Message That "c:\windows\system32\ssqrq.exe Not Found"


  • This topic is locked
16 replies to this topic

#1 mdburn1
  • Members
  • 8 posts
  • Gender:Male
  • Location:Boston, MA

Posted 18 March 2008 - 03:55 AM

I am cleaning up a PC for a friend and I have found several different spyware variants on it. So far the biggest offender seems to be either a SpyAxe or a Vundo variant???

I have run Spybot, Ad-Aware, BitDefender, Kaspersky and avast!, but I have one that keeps coming back and I need some help to get rid of it.

I ran CCleaner and removed EVERYTHING.

I have also run SmitRem and SmitfraudFix on this system, but I still have this one bug left.

Now when I boot the computer it gives me a message that ssqrq.exe is not found. It also seems to recreate ctfmon.exe upon each reboot, and that is infected each time as well.

Here is the HJT log file from the system.

Thanks for any help you can give me!

Mike

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:14 AM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.73.171.30:80
F3 - REG:win.ini: load=C:\WINDOWS\System32\ssqrq.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C6B70417-D740-4DAA-82B2-BEC5FF2E89B7} - C:\WINDOWS\System32\ssqrq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95560977-12C7-4BD2-8B40-F575EAC2B9F2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1F945D8-9E1E-436D-9675-222DD721964E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5987 bytes


#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 March 2008 - 10:35 AM

Hi,

You're dealing with several different infections here, so we need to deal with this one by one...

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make to your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then:
  • Download SDFix and save it to your Desktop.
  • Double-click SDFix.exe and it will extract the files to %systemdrive%
    (the drive that contains the Windows directory, typically C:\SDFix).
  • Reboot into Safe Mode (without networking support!)
    To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
    Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and will also be saved into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
Then we'll start from there and deal with the rest.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mdburn1
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Boston, MA

Posted 18 March 2008 - 12:35 PM

Thanks for getting back to me. I knew there was a lot of garbage on the system; it has had NO maintenance for the past 3 years. This should be a good one!

I'll follow your instructions and post the logs shortly.

Mike

#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 March 2008 - 12:53 PM

OK, I'll read your logs later :thumbsup:

#5 mdburn1
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Boston, MA

Posted 18 March 2008 - 01:03 PM

Here are the log files for SDFix and a fresh HijackThis log.


SDFix: Version 1.158

Run by Jason on Tue 03/18/2008 at 01:49 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\hjvgsmnf\1.png - Deleted
C:\WINDOWS\hjvgsmnf\2.png - Deleted
C:\WINDOWS\hjvgsmnf\3.png - Deleted
C:\WINDOWS\hjvgsmnf\4.png - Deleted
C:\WINDOWS\hjvgsmnf\5.png - Deleted
C:\WINDOWS\hjvgsmnf\6.png - Deleted
C:\WINDOWS\hjvgsmnf\7.png - Deleted
C:\WINDOWS\hjvgsmnf\8.png - Deleted
C:\WINDOWS\hjvgsmnf\9.png - Deleted
C:\WINDOWS\hjvgsmnf\bottom-rc.gif - Deleted
C:\WINDOWS\hjvgsmnf\config.png - Deleted
C:\WINDOWS\hjvgsmnf\content.png - Deleted
C:\WINDOWS\hjvgsmnf\download.gif - Deleted
C:\WINDOWS\hjvgsmnf\frame-bg.gif - Deleted
C:\WINDOWS\hjvgsmnf\frame-bottom-left.gif - Deleted
C:\WINDOWS\hjvgsmnf\frame-h1bg.gif - Deleted
C:\WINDOWS\hjvgsmnf\head.png - Deleted
C:\WINDOWS\hjvgsmnf\icon.png - Deleted
C:\WINDOWS\hjvgsmnf\indexwp.html - Deleted
C:\WINDOWS\hjvgsmnf\main.css - Deleted
C:\WINDOWS\hjvgsmnf\memory-prots.png - Deleted
C:\WINDOWS\hjvgsmnf\net.png - Deleted
C:\WINDOWS\hjvgsmnf\pc.gif - Deleted
C:\WINDOWS\hjvgsmnf\pc-mag.gif - Deleted
C:\WINDOWS\hjvgsmnf\poloska1.png - Deleted
C:\WINDOWS\hjvgsmnf\poloska2.png - Deleted
C:\WINDOWS\hjvgsmnf\poloska3.png - Deleted
C:\WINDOWS\hjvgsmnf\promowp1.html - Deleted
C:\WINDOWS\hjvgsmnf\promowp2.html - Deleted
C:\WINDOWS\hjvgsmnf\promowp3.html - Deleted
C:\WINDOWS\hjvgsmnf\promowp4.html - Deleted
C:\WINDOWS\hjvgsmnf\promowp5.html - Deleted
C:\WINDOWS\hjvgsmnf\reg.png - Deleted
C:\WINDOWS\hjvgsmnf\repair.png - Deleted
C:\WINDOWS\hjvgsmnf\scr-1.png - Deleted
C:\WINDOWS\hjvgsmnf\scr-2.png - Deleted
C:\WINDOWS\hjvgsmnf\start.png - Deleted
C:\WINDOWS\hjvgsmnf\styles.css - Deleted
C:\WINDOWS\hjvgsmnf\top-rc.gif - Deleted
C:\WINDOWS\hjvgsmnf\vline.gif - Deleted
C:\WINDOWS\hjvgsmnf\wp.png - Deleted
C:\WINDOWS\PerfInfo\5ahY1062dBwp.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\users32.dat - Deleted



Folder C:\Temp\bkR11 - Removed
Folder C:\WINDOWS\PerfInfo - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 13:55:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 13 Aug 2007 622,080 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 17 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\BIT18.tmp"
Thu 7 Feb 2008 19,456 ...H. --- "C:\Documents and Settings\Jason\Application Data\Microsoft\Word\~WRL0001.tmp"
Wed 5 Mar 2008 19,968 ...H. --- "C:\Documents and Settings\Jason\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 5 Mar 2008 21,504 ...H. --- "C:\Documents and Settings\Jason\Application Data\Microsoft\Word\~WRL0408.tmp"

Finished!

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:53 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.73.171.30:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8EFB1C86-2BF7-47D0-98DD-A11958957D2B} - C:\WINDOWS\System32\ssqrq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205834917281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95560977-12C7-4BD2-8B40-F575EAC2B9F2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1F945D8-9E1E-436D-9675-222DD721964E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5615 bytes
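Set against the log in the first post, this one shows what SDFix removed and what survived it: the win.ini load= line, the HKUS Run entries and the hijacked Task Scheduler service are gone, while the proxy setting, the text/html filter and the ssqrq.dll BHO remain. The BHO is also back under a different CLSID ({C6B70417-D740-4DAA-82B2-BEC5FF2E89B7} in the first log, {8EFB1C86-2BF7-47D0-98DD-A11958957D2B} here), which a plain line diff would report as one entry removed and one added. The Python below is added as an example and is not the thread's own tooling: it diffs two logs entry by entry with CLSIDs blanked, so a component re-registered under a new CLSID is reported as persisted with a new identifier. BEFORE and AFTER are constructed from the lines that differ between the two posted logs.

```python
"""Diff two HijackThis logs by entry, ignoring CLSIDs, so a component that was
re-registered under a new CLSID shows up as persisted rather than removed + added.

Example code added for this thread; not HijackThis, SDFix or ComboFix tooling.
"""
import re

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - .*$")
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)

# Constructed samples: the entries that differ between the first log in this
# thread and the one posted after SDFix, copied verbatim.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.73.171.30:80
F3 - REG:win.ini: load=C:\WINDOWS\System32\ssqrq.exe
O2 - BHO: (no name) - {C6B70417-D740-4DAA-82B2-BEC5FF2E89B7} - C:\WINDOWS\System32\ssqrq.dll
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.73.171.30:80
O2 - BHO: (no name) - {8EFB1C86-2BF7-47D0-98DD-A11958957D2B} - C:\WINDOWS\System32\ssqrq.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205834917281
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
"""


def entries(text):
    """Keep only the 'Xn - ...' entry lines; process lists and headers are dropped."""
    return [l.strip() for l in text.splitlines() if ENTRY_RE.match(l.strip())]


def key(entry):
    """Identity of an entry with every CLSID blanked; the target path is what matters."""
    return CLSID_RE.sub("{CLSID}", entry)


def diff_logs(before, after):
    """Classify entries as removed, added, unchanged, or re-registered (same target, new CLSID)."""
    b = {key(e): e for e in entries(before)}
    a = {key(e): e for e in entries(after)}
    return {
        "removed": [b[k] for k in b if k not in a],
        "added": [a[k] for k in a if k not in b],
        "unchanged": [a[k] for k in a if k in b and a[k] == b[k]],
        "reregistered": [(b[k], a[k]) for k in a if k in b and a[k] != b[k]],
    }


if __name__ == "__main__":
    d = diff_logs(BEFORE, AFTER)
    for label in ("removed", "added", "unchanged"):
        for e in d[label]:
            print(f"{label:13} {e}")
    for old, new in d["reregistered"]:
        print(f"re-registered {new}\n    was       {old}")
```

The "reregistered" bucket is the one to watch between cleaning passes: an entry that keeps its DLL path but changes CLSID has been reinstalled by something still running, which is the signal to look for the dropper rather than keep deleting the BHO.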

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 March 2008 - 01:37 PM

Ok, next steps..

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#7 mdburn1
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Boston, MA

Posted 18 March 2008 - 01:59 PM

Okay, here are the new log files for ComboFix and HJT.

Thanks again!

COMBOFIX:
ComboFix 08-03-17.1 - Jason 2008-03-18 14:51:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.220 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://77.91.228.186
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-18 13:48 . 2005-03-02 13:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-18 13:46 . 2008-03-18 13:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-18 13:43 . 2008-03-18 13:59 <DIR> d-------- C:\SDFix
2008-03-18 04:50 . 2008-03-18 04:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 03:52 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-18 03:52 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-18 03:52 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-18 03:52 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-18 03:52 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-18 03:52 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-18 03:51 . 2008-03-18 03:51 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-18 03:51 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-18 03:51 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-18 03:18 . 2008-03-18 04:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-18 03:18 . 2008-03-18 03:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-18 03:18 . 2008-03-18 03:18 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-18 03:18 . 2008-03-18 03:18 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-18 01:28 . 2008-03-18 03:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-17 23:57 . 2008-03-17 23:57 2,774 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-17 23:55 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-17 23:55 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-17 23:55 . 2008-03-14 09:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-17 23:55 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-17 23:55 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-17 23:55 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-17 23:55 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-17 23:52 . 2008-03-18 01:18 426 --a------ C:\WINDOWS\wininit.ini
2008-03-17 23:32 . 2008-03-18 00:34 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-03-17 23:31 . 2008-03-17 23:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-17 23:19 . 2008-03-18 01:19 16,896 --a------ C:\WINDOWS\system32\BADFILE.braviax.exe
2008-03-17 23:16 . 2008-03-17 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-17 23:02 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-17 22:55 . 2008-03-17 22:55 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-17 22:49 . 2008-03-17 22:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-17 22:47 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002488_.tmp
2008-03-17 22:38 . 2008-03-17 22:38 <DIR> d-------- C:\WINDOWS\EHome
2008-03-17 22:33 . 2008-03-17 23:22 <DIR> d-------- C:\VundoFix Backups
2008-03-17 22:22 . 2008-03-17 22:22 <DIR> d-------- C:\Program Files\CCleaner
2008-03-17 22:16 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-03-17 22:14 . 2004-08-04 00:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-17 22:14 . 2004-08-04 00:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-17 22:14 . 2004-08-04 00:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-17 22:14 . 2004-01-10 00:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-03-17 22:12 . 2008-03-17 22:12 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-16 20:17 . 2008-03-16 20:17 0 --ahs---- C:\Documents and Settings\Jason\Application Data\0047ddc63fcee114bd3c4a9728eb19e105c120b1d7e966ef01.dat
2008-03-16 19:58 . 2008-03-16 19:58 14,336 --a------ C:\hUpN.exe
2008-03-14 11:31 . 2008-03-18 00:50 5,120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-14 11:29 . 2008-03-18 03:19 16,896 --a------ C:\WINDOWS\system32\BAD.braviax.exe
2008-03-14 11:29 . 2008-03-18 00:50 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-03-14 11:29 . 2008-03-18 01:19 5,120 --a------ C:\Documents and Settings\Jason\ftpdll.dll
2008-03-11 17:25 . 2008-03-11 17:25 268 --ah----- C:\sqmdata19.sqm
2008-03-11 17:25 . 2008-03-11 17:25 244 --ah----- C:\sqmnoopt19.sqm
2008-03-11 16:50 . 2008-03-18 04:38 <DIR> d-------- C:\Program Files\SpyAway
2008-03-11 15:30 . 2008-03-11 15:30 268 --ah----- C:\sqmdata18.sqm
2008-03-11 15:30 . 2008-03-11 15:30 244 --ah----- C:\sqmnoopt18.sqm
2008-03-11 12:59 . 2008-03-11 12:59 268 --ah----- C:\sqmdata17.sqm
2008-03-11 12:59 . 2008-03-11 12:59 244 --ah----- C:\sqmnoopt17.sqm
2008-03-11 12:36 . 2008-03-11 12:36 268 --ah----- C:\sqmdata16.sqm
2008-03-11 12:36 . 2008-03-11 12:36 244 --ah----- C:\sqmnoopt16.sqm
2008-03-11 11:09 . 2008-03-11 11:09 <DIR> d-------- C:\Program Files\stc
2008-03-11 11:09 . 2008-03-11 11:09 <DIR> d-------- C:\Program Files\180search assistant
2008-03-11 11:08 . 2008-03-11 11:08 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-11 10:53 . 2008-03-18 13:52 <DIR> d-------- C:\WINDOWS\hjvgsmnf
2008-03-11 10:53 . 2008-03-11 10:53 3,805,830 --a------ C:\WINDOWS\BAD.5ahY1062dB.exe
2008-03-11 10:53 . 2008-03-11 10:53 37,888 --a------ C:\WINDOWS\hizmzgzy.exe
2008-03-09 17:49 . 2008-03-09 17:49 268 --ah----- C:\sqmdata15.sqm
2008-03-09 17:49 . 2008-03-09 17:49 244 --ah----- C:\sqmnoopt15.sqm
2008-03-09 14:25 . 2008-03-09 14:25 268 --ah----- C:\sqmdata14.sqm
2008-03-09 14:25 . 2008-03-09 14:25 244 --ah----- C:\sqmnoopt14.sqm
2008-03-08 15:59 . 2008-03-08 15:59 268 --ah----- C:\sqmdata13.sqm
2008-03-08 15:59 . 2008-03-08 15:59 244 --ah----- C:\sqmnoopt13.sqm
2008-03-07 20:03 . 2008-03-07 20:03 268 --ah----- C:\sqmdata12.sqm
2008-03-07 20:03 . 2008-03-07 20:03 244 --ah----- C:\sqmnoopt12.sqm
2008-02-24 22:41 . 2008-02-25 15:41 <DIR> d-------- C:\Program Files\MSN Games
2008-02-24 22:41 . 2008-02-25 15:55 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\iWin
2008-02-24 22:41 . 2008-02-25 16:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-20 12:04 . 2008-02-20 12:04 268 --ah----- C:\sqmdata11.sqm
2008-02-20 12:04 . 2008-02-20 12:04 244 --ah----- C:\sqmnoopt11.sqm
2008-02-19 21:26 . 2008-02-19 21:26 268 --ah----- C:\sqmdata10.sqm
2008-02-19 21:26 . 2008-02-19 21:26 244 --ah----- C:\sqmnoopt10.sqm
2008-02-19 16:46 . 2008-02-19 16:46 268 --ah----- C:\sqmdata09.sqm
2008-02-19 16:46 . 2008-02-19 16:46 244 --ah----- C:\sqmnoopt09.sqm
2008-02-19 16:01 . 2008-02-19 16:01 268 --ah----- C:\sqmdata08.sqm
2008-02-19 16:01 . 2008-02-19 16:01 244 --ah----- C:\sqmnoopt08.sqm
2008-02-19 11:29 . 2008-02-19 11:29 268 --ah----- C:\sqmdata07.sqm
2008-02-19 11:29 . 2008-02-19 11:29 244 --ah----- C:\sqmnoopt07.sqm
2008-02-18 19:55 . 2008-02-18 19:55 268 --ah----- C:\sqmdata06.sqm
2008-02-18 19:55 . 2008-02-18 19:55 244 --ah----- C:\sqmnoopt06.sqm
2008-02-18 16:22 . 2008-02-18 16:22 268 --ah----- C:\sqmdata05.sqm
2008-02-18 16:22 . 2008-02-18 16:22 244 --ah----- C:\sqmnoopt05.sqm
2008-02-18 12:52 . 2008-02-18 12:52 268 --ah----- C:\sqmdata04.sqm
2008-02-18 12:52 . 2008-02-18 12:52 244 --ah----- C:\sqmnoopt04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-18 09:32 --------- d-----w C:\Program Files\DNA
2008-03-18 09:10 --------- d-----w C:\Program Files\iTunes
2008-03-18 08:54 --------- d-----w C:\Program Files\QuickTime
2008-03-18 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 07:42 --------- d-----w C:\Program Files\MSN Messenger
2008-03-18 07:35 --------- d-----w C:\Program Files\Java
2008-03-18 07:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 06:58 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-17 04:01 --------- d-----w C:\Program Files\Warcraft III
2008-03-14 02:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-17 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-16 19:57 --------- d-----w C:\Documents and Settings\Jason\Application Data\vlc
2008-02-06 21:40 --------- d-----w C:\Documents and Settings\Jason\Application Data\BitTorrent
2008-02-06 03:10 --------- d-----w C:\Documents and Settings\Jason\Application Data\Poser 7
2008-02-06 01:59 --------- d-----w C:\Program Files\e frontier
2008-02-05 21:44 --------- d-----w C:\Program Files\VideoLAN
2008-02-03 18:28 --------- d-----w C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-01-30 14:56 --------- d-----w C:\Program Files\RcvSystem
2008-01-30 00:17 --------- d-----w C:\Program Files\Disney
2008-01-29 01:43 --------- d-----w C:\Documents and Settings\Jason\Application Data\gtk-2.0
2008-01-24 01:22 --------- d-----w C:\Program Files\Guitar Pro 5
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-23 04:59 20,480 ----a-w C:\WINDOWS\quit.exe
2004-12-01 23:34 716 ---ha-w C:\Documents and Settings\All Users\Application Data\pb7msys.dat
.
----a-w           290,112 2008-03-18 07:04:26  C:\Program Files\DNA\btdna .exe
----a-w            49,152 2008-03-18 06:18:53  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w           241,664 2008-03-18 06:18:54  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w           267,048 2008-03-18 06:18:57  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           286,720 2008-03-18 06:21:33  C:\Program Files\QuickTime\qttask   .exe
----a-w           286,720 2008-03-18 07:37:41  C:\Program Files\QuickTime\QTTask  .exe
----a-w           286,720 2008-03-18 07:37:42  C:\Program Files\QuickTime\QTTask .exe
----a-w           528,384 2008-03-18 18:59:40  C:\Program Files\VIA\VIAudioi\SBADeck\ADeck .exe
----a-w            15,360 2008-03-18 05:34:04  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-20 23:07 7110656]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-07-20 23:07 86016]
"AudioDeck"="C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

C:\Documents and Settings\Jason\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-02 20:39:33 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"autoload"=
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"autoload"=C:\Documents and Settings\Jason\Local Settings\Application Data\cftmon.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S0 FPA_RTP;FPA_RTP;C:\WINDOWS\system32\Drivers\FSTOPW.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 22:10:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 14:55:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-18 14:56:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-18 19:56:46
.
2008-03-18 05:37:13 --- E O F ---


HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:59 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.73.171.30:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205834917281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95560977-12C7-4BD2-8B40-F575EAC2B9F2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1F945D8-9E1E-436D-9675-222DD721964E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 5558 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:45 AM

Posted 18 March 2008 - 02:25 PM

Hi,

I want to make you aware of the fact that you would need to reinstall your Avast afterwards as some related components were infected and deleted.
But first, proceed with the following steps...

First of all, uninstall QuickTime as it became infected as well. It's better to uninstall it and reinstall it afterwards, since I don't want to take the chance of restoring the infected files, as we cannot be sure which one is infected and which one is clean. That's why it is better to uninstall it. Do not reinstall it yet!!! The next instructions will also remove the QuickTime folder, to make sure the infected files inside are gone.

Also, please uninstall SpyAway.

Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Documents and Settings\Jason\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\BADFILE.braviax.exe
C:\hUpN.exe
C:\Documents and Settings\LocalService\ftpdll.dll
C:\WINDOWS\system32\BAD.braviax.exe
C:\WINDOWS\system32\ftpdll.dll
C:\Documents and Settings\Jason\ftpdll.dll
C:\WINDOWS\BAD.5ahY1062dB.exe
C:\WINDOWS\hizmzgzy.exe
C:\WINDOWS\quit.exe
Folder::
C:\Program Files\QuickTime
C:\Program Files\RcvSystem
C:\Program Files\stc
C:\Program Files\180search assistant
C:\Program Files\Sysmnt
C:\WINDOWS\hjvgsmnf
C:\Program Files\SpyAway
C:\VundoFix Backups
RENV::
C:\Program Files\DNA\btdna .exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck .exe
C:\WINDOWS\system32\ctfmon .exe
Driver::
FPA_RTP
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
"avast!"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"autoload"=-
"<NO NAME>"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"autoload"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search]


Save this as a text file, CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Also, go to the next site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\Documents and Settings\All Users\Application Data\pb7msys.dat

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply as well.
The above file is a hidden file, so in case you don't have hidden files and folders shown, please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

By the way.. are you aware of the fact that your Windows Firewall is disabled? Any reason why you disabled it? Anyway, I suggest you enable it again, unless you are planning to install a desktop firewall instead.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
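As an added example (not from this thread, and not ComboFix's own code), a small Python checker that applies the patterns the helper acts on above to constructed log lines in the shape of the ComboFix report: executables with a space before the extension (the RENV:: entries), a lookalike of a system binary name (cftmon.exe vs ctfmon.exe), a system binary name outside the Windows directories, and the EnableFirewall=0 value. The rule names, the short list of system binaries and the sample lines are my constructions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the ComboFix report quoted in this thread
# (a file listing followed by "Reg Loading Points" entries); not the original log.
SAMPLE_LOG = r"""
----a-w       286,720 2008-03-18 07:37:42  C:\Program Files\QuickTime\QTTask .exe
----a-w        15,360 2008-03-18 05:34:04  C:\WINDOWS\system32\ctfmon .exe
----a-w        49,152 2008-03-18 06:18:53  C:\Program Files\HP\HP Software Update\HPWuSchd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-20 23:07 7110656]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"autoload"=C:\Documents and Settings\Jason\Local Settings\Application Data\cftmon.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".strip("\n")

# Hypothetical short list of Windows binaries whose names malware likes to imitate.
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|scr|com|pif|bat)\b', re.I)
SPACED_EXT_RE = re.compile(r"\s+\.(?:exe|dll|scr|com|pif|bat)$", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def check_path(line_no: int, path: str, key: str) -> list:
    """Apply the filename rules to one path found on a log line."""
    where = f" (under {key})" if key else ""
    name = ntpath.basename(path)  # ntpath splits backslash paths on any OS
    low = name.lower()
    out = []
    # Rule 1: whitespace before the extension, e.g. "QTTask .exe" (the RENV:: cases).
    if SPACED_EXT_RE.search(name):
        out.append(Finding(line_no, "space-before-extension", path + where))
    # Rule 2: same letters as a system binary but not the same name, e.g. cftmon.exe.
    if low not in SYSTEM_BINARIES:
        for known in sorted(SYSTEM_BINARIES):
            if sorted(low) == sorted(known):
                out.append(Finding(line_no, "lookalike-name",
                                   f"{path} resembles {known}{where}"))
                break
    # Rule 3: a genuine system binary name living outside the Windows directories.
    elif ntpath.dirname(path).lower() not in SYSTEM_DIRS:
        out.append(Finding(line_no, "system-name-outside-system-dir", path + where))
    return out


def scan_log(text: str) -> list:
    """Walk a ComboFix-style report and return the findings in line order."""
    findings = []
    key = ""  # registry key whose values are currently being listed
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        # Rule 4: Windows Firewall switched off in the standard profile.
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding(line_no, "firewall-disabled", key))
            continue
        for path in PATH_RE.findall(line):
            findings.extend(check_path(line_no, path, key))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.rule:<32} {f.detail}")
```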

#9 mdburn1

mdburn1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, MA
  • Local time:02:45 AM

Posted 18 March 2008 - 03:49 PM

Windows Firewall was disabled by something on the system it seems. I enabled it last night.

Going to work on this set of instructions now.

Back shortly.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:45 AM

Posted 18 March 2008 - 03:54 PM

Ok, read you later :thumbsup:

#11 mdburn1

mdburn1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston, MA
  • Local time:02:45 AM

Posted 18 March 2008 - 05:28 PM

Results:
VIRUSTOTAL SCAN:
Antivirus Version Last Update Result
AhnLab-V3 2008.3.18.1 2008.03.18 -
AntiVir 7.6.0.75 2008.03.18 -
Authentium 4.93.8 2008.03.18 -
Avast 4.7.1098.0 2008.03.18 -
AVG 7.5.0.516 2008.03.18 -
BitDefender 7.2 2008.03.18 -
CAT-QuickHeal 9.5 2008.03.14 -
ClamAV 0.92.1 2008.03.18 -
DrWeb 4.44.0.09170 2008.03.18 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5623 2008.03.17 -
Ewido 4 2008.03.18 -
F-Prot 4.4.2.54 2008.03.18 -
FileAdvisor 1 2008.03.18 -
Fortinet 3.14.0.0 2008.03.18 -
Ikarus T3.1.1.20 2008.03.18 -
Kaspersky 7.0.0.125 2008.03.18 -
McAfee 5254 2008.03.18 -
Microsoft 1.3301 2008.03.18 -
NOD32v2 2958 2008.03.18 -
Norman 5.80.02 2008.03.18 -
Panda 9.0.0.4 2008.03.17 -
Prevx1 V2 2008.03.18 -
Rising 20.36.12.00 2008.03.18 -
Sophos 4.27.0 2008.03.18 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.18 -
TheHacker 6.2.92.249 2008.03.18 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.18 -
Webwasher-Gateway 6.6.2 2008.03.18 -

ComboFix:
ComboFix 08-03-17.1 - Jason 2008-03-18 18:01:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.292 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Jason\ftpdll.dll
C:\Documents and Settings\Jason\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\LocalService\ftpdll.dll
C:\hUpN.exe
C:\WINDOWS\BAD.5ahY1062dB.exe
C:\WINDOWS\hizmzgzy.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\BAD.braviax.exe
C:\WINDOWS\system32\BADFILE.braviax.exe
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jason\ftpdll.dll
C:\Documents and Settings\LocalService\ftpdll.dll
C:\hUpN.exe
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\QuickTime
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\Program Files\SpyAway
C:\Program Files\SpyAway\stat.bin
C:\Program Files\SpyAway\uninstall.log
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\VundoFix Backups
C:\VundoFix Backups\qrqss.ini.bad
C:\VundoFix Backups\qrqss.ini2.bad
C:\WINDOWS\BAD.5ahY1062dB.exe
C:\WINDOWS\hizmzgzy.exe
C:\WINDOWS\hjvgsmnf
C:\WINDOWS\hjvgsmnf\Thumbs.db
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\BAD.braviax.exe
C:\WINDOWS\system32\BADFILE.braviax.exe
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FPA_RTP
-------\Service_FPA_RTP


((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-18 13:48 . 2005-03-02 13:09 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-18 13:46 . 2008-03-18 13:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-18 13:43 . 2008-03-18 13:59 <DIR> d-------- C:\SDFix
2008-03-18 04:50 . 2008-03-18 04:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 03:51 . 2008-03-18 03:51 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-18 03:18 . 2008-03-18 04:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-18 03:18 . 2008-03-18 03:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-18 03:18 . 2008-03-18 03:18 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-18 03:18 . 2008-03-18 03:18 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-18 01:28 . 2008-03-18 03:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-17 23:57 . 2008-03-17 23:57 2,774 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-17 23:55 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-17 23:55 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-17 23:55 . 2008-03-14 09:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-17 23:55 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-17 23:55 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-17 23:55 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-17 23:55 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-17 23:32 . 2008-03-18 00:34 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-03-17 23:32 . 2008-03-18 00:34 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-03-17 23:31 . 2008-03-17 23:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-17 23:16 . 2008-03-17 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-17 23:02 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-17 22:55 . 2008-03-17 22:55 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-17 22:49 . 2008-03-17 22:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-17 22:47 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002488_.tmp
2008-03-17 22:38 . 2008-03-17 22:38 <DIR> d-------- C:\WINDOWS\EHome
2008-03-17 22:22 . 2008-03-17 22:22 <DIR> d-------- C:\Program Files\CCleaner
2008-03-17 22:16 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-03-17 22:14 . 2004-08-04 00:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-17 22:14 . 2004-08-04 00:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-17 22:14 . 2004-08-04 00:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-17 22:14 . 2004-01-10 00:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-03-17 22:12 . 2008-03-17 22:12 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-16 20:17 . 2008-03-16 20:17 0 --ahs---- C:\Documents and Settings\Jason\Application Data\0047ddc63fcee114bd3c4a9728eb19e105c120b1d7e966ef01.dat
2008-03-11 17:25 . 2008-03-11 17:25 268 --ah----- C:\sqmdata19.sqm
2008-03-11 17:25 . 2008-03-11 17:25 244 --ah----- C:\sqmnoopt19.sqm
2008-03-11 15:30 . 2008-03-11 15:30 268 --ah----- C:\sqmdata18.sqm
2008-03-11 15:30 . 2008-03-11 15:30 244 --ah----- C:\sqmnoopt18.sqm
2008-03-11 12:59 . 2008-03-11 12:59 268 --ah----- C:\sqmdata17.sqm
2008-03-11 12:59 . 2008-03-11 12:59 244 --ah----- C:\sqmnoopt17.sqm
2008-03-11 12:36 . 2008-03-11 12:36 268 --ah----- C:\sqmdata16.sqm
2008-03-11 12:36 . 2008-03-11 12:36 244 --ah----- C:\sqmnoopt16.sqm
2008-03-09 17:49 . 2008-03-09 17:49 268 --ah----- C:\sqmdata15.sqm
2008-03-09 17:49 . 2008-03-09 17:49 244 --ah----- C:\sqmnoopt15.sqm
2008-03-09 14:25 . 2008-03-09 14:25 268 --ah----- C:\sqmdata14.sqm
2008-03-09 14:25 . 2008-03-09 14:25 244 --ah----- C:\sqmnoopt14.sqm
2008-03-08 15:59 . 2008-03-08 15:59 268 --ah----- C:\sqmdata13.sqm
2008-03-08 15:59 . 2008-03-08 15:59 244 --ah----- C:\sqmnoopt13.sqm
2008-03-07 20:03 . 2008-03-07 20:03 268 --ah----- C:\sqmdata12.sqm
2008-03-07 20:03 . 2008-03-07 20:03 244 --ah----- C:\sqmnoopt12.sqm
2008-02-24 22:41 . 2008-02-25 15:41 <DIR> d-------- C:\Program Files\MSN Games
2008-02-24 22:41 . 2008-02-25 15:55 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\iWin
2008-02-24 22:41 . 2008-02-25 16:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-20 12:04 . 2008-02-20 12:04 268 --ah----- C:\sqmdata11.sqm
2008-02-20 12:04 . 2008-02-20 12:04 244 --ah----- C:\sqmnoopt11.sqm
2008-02-19 21:26 . 2008-02-19 21:26 268 --ah----- C:\sqmdata10.sqm
2008-02-19 21:26 . 2008-02-19 21:26 244 --ah----- C:\sqmnoopt10.sqm
2008-02-19 16:46 . 2008-02-19 16:46 268 --ah----- C:\sqmdata09.sqm
2008-02-19 16:46 . 2008-02-19 16:46 244 --ah----- C:\sqmnoopt09.sqm
2008-02-19 16:01 . 2008-02-19 16:01 268 --ah----- C:\sqmdata08.sqm
2008-02-19 16:01 . 2008-02-19 16:01 244 --ah----- C:\sqmnoopt08.sqm
2008-02-19 11:29 . 2008-02-19 11:29 268 --ah----- C:\sqmdata07.sqm
2008-02-19 11:29 . 2008-02-19 11:29 244 --ah----- C:\sqmnoopt07.sqm
2008-02-18 19:55 . 2008-02-18 19:55 268 --ah----- C:\sqmdata06.sqm
2008-02-18 19:55 . 2008-02-18 19:55 244 --ah----- C:\sqmnoopt06.sqm
2008-02-18 16:22 . 2008-02-18 16:22 268 --ah----- C:\sqmdata05.sqm
2008-02-18 16:22 . 2008-02-18 16:22 244 --ah----- C:\sqmnoopt05.sqm
2008-02-18 12:52 . 2008-02-18 12:52 268 --ah----- C:\sqmdata04.sqm
2008-02-18 12:52 . 2008-02-18 12:52 244 --ah----- C:\sqmnoopt04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 23:01 --------- d-----w C:\Program Files\iTunes
2008-03-18 23:01 --------- d-----w C:\Program Files\DNA
2008-03-18 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-18 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 07:42 --------- d-----w C:\Program Files\MSN Messenger
2008-03-18 07:35 --------- d-----w C:\Program Files\Java
2008-03-18 07:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 06:58 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-17 04:01 --------- d-----w C:\Program Files\Warcraft III
2008-03-14 02:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-17 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-16 19:57 --------- d-----w C:\Documents and Settings\Jason\Application Data\vlc
2008-02-06 21:40 --------- d-----w C:\Documents and Settings\Jason\Application Data\BitTorrent
2008-02-06 03:10 --------- d-----w C:\Documents and Settings\Jason\Application Data\Poser 7
2008-02-06 01:59 --------- d-----w C:\Program Files\e frontier
2008-02-05 21:44 --------- d-----w C:\Program Files\VideoLAN
2008-02-03 18:28 --------- d-----w C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-01-30 00:17 --------- d-----w C:\Program Files\Disney
2008-01-29 01:43 --------- d-----w C:\Documents and Settings\Jason\Application Data\gtk-2.0
2008-01-24 01:22 --------- d-----w C:\Program Files\Guitar Pro 5
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2004-12-01 23:34 716 ---ha-w C:\Documents and Settings\All Users\Application Data\pb7msys.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-18_14.56.36.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-18 22:56:17 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2008-03-18 23:10:05 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_4a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-20 23:07 7110656]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-07-20 23:07 86016]
"AudioDeck"="C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe" [2008-03-18 13:59 528384]

C:\Documents and Settings\Jason\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-02 20:39:33 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 22:10:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 18:09:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-18 18:11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-18 23:11:19
ComboFix2.txt 2008-03-18 19:56:50
.
2008-03-18 05:37:13 --- E O F ---


HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:09 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.73.171.30:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205834917281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95560977-12C7-4BD2-8B40-F575EAC2B9F2}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1F945D8-9E1E-436D-9675-222DD721964E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 4728 bytes

Thanks...
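A small added check over the log format used in this thread (example code written here, not the poster's, BleepingComputer's or HijackThis's own): it parses HijackThis entry lines and reports a configured proxy or DNS resolvers that the machine's owner did not set. The expected resolver set and the expect_proxy flag are assumptions the reviewer supplies; the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: four entry lines copied from the HijackThis log posted above.
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.73.171.30:80",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
]

# A HijackThis entry is "<kind> - <body>", where kind is R0-R3, F0-F3, N1-N4 or O1-O24.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(lines):
    """Return (kind, body) pairs for every line that is a HijackThis entry."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def review(entries, expected_dns, expect_proxy=False):
    """Report entries that change where the machine's traffic goes.

    expected_dns: set of resolver IPs the owner actually uses (an assumption the
    reviewer supplies; the OpenDNS addresses are the ones shown in this thread).
    expect_proxy: True only if the owner deliberately configured an HTTP proxy.
    Returns a list of (kind, body, reason) tuples.
    """
    findings = []
    for kind, body in entries:
        if kind == "R1" and "ProxyServer" in body and not expect_proxy:
            findings.append((kind, body, "proxy configured but none expected"))
        elif kind == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                unknown = {s.strip() for s in m.group(1).split(",")} - expected_dns
                if unknown:
                    findings.append((kind, body, "unexpected resolvers: " + ", ".join(sorted(unknown))))
    return findings


if __name__ == "__main__":
    for kind, body, reason in review(parse_hjt(SAMPLE_LOG_LINES), {"208.67.220.220", "208.67.222.222"}):
        print(f"{kind}: {reason}\n    {body}")
```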

#12 miekiemoes

miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 March 2008 - 05:49 PM

Hi,

Please reinstall your Avast again, because you currently have no antivirus running, so you are wide open for infection. Also, enable your Windows Firewall or install a desktop firewall instead. Look in my signature below under Firewalls for the ones I recommend.

I overlooked one file earlier... can't tell if it's malware or not, so also upload the file C:\WINDOWS\002488_.tmp at Virustotal and post the results in your next reply.

Also let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 mdburn1

mdburn1
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Boston, MA

Posted 18 March 2008 - 06:12 PM

I am putting BitDefender on the system for her instead of Avast!.

Windows firewall is running, will replace with Zone Alarm Pro once I look into what if any impact this will have on her kids World of Warcraft and other games....

The VirusTotal scan of that file came back looking exactly like the results for the other file that I posted previously. Nothing found. I'm posting these messages from another system, so since it looks just like the other one I figured I'd just say so rather than save the log and move it over here...

System is running MUCH better now. When I picked it up it would reboot as soon as explorer came up, even in safe mode. Had five or six of the balloons coming up to inform of "spyware found... buy our product" (those people should be hung by their toes and beaten with a hammer!) and it was so painfully slow I almost just blew it up and rebuilt it clean.

#14 miekiemoes

miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 March 2008 - 07:01 PM

Hi,

Good to hear. :wacko:

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


If you decide to install BitDefender, keep in mind that it's not a free scanner, so you should pay for it. If you're going to pay for it, then I suggest you install the BitDefender Security Suite, which has a firewall included... so no need to install a separate firewall then.
I don't really like ZoneAlarm since I have seen it causing a lot of issues as well, but if it works fine in your case, then use it of course. Keep in mind that ZoneAlarm Pro isn't free either.
And please do not try to get these programs via crack sites or P2P software, because that's how you get infected in the first place :thumbsup:

Look in my signature below for Antivirus + Firewalls I recommend.

Glad I could help. :blink:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Edited by miekiemoes, 18 March 2008 - 07:01 PM.


#15 mdburn1

mdburn1
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Boston, MA

Posted 18 March 2008 - 07:18 PM

Yes, I know they need to purchase the software... it's really up to them in the end, but I'll recommend it for them. For now I put Avast back on it so there's something there.

The primary user is a 16 year old "gamer", so I'm not surprised that it was all messed up.

Thanks so much for your assistance!
