Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Taken Over By Trojan-downloader.win32.injecter.zy 1


  • This topic is locked This topic is locked
10 replies to this topic

#1 rdr8887

rdr8887

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 28 June 2008 - 05:39 PM

Everytime I open up a new browser window or click in My Computer, a browser window opens with a message to download IE Antivirus. Internet explorer seems to be more affected than Firefox is. It takes a while to close browser windows. I ran Avast, Spybot S&D, and Adaware. Adaware aware found a threat and removed it, but it did not fix the problem.




Main.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-28 18:22:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
62: 2008-06-28 22:22:52 UTC - RP106 - Deckard's System Scanner Restore Point
61: 2008-06-28 13:37:00 UTC - RP105 - Software Distribution Service 3.0
60: 2008-06-27 23:20:11 UTC - RP104 - Software Distribution Service 3.0
59: 2008-06-27 01:00:15 UTC - RP103 - Software Distribution Service 3.0
58: 2008-06-26 01:06:43 UTC - RP102 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-28 03:38:44 UTC - RP45 - Installed DirectX


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-28 18:24:21
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\HPQ\shared\HpqToaster.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - C:\WINDOWS\system32\xmlwin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1212114410093
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe


--
End of file - 7237 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-28 13:31:54 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-28 13:31:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-06-27 19:56:31 26624 --a------ C:\WINDOWS\system32\xmlwin.dll
2008-06-19 16:51:59 0 d-------- C:\Program Files\Microsoft Works
2008-06-19 16:50:06 0 d-------- C:\Program Files\Microsoft.NET
2008-06-19 16:47:56 0 d-------- C:\WINDOWS\SHELLNEW
2008-06-19 16:46:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-19 16:46:20 0 dr-h----- C:\MSOCache
2008-06-19 16:01:13 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-19 16:00:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-15 21:26:55 68096 --a------ C:\WINDOWS\system32\WBTRV32.DLL <Not Verified; Pervasive Software Inc.; Pervasive Software Communications Module>
2008-06-15 21:26:55 110080 --a------ C:\WINDOWS\system32\W32MKRC.DLL
2008-06-15 21:26:55 320512 --a------ C:\WINDOWS\system32\W32MKDE.EXE
2008-06-15 21:26:51 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-05-31 17:31:54 0 d-------- C:\Program Files\Broadcom
2008-05-31 15:11:18 201728 --a------ C:\WINDOWS\creator <Not Verified; SoftThinks; DeleteRP Application>
2008-05-31 15:11:17 0 d-------- C:\Program Files\SP36691
2008-05-31 15:10:56 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-05-31 15:10:50 0 d-------- C:\WINDOWS\tiinst
2008-05-31 15:09:49 0 d-------- C:\Program Files\NetWaiting
2008-05-31 02:20:49 0 d-------- C:\Program Files\Lavasoft
2008-05-31 02:20:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 02:20:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 01:17:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 01:08:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-05-31 00:50:33 0 d-------- C:\Program Files\Alwil Software
2008-05-30 23:19:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2008-05-30 22:35:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-30 22:35:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-30 22:35:21 0 d-------- C:\Program Files\Google
2008-05-30 22:21:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-29 23:03:46 0 d--hs---- C:\WINDOWS\CSC
2008-05-29 23:03:12 0 d-------- C:\WINDOWS\Prefetch
2008-05-29 22:57:02 0 d-------- C:\WINDOWS\system32\scripting
2008-05-29 22:57:02 0 d-------- C:\WINDOWS\system32\en
2008-05-29 22:57:02 0 d-------- C:\WINDOWS\l2schemas
2008-05-29 22:57:01 0 d-------- C:\WINDOWS\system32\bits
2008-05-29 22:55:22 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-29 22:53:08 0 d-------- C:\WINDOWS\network diagnostic
2008-05-29 22:32:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-29 22:31:35 0 d-------- C:\WINDOWS\Sun
2008-05-29 22:31:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-05-29 22:30:03 0 d-------- C:\WINDOWS\system32\PreInstall
2008-05-29 22:27:21 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-05-29 22:26:36 0 d--hs---- C:\Documents and Settings\Owner\UserData
2008-05-29 22:26:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia


-- Find3M Report ---------------------------------------------------------------

2008-06-19 16:51:20 0 d-------- C:\Program Files\Common Files
2008-05-31 17:29:00 0 d-------- C:\Program Files\Hp
2008-05-31 15:11:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-31 15:09:49 0 d-------- C:\Program Files\CONEXANT
2008-05-29 22:57:21 0 d-------- C:\Program Files\Messenger
2008-05-29 22:57:01 0 d-------- C:\Program Files\Movie Maker
2008-05-29 22:55:05 0 d-------- C:\Program Files\Windows NT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}]
06/27/2008 07:56 PM 26624 --a------ C:\WINDOWS\system32\xmlwin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 04:56 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/15/2007 05:27 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [09/28/2005 12:05 AM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [08/01/2005 05:26 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/05/2007 05:17 PM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [10/11/2005 07:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [08/26/2005 09:14 PM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [12/13/2005 07:45 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 05:29 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 07:19 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 07:24 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/13/2008 08:12 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [8/16/2005 2:56:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9c4af5a-e377-11db-8cba-806d6172696f}]
AutoRun\command- E:\bit.exe -S "LTFT.bits"




-- End of Deckard's System Scanner: finished at 2008-06-28 18:26:37 ------------






EXTRA.TXT


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-34
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 1022.17 MiB / 508.5 MiB
Pagefile Memory (total/avail): 2969.25 MiB / 2387.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.73 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 63.39 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST980210A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-F335EBB2D
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OWNER-F335EBB2D
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE15~1.0_0\bin;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OWNER-F335EBB2D
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Broadcom 802.11 Wireless LAN Adapter --> "C:\Program Files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Broadcom\Broadcom 802.11\Driver"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\UIU32a.exe -U -ICPL309BA.INF
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\Setup.exe" -l0x9 -removeonly
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HP User Guides 0008 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{43A6AA2A-74B5-4E1C-91DB-ECB2F99D9ED7}\setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 C1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\Setup.exe" -l0x9 hpquninst
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Professional 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
muvee autoProducer 4.0 - SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe" -l0x9
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Quick Launch Buttons 5.20 D2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378\HXFSETUP.EXE -U -Icpl309bk.inf
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{B9C22F96-61F6-4ADA-808A-4A1AE835E75F}\setup.exe -runfromtemp -l0x0409
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
Windows XP Media Center Edition 2005 KB894553 --> C:\WINDOWS\$NtUninstallKB894553$\spuninst\spuninst.exe
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Zone Deluxe Games --> MsiExec.exe /I{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}


-- Application Event Log -------------------------------------------------------

Event Record #/Type342 / Error
Event Submitted/Written: 06/28/2008 01:31:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.5730.13, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type341 / Error
Event Submitted/Written: 06/28/2008 01:30:44 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.5730.13, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x000369aa.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type340 / Error
Event Submitted/Written: 06/28/2008 01:28:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.5730.13, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type339 / Error
Event Submitted/Written: 06/28/2008 01:27:48 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 223121472.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type338 / Error
Event Submitted/Written: 06/28/2008 01:27:45 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2192 / Warning
Event Submitted/Written: 06/28/2008 09:36:27 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A5B70540. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2171 / Warning
Event Submitted/Written: 06/27/2008 07:19:40 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A5B70540. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2151 / Error
Event Submitted/Written: 06/26/2008 08:59:41 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.1.2 on the
Network Card with network address 0014A5B70540.

Event Record #/Type2150 / Warning
Event Submitted/Written: 06/26/2008 08:59:41 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A5B70540. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2127 / Warning
Event Submitted/Written: 06/25/2008 07:13:30 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-06-28 18:26:37 ------------



KASPERSKY REPORT.TXT

Saturday, June 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 28, 2008 20:25:10
Records in database: 895967


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 44427
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 00:47:29

File name Threat name Threats count
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\R7X0M536\c-setup[1].exe Infected: Trojan-Downloader.Win32.Injecter.zy 1

The selected area was scanned.

BC AdBot (Login to Remove)

 


m

#2 rdr8887

rdr8887
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 01 July 2008 - 06:19 PM

Did I post something incorrectly? Or did I leave out any information?

#3 rdr8887

rdr8887
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 02 July 2008 - 05:55 PM

My laptop is now running VERY slow on the internet. I am able to use firefox browser to log on and check email. However, internet explorer will not do anything but show popups. Should I run another scan on Panda? I tried to look for the file Panda found to delete it, but I was unable to find it.

Thanks in advance!

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:24 PM

Posted 21 July 2008 - 10:07 AM

Hello, rdr8887.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
In your next reply, please include the following:
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 rdr8887

rdr8887
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 21 July 2008 - 12:43 PM

I will follow these steps now. But, my logs may have changed. I can't remember exactly what I did, but, I removed a portion (if not all) of the spyware. I had to go ahead and do something....

I will follow your steps, but let me know if I should post another log or repeat everything I did initially.

Thanks,
Ray

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:24 PM

Posted 21 July 2008 - 12:43 PM

That's why we ask for new ones :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 rdr8887

rdr8887
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 21 July 2008 - 01:03 PM

dss.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

This happened 3 times with trying to scan.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:24 PM

Posted 22 July 2008 - 11:49 AM

Hello, rdr8887.
We need to run ComboFix.In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 rdr8887

rdr8887
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 25 July 2008 - 08:05 PM

I'm sorry it took so long. I had a crisis come up at work and was not able to be near my personal laptop.

Here is the log.

ComboFix 08-07-24.6 - Owner 2008-07-25 21:01:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.589 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-09 16:33 . 2008-07-21 17:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-07-09 16:33 . 2008-04-13 11:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-07-02 22:17 . 2008-07-02 22:17 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-28 18:22 . 2008-06-28 18:22 <DIR> d-------- C:\Deckard
2008-06-28 13:31 . 2008-06-28 13:31 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 20:52 --------- d-----w C:\Program Files\Microsoft Works
2008-06-19 20:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-19 20:50 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-19 20:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-19 20:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-31 21:31 --------- d-----w C:\Program Files\Broadcom
2008-05-31 21:29 --------- d-----w C:\Program Files\Hp
2008-05-31 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-31 19:11 --------- d-----w C:\Program Files\SP36691
2008-05-31 19:09 --------- d-----w C:\Program Files\NetWaiting
2008-05-31 19:09 --------- d-----w C:\Program Files\CONEXANT
2008-05-31 06:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 06:20 --------- d-----w C:\Program Files\Lavasoft
2008-05-31 06:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 05:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-31 05:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2008-05-31 04:53 --------- d-----w C:\Program Files\Google
2008-05-31 04:50 --------- d-----w C:\Program Files\Alwil Software
2008-05-31 02:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-28 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56 64512]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 05:27 1015808]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 00:05 344064]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 17:26 233534]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-05 17:17 98304]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-11 19:17 409600]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 21:14 36975]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 19:45 507904]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 05:29 102400]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19 79224]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 19:24 54840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-08-16 14:56:00 577597]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 17:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adc6429a-4c8f-11dd-a5b3-0016d43476dd}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9c4af5a-e377-11db-8cba-806d6172696f}]
\Shell\AutoRun\command - E:\bit.exe -S "LTFT.bits"

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 21:03:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????????h????????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-25 21:04:46
ComboFix-quarantined-files.txt 2008-07-26 01:04:26

Pre-Run: 67,353,452,544 bytes free
Post-Run: 67,521,683,456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

119 --- E O F --- 2008-07-26 00:48:32

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:24 PM

Posted 28 July 2008 - 08:31 AM

Hello, rdr8887.

I don't see any malware. Are you still having problems?

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use <Control>+A)
  • Right-click again and chose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:24 PM

Posted 02 August 2008 - 11:31 PM

Hello, rdr8887.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users