSEDc.exe
2008-03-21 14:02 . 2002-08-29 05:00 114,688 --a------ C:\WINDOWS\system32\ccVS.exe
2008-03-21 14:02 . 2002-08-29 05:00 114,688 --a------ C:\WINDOWS\system32\cc.exe
2008-03-21 14:02 . 2008-03-21 14:02 35,328 --a------ C:\WINDOWS\system32\portablemsi.dll
2008-03-21 14:02 . 2008-03-21 15:15 25,088 --a------ C:\WINDOWS\shenji.exe
2008-03-21 14:02 . 2008-03-21 14:02 1,200 --a------ C:\WINDOWS\system32\Aduio.sys
2008-03-21 14:02 . 2008-03-21 14:02 816 --a------ C:\WINDOWS\system32\tcpip.sys
2008-03-21 14:02 . 2008-03-21 14:02 301 --a------ C:\WINDOWS\system32\Configs.sys
2008-03-21 14:01 . 2008-03-21 14:01 20,480 --a------ C:\WINDOWS\system32\my_70346.exe
2008-03-21 13:42 . 2008-03-21 13:42 3,631 --a------ C:\3.tmp
2008-03-12 13:41 . 2008-03-12 13:41 3,631 --a------ C:\2.tmp
2008-03-12 13:35 . 2008-03-21 15:31 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 02:14 61,440 ----a-w C:\WINDOWS\system32\27AB6384.DLL
2008-03-22 00:26 45,056 ----a-w C:\WINDOWS\system32\nkvckye.dll
2008-03-21 23:17 --------- d-----w C:\Program Files\osao
2008-03-21 20:16 53,248 ------w C:\WINDOWS\system32\45f1.dll
2008-03-12 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 19:26 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-03-12 19:13 --------- d-----w C:\Program Files\The Learning Company
2008-03-12 19:07 --------- d-----w C:\Program Files\Hasbro Interactive
2008-03-12 19:04 --------- d-----w C:\Program Files\Cap'n Crunch
2008-03-12 18:53 --------- d-----w C:\Program Files\Conquer 2.0
2008-03-12 18:49 --------- d-----w C:\Program Files\Oberon Media
2008-03-12 18:40 --------- d-----w C:\Program Files\Myth II
2008-03-12 18:35 --------- d-----w C:\Program Files\InterActual
2008-03-12 18:29 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-12 18:17 --------- d-----w C:\Program Files\Activision
2008-03-12 18:15 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-05 07:59 17,856 ----a-w C:\WINDOWS\system32\747B6464.EXE
2008-02-05 07:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-01 19:14 --------- d-----w C:\Program Files\Incesoft
2008-01-22 21:23 12,544 ----a-w C:\WINDOWS\system32\drivers\zwdu.sys
2008-01-18 10:49 159,744 ----a-w C:\WINDOWS\system32\ticw.exe
2007-12-25 19:00 14,079 --sh--w C:\WINDOWS\system32\gdzxi32.dll
2007-12-25 19:00 13,767 --sh--w C:\WINDOWS\system32\gdjzi32.dll
2007-12-25 19:00 13,218 --sh--w C:\WINDOWS\system32\gdfyi32.dll
2007-12-25 18:58 16,572 --sh--w C:\WINDOWS\system32\gdmsi32.dll
2005-01-03 05:27 39,424 ----a-w C:\Program Files\ver.txt
2007-12-20 23:20 13,908 --sh--w C:\WINDOWS\system32\gdgji32.dll
2007-12-14 06:42 13,454 --sh--w C:\WINDOWS\system32\gdqji32.dll
2005-12-29 22:54 249,344 --sh--w C:\WINDOWS\system32\AF388\ctfmon.exe
2005-01-04 22:03 44,032 --sh--w C:\WINDOWS\system32\AF388\svchost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00C104F7-0F5C-470C-ABCF-A5B2E70752F1}]
2007-11-13 16:03 106496 --a------ C:\WINDOWS\system32\abskey.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFB3D068-F8DA-4370-A71E-83B1C959CDD6}]
2008-03-21 13:16 53248 --------- C:\WINDOWS\system32\45f1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 16:44 831557 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-01-03 09:43 313472]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-01-09 13:40 1460560]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2005-01-09 12:25 70245]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2005-01-09 12:27 70245]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 16:44 4595712]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-07 22:42 78437]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SSLDyn"="C:\WINDOWS\SSLDyn.exE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-19 00:03 771704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 30309]
Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1995-09-27 15461]
Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1995-09-27 87141]
Microsoft Office Shortcut Bar.lnk - C:\MSOffice\Office\MSOFFICE.EXE [1995-09-27 365669]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 19:20:02 53861]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"hf31"= rundll32 "C:\WINDOWS\Downlo~1\hf31.dll",start
"dy6ggl"= rundll32 "C:\WINDOWS\Downlo~1\dy6ggl.dll",Run

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.com]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AntiArp.exe]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.com]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\usmt\\8047\\svchost.exe"=
"C:\\WINDOWS\\system32\\usmt\\0042\\svchost.exe"=

R0 pu8d;pu8;C:\WINDOWS\system32\DRIVERS\pu8d.sys [2004-08-04 00:56]
R0 zwdu;zwd;C:\WINDOWS\system32\DRIVERS\zwdu.sys [2008-01-22 14:23]
R2 4fp2zp;4fp2zp;C:\WINDOWS\system32\drivers\4fp2zp.sys [2004-08-04 00:56]
R2 ms_2fax;ms_2fax;C:\WINDOWS\system32\5f321.exe [2008-03-20 19:49]
R2 Re;Ro;C:\WINDOWS\system32\Ro.exe [2004-08-04 00:56]
R2 WinCOM;COM+ Windows System;C:\WINDOWS\system32\wincom.exe [2005-01-08 01:12]
S0 awi37pln;awi37pl;C:\WINDOWS\system32\DRIVERS\awi37pln.sys []
S0 eract;erac;C:\WINDOWS\system32\DRIVERS\eract.sys []
S2 469C0EA8;469C0EA8;C:\WINDOWS\system32\747B6464.EXE [2008-02-05 00:59]
S2 portablemsi;portablemsi;C:\WINDOWS\system32\u1206133315g.exe []
S2 txft;txft;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\osao\ycky.dll,Service -s []
S2 Windows XP SP2 Center;Windows XP SP2 Center;C:\WINDOWS\system32\Server.exe []
S3 ATI2HDDSRV;ATI2HDDSRV;C:\WINDOWS\system32\drivers\ati32srv.sys []
S3 DeepFree Update;DeepFree Update;C:\WINDOWS\system32\drivers\pcihdd2.sys []
Stop Pending3 Ndisprot;Network Monitor Protocol Driver;C:\WINDOWS\system32\DRIVERS\winsys.sys [2005-01-02 22:29]

*Newly Created Service* - MS_2FAX
.
Contents of the 'Scheduled Tasks' folder
"2007-01-30 05:55:44 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 19:15:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [2212]

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\5f321.exe 122880 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\27AB6384.DLL

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\27AB6384.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\ticw.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
c:\win.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-03-21 19:36:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-22 02:35:54
ComboFix2.txt 2008-03-21 23:41:02
ComboFix3.txt 2008-03-21 21:01:49
ComboFix4.txt 2008-02-05 08:34:37
ComboFix5.txt 2008-02-05 06:45:30
.
2008-03-21 22:55:22 --- E O F ---
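The "Reg Loading Points" section of this log shows three defence-evasion and persistence patterns worth recognising on sight: Image File Execution Options "Debugger" values that silently redirect security tools (360Safe.com, AntiArp.exe, IceSword.com, rfwProxy.exe, zxsweep.exe) to a look-alike SVCH0ST.exe, Security Center "DisableMonitoring" flags that suppress the antivirus/firewall-off warning, and firewall exceptions for a svchost.exe copied into a non-system32 directory. The script below is an added example (an editor's addition, not part of the original post and not ComboFix's own code) that parses REGEDIT4-style text and flags those patterns. SAMPLE_LOG is an excerpt of the registry section posted above; the SYSTEM_BINARIES list, the finding categories and the 0-for-o look-alike rule are this example's own assumptions.

```python
"""Flag IFEO hijacks, Security Center tampering, firewall-exception masquerading
and policies\\explorer\\run autostarts in a ComboFix-style "Reg Loading Points"
section.  Added example, not ComboFix's code; SAMPLE_LOG is an excerpt of the
log posted in this thread, embedded so the script runs offline."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Excerpt of the posted "Reg Loading Points" section (REGEDIT4 format).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"hf31"= rundll32 "C:\WINDOWS\Downlo~1\hf31.dll",start

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.com]
debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=C:\WINDOWS\system32\SVCH0ST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\usmt\\8047\\svchost.exe"=
"""

# Assumption for this example: names malware borrows.  A copy outside
# %SystemRoot%\system32, or a look-alike spelling such as SVCH0ST, is suspect.
SYSTEM_BINARIES = {"svchost.exe", "ctfmon.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Finding:
    category: str
    key: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


def lookalike_of_system_binary(path: str) -> bool:
    """SVCH0ST.exe-style spoof: not a real system name, but becomes one once
    digit/letter look-alikes (0 -> o, 1 -> l) are substituted."""
    name = _basename(path)
    if name in SYSTEM_BINARIES:
        return False
    return name.replace("0", "o").replace("1", "l") in SYSTEM_BINARIES


def masquerading_system_binary(path: str) -> bool:
    """A genuine system-binary name launched from outside system32."""
    return _basename(path) in SYSTEM_BINARIES and _dirname(path) != SYSTEM32


def parse_reg_section(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (key, value_line) pairs; a [key] line opens a new block."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            yield key, line


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, line in parse_reg_section(text):
        lk = key.lower()
        # 1. IFEO Debugger: launching the named program runs the debugger path
        #    instead, so each listed security tool is replaced by SVCH0ST.exe.
        m = re.match(r'^"?debugger"?\s*=\s*"?(.+?)"?$', line, re.IGNORECASE)
        if m and "image file execution options" in lk:
            target, dbg = key.rsplit("\\", 1)[-1], m.group(1)
            note = " (look-alike of a system binary)" if lookalike_of_system_binary(dbg) else ""
            findings.append(Finding("ifeo_debugger", key, f"{target} -> {dbg}{note}"))
            continue
        # 2. Security Center monitoring switched off: no "AV/firewall disabled" alert.
        if "security center" in lk and re.search(r'"disablemonitoring"\s*=\s*dword:0*1$', line, re.IGNORECASE):
            findings.append(Finding("security_center_disabled", key, line))
            continue
        # 3. Firewall exceptions: the value name is a backslash-escaped path.
        if "authorizedapplications" in lk:
            path = line.split("=", 1)[0].strip('"').replace("\\\\", "\\")
            if masquerading_system_binary(path) or lookalike_of_system_binary(path):
                findings.append(Finding("firewall_exception_masquerade", key, path))
            continue
        # 4. policies\explorer\run is a seldom-used autostart key; anything here is worth a look.
        if lk.endswith(r"policies\explorer\run"):
            findings.append(Finding("policy_run_autostart", key, line))
            continue
        # 5. Any other loading point referencing a spoofed or misplaced system binary.
        for path in re.findall(r'[A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|cpl)', line, re.IGNORECASE):
            if masquerading_system_binary(path) or lookalike_of_system_binary(path):
                findings.append(Finding("masquerading_binary", key, path))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.category:32} {f.detail}")
```

Against the excerpt the scanner reports the policies\explorer\run entry, both IFEO redirections, the Security Center flag and the usmt\8047\svchost.exe firewall exception, and stays quiet on the legitimate ctfmon.exe Run value because it lives in system32 under its real name. On a live host the same IFEO check is one command: `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`, and any Debugger value that points somewhere other than a debugger you installed yourself deserves the same suspicion as the entries in this log.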



