
Virtumonde > Pesky Holdovers...


This topic is locked
12 replies to this topic

#1 rdenman (Members, 6 posts)

Posted 02 March 2008 - 03:55 PM

Hello.

I was infected with Virtumonde; my NOD32 found the infection and did what it could to fix it. However, I am left with 3 problems:
1. file c:\windows\system32\pmkjg.exe cannot be found at startup
2. file c:\windows\system32\ujkxxefb.dll cannot be found at startup
3. nasty adware still generates additional unwanted IE windows with unwanted sites.

Everything else seems OK.

I have read many posts on many forums, including many posts from this forum, and I have run the following on my computer:

NOD32 - found virus and did what it could
Spybot S&D - removed all adware
RegCleaner 3.0 - removed and cleaned up Registry
Vundofix - didn't find a problem
virtumondebegone.exe - didn't find a problem
ComboFix - log file attached
HijackThis - log file attached

Thanks for your help.

ComboFix log

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:43 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjg.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {fa5feba0-8dc5-c9c8-b624-515cc4f97290} - {09279f4c-c515-426b-8c9c-5cd80abef5af} - (no file)
O2 - BHO: (no name) - {2F54E98B-EFA5-4EC2-9117-F8A2280F8A03} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B0DB8C42-10DD-7F0D-D85F-30E603F50A91} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [08ff8e63] rundll32.exe "C:\WINDOWS\system32\ujkxxefb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Snte] "C:\PROGRA~1\COMMON~1\FNTS~1\logonui.exe" -vt ndrv
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: urqppnm - urqppnm.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5769 bytes


#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 02 March 2008 - 04:14 PM

Hello rdenman,

Welcome to Bleeping Computer :thumbsup:

That was not the right ComboFix report. :blink: You really should not have run it unless asked to do so. This is a very powerful tool, and used wrong it could render your computer unbootable!

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjg.exe
O2 - BHO: {fa5feba0-8dc5-c9c8-b624-515cc4f97290} - {09279f4c-c515-426b-8c9c-5cd80abef5af} - (no file)
O2 - BHO: (no name) - {2F54E98B-EFA5-4EC2-9117-F8A2280F8A03} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B0DB8C42-10DD-7F0D-D85F-30E603F50A91} - (no file)
O4 - HKLM\..\Run: [08ff8e63] rundll32.exe "C:\WINDOWS\system32\ujkxxefb.dll",b
O4 - HKCU\..\Run: [Snte] "C:\PROGRA~1\COMMON~1\FNTS~1\logonui.exe" -vt ndrv
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: urqppnm - urqppnm.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\pmkjg.exe
C:\WINDOWS\system32\ujkxxefb.dll

Folder::
C:\PROGRA~1\COMMON~1\FNTS~1


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
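The entries picked out in the reply above share a few patterns that can be checked mechanically: a registered component whose file is gone ("(no file)", "(file missing)"), the legacy win.ini load= autostart, IE policy restrictions on a home machine, a Run value with a random-looking name that uses rundll32.exe to load a random-looking DLL from system32, and a binary carrying a Windows system file name (logonui.exe) launched from outside the Windows directory. The script below is an added example, not code from the thread, from HijackThis or from BleepingComputer: it applies those checks to HijackThis log lines. The sample lines are copied from the first log posted above; the rules, the reason strings and the list of system binary names are my own heuristics, and a flagged line still needs a person to decide whether it is malware or a harmless leftover (orphaned entries are cleaned up because they are dead weight, not because the missing file is necessarily malicious).

```python
"""Flag HijackThis log lines that match the patterns picked out in the reply above.

Added example: not code from the thread, from HijackThis or from
BleepingComputer. The scoring rules are my own heuristics; a flagged line
still needs a person to decide whether it is malware or a harmless leftover.
"""
import re

# Constructed sample: a subset of the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjg.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F54E98B-EFA5-4EC2-9117-F8A2280F8A03} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [08ff8e63] rundll32.exe "C:\WINDOWS\system32\ujkxxefb.dll",b
O4 - HKCU\..\Run: [Snte] "C:\PROGRA~1\COMMON~1\FNTS~1\logonui.exe" -vt ndrv
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: urqppnm - urqppnm.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# My own short list of Windows binaries that only belong under the Windows directory.
SYSTEM_BINARIES = {"logonui.exe", "winlogon.exe", "svchost.exe", "ctfmon.exe", "lsass.exe"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\", "%windir%", "%systemroot%")
RUN_ENTRY = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)")


def _image_path(cmd):
    """First token of a Run command line, honouring a double-quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Reasons this line deserves a look; an empty list means nothing matched."""
    reasons = []
    if line.endswith(ORPHAN_MARKERS):
        reasons.append("orphaned entry: registered component whose file is gone")
    if line.startswith("F3 - REG:win.ini: load="):
        reasons.append("win.ini load= is a legacy autostart that nothing current should use")
    if line.startswith("O6 - ") and line.endswith(" present"):
        reasons.append("IE policy restrictions present (suspicious unless set by domain policy)")
    m = RUN_ENTRY.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        image = _image_path(cmd)
        base = _basename(image)
        if base == "rundll32.exe":
            # rundll32 itself is legitimate; look at what it is asked to load.
            dll = re.search(r'"([^"]+\.dll)"', cmd, re.IGNORECASE)
            dll_base = _basename(dll.group(1)) if dll else ""
            if re.fullmatch(r"[0-9a-f]{8}", name) or re.fullmatch(r"[a-z]{8}\.dll", dll_base):
                reasons.append("rundll32 loading a DLL under a random-looking name")
        elif base in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIR_PREFIXES):
            reasons.append("Windows system binary name running from outside the Windows directory")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons; unflagged lines are left out."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if reasons := triage_line(line):
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run as a script it prints the seven flagged sample lines with their reasons; the clean entries (the Adobe BHO, the NOD32 Run value and service, and ctfmon.exe started from system32) produce no output.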

#3 rdenman (Topic Starter, Members, 6 posts)

Posted 02 March 2008 - 08:21 PM

First, I want to say thanks for your help.

HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:51 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4866 bytes

ComboFix log


ComboFix 08-03-03.4 - Bob Denman 2008-03-02 20:00:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.253 [GMT -5:00]
Running from: C:\Documents and Settings\Bob Denman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bob Denman\Desktop\cfscript.txt

FILE ::
C:\WINDOWS\system32\pmkjg.exe
C:\WINDOWS\system32\ujkxxefb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Bob Denman\Start Menu\Programs\Internet Speed Monitor
C:\PROGRA~1\COMMON~1\FNTS~1\F?nts\
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\ISM
C:\Program Files\kernel
C:\Program Files\QdrDrive
C:\Program Files\QdrModule
C:\WINDOWS\racle~1
C:\WINDOWS\system32\bfexxkju.ini
C:\WINDOWS\system32\bob.exe
C:\WINDOWS\system32\girpvgom.ini
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gjkmp.ini2
C:\WINDOWS\system32\juweullh.ini
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\oxdmvfek.ini
C:\WINDOWS\system32\RCX31.tmp
C:\WINDOWS\system32\RCX32.tmp
C:\WINDOWS\system32\RCX33.tmp
C:\WINDOWS\system32\RCX34.tmp
C:\WINDOWS\system32\tercuaoh.ini
C:\WINDOWS\system32\wnsintcc32.exe
C:\WINDOWS\system32\wscyucgy.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 13:12 . 2008-03-02 13:12 <DIR> d-------- C:\VundoFix Backups
2008-03-01 21:34 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-01 21:34 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-01 21:34 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-01 21:34 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-01 21:34 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 21:34 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-01 21:34 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-01 21:34 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-01 21:34 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-01 21:18 . 2008-03-01 21:18 <DIR> d-------- C:\Program Files\MSBuild
2008-03-01 21:12 . 2008-03-01 21:12 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-01 21:11 . 2008-03-01 21:11 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-01 21:08 . 2008-03-01 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-01 21:08 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-29 23:39 . 2008-02-29 23:46 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-29 23:39 . 2008-02-29 23:46 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-29 23:39 . 2008-02-29 23:46 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-29 22:06 . 2008-02-29 22:06 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-28 23:04 . 2008-03-01 02:29 <DIR> d-------- C:\Program Files\ESET
2008-02-28 22:53 . 2008-02-28 22:53 23 --a------ C:\WINDOWS\kodakpcd.Bob Denman.ini
2008-02-28 22:14 . 2008-02-28 22:14 99,060 --a------ C:\WINDOWS\BM0bccbdff.xml
2008-02-28 22:13 . 2008-02-28 22:13 22 --a------ C:\WINDOWS\pskt.ini
2008-02-08 22:19 . 2008-02-28 22:06 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-02-07 21:59 . 2008-02-07 21:59 294 --ahs---- C:\WINDOWS\system32\gsdytlsf.ini
2008-02-06 12:16 . 2008-02-29 15:47 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-02-03 19:13 . 2008-02-28 23:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-03 19:13 . 2008-02-28 23:17 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 20:32 --------- d-----w C:\Program Files\Trend Micro
2008-03-01 15:42 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-01 15:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 19:25 --------- d-----w C:\Program Files\Apoint2K
2008-02-29 14:01 --------- d-----w C:\Program Files\QuickTime
2008-02-29 04:03 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2008-02-29 03:58 --------- d-----w C:\Program Files\Kodak
2008-02-29 03:48 --------- d-----w C:\Program Files\HPQ
2008-02-29 03:47 --------- d-----w C:\Program Files\Google
2008-02-29 03:46 --------- d-----w C:\Program Files\Citrix
2008-02-29 03:45 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-29 03:39 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-06 02:20 --------- d-----w C:\Program Files\Viewpoint
2008-02-05 17:58 --------- d--h--w C:\Documents and Settings\Vickie Denman\Application Data\GTek
2008-02-05 17:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 17:55 --------- d-----w C:\Documents and Settings\Bob Denman\Application Data\Viewpoint
2008-02-05 17:55 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-02-05 17:50 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-07 18:32 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2008-01-06 21:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-06 17:59 --------- d-----w C:\Program Files\SearchAssistant3
2008-01-06 17:49 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2008-01-06 17:37 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SITEguard
2008-01-06 17:35 --------- d-----w C:\Program Files\Common Files\iS3
2008-01-06 15:50 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2008-01-06 03:01 --------- d-----w C:\Program Files\Registry Defender
2007-07-27 02:21 55,120 ----a-w C:\Documents and Settings\Bob Denman\Application Data\GDIPFONTCACHEV1.DAT
2006-04-22 02:23 55,120 ----a-w C:\Documents and Settings\Vickie Denman\Application Data\GDIPFONTCACHEV1.DAT
2005-07-24 20:38 458 ----a-w C:\Documents and Settings\Vickie Denman\Application Data\wklnhst.dat
.
<pre>
----a-w			57,344 2008-02-29 03:50:29  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w			39,792 2008-02-29 04:21:44  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   159,744 2008-02-29 05:43:34  C:\Program Files\Apoint2K\Apoint .exe
----a-w		   180,269 2008-02-29 05:43:45  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   949,376 2008-02-29 05:38:00  C:\Program Files\ESET\nod32kui .exe
----a-w			68,856 2008-02-29 03:27:58  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			49,152 2008-02-29 03:27:25  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   241,664 2008-02-29 05:43:51  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   200,766 2008-02-29 05:43:39  C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w		   290,816 2008-02-29 05:43:40  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w			36,975 2008-02-29 05:43:42  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-02-29 05:38:05  C:\Program Files\Messenger\msmsgs .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				   .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				  .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				 .exe
----a-w			98,304 2008-02-29 04:39:48  C:\Program Files\QuickTime\qttask				.exe
----a-w			98,304 2008-02-29 04:19:27  C:\Program Files\QuickTime\qttask			   .exe
----a-w			98,304 2008-02-29 05:10:18  C:\Program Files\QuickTime\qttask			  .exe
----a-w			98,304 2008-02-29 05:10:18  C:\Program Files\QuickTime\qttask			 .exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask			.exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask		   .exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask		  .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask		 .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask		.exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask	   .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask	  .exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask	.exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-02-29 05:10:22  C:\Program Files\QuickTime\qttask  .exe
----a-w			98,304 2008-02-29 05:10:22  C:\Program Files\QuickTime\qttask .exe
----a-w		 2,097,488 2008-02-29 20:47:53  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   897,089 2008-02-29 03:27:30  C:\Program Files\Trend Micro\Internet Security 2006\pccguide .exe
----a-w			15,360 2008-02-29 20:47:49  C:\WINDOWS\system32\ctfmon .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [ ]
"QdrModule12"="C:\Program Files\QdrModule\QdrModule12.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-04-07 14:22 323584 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-29 23:46 949376]
"DXDllRegExe"="dxdllreg.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-02-28 22:06]
R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe [2007-04-10 10:34]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 03:00]
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys [2007-04-10 10:32]
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys [2007-04-10 10:34]
S3 A3AX;D-Link AirPro DWL-A650 Wireless Cardbus Adapter Service;C:\WINDOWS\system32\DRIVERS\a3ax.sys [2002-02-26 11:13]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys [2007-04-10 10:34]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 20:09:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-03-02 20:13:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 01:13:07
.
2008-03-02 18:42:17 --- E O F ---

#4 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 02 March 2008 - 08:30 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RenV::
----a-w 57,344 2008-02-29 03:50:29 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w 39,792 2008-02-29 04:21:44 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 159,744 2008-02-29 05:43:34 C:\Program Files\Apoint2K\Apoint .exe
----a-w 180,269 2008-02-29 05:43:45 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 949,376 2008-02-29 05:38:00 C:\Program Files\ESET\nod32kui .exe
----a-w 68,856 2008-02-29 03:27:58 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 49,152 2008-02-29 03:27:25 C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w 241,664 2008-02-29 05:43:51 C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w 200,766 2008-02-29 05:43:39 C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w 290,816 2008-02-29 05:43:40 C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w 36,975 2008-02-29 05:43:42 C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w 1,694,208 2008-02-29 05:38:05 C:\Program Files\Messenger\msmsgs .exe
----a-w 98,304 2008-02-29 06:27:13 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 06:27:13 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 06:27:13 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 04:39:48 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 04:19:27 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:18 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:18 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:19 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:19 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:19 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:20 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:20 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:20 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:20 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:21 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:21 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:21 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:22 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-02-29 05:10:22 C:\Program Files\QuickTime\qttask .exe
----a-w 2,097,488 2008-02-29 20:47:53 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 897,089 2008-02-29 03:27:30 C:\Program Files\Trend Micro\Internet Security 2006\pccguide .exe
----a-w 15,360 2008-02-29 20:47:49 C:\WINDOWS\system32\ctfmon .exe


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now please?

Thanks,
tea
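The listing that ComboFix placed between the <pre> tags in the log above, and that the reply reproduces under RenV::, is a set of executables whose names carry one or more spaces before the .exe extension ("nod32kui .exe", "ctfmon .exe", and nineteen variants of "qttask .exe" differing only in the amount of padding). The script below is an added example, not code from the thread, from ComboFix or from BleepingComputer: it parses listing lines of that shape, reports the ones with padded extensions together with the name they collapse to once the padding is stripped, counts how many variants collapse onto one name, and builds a RenV:: block in the single-space form the reply uses. The sample lines are taken from the listing above, except the nwiz.exe control line, which is constructed; what ComboFix does with a RenV:: block is not described on this page, so the script only prepares the text.

```python
"""Find executables whose extension is padded with whitespace in a ComboFix
file listing, and build the matching RenV:: script block.

Added example: this is not code from the thread, from ComboFix or from
BleepingComputer. Listing lines are assumed to have the shape
    <attrs> <size> <YYYY-MM-DD> <HH:MM:SS> <path>
which is the shape of the lines posted above.
"""
import re
from collections import Counter

# Constructed sample: five lines copied from the listing posted above plus one
# clean control line (nwiz.exe) that I made up so there is a negative case.
SAMPLE_LISTING = r"""
----a-w          57,344 2008-02-29 03:50:29  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w         949,376 2008-02-29 05:38:00  C:\Program Files\ESET\nod32kui .exe
----a-w          98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask                   .exe
----a-w          98,304 2008-02-29 05:10:22  C:\Program Files\QuickTime\qttask .exe
----a-w          15,360 2008-02-29 20:47:49  C:\WINDOWS\system32\ctfmon .exe
----a-w         323,584 2004-04-07 14:22:00  C:\WINDOWS\system32\nwiz.exe
"""

LISTING_LINE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<path>.+?)\s*$"
)
# A stem ending in a non-space, one or more whitespace characters, then a short extension.
PADDED_EXT = re.compile(r"^(?P<stem>.*\S)\s+\.(?P<ext>[A-Za-z0-9]{1,4})$")


def parse_listing(text):
    """Yield one dict per parsable listing line; blank or foreign lines are skipped."""
    for raw in text.splitlines():
        m = LISTING_LINE.match(raw.rstrip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"].replace(",", ""))
        rec["line"] = raw
        yield rec


def padded_name(path):
    """De-padded path if the basename has whitespace before its extension, else None."""
    folder, _, base = path.rpartition("\\")
    m = PADDED_EXT.match(base)
    if not m:
        return None
    return f"{folder}\\{m.group('stem')}.{m.group('ext')}"


def find_padded_extensions(text):
    """All listing entries whose file name carries padding before the extension."""
    hits = []
    for rec in parse_listing(text):
        restored = padded_name(rec["path"])
        if restored:
            rec["restored"] = restored
            hits.append(rec)
    return hits


def count_variants(hits):
    """How many padded variants collapse onto the same name (19 for qttask in the thread)."""
    return Counter(h["restored"] for h in hits)


def build_renv_script(text):
    """RenV:: block in the form used in the reply: a header line, then each hit
    with runs of whitespace collapsed to single spaces."""
    body = [" ".join(h["line"].split()) for h in find_padded_extensions(text)]
    return "\n".join(["RenV::", *body])


if __name__ == "__main__":
    for name, n in count_variants(find_padded_extensions(SAMPLE_LISTING)).items():
        print(f"{n:2d}  {name}")
    print(build_renv_script(SAMPLE_LISTING))
```

The collapse step is what makes the qttask lines worth counting: on the real listing the nineteen variants all map to the same C:\Program Files\QuickTime\qttask.exe, which is how you see that one legitimate file was being shadowed repeatedly rather than nineteen different ones.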

#5 rdenman (Topic Starter, Members, 6 posts)

Posted 02 March 2008 - 09:00 PM

All startup errors are gone. It seems to be good. IE was a little slow to boot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:20 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4845 bytes

ComboFix 08-03-03.4 - Bob Denman 2008-03-02 20:39:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.227 [GMT -5:00]
Running from: C:\Documents and Settings\Bob Denman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bob Denman\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 13:12 . 2008-03-02 13:12 <DIR> d-------- C:\VundoFix Backups
2008-03-01 21:34 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-01 21:34 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-01 21:34 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-01 21:34 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-01 21:34 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 21:34 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-01 21:34 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-01 21:34 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-01 21:34 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-01 21:18 . 2008-03-01 21:18 <DIR> d-------- C:\Program Files\MSBuild
2008-03-01 21:12 . 2008-03-01 21:12 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-01 21:11 . 2008-03-01 21:11 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-01 21:08 . 2008-03-01 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-01 21:08 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-29 23:39 . 2008-02-29 23:46 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-29 23:39 . 2008-02-29 23:46 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-29 23:39 . 2008-02-29 23:46 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-29 22:06 . 2008-02-29 22:06 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-28 23:04 . 2008-03-01 02:29 <DIR> d-------- C:\Program Files\ESET
2008-02-28 22:53 . 2008-02-28 22:53 23 --a------ C:\WINDOWS\kodakpcd.Bob Denman.ini
2008-02-28 22:14 . 2008-02-28 22:14 99,060 --a------ C:\WINDOWS\BM0bccbdff.xml
2008-02-28 22:13 . 2008-02-28 22:13 22 --a------ C:\WINDOWS\pskt.ini
2008-02-08 22:19 . 2008-02-28 22:06 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-02-07 21:59 . 2008-02-07 21:59 294 --ahs---- C:\WINDOWS\system32\gsdytlsf.ini
2008-02-06 12:16 . 2008-02-29 15:47 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-02-03 19:13 . 2008-02-28 23:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-03 19:13 . 2008-02-28 23:17 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 20:32 --------- d-----w C:\Program Files\Trend Micro
2008-03-01 15:42 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-01 15:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 19:25 --------- d-----w C:\Program Files\Apoint2K
2008-02-29 14:01 --------- d-----w C:\Program Files\QuickTime
2008-02-29 04:03 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2008-02-29 03:58 --------- d-----w C:\Program Files\Kodak
2008-02-29 03:48 --------- d-----w C:\Program Files\HPQ
2008-02-29 03:47 --------- d-----w C:\Program Files\Google
2008-02-29 03:46 --------- d-----w C:\Program Files\Citrix
2008-02-29 03:45 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-29 03:39 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-06 02:20 --------- d-----w C:\Program Files\Viewpoint
2008-02-05 17:58 --------- d--h--w C:\Documents and Settings\Vickie Denman\Application Data\GTek
2008-02-05 17:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 17:55 --------- d-----w C:\Documents and Settings\Bob Denman\Application Data\Viewpoint
2008-02-05 17:55 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-02-05 17:50 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-07 18:32 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2008-01-06 21:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-06 17:59 --------- d-----w C:\Program Files\SearchAssistant3
2008-01-06 17:49 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2008-01-06 17:37 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SITEguard
2008-01-06 17:35 --------- d-----w C:\Program Files\Common Files\iS3
2008-01-06 15:50 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2008-01-06 03:01 --------- d-----w C:\Program Files\Registry Defender
2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 15:51 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-07 01:07 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-12-07 01:07 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-12-07 01:07 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-12-07 01:07 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-12-07 01:07 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-07-27 02:21 55,120 ----a-w C:\Documents and Settings\Bob Denman\Application Data\GDIPFONTCACHEV1.DAT
2006-04-22 02:23 55,120 ----a-w C:\Documents and Settings\Vickie Denman\Application Data\GDIPFONTCACHEV1.DAT
2005-07-24 20:38 458 ----a-w C:\Documents and Settings\Vickie Denman\Application Data\wklnhst.dat
.
<pre>
----a-w			57,344 2008-02-29 03:50:29  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w			39,792 2008-02-29 04:21:44  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   159,744 2008-02-29 05:43:34  C:\Program Files\Apoint2K\Apoint .exe
----a-w		   180,269 2008-02-29 05:43:45  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   949,376 2008-02-29 05:38:00  C:\Program Files\ESET\nod32kui .exe
----a-w			68,856 2008-02-29 03:27:58  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			49,152 2008-02-29 03:27:25  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   241,664 2008-02-29 05:43:51  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   200,766 2008-02-29 05:43:39  C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w		   290,816 2008-02-29 05:43:40  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w			36,975 2008-02-29 05:43:42  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-02-29 05:38:05  C:\Program Files\Messenger\msmsgs .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				   .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				  .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				 .exe
----a-w			98,304 2008-02-29 04:39:48  C:\Program Files\QuickTime\qttask				.exe
----a-w			98,304 2008-02-29 04:19:27  C:\Program Files\QuickTime\qttask			   .exe
----a-w			98,304 2008-02-29 05:10:18  C:\Program Files\QuickTime\qttask			  .exe
----a-w			98,304 2008-02-29 05:10:18  C:\Program Files\QuickTime\qttask			 .exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask			.exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask		   .exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask		  .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask		 .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask		.exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask	   .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask	  .exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask	.exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-02-29 05:10:22  C:\Program Files\QuickTime\qttask  .exe
----a-w			98,304 2008-02-29 05:10:22  C:\Program Files\QuickTime\qttask .exe
----a-w		 2,097,488 2008-02-29 20:47:53  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   897,089 2008-02-29 03:27:30  C:\Program Files\Trend Micro\Internet Security 2006\pccguide .exe
----a-w			15,360 2008-02-29 20:47:49  C:\WINDOWS\system32\ctfmon .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [ ]
"QdrModule12"="C:\Program Files\QdrModule\QdrModule12.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-04-07 14:22 323584 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-29 23:46 949376]
"DXDllRegExe"="dxdllreg.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-02-28 22:06]
R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe [2007-04-10 10:34]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 03:00]
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys [2007-04-10 10:32]
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys [2007-04-10 10:34]
S3 A3AX;D-Link AirPro DWL-A650 Wireless Cardbus Adapter Service;C:\WINDOWS\system32\DRIVERS\a3ax.sys [2002-02-26 11:13]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys [2007-04-10 10:34]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 20:41:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-02 20:42:34
ComboFix-quarantined-files.txt 2008-03-03 01:42:11
ComboFix2.txt 2008-03-03 01:13:12
.
2008-03-02 18:42:17 --- E O F ---

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 March 2008 - 09:07 PM

Hello,

Glad to know it, but it looks like the script didn't work last time. Please go offline and disable all your protection programs and try my previous instructions again. Be sure to re-enable them again before coming back online to post the report. :thumbsup:

Thanks,
tea

#7 rdenman

rdenman
  • Topic Starter

  • Members
  • 6 posts

Posted 02 March 2008 - 09:32 PM

ComboFix didn't require a restart, so none was done. FYI.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:42 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4812 bytes


ComboFix 08-03-03.4 - Bob Denman 2008-03-02 21:17:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.262 [GMT -5:00]
Running from: C:\Documents and Settings\Bob Denman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bob Denman\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 13:12 . 2008-03-02 13:12 <DIR> d-------- C:\VundoFix Backups
2008-03-01 21:34 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-01 21:34 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-01 21:34 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-01 21:34 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-01 21:34 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 21:34 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-01 21:34 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-01 21:34 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-01 21:34 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-01 21:18 . 2008-03-01 21:18 <DIR> d-------- C:\Program Files\MSBuild
2008-03-01 21:12 . 2008-03-01 21:12 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-01 21:11 . 2008-03-01 21:11 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-01 21:08 . 2008-03-01 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-01 21:08 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-29 23:39 . 2008-02-29 23:46 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-02-29 23:39 . 2008-02-29 23:46 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-02-29 23:39 . 2008-02-29 23:46 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-29 22:06 . 2008-02-29 22:06 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-28 23:04 . 2008-03-01 02:29 <DIR> d-------- C:\Program Files\ESET
2008-02-28 22:53 . 2008-02-28 22:53 23 --a------ C:\WINDOWS\kodakpcd.Bob Denman.ini
2008-02-28 22:14 . 2008-02-28 22:14 99,060 --a------ C:\WINDOWS\BM0bccbdff.xml
2008-02-28 22:13 . 2008-02-28 22:13 22 --a------ C:\WINDOWS\pskt.ini
2008-02-08 22:19 . 2008-02-28 22:06 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-02-07 21:59 . 2008-02-07 21:59 294 --ahs---- C:\WINDOWS\system32\gsdytlsf.ini
2008-02-06 12:16 . 2008-02-29 15:47 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-02-03 19:13 . 2008-02-28 23:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-03 19:13 . 2008-02-28 23:17 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 20:32 --------- d-----w C:\Program Files\Trend Micro
2008-03-01 15:42 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-01 15:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-29 19:25 --------- d-----w C:\Program Files\Apoint2K
2008-02-29 14:01 --------- d-----w C:\Program Files\QuickTime
2008-02-29 04:03 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2008-02-29 03:58 --------- d-----w C:\Program Files\Kodak
2008-02-29 03:48 --------- d-----w C:\Program Files\HPQ
2008-02-29 03:47 --------- d-----w C:\Program Files\Google
2008-02-29 03:46 --------- d-----w C:\Program Files\Citrix
2008-02-29 03:45 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-29 03:39 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-06 02:20 --------- d-----w C:\Program Files\Viewpoint
2008-02-05 17:58 --------- d--h--w C:\Documents and Settings\Vickie Denman\Application Data\GTek
2008-02-05 17:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 17:55 --------- d-----w C:\Documents and Settings\Bob Denman\Application Data\Viewpoint
2008-02-05 17:55 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-02-05 17:50 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-07 18:32 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2008-01-06 21:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-06 17:59 --------- d-----w C:\Program Files\SearchAssistant3
2008-01-06 17:49 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2008-01-06 17:37 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SITEguard
2008-01-06 17:35 --------- d-----w C:\Program Files\Common Files\iS3
2008-01-06 15:50 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2008-01-06 03:01 --------- d-----w C:\Program Files\Registry Defender
2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 15:51 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-07 01:07 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-12-07 01:07 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-12-07 01:07 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-12-07 01:07 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-12-07 01:07 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-07-27 02:21 55,120 ----a-w C:\Documents and Settings\Bob Denman\Application Data\GDIPFONTCACHEV1.DAT
2006-04-22 02:23 55,120 ----a-w C:\Documents and Settings\Vickie Denman\Application Data\GDIPFONTCACHEV1.DAT
2005-07-24 20:38 458 ----a-w C:\Documents and Settings\Vickie Denman\Application Data\wklnhst.dat
.
<pre>
----a-w			57,344 2008-02-29 03:50:29  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w			39,792 2008-02-29 04:21:44  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   159,744 2008-02-29 05:43:34  C:\Program Files\Apoint2K\Apoint .exe
----a-w		   180,269 2008-02-29 05:43:45  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   949,376 2008-02-29 05:38:00  C:\Program Files\ESET\nod32kui .exe
----a-w			68,856 2008-02-29 03:27:58  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			49,152 2008-02-29 03:27:25  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   241,664 2008-02-29 05:43:51  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   200,766 2008-02-29 05:43:39  C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w		   290,816 2008-02-29 05:43:40  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w			36,975 2008-02-29 05:43:42  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-02-29 05:38:05  C:\Program Files\Messenger\msmsgs .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				   .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				  .exe
----a-w			98,304 2008-02-29 06:27:13  C:\Program Files\QuickTime\qttask				 .exe
----a-w			98,304 2008-02-29 04:39:48  C:\Program Files\QuickTime\qttask				.exe
----a-w			98,304 2008-02-29 04:19:27  C:\Program Files\QuickTime\qttask			   .exe
----a-w			98,304 2008-02-29 05:10:18  C:\Program Files\QuickTime\qttask			  .exe
----a-w			98,304 2008-02-29 05:10:18  C:\Program Files\QuickTime\qttask			 .exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask			.exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask		   .exe
----a-w			98,304 2008-02-29 05:10:19  C:\Program Files\QuickTime\qttask		  .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask		 .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask		.exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask	   .exe
----a-w			98,304 2008-02-29 05:10:20  C:\Program Files\QuickTime\qttask	  .exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask	.exe
----a-w			98,304 2008-02-29 05:10:21  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-02-29 05:10:22  C:\Program Files\QuickTime\qttask  .exe
----a-w			98,304 2008-02-29 05:10:22  C:\Program Files\QuickTime\qttask .exe
----a-w		 2,097,488 2008-02-29 20:47:53  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   897,089 2008-02-29 03:27:30  C:\Program Files\Trend Micro\Internet Security 2006\pccguide .exe
----a-w			15,360 2008-02-29 20:47:49  C:\WINDOWS\system32\ctfmon .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [ ]
"QdrModule12"="C:\Program Files\QdrModule\QdrModule12.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-04-07 14:22 323584 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-29 23:46 949376]
"DXDllRegExe"="dxdllreg.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-02-28 22:06]
R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe [2007-04-10 10:34]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 03:00]
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys [2007-04-10 10:32]
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys [2007-04-10 10:34]
S3 A3AX;D-Link AirPro DWL-A650 Wireless Cardbus Adapter Service;C:\WINDOWS\system32\DRIVERS\a3ax.sys [2002-02-26 11:13]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys [2007-04-10 10:34]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 21:20:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-02 21:21:38
ComboFix-quarantined-files.txt 2008-03-03 02:21:16
ComboFix2.txt 2008-03-03 01:42:34
ComboFix3.txt 2008-03-03 01:13:12
.
2008-03-02 18:42:17 --- E O F ---
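Two patterns in the ComboFix output above are worth pulling out automatically when triaging a log like this. In the "Reg Loading Points" block, ComboFix prints the target file's date, time and size in square brackets after each Run value and leaves the brackets empty (`[ ]` or `[]`) when it cannot find the file; those orphaned values are what produce the "file ... cannot be found at startup" errors once the malware file itself has been deleted. In the file listing, the same executable name is repeated with varying whitespace inserted before `.exe`, which Explorer hides and which lets a rogue copy sit beside the real one. The script below is an added example for this thread, not part of the original posts or of ComboFix; it runs over constructed sample lines modelled on the log above, assumes the field layout visible in this log (attributes, size, timestamp, path; and `"name"="data" [details]` for Run values), and reports the orphaned autostart entries and the padded file names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of ComboFix's "Reg Loading Points" block
# (entries modelled on the log above; values abbreviated).
SAMPLE_RUN_KEYS = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"QdrModule12"="C:\Program Files\QdrModule\QdrModule12.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-04-07 14:22 323584 C:\WINDOWS\system32\nwiz.exe]
"DXDllRegExe"="dxdllreg.exe" []
"""

# Constructed sample in the shape of ComboFix's file listing (attributes, size,
# timestamp, path); the first two names carry whitespace before ".exe".
SAMPLE_FILE_LISTING = (
    "----a-w\t\t\t98,304 2008-02-29 05:10:20  C:\\Program Files\\QuickTime\\qttask\t .exe\n"
    "----a-w\t\t\t98,304 2008-02-29 05:10:22  C:\\Program Files\\QuickTime\\qttask .exe\n"
    "----a-w\t\t\t15,360 2008-02-29 20:47:49  C:\\WINDOWS\\system32\\ctfmon.exe\n"
)


@dataclass
class RunEntry:
    key: str                 # registry key the value lives under
    name: str                # value name
    command: str             # value data (the command line / path)
    resolved: Optional[str]  # path ComboFix printed inside the brackets, if any
    size: Optional[int]      # file size from the brackets, if any
    present: bool            # False when the brackets were empty ([ ] or [])


KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]\s*$')
INFO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+)(?: (.+))?$")
FILE_RE = re.compile(
    r"^([-a-z]{7})\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+)$"
)


def parse_run_entries(text: str) -> List[RunEntry]:
    """Parse the REGEDIT4-style autostart block into RunEntry records."""
    entries: List[RunEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m is None or current_key is None:
            continue
        name, command, info = m.group(1), m.group(2), m.group(3).strip()
        resolved: Optional[str] = None
        size: Optional[int] = None
        info_match = INFO_RE.match(info)
        if info_match:
            size = int(info_match.group(3))
            # The resolved path is printed only when the value data is a bare name.
            resolved = info_match.group(4) or command
        entries.append(RunEntry(current_key, name, command, resolved, size, bool(info)))
    return entries


def orphaned_entries(entries: List[RunEntry]) -> List[RunEntry]:
    """Autostart values whose target ComboFix could not find on disk.

    These are the entries behind 'file ... cannot be found at startup' errors:
    the malware file was removed but its Run value was left behind."""
    return [e for e in entries if not e.present]


def padded_name_files(listing: str) -> List[str]:
    """Paths whose file name has whitespace immediately before its extension.

    Explorer hides the padding, so 'qttask .exe' looks like the real qttask.exe
    while being a different file; several such copies of one name is a red flag."""
    hits: List[str] = []
    for raw in listing.splitlines():
        m = FILE_RE.match(raw.rstrip("\r\n"))
        if m is None:
            continue
        path = m.group(4)
        filename = path.rsplit("\\", 1)[-1]
        if re.search(r"\s\.[^.\s]+$", filename):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for e in orphaned_entries(parse_run_entries(SAMPLE_RUN_KEYS)):
        print(f"orphaned autostart: [{e.key}] {e.name} -> {e.command}")
    for p in padded_name_files(SAMPLE_FILE_LISTING):
        print(f"padded file name:   {p!r}")
```

Run against the sample, the script reports `MSMSGS`, `QdrModule12` and `DXDllRegExe` as orphaned Run values and the two padded `qttask` copies as suspect; the clean `ctfmon.exe` line is left alone. On a real log, the orphaned list is the set of values to clean up once the referenced files are confirmed gone, and the padded list is the set of files to look at before trusting any program of the same name.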

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 March 2008 - 11:16 PM

Hello,

Thanks for trying. :thumbsup: Things might get a bit sticky here with this infection. After this scan, you may have to reinstall some of the programs affected. They've been infected, and for whatever reason, ComboFix has been unable to find legit copies to replace the infected ones with.

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
After you run this, please run ComboFix again and post its report as well.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#9 rdenman
  • Topic Starter
  • Members
  • 6 posts

Posted 02 March 2008 - 11:30 PM

Well, I'm back to ground zero... the errors are back. When I rebooted etc., I allowed Spybot S&D to reload, and then it detected registry changes, and then all the errors came back...


So, do I start over at the beginning of our thread? Very frustrating...

Didn't even get to run Bit Defender...

:-(

Honestly, this is my Dad's laptop, and it's operational, and I am able to salvage his personal items on here... I'm thinking about just a clean start, format and reinstall of the OS... Any chance it would still come back?

Edited by rdenman, 02 March 2008 - 11:34 PM.


#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 March 2008 - 11:43 PM

That might be easier at this point, really. Do you see all those programs in the code box from when you ran ComboFix? Those are all the programs affected by this infection. We can still try to save it if you want to, but you're going to have to leave SpyBot off until it's totally clean if we do. This is up to you and what you need to do. Just let me know. :thumbsup:

tea

#11 rdenman
  • Topic Starter
  • Members
  • 6 posts

Posted 03 March 2008 - 12:17 AM

At this point all I want to do is SAFELY get all his pics off the computer. I called him and that's all he wants.

How can I be assured that I'm not moving a bad file or virus with any of the pics? Just don't wanna chance it...

Does this virus attach to any .jpg's?

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 March 2008 - 01:06 AM

Scan them before you move them with your AntiVirus, or something like AVG AntiSpyware. :thumbsup: I don't think individual pictures would be affected, but just to be on the safe side I'd scan them.

#13 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 March 2008 - 06:10 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.