Janpuhito Hijack Log


This topic is locked.
11 replies to this topic

#1 janpuhito

Posted 11 February 2008 - 03:44 AM

Hi. The symptoms of my computer running Windows XP SP2 are as follows: initially, as I was browsing a bittorrent site (I think it was bushtorrent.com), two cmd prompts popped up. At first, I thought they were one of those pop-up ads that tries to mimic the blue screen of death in order to scare you into buying their product, but when I closed it I soon realized they were actual cmd prompt windows. An "anti-virus" downloader window soon popped up on my screen as well as in my system tray. I panicked and tried shutting down unfamiliar exes that were running in the Task Manager, but when the computer started freezing up some more, I manually unplugged the Ethernet cord and turned off the computer.

Looking back, I'm not sure if those were the right things to do, or whether I should have done them even earlier. I ran Windows in Safe Mode trying to find a system restore point to restore my computer to, only to find that the only available restore points were from today, after this incident happened. (The Dell rep said that a virus can wipe out previous restore points.) I began to worry as I don't know what else to do. That was when I called Dell. They pointed me to ComboFix and told me to take care of my own problem because my warranty expired.

At some point, my 2002 Norton Anti-Virus popped a window open saying I have a virus in iifcded.dll. I think it was this file that led the Dell rep to point me to ComboFix. I've run every scan listed in the instructions from the HijackThis thread (including Spybot, stng380 and Ad-Aware) as well as Windows Defender, Norton, and Symantec (I think they are the same, but I have two programs because the 2002 Norton expired and my school offers the Symantec stripped-down version for free). I cleaned everything found by these scans, but Windows still lags tremendously when not in Safe Mode. Basically, at and after the startup of Windows, the hard drive sounds very busy (like during a scan) and everything lags (which did not happen before this incident), and after about 4-5 minutes of the hard drive noise, the computer resets itself. This has happened a few times, and when I scan the computer again in Safe Mode after an unsuccessful load into normal Windows, new infections were sometimes found by the same scans that had just gotten rid of them. Two names I remember from the scans: initially, a "webBuying" agent kept popping up, and an infected "iifcded.dll" file also shows up. The following is my HijackThis log; your expert opinion is greatly appreciated.

-------------------------------log---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:08 AM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [wrna3ls] C:\program files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{5CC8E4D9-873D-4BFE-9548-4C6126DE9096}
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ImageMixer HDD Camera Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1202680907687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202681031671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes...uditControl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9532 bytes


#2 janpuhito (Topic Starter)

Posted 11 February 2008 - 04:26 AM

I'm sorry, but I don't know where else to post the ComboFix log.

A couple more points about my problem: I tried updating Windows but kept getting an error from the Microsoft Update site, so I installed IE 7 and now IE won't even start.

Another odd thing is that I also get an error when I try to update the definitions for Windows Defender.

Hope this ComboFix log can tell some story for you guys who are computer literate.

Thx.

--------------------ComboFix log-------------------------
ComboFix 08-02.05.3 - Administrator 2008-02-11 0:45:21.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.227 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-11 00:08 . 2008-02-11 00:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 23:22 . 2008-02-10 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-10 23:16 . 2008-02-10 23:16 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-02-10 23:16 . 2008-02-10 23:16 759 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-02-10 23:13 . 2008-02-10 23:13 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-10 19:17 . 2008-02-10 20:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-10 17:44 . 2008-02-10 18:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 17:44 . 2008-02-10 17:44 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 17:44 . 2008-02-10 17:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 17:44 . 2008-02-10 17:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-10 15:52 . 2008-02-10 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-10 15:17 . 2008-02-10 18:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 15:17 . 2008-02-10 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 14:21 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-10 14:02 . 2008-02-10 17:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-10 14:02 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-10 14:02 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-10 14:02 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-10 14:01 . 2008-02-10 14:01 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-02-09 20:39 . 2008-02-09 20:39 0 --a------ C:\WINDOWS\VPC32.INI
2008-02-09 17:31 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-09 12:08 . 2008-02-09 12:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-02-08 16:17 . 2008-02-08 16:19 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-08 16:17 . 2008-02-08 16:19 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-08 16:15 . 2008-02-08 16:24 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-02-08 16:14 . 2008-02-08 16:14 <DIR> d-------- C:\cab
2008-02-08 14:39 . 2008-02-08 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 14:38 . 2008-02-08 14:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 14:18 . 2008-02-10 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-08 14:16 . 2008-02-08 21:24 <DIR> d--hs---- C:\WINDOWS\Y2hyaXN0b3BoZXIgaHVuZw
2008-02-08 14:16 . 2008-02-08 14:17 <DIR> d-------- C:\Program Files\RABCO
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\za7
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-08 14:15 . 2008-02-08 23:15 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-08 14:15 . 2008-02-08 16:27 <DIR> d-------- C:\WINDOWS\system32\mv3
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-02-08 14:15 . 2008-02-08 14:16 <DIR> d-------- C:\Temp\isgTi19
2008-01-18 16:01 . 2008-02-10 13:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 16:01 . 2008-01-18 16:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 16:00 . 2008-01-18 16:00 <DIR> d-------- C:\Program Files\iPod
2008-01-18 15:59 . 2008-01-18 16:00 <DIR> d-------- C:\Program Files\iTunes
2008-01-18 15:59 . 2008-02-10 18:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-18 15:57 . 2008-01-18 15:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-18 15:55 . 2008-01-18 15:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-18 15:54 . 2008-01-15 02:39 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 02:54 --------- d-----w C:\Program Files\Windows Defender
2008-02-09 00:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 00:19 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-09 00:19 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-09 00:19 --------- d-----w C:\Program Files\Symantec
2008-02-09 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-08 22:40 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 22:40 --------- d-----w C:\Documents and Settings\christopher\Application Data\Lavasoft
2008-02-08 07:48 --------- d--h--r C:\Program Files\rnamfler
2008-01-18 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-09 23:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-03-16 21:06 13,560 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-04-01 15:16 5562368]
"NAV Agent"="C:\PROGRA~1\NORTON~1\Navapw32.exe" [2002-02-27 11:27 75384]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-08 16:20 103816]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-04-01 15:16 86016]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"wrna3ls"="C:\program files\rnamfler\naomf.exe" [2006-04-01 09:45 1253448]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 16:33 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 20:48 125368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"BrandClearStubs"="IEDKCS32.DLL" [2006-11-07 03:27 382976 C:\WINDOWS\system32\iedkcs32.dll]
"NoIE4StubProcessing"="C:\WINDOWS\system32\reg.exe" [2004-08-03 23:56 50176]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 05:53 34880]

C:\Documents and Settings\christopher\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-08 14:16:04 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-08 18:10:40 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
ImageMixer HDD Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2007-07-14 13:13:24 2117632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]
MiniEYE-MiniREAD Launch.lnk - C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe [2006-04-30 18:03:14 323584]


*Newly Created Service* - MSISERVER
*Newly Created Service* - SPUPDSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 20:49:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-11 07:39:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-26 04:00:15 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-10 21:38:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 00:48:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 0:49:32
ComboFix-quarantined-files.txt 2008-02-11 08:49:05
ComboFix2.txt 2008-02-10 22:24:03
ComboFix3.txt 2008-02-10 21:50:57
ComboFix4.txt 2008-02-10 21:33:56

#3 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 12 February 2008 - 07:44 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.
I apologize for the delay getting to your log; the helpers here are very busy.

If you still need help, please post a fresh HijackThis log in this thread so I can help you with your malware problems.
Give me an update on your most pressing issues at this time.

#4 janpuhito (Topic Starter)

Posted 17 February 2008 - 05:17 AM

Hi Buckeye,

The computer is still crazy. The current symptom is that Windows resets itself about 2 minutes after startup, with the hard drive constantly sounding busy. I can't even keep my desktop long enough to get a HijackThis log in normal mode. I'm posting the HijackThis log I ran tonight in Safe Mode. I have scanned the hard drive again with Windows Defender, Symantec AntiVirus, and Ad-Aware, and the scans come up clean on all three. Please let me know if you want a fresh ComboFix log also. Hope you can help. Thanks.

-Janpuhito

----------------------hijack log-----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:59 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [wrna3ls] C:\program files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ImageMixer HDD Camera Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1202680907687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202681031671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes...uditControl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9323 bytes

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 17 February 2008 - 07:32 AM

Yes, I would like to see a new combofix log. But delete the version that you have now and download the current version from here.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 janpuhito

janpuhito
  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:41 AM

Posted 17 February 2008 - 03:28 PM

Hi Buckeye,
Here is the ComboFix log with the updated ComboFix you gave me. The computer still resets 1 minute after Windows starts up. When I ran ComboFix (in safe mode), Spybot popped up and warned me about two registry address changes (system32\reg.exe delete...). I assume it was ComboFix trying to fix something, so I allowed the change. The other weird thing is that I cannot get the updates for Windows Defender and Windows XP itself; in both cases I get the error 0X8007043C, for which I couldn't find a corresponding help article on their website. Here's the log, thanks again.

---------------combofix log------------------
ComboFix 08-02-17.2 - Administrator 2008-02-17 11:33:33.6 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.136 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\system32\nGpxx01

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-11 00:08 . 2008-02-11 00:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 23:22 . 2008-02-10 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-10 23:16 . 2008-02-10 23:16 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-02-10 23:13 . 2008-02-10 23:13 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-10 19:17 . 2008-02-10 20:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-10 17:44 . 2008-02-10 18:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 17:44 . 2008-02-10 17:44 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 17:44 . 2008-02-10 17:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 17:44 . 2008-02-10 17:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-10 15:52 . 2008-02-10 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-10 15:17 . 2008-02-10 18:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 15:17 . 2008-02-10 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 14:02 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-10 14:02 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-10 14:02 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-10 14:01 . 2008-02-10 14:01 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-02-09 20:39 . 2008-02-09 20:39 0 --a------ C:\WINDOWS\VPC32.INI
2008-02-09 12:08 . 2008-02-09 12:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-02-08 16:17 . 2008-02-08 16:19 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-08 16:17 . 2008-02-08 16:19 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-08 16:15 . 2008-02-08 16:24 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-02-08 16:14 . 2008-02-08 16:14 <DIR> d-------- C:\cab
2008-02-08 14:39 . 2008-02-08 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 14:38 . 2008-02-08 14:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 14:18 . 2008-02-10 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-08 14:16 . 2008-02-08 21:24 <DIR> d--hs---- C:\WINDOWS\Y2hyaXN0b3BoZXIgaHVuZw
2008-02-08 14:16 . 2008-02-08 14:17 <DIR> d-------- C:\Program Files\RABCO
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\za7
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-08 14:15 . 2008-02-08 16:27 <DIR> d-------- C:\WINDOWS\system32\mv3
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-01-18 16:01 . 2008-02-10 13:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 16:01 . 2008-01-18 16:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 16:00 . 2008-01-18 16:00 <DIR> d-------- C:\Program Files\iPod
2008-01-18 15:59 . 2008-01-18 16:00 <DIR> d-------- C:\Program Files\iTunes
2008-01-18 15:59 . 2008-02-10 18:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-18 15:57 . 2008-01-18 15:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-18 15:55 . 2008-01-18 15:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-18 15:54 . 2008-01-15 02:39 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 02:54 --------- d-----w C:\Program Files\Windows Defender
2008-02-09 00:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 00:19 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-09 00:19 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-09 00:19 --------- d-----w C:\Program Files\Symantec
2008-02-09 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-08 22:40 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 22:40 --------- d-----w C:\Documents and Settings\christopher\Application Data\Lavasoft
2008-02-08 07:48 --------- d--h--r C:\Program Files\rnamfler
2008-01-18 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-09 23:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-03-16 21:06 13,560 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-04-01 15:16 5562368]
"NAV Agent"="C:\PROGRA~1\NORTON~1\Navapw32.exe" [2002-02-27 11:27 75384]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-08 16:20 103816]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-04-01 15:16 86016]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"wrna3ls"="C:\program files\rnamfler\naomf.exe" [2006-04-01 09:45 1253448]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 16:33 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 20:48 125368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 05:53 34880]

C:\Documents and Settings\christopher\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-08 14:16:04 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-08 18:10:40 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
ImageMixer HDD Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2007-07-14 13:13:24 2117632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]
MiniEYE-MiniREAD Launch.lnk - C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe [2006-04-30 18:03:14 323584]


.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 20:49:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-16 21:03:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-26 04:00:15 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-10 21:38:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 11:36:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 11:37:10
ComboFix-quarantined-files.txt 2008-02-17 19:36:44
ComboFix2.txt 2008-02-11 08:49:33
ComboFix3.txt 2008-02-10 22:24:03
ComboFix4.txt 2008-02-10 21:50:57
ComboFix5.txt 2008-02-10 21:33:56

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 17 February 2008 - 07:14 PM

Copy and paste ALL of the following text into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\WINDOWS\system32\za7
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\mv3
C:\WINDOWS\system32\kp9

Dirlook::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\Y2hyaXN0b3BoZXIgaHVuZw
C:\Program Files\RABCO

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


========================================================
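A defender-side parser for the ComboFix "Files Created" section, which is where the Folder:: and Dirlook:: targets in the CFScript above were picked from. This is an added example, not part of the thread or of ComboFix itself; the sample lines are copied from the logs posted above, and the 5-minute burst window, the short-name pattern and the base64 check are assumed triage heuristics, not ComboFix's own logic.

```python
import base64
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: lines copied from the "Files Created" section of the ComboFix
# logs in this thread, plus two benign entries (Spybot, QTFont.qfn) for contrast.
SAMPLE_LOG = r"""
2008-02-10 15:17 . 2008-02-10 18:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-08 14:18 . 2008-02-10 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-08 14:16 . 2008-02-08 21:24 <DIR> d--hs---- C:\WINDOWS\Y2hyaXN0b3BoZXIgaHVuZw
2008-02-08 14:16 . 2008-02-08 14:17 <DIR> d-------- C:\Program Files\RABCO
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\za7
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-08 14:15 . 2008-02-08 16:27 <DIR> d-------- C:\WINDOWS\system32\mv3
2008-02-08 14:15 . 2008-02-08 14:15 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-01-18 16:01 . 2008-02-10 13:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
"""

STAMP = "%Y-%m-%d %H:%M"
# One entry line: "<created> . <modified> <size or <DIR>> <attrs> <path>"
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                      r"(<DIR>|[\d,]+) ([a-z-]{9}) (.+)$")

@dataclass
class Entry:
    created: datetime
    is_dir: bool
    size: int
    attrs: str  # ComboFix attribute string, e.g. d--hs---- (h = hidden, s = system)
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def parse_files_created(text: str) -> List[Entry]:
    """Parse entry lines; section headers, blanks and '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            created, _modified, size, attrs, path = m.groups()
            entries.append(Entry(datetime.strptime(created, STAMP), size == "<DIR>",
                                 0 if size == "<DIR>" else int(size.replace(",", "")),
                                 attrs, path))
    return entries

def creation_bursts(entries: List[Entry], window: timedelta = timedelta(minutes=5),
                    min_size: int = 3) -> List[List[Entry]]:
    """Chain entries created within `window` of the previous one; a dropper writes its
    payload folders within minutes (14:15 to 14:18 here). Window and min_size are assumed."""
    bursts: List[List[Entry]] = []
    current: List[Entry] = []
    for e in sorted(entries, key=lambda e: e.created):
        if current and e.created - current[-1].created > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts

def decodes_as_base64(name: str) -> Optional[str]:
    """Return the plaintext if `name` is unpadded base64 of printable ASCII, else None
    (the hidden+system folder Y2hyaXN0b3BoZXIgaHVuZw in the log is one such name)."""
    if len(name) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+", name):
        return None
    try:
        text = base64.b64decode(name + "=" * (-len(name) % 4), validate=True).decode("ascii")
    except ValueError:  # impossible padding length, or decoded bytes that are not ASCII
        return None
    return text if text.isprintable() else None

def triage(entries: List[Entry]) -> List[str]:
    """Defender-side findings; the heuristics are this example's own, not ComboFix's."""
    findings = []
    for burst in creation_bursts(entries):
        findings.append(f"burst: {len(burst)} items created "
                        f"{burst[0].created:{STAMP}}..{burst[-1].created:%H:%M}")
    for e in entries:
        if "h" in e.attrs and "s" in e.attrs:
            findings.append(f"hidden+system: {e.path}")
        decoded = decodes_as_base64(e.name)
        if decoded:
            findings.append(f"base64 name {e.name!r} -> {decoded!r}: {e.path}")
        # short letters+digits folder names under system32 (za7, wd11, mv3, kp9)
        if e.is_dir and "system32" in e.path.lower() and re.fullmatch(r"[a-z]{2,3}\d{1,2}", e.name):
            findings.append(f"random-looking system32 dir: {e.path}")
    return findings
```

Running `triage(parse_files_created(SAMPLE_LOG))` surfaces the same seven folders the helper targeted, grouped by the 14:15 to 14:18 creation burst, with the base64 folder name decoded to the machine's user name.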

#8 janpuhito

janpuhito
  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:41 AM

Posted 18 February 2008 - 03:05 AM

Hey Buckeye,
Here's the new ComboFix log. Any idea on the Windows Update error?
Thx.

-----------log-------------

ComboFix 08-02-17.2 - Administrator 2008-02-17 23:53:13.7 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kp9
C:\WINDOWS\system32\kp9\liopud89104.exe
C:\WINDOWS\system32\mv3
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\wd11\hiba3133.exe
C:\WINDOWS\system32\za7
C:\WINDOWS\system32\za7\vltcin2.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-11 00:08 . 2008-02-11 00:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 23:22 . 2008-02-10 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-10 23:16 . 2008-02-10 23:16 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-02-10 23:13 . 2008-02-10 23:13 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-10 19:17 . 2008-02-10 20:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-10 17:44 . 2008-02-10 18:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 17:44 . 2008-02-10 17:44 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 17:44 . 2008-02-10 17:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-10 17:44 . 2008-02-10 17:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-10 15:52 . 2008-02-10 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-10 15:17 . 2008-02-10 18:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 15:17 . 2008-02-10 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 14:02 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-10 14:02 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-10 14:02 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-10 14:02 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-10 14:01 . 2008-02-10 14:01 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-02-09 20:39 . 2008-02-09 20:39 0 --a------ C:\WINDOWS\VPC32.INI
2008-02-09 12:08 . 2008-02-09 12:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-02-08 16:17 . 2008-02-08 16:19 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-08 16:17 . 2008-02-08 16:19 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-08 16:15 . 2008-02-08 16:24 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-02-08 16:14 . 2008-02-08 16:14 <DIR> d-------- C:\cab
2008-02-08 14:39 . 2008-02-08 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 14:38 . 2008-02-08 14:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 14:18 . 2008-02-10 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-08 14:16 . 2008-02-08 21:24 <DIR> d--hs---- C:\WINDOWS\Y2hyaXN0b3BoZXIgaHVuZw
2008-02-08 14:16 . 2008-02-08 14:17 <DIR> d-------- C:\Program Files\RABCO
2008-01-18 16:01 . 2008-02-10 13:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 16:01 . 2008-01-18 16:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 16:00 . 2008-01-18 16:00 <DIR> d-------- C:\Program Files\iPod
2008-01-18 15:59 . 2008-01-18 16:00 <DIR> d-------- C:\Program Files\iTunes
2008-01-18 15:59 . 2008-02-10 18:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-18 15:57 . 2008-01-18 15:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-18 15:55 . 2008-01-18 15:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-18 15:54 . 2008-01-18 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-18 15:54 . 2008-01-15 02:39 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 02:54 --------- d-----w C:\Program Files\Windows Defender
2008-02-09 00:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 00:19 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-09 00:19 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-09 00:19 --------- d-----w C:\Program Files\Symantec
2008-02-09 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-08 22:40 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 22:40 --------- d-----w C:\Documents and Settings\christopher\Application Data\Lavasoft
2008-02-08 07:48 --------- d--h--r C:\Program Files\rnamfler
2008-01-18 23:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-09 23:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-03-16 21:06 13,560 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\Rabio ----


---- Directory of C:\Program Files\RABCO ----

2008-02-10 13:37 11158 --a------ C:\Program Files\RABCO\X_RABCOse.log
2008-02-09 17:49 2150 --a------ C:\Program Files\RABCO\RABCOse.original
2008-02-08 14:17 5608 --a------ C:\Program Files\RABCO\un_RABCOSetup_16230.txt
2008-02-08 14:17 2063 --a------ C:\Program Files\RABCO\Setup.log
2008-01-30 14:08 319488 --a------ C:\Program Files\RABCO\ExecutionDll.dll
2008-01-30 14:02 414992 --a------ C:\Program Files\RABCO\RABCO.dll
2008-01-30 14:02 145 --a------ C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
2008-01-30 13:19 183216 --a------ C:\Program Files\RABCO\X_RABCOse.exe
2008-01-30 13:19 183216 --a------ C:\Program Files\RABCO\RABCOse.exe
2007-10-07 07:58 404624 --a------ C:\Program Files\RABCO\un_RABCOSetup_16230.exe

---- Directory of C:\WINDOWS\Y2hyaXN0b3BoZXIgaHVuZw ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 21:32 455168]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-04-01 15:16 5562368]
"NAV Agent"="C:\PROGRA~1\NORTON~1\Navapw32.exe" [2002-02-27 11:27 75384]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-08 16:20 103816]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-04-01 15:16 86016]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"wrna3ls"="C:\program files\rnamfler\naomf.exe" [2006-04-01 09:45 1253448]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 16:33 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 20:48 125368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 05:53 34880]

C:\Documents and Settings\christopher\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-08 14:16:04 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-08 18:10:40 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
ImageMixer HDD Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2007-07-14 13:13:24 2117632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]
MiniEYE-MiniREAD Launch.lnk - C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe [2006-04-30 18:03:14 323584]


.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 20:49:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 20:39:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-26 04:00:15 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-17 20:18:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 23:56:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 23:57:18
ComboFix-quarantined-files.txt 2008-02-18 07:56:51
ComboFix2.txt 2008-02-17 19:37:11
ComboFix3.txt 2008-02-11 08:49:33
ComboFix4.txt 2008-02-10 22:24:03
ComboFix5.txt 2008-02-10 21:50:57

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 19 February 2008 - 07:48 AM

Ok, here's the good news. Your log appears to be clean. I don't find any signs of an active malware infection in your log.
The bad news is that your issues are being caused by another problem, possibly hardware related. The Windows Update error refers to a service that needs to run but is not available in safe mode, so to get your updates you will need to be in normal mode.

When you boot up your computer you should hear one or more beeps. These are called beep codes and can help troubleshoot hardware issues. Listen for the beeps when you first boot up and let me know what you hear.


========================================================

#10 janpuhito

janpuhito
  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:41 AM

Posted 23 February 2008 - 06:36 PM

Hey Buckeye,

Thanks for the good news. I am away at school right now and won't be home to the "problem" computer until next weekend. I will let you know about the beeps then. Thank you.

-janpuhito

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 24 February 2008 - 06:49 AM

Ok, no problem. Just post when you can. :thumbsup:


========================================================

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:41 PM

Posted 12 March 2008 - 06:59 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================
