
Strange Happenings...help!


  • This topic is locked
26 replies to this topic

#1 klfrancois

klfrancois

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:50 AM

Posted 13 July 2008 - 09:06 PM

To sum up some of the issues i've been having:
I installed Online Armor and shortly thereafter my entire system locked up and after waiting for about 5 minutes I had no choice but to manually shutdown. After reboot I opened Process Explorer and saw that "oasrv.exe" was running even though I had shut down the program. After uninstalling and restarting, I attempted to run Panda ActiveScan but was unable to -- I received an error that it was unable to update. Also, I have been receiving notifications from Automatic Updates to install Security Update for CAPICOM (KB931906). I've already allowed this to install so I'm not really sure what may be causing this... Aside from those issues, my desktop background changes when Windows is shutting down. It shows an image vs. my normal background which is just a black screen. I ran Deckard's System Scanner and have posted the log below.

Any advice you may have would be greatly appreciated! Thanks.

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-07-13 21:52:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:15 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-21-372749117-3441972294-1571655545-1008\..\Run: [Aim6] (User '?')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\HPZipm12.exe (file missing)

--
End of file - 4340 bytes

-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-07-13 21:53:02 0 d-------- C:\Program Files\Trend Micro
2008-07-13 21:08:15 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2008-07-13 18:48:20 0 d-------- C:\ProcessExplorer
2008-07-13 18:16:04 0 d-------- C:\Program Files\Panda Security
2008-07-13 17:45:50 0 d-------- C:\TcpView
2008-07-13 17:35:59 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\acccore
2008-07-13 17:32:59 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-07-13 17:32:46 0 d-------- C:\Program Files\Viewpoint
2008-07-13 17:32:45 0 d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-13 17:32:36 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-13 17:32:36 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-13 17:32:17 0 d-------- C:\Program Files\Common Files\AOL
2008-07-13 17:32:01 0 d-------- C:\Program Files\AIM6
2008-07-13 17:29:34 0 d-------- C:\Program Files\MSECache
2008-07-13 17:27:53 0 dr-h----- C:\MSOCache
2008-07-13 17:16:46 0 d-------- C:\BootSafe
2008-07-13 14:23:55 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-07-13 14:21:45 0 d-------- C:\Program Files\Citrix
2008-07-13 14:09:37 0 dr------- C:\Documents and Settings\Administrator\Recent
2008-07-13 13:58:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-07-13 13:29:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-13 12:59:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-07-13 12:54:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-07-13 12:49:14 0 d-------- C:\Program Files\Java
2008-07-13 12:49:13 0 d-------- C:\Program Files\Common Files\Java
2008-07-13 12:48:59 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sun
2008-07-13 12:26:04 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-13 12:10:37 0 d-------- C:\Program Files\Tall Emu
2008-07-13 10:46:51 0 d--h----- C:\$AVG8.VAULT$
2008-07-13 04:20:38 0 d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies
2008-07-13 04:19:29 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 04:19:24 0 d-------- C:\Program Files\AVG
2008-07-13 04:19:24 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-13 04:18:43 262144 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-13 03:54:17 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data
2008-07-13 03:54:17 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft
2008-07-13 03:54:16 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Start Menu
2008-07-13 03:54:14 262144 --a------ C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat
2008-07-13 03:54:14 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings
2008-07-13 02:27:11 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-07-13 02:27:11 0 d-a------ C:\WINDOWS\system32\systems.txt
2008-07-13 02:27:11 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-07-13 02:27:11 0 d-------- C:\WINDOWS\rundll16.exe
2008-07-13 02:27:11 0 d-a------ C:\WINDOWS\rundl132.dll
2008-07-13 02:27:11 0 d-a------ C:\WINDOWS\logo1_.exe
2008-07-13 02:18:23 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-13 02:18:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 02:18:20 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 23:40:05 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Macromedia
2008-07-07 23:25:52 0 d--hs---- C:\Documents and Settings\HP_Administrator\UserData
2008-07-07 16:39:34 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2008-07-07 16:35:24 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-07 16:35:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-07 16:21:25 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-06 21:36:35 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinPatrol
2008-07-06 21:36:31 0 d-------- C:\Program Files\BillP Studios
2008-07-06 20:47:29 0 d-------- C:\Program Files\Lavasoft
2008-07-06 20:47:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 12:47:56 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-07-05 12:24:18 159744 --a------ C:\WINDOWS\system32\hasher.dll <Not Verified; ; hasher Dynamic Link Library>
2008-07-05 11:53:49 0 d-------- C:\Program Files\msn gaming zone
2008-07-05 11:39:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-04 16:37:32 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-03 11:32:45 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-30 23:21:18 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 23:21:16 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 23:21:16 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-06-30 22:33:06 0 d-------- C:\Program Files\CCleaner
2008-06-30 21:33:11 0 d-------- C:\WINDOWS\Sun
2008-06-30 21:20:37 0 d-------- C:\Program Files\SpywareBlaster
2008-06-30 20:28:08 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
2008-06-30 20:26:07 0 d-------- C:\Program Files\MSXML 4.0
2008-06-29 00:33:34 0 d-------- C:\WINDOWS\pss
2008-06-28 18:17:42 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-28 18:17:40 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla
2008-06-28 17:59:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-28 17:58:58 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-28 17:55:59 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-27 05:38:19 0 d-------- C:\WINDOWS\Options
2008-06-27 05:35:30 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-27 05:04:52 0 d-------- C:\WINDOWS\CSC
2008-06-27 04:58:50 0 dr------- C:\Documents and Settings\HP_Administrator\Favorites
2008-06-27 04:58:50 0 d-------- C:\Documents and Settings\HP_Administrator\Desktop
2008-06-27 04:58:50 0 d--hs---- C:\Documents and Settings\HP_Administrator\Cookies
2008-06-27 04:58:50 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data
2008-06-27 04:58:50 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Identities
2008-06-27 04:58:49 0 d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2008-06-27 04:58:49 0 d-------- C:\Documents and Settings\HP_Administrator\Templates
2008-06-27 04:58:49 0 d-------- C:\Documents and Settings\HP_Administrator\Start Menu
2008-06-27 04:58:49 0 d-------- C:\Documents and Settings\HP_Administrator\SendTo
2008-06-27 04:58:49 0 d-------- C:\Documents and Settings\HP_Administrator\PrintHood
2008-06-27 04:58:49 8126464 --a------ C:\Documents and Settings\HP_Administrator\NTUSER.DAT
2008-06-27 04:58:49 0 d-------- C:\Documents and Settings\HP_Administrator\NetHood
2008-06-27 04:58:49 0 dr------- C:\Documents and Settings\HP_Administrator\My Documents
2008-06-27 04:58:49 0 d--h----- C:\Documents and Settings\HP_Administrator\Local Settings
2008-06-27 04:56:59 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-06-27 04:55:58 0 d-------- C:\WINDOWS\Prefetch
2008-06-27 04:53:01 0 d--hs---- C:\System Volume Information
2008-06-27 04:50:51 244 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-06-27 04:36:36 0 dr------- C:\WINDOWS\Offline Web Pages
2008-06-27 04:33:30 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-06-27 02:44:49 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\HPQ


-- Find3M Report ---------------------------------------------------------------

2008-07-13 17:32:17 0 d-------- C:\Program Files\Common Files
2008-07-06 19:49:52 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-06 19:49:11 0 d-------- C:\Program Files\InstallShield Installation Information
2008-07-06 19:44:36 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-06 19:44:12 0 d-------- C:\Program Files\Common Files\HP
2008-07-02 00:06:51 0 d-------- C:\Program Files\HP
2008-06-30 21:44:58 0 d-------- C:\Program Files\Hewlett-Packard


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
07/07/2008 10:50 PM 75128 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/30/2005 12:01 AM]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/03/2005 02:19 AM C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/09/2006 10:50 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 01:14 AM]
"_SetRes"="c:\hp\bin\cloaker c:\hp\bin\res.bat" []
"regcmdcons"="c:\hp\bin\cloaker.exe" [11/07/1999 02:11 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 12:04 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/09/2006 10:50 PM]
"RTHDCPL"="RTHDCPL.EXE" [10/25/2007 03:57 AM C:\WINDOWS\RTHDCPL.EXE]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [07/04/2008 12:58 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/13/2008 04:19 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoCommonGroups"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-13 21:53:46 ------------

I just noticed that there is a topic titled "Computer" with my post in it.... When I first went to post my topic my browser froze and I had to re-visit the page (luckily I had saved the text in another program) -- It wasn't until after I posted just now that I saw the "Computer" post from myself. Maybe another instance of the strange happenings? I'm not sure! Please disregard the previous post.

Merged posts. Also deleted the duplicate topic entitled "Computer" ~ OB

Edited by Orange Blossom, 19 July 2008 - 10:50 PM.
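As an added example (not from this thread, and not the HijackThis authors' code), a small Python triage helper that parses lines in the HijackThis 2.0.2 format used in the log above and flags the items a reviewer usually checks first: autostart entries with no command or only a bare file name, services whose binary is reported missing or whose path is malformed (as in the Pml Driver HPZ12 line), and AppInit_DLLs/Winlogon hooks. The sample lines are a constructed subset of the posted log; the flag names are my own and mean "look here first", not "malware".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the poster's HijackThis 2.0.2 log, chosen so
# that every rule below fires at least once. Paths use normal backslashes.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKUS\S-1-5-21-372749117-3441972294-1571655545-1008\..\Run: [Aim6] (User '?')
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\HPZipm12.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


@dataclass
class Entry:
    kind: str                 # HijackThis section code: R1, O2, O4, O23 ...
    label: str                # the item name as HijackThis prints it
    target: str               # command line, DLL or service binary as logged
    raw: str = ""             # the complete original line
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Turn one HijackThis line into an Entry, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":                      # "HKLM\..\Run: [Name] command"
        o4 = O4_RE.match(body)
        if o4:
            return Entry(kind, o4.group("name"), o4.group("cmd").strip(), line)
        return Entry(kind, "?", body, line)
    if kind == "O20":                     # "AppInit_DLLs: x.dll" / "Winlogon Notify: ..."
        label, _, rest = body.partition(": ")
        return Entry(kind, label, rest.strip(), line)
    if kind in ("O2", "O9", "O18", "O23"):   # "Type: Name - {CLSID|owner} - path"
        label = body.split(" - ", 1)[0].split(": ", 1)[-1]
        return Entry(kind, label, body.rsplit(" - ", 1)[-1].strip(), line)
    key, _, value = body.partition(" = ")  # R0/R1 browser settings
    return Entry(kind, key, value.strip(), line)


def triage(entry: Entry) -> Entry:
    """Attach review flags; a flag means 'look here first', not 'malware'."""
    t = entry.target
    if "(file missing)" in t:
        entry.flags.append("file missing")
    if len(DRIVE_RE.findall(t)) > 1:      # e.g. C:\WINDOWS\C:\WINDOWS\...
        entry.flags.append("malformed path")
    if entry.kind == "O4":
        if not t or t.startswith("(User"):
            entry.flags.append("empty command")
        elif not DRIVE_RE.search(t):      # bare name, resolved via PATH at logon
            entry.flags.append("unqualified filename")
    if entry.kind == "O20":               # DLL loaded into other processes
        entry.flags.append("system-wide DLL hook")
    if entry.kind == "O23" and "Unknown owner" in entry.raw:
        entry.flags.append("no publisher")
    return entry


def triage_log(text: str) -> dict:
    """Map label -> flags for every entry that earned at least one flag."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged[entry.label] = entry.flags
    return flagged


if __name__ == "__main__":
    for label, flags in triage_log(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(flags)}")
```

Entries from a known vendor in a normal location (WinPatrol, the NVIDIA service) earn no flag, so the output is the short list a helper would ask about first.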




#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:50 AM

Posted 27 July 2008 - 10:37 PM

Hello klfrancois,


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVG Antivirus and WinPatrol before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable WinPatrol
Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:50 AM

Posted 28 July 2008 - 08:53 PM

Hi! Sorry for the delay. Here's my ComboFix log:


ComboFix 08-07-28.4 - HP_Administrator 2008-07-28 21:41:17.1 - NTFSx86

Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-24 22:24 . 2008-07-24 22:24 <DIR> d-------- C:\Program Files\Real
2008-07-24 22:24 . 2008-07-24 22:24 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-24 22:24 . 2008-07-24 22:24 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-19 22:31 . 2008-07-19 22:31 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-19 22:29 . 2008-07-19 22:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-19 22:29 . 2008-07-19 22:30 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-19 22:17 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-13 21:53 . 2008-07-13 21:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 21:52 . 2008-07-13 21:52 <DIR> d-------- C:\Deckard
2008-07-13 17:35 . 2008-07-13 17:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\acccore
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Program Files\Viewpoint
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-07-13 17:32 . 2008-07-13 17:35 <DIR> d-------- C:\Program Files\AIM6
2008-07-13 17:32 . 2008-07-13 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-13 17:31 . 2008-07-13 17:35 368 --ah----- C:\IPH.PH
2008-07-13 17:29 . 2008-07-13 17:29 <DIR> d-------- C:\Program Files\MSECache
2008-07-13 14:23 . 2008-07-25 20:18 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-07-13 12:49 . 2008-07-13 12:49 <DIR> d-------- C:\Program Files\Java
2008-07-13 12:49 . 2008-07-13 12:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-13 12:49 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-13 12:26 . 2008-07-28 21:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-13 10:46 . 2008-07-27 21:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-13 04:19 . 2008-07-28 21:19 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 04:19 . 2008-07-13 04:19 <DIR> d-------- C:\Program Files\AVG
2008-07-13 04:19 . 2008-07-13 04:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-13 04:19 . 2008-07-13 04:19 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-13 04:19 . 2008-07-13 04:19 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-13 04:19 . 2008-07-13 04:19 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-13 03:54 . 2008-07-13 04:20 <DIR> d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY
2008-07-13 02:30 . 2008-07-13 02:30 100 --a------ C:\23990098.$$$
2008-07-13 02:27 . 2008-07-13 02:27 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-07-13 02:27 . 2008-07-13 02:27 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-07-13 02:26 . 2004-08-10 07:00 146,432 --a------ C:\WINDOWS\R.COM
2008-07-13 02:26 . 2004-08-10 00:00 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-07-13 02:26 . 2008-07-13 02:27 50 --a------ C:\WINDOWS\Lic.xxx
2008-07-13 02:18 . 2008-07-24 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 02:18 . 2008-07-13 02:18 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-13 02:18 . 2008-07-13 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 02:18 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-07 23:25 . 2008-07-13 12:44 <DIR> d--hs---- C:\Documents and Settings\HP_Administrator\UserData
2008-07-07 16:35 . 2008-07-07 16:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-07 16:21 . 2008-07-11 19:01 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-07 13:18 . 2008-07-15 20:55 42 --a------ C:\WINDOWS\webica.ini
2008-07-07 11:47 . 2008-07-07 14:07 2,976 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-07 01:27 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-07 01:27 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-06 21:36 . 2008-07-06 21:36 <DIR> d-------- C:\Program Files\BillP Studios
2008-07-06 21:36 . 2008-07-06 21:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinPatrol
2008-07-06 20:47 . 2008-07-06 20:47 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-06 20:47 . 2008-07-06 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 12:47 . 2008-07-07 14:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-05 12:24 . 2004-03-09 01:00 662,288 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-07-05 12:24 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-07-05 12:24 . 2001-03-13 18:49 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-07-03 12:16 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-03 12:16 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-03 12:16 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-03 12:16 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-03 11:32 . 2008-07-03 11:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-03 08:42 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-30 23:21 . 2008-06-30 23:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 23:21 . 2008-06-30 23:21 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-06-30 23:21 . 2008-06-30 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 22:33 . 2008-06-30 22:33 <DIR> d-------- C:\Program Files\CCleaner
2008-06-30 21:33 . 2008-06-30 21:33 <DIR> d-------- C:\WINDOWS\Sun
2008-06-30 21:20 . 2008-07-28 21:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-30 20:28 . 2008-06-30 20:28 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
2008-06-30 20:28 . 2008-06-30 20:28 35 --a------ C:\WINDOWS\wwwbatch.ini
2008-06-30 20:26 . 2008-06-30 20:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-30 19:11 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-30 19:11 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-30 19:10 . 2008-04-23 00:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-30 19:10 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-30 19:10 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-30 19:10 . 2008-04-23 00:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-30 19:10 . 2008-04-23 00:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-30 19:10 . 2008-04-23 00:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-30 19:10 . 2008-04-23 00:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-30 19:10 . 2008-04-23 00:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-30 19:10 . 2008-04-22 03:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 00:19 --------- d-----w C:\Program Files\Microsoft Works
2008-07-25 02:24 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-25 02:24 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-07 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-06 23:49 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-07-06 23:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-06 23:44 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-07-06 23:44 --------- d-----w C:\Program Files\Common Files\HP
2008-07-02 04:06 --------- d-----w C:\Program Files\HP
2008-07-01 01:44 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-27 09:00 1,910 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_EX272AA-ABA a1520n_YC_0Pavi_QMXF621_E63NAemMPA2_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M959_J250_7AMD_8Athlon 64 X2 Dual Core_92_#080525_N_Z11C10620_G10DE0241.MRK
2008-06-27 06:51 410,976 ----a-w C:\WINDOWS\system32\deploytk.dll
2008-06-27 06:44 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:45 360,320 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-20 09:52 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_SetRes"="c:\hp\bin\cloaker" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-30 00:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 22:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 01:14 237568]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 02:11 27136]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04 52736]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-05-09 22:50 86016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 04:19 1232152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-24 22:24 185896]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 12:58 333120]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 77312 C:\WINDOWS\arpwrmsg.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 03:57 16855552 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 21:42:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-28 21:43:01
ComboFix-quarantined-files.txt 2008-07-29 01:42:59

Pre-Run: 232,559,411,200 bytes free
Post-Run: 232,593,502,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

204 --- E O F --- 2008-07-19 17:53:09

#4 klfrancois

Posted 28 July 2008 - 09:01 PM

In addition to the ComboFix log, there were two additional log files that ComboFix saved, (1) ComboFix Quarantined Files and (2) Add/Remove Programs. I figured I would post them too (sorry for forgetting in my previous post!)


ComboFix-quarantined-files
2004-08-10 00:00 135680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-10 07:00 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
2008-07-28 21:42 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-07-28 21:42 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-07-28 21:42 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-07-28 21:42 54 --a------ C:\Qoobox\Quarantine\catchme.log
2008-07-28 21:42 90 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat


Add-Remove Programs
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9 Lite --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Agere Systems PCI-SV92PP Soft Modem --> agrsmdel
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Player 10 (KB903157) -->
Hotfix for Windows XP (KB888795) -->
Hotfix for Windows XP (KB891593) -->
Hotfix for Windows XP (KB895961) -->
Hotfix for Windows XP (KB899337) -->
Hotfix for Windows XP (KB899510) -->
Hotfix for Windows XP (KB902841) -->
Hotfix for Windows XP (KB926239) --> "C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
HP Document Viewer 6.1 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP DVD Play 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Photosmart Cameras 6.0 --> C:\Program Files\HP\Digital Imaging\{5D61626A-BD55-4e42-82EE-4AE89D8FD050}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart for Media Center PC --> c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP PSC & OfficeJet 6.1.A --> "C:\Program Files\HP\Digital Imaging\{E5A8DDAB-AE80-48C6-A75B-D0FAB83B299D}\setup\hpzscr01.exe" -datfile hposcr08.dat
HP Solution Center and Imaging Support Tools 6.1 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft Away Mode -->
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs --> "C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs --> "C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PC-Doctor 5 for Windows --> C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Security Update for Windows Internet Explorer 7 (KB938127) --> "C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759) --> "C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748) --> "C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Sonic Express Labeler --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
Windows Genuine Advantage Validation Tool (KB892130) -->
Windows Internet Explorer 7 --> "C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11 --> "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11 --> "C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WinPatrol 2008 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0

#5 SifuMike

Posted 29 July 2008 - 12:25 AM

Hi klfrancois,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
C:\WINDOWS\Lic.xxx
C:\23990098.$$$

Folder:: 
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundl132.dll


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
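The procedure above (put File:: and Folder:: targets into CFScript.txt, run ComboFix with it, then read the ComboFix-quarantined-files listing of the kind posted in reply #4) can be checked mechanically rather than by eye. The Python script below is an added example for this thread, not ComboFix's own code and not something the helper or the original poster ran. It parses a CFScript body and a quarantine listing, maps each target to the copy path ComboFix uses in the listings shown here (the drive letter becomes a folder under C:\Qoobox\Quarantine and ".vir" is appended), and reports which targets have no quarantine copy, which is exactly what happens in the listing posted later in this thread for the two DLLs given under Folder:: (they appear under "Other Deletions" but not in the quarantine listing). It also groups quarantined files that share byte size and timestamp, as T.COM/TASKMGR.COM and R.COM/REGEDIT.COM do in that listing, as a cheap prompt to compare them by hash before drawing any conclusion. The sample data is constructed to mirror the formats in this thread; the quarantine path layout is an assumption taken from those listings.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"  # layout assumed from the listings in this thread

# Constructed sample input in the same format as the CFScript and the
# ComboFix-quarantined-files listing posted in this thread (not a live capture).
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
C:\WINDOWS\Lic.xxx
C:\23990098.$$$

Folder::
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundl132.dll
"""

SAMPLE_LISTING = r"""ComboFix-quarantined-files:
2004-08-10 00:00 135680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\T.COM.vir
2004-08-10 00:00 135680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-10 07:00 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\R.COM.vir
2004-08-10 07:00 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
2008-07-13 02:27 50 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Lic.xxx.vir
2008-07-13 02:30 100 --a------ C:\Qoobox\Quarantine\C\23990098.$$$.vir
2008-07-28 21:42 90 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
"""

# "<date> <time> <size> <attrs> <path>"; the path may contain spaces, so it is matched last.
LISTING_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) (\S+) (.+)$")
SECTION_HEADER = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {"file": [...], "folder": [...]} from a CFScript body (section names lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_listing(text: str) -> Dict[str, Tuple[int, str]]:
    """Map each quarantined path (lower-cased, since NTFS is case-insensitive) to (size, 'date time')."""
    entries: Dict[str, Tuple[int, str]] = {}
    for raw in text.splitlines():
        m = LISTING_LINE.match(raw.strip())
        if m:
            date, time, size, _attrs, path = m.groups()
            entries[path.lower()] = (int(size), f"{date} {time}")
    return entries


def expected_quarantine_path(original: str) -> str:
    """Map an original absolute path to its quarantine copy: drive letter as a folder, '.vir' appended."""
    drive, sep, rest = original.partition(":\\")
    if not sep:
        raise ValueError(f"not an absolute Windows path: {original}")
    return f"{QUARANTINE_ROOT}\\{drive.upper()}\\{rest}.vir"


def reconcile(cfscript: str, listing: str) -> Dict[str, bool]:
    """For every File::/Folder:: target, True if its .vir copy appears in the listing."""
    targets = parse_cfscript(cfscript)
    quarantined = parse_listing(listing)
    result: Dict[str, bool] = {}
    for section in ("file", "folder"):
        for path in targets.get(section, []):
            result[path] = expected_quarantine_path(path).lower() in quarantined
    return result


def missing_from_quarantine(cfscript: str, listing: str) -> List[str]:
    """Targets the script asked for that have no quarantine copy (deleted outright, or never present)."""
    return [path for path, ok in reconcile(cfscript, listing).items() if not ok]


def same_size_and_stamp(listing: str) -> List[List[str]]:
    """Groups of quarantined files sharing byte size and timestamp; worth comparing by hash."""
    groups = defaultdict(list)
    for path, key in parse_listing(listing).items():
        groups[key].append(path)
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]


if __name__ == "__main__":
    for path, ok in reconcile(SAMPLE_CFSCRIPT, SAMPLE_LISTING).items():
        print(("quarantined     " if ok else "NOT in listing  ") + path)
    for group in same_size_and_stamp(SAMPLE_LISTING):
        print("same size/time:", group)
```

A target reported as not in the listing is not necessarily still on disk: compare against the "Other Deletions" section of ComboFix.txt, which in this thread lists the two DLLs the quarantine listing lacks. The script treats paths case-insensitively because the listings mix case (T.COM.vir, Lic.xxx.vir) while NTFS does not distinguish it.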

#6 klfrancois


Posted 29 July 2008 - 08:24 PM

ComboFix 08-07-28.4 - HP_Administrator 2008-07-29 21:15:54.2 - NTFSx86

Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt

FILE ::
C:\23990098.$$$
C:\WINDOWS\Lic.xxx
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\23990098.$$$
C:\WINDOWS\Lic.xxx
C:\WINDOWS\R.COM
C:\WINDOWS\rundl132.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\system32\T.COM

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-24 22:24 . 2008-07-24 22:24 <DIR> d-------- C:\Program Files\Real
2008-07-24 22:24 . 2008-07-24 22:24 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-24 22:24 . 2008-07-24 22:24 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-19 22:31 . 2008-07-19 22:31 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-19 22:29 . 2008-07-19 22:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-19 22:29 . 2008-07-19 22:30 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-19 22:17 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-13 21:53 . 2008-07-13 21:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 21:52 . 2008-07-13 21:52 <DIR> d-------- C:\Deckard
2008-07-13 17:35 . 2008-07-13 17:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\acccore
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Program Files\Viewpoint
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-07-13 17:32 . 2008-07-13 17:35 <DIR> d-------- C:\Program Files\AIM6
2008-07-13 17:32 . 2008-07-13 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-13 17:32 . 2008-07-13 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-13 17:31 . 2008-07-13 17:35 368 --ah----- C:\IPH.PH
2008-07-13 17:29 . 2008-07-13 17:29 <DIR> d-------- C:\Program Files\MSECache
2008-07-13 14:23 . 2008-07-25 20:18 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-07-13 12:49 . 2008-07-13 12:49 <DIR> d-------- C:\Program Files\Java
2008-07-13 12:49 . 2008-07-13 12:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-13 12:49 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-13 12:26 . 2008-07-28 21:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-13 10:46 . 2008-07-28 21:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-13 04:19 . 2008-07-29 20:30 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 04:19 . 2008-07-13 04:19 <DIR> d-------- C:\Program Files\AVG
2008-07-13 04:19 . 2008-07-13 04:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-13 04:19 . 2008-07-13 04:19 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-13 04:19 . 2008-07-13 04:19 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-13 04:19 . 2008-07-13 04:19 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-13 03:54 . 2008-07-13 04:20 <DIR> d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY
2008-07-13 02:18 . 2008-07-24 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 02:18 . 2008-07-13 02:18 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-07-13 02:18 . 2008-07-13 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 02:18 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-07 23:25 . 2008-07-13 12:44 <DIR> d--hs---- C:\Documents and Settings\HP_Administrator\UserData
2008-07-07 16:35 . 2008-07-07 16:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-07 16:21 . 2008-07-11 19:01 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-07 13:18 . 2008-07-15 20:55 42 --a------ C:\WINDOWS\webica.ini
2008-07-07 11:47 . 2008-07-07 14:07 2,976 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-07 01:27 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-07 01:27 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-06 21:36 . 2008-07-06 21:36 <DIR> d-------- C:\Program Files\BillP Studios
2008-07-06 21:36 . 2008-07-06 21:36 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinPatrol
2008-07-06 20:47 . 2008-07-06 20:47 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-06 20:47 . 2008-07-06 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 12:47 . 2008-07-07 14:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-05 12:24 . 2004-03-09 01:00 662,288 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-07-05 12:24 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-07-05 12:24 . 2001-03-13 18:49 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-07-03 12:16 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-03 12:16 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-03 12:16 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-03 12:16 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-03 11:32 . 2008-07-03 11:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-03 08:42 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-30 23:21 . 2008-06-30 23:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 23:21 . 2008-06-30 23:21 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-06-30 23:21 . 2008-06-30 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 22:33 . 2008-06-30 22:33 <DIR> d-------- C:\Program Files\CCleaner
2008-06-30 21:33 . 2008-06-30 21:33 <DIR> d-------- C:\WINDOWS\Sun
2008-06-30 21:20 . 2008-07-28 21:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-30 20:28 . 2008-06-30 20:28 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
2008-06-30 20:28 . 2008-06-30 20:28 35 --a------ C:\WINDOWS\wwwbatch.ini
2008-06-30 20:26 . 2008-06-30 20:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-30 19:11 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-30 19:11 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-30 19:10 . 2008-04-23 00:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-30 19:10 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-30 19:10 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-30 19:10 . 2008-04-23 00:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-30 19:10 . 2008-04-23 00:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-30 19:10 . 2008-04-23 00:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-30 19:10 . 2008-04-23 00:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-30 19:10 . 2008-04-23 00:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-30 19:10 . 2008-04-22 03:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-28 18:17 . 2008-06-28 18:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-28 18:02 . 2006-03-20 23:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-06-28 17:55 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-28 17:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-28 17:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-28 17:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-28 17:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-27 05:38 . 2008-06-27 05:38 <DIR> d-------- C:\WINDOWS\Options
2008-06-27 05:00 . 2008-06-27 05:00 1,910 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_EX272AA-ABA a1520n_YC_0Pavi_QMXF621_E63NAemMPA2_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M959_J250_7AMD_8Athlon 64 X2 Dual Core_92_#080525_N_Z11C10620_G10DE0241.MRK
2008-06-27 04:58 . 2008-06-27 05:28 <DIR> d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2008-06-27 04:58 . 2008-07-29 00:32 <DIR> d-------- C:\Documents and Settings\HP_Administrator
2008-06-27 04:57 . 2006-05-24 05:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-06-27 04:57 . 2006-05-24 05:35 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-06-27 04:57 . 2006-05-24 05:15 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2008-06-27 04:56 . 2008-07-03 08:31 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-06-27 04:54 . 2001-08-17 16:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-27 04:53 . 2001-08-17 17:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-27 04:50 . 2008-07-29 20:29 244 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-06-27 04:33 . 2008-07-19 22:35 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-06-27 02:51 . 2008-06-27 02:51 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-06-27 02:44 . 2008-06-27 02:44 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\HPQ
2008-06-27 02:41 . 2004-08-09 17:00 101,888 --a------ C:\WINDOWS\system32\dllcache\evntagnt.dll
2008-06-27 02:41 . 2004-08-09 17:00 92,160 --a------ C:\WINDOWS\system32\dllcache\evntwin.exe
2008-06-27 02:41 . 2004-08-09 17:00 39,936 --a------ C:\WINDOWS\system32\dllcache\hostmib.dll
2008-06-27 02:41 . 2004-08-09 17:00 33,792 --a------ C:\WINDOWS\system32\dllcache\lmmib2.dll
2008-06-27 02:41 . 2004-08-09 17:00 32,768 --a------ C:\WINDOWS\system32\dllcache\snmp.exe
2008-06-27 02:41 . 2004-08-09 17:00 24,064 --a------ C:\WINDOWS\system32\dllcache\evntcmd.exe
2008-06-27 02:41 . 2004-08-09 17:00 8,704 --a------ C:\WINDOWS\system32\dllcache\snmptrap.exe
2008-06-27 02:41 . 2004-08-09 17:00 6,144 --a------ C:\WINDOWS\system32\dllcache\snmpmib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 00:19 --------- d-----w C:\Program Files\Microsoft Works
2008-07-25 02:24 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-25 02:24 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-07 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-06 23:49 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-07-06 23:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-06 23:44 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-07-06 23:44 --------- d-----w C:\Program Files\Common Files\HP
2008-07-02 04:06 --------- d-----w C:\Program Files\HP
2008-07-01 01:44 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:45 360,320 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-20 09:52 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-28_21.42.53.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-29 01:23:21 3,968 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{7729C6DE-B49C-4A12-A61A-1B2D47905CA4}.bin
- 2008-07-29 01:22:33 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-30 00:11:47 53,640 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-29 01:22:33 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-30 00:11:47 382,022 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_SetRes"="c:\hp\bin\cloaker" [X]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-30 00:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 22:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 01:14 237568]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 02:11 27136]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04 52736]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-05-09 22:50 86016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 04:19 1232152]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 12:58 333120]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 77312 C:\WINDOWS\arpwrmsg.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 03:57 16855552 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=


*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 21:17:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-29 21:17:45
ComboFix-quarantined-files.txt 2008-07-30 01:17:44
ComboFix2.txt 2008-07-29 01:43:02

Pre-Run: 232,586,428,416 bytes free
Post-Run: 232,574,509,056 bytes free

231 --- E O F --- 2008-07-30 00:09:53

ComboFix-quarantined-files:
2004-08-10 00:00 135680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\T.COM.vir
2004-08-10 00:00 135680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-10 07:00 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\R.COM.vir
2004-08-10 07:00 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
2008-07-13 02:27 50 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Lic.xxx.vir
2008-07-13 02:30 100 --a------ C:\Qoobox\Quarantine\C\23990098.$$$.vir
2008-07-28 21:42 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-07-28 21:42 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-07-28 21:42 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-07-28 21:42 90 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2008-07-29 21:17 108 --a------ C:\Qoobox\Quarantine\catchme.log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:54 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\HPZipm12.exe (file missing)

--
End of file - 4153 bytes

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:50 AM

Posted 30 July 2008 - 12:26 AM

Hi klfrancois,


Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\HPZipm12.exe (file missing)

Close all browsers and other windows except for HijackThis, and click "Fix checked"

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer.

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings", check the option to use the EXTENDED DATABASE and, under Scan Options, check "Scan Archives" and "Scan Mail Bases", then click "OK".
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:


Under "Save as type" select "Text file", write a name for the file and save it to your Desktop.
Locate the file on the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results, a new HijackThis log, and tell me how your computer is running.

Edited by SifuMike, 30 July 2008 - 12:26 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
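As an added illustration of why that O23 line stood out, here is a small Python triage pass (mine, not part of the thread or of HijackThis) over a few HijackThis-format lines constructed from the logs above. It flags services whose binary is reported missing or whose path carries two drive prefixes, and lists the O20 AppInit_DLLs / Winlogon Notify entries that always merit verification.

```python
import re

# Constructed sample: HijackThis v2.0.2-style lines copied from the format shown
# in the thread; the last O23 line is the one the helper asked to have fixed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\HPZipm12.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O4, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A drive prefix such as "C:\"; a sane path contains exactly one.
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def parse_entries(text):
    """Yield (code, body) for every entry line; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return [(code, reasons, body)] for entries worth a second look.

    Heuristics are my own, not HijackThis logic:
      * O23 services whose binary is "(file missing)" or whose path holds more
        than one drive prefix: a broken uninstall, as in the thread, or a stale
        registration that something could later reclaim.
      * O20 entries load a DLL into every process (AppInit_DLLs) or into
        winlogon (Winlogon Notify), so they are always listed for verification.
    """
    findings = []
    for code, body in parse_entries(text):
        reasons = []
        if code == "O23":
            if "(file missing)" in body:
                reasons.append("service binary missing")
            if len(DRIVE_RE.findall(body)) > 1:
                reasons.append("malformed service path")
        elif code == "O20":
            reasons.append("review loaded DLL")
        if reasons:
            findings.append((code, ", ".join(reasons), body))
    return findings


if __name__ == "__main__":
    for code, reasons, body in triage(SAMPLE_LOG):
        print(f"{code}: {reasons}\n    {body}")
```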

#8 klfrancois (Topic Starter)

Posted 30 July 2008 - 11:46 PM

Hi! I fixed the entry in HijackThis and downloaded and ran CCleaner as requested, but when running the Kaspersky Webscan I noticed that it didn't prompt me to install (as you listed in your directions) and did not attempt to run any ActiveX controls. It automatically installed, updated and then I scanned using the instructions you listed; however, the scan rendered 0 results.

As far as how my computer is running, it definitely seems to be running a bit faster... but when the computer boots and the Windows log-in screen comes up (manual entry of username/password), I am seeing a wallpaper that I do not use as my background (I do not use a wallpaper - the desktop is plain black), nor have I ever seen it before on this computer. It's not really "suspicious"... aside from the fact that I have no clue where it came from. Brief description: looks to be a landscape - blue sky, green grass with what looks like a large bubble on the right hand side of the screen... definitely not what I have ever seen as a pre-installed wallpaper on here. Also, when the log-in screen appears it is in Windows classic style theme (square edges) and then once I click OK the log-in window changes to Windows XP theme (rounded edges). Maybe the things I'm noting here are insignificant, but to me they may be signs of a problem that still exists. **One more thing, I've been seeing the Windows Update icon in my system tray, and it is still prompting me to download the CAPICOM update (same issue from 1st post). ??? I'm at a loss, but I appreciate all of your help thus far, and any further help you may be able to provide.

Here is the new Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:48 AM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4044 bytes

#9 klfrancois (Topic Starter)

Posted 31 July 2008 - 12:01 AM

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 31, 2008 03:51:12
Records in database: 1032086


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
F:\
G:\
H:\
I:\

Scan statistics
Files scanned 58815
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:17:34

No malware has been detected. The scan area is clean.
The selected area was scanned.

#10 SifuMike (malware expert)

Posted 31 July 2008 - 12:24 AM

Hi klfrancois,

It automatically installed, updated and then I scanned using the instructions you listed; however, the scan rendered 0 results.


That is great. No malware is lurking. :thumbsup:


One more thing, i've been seeing the Windows Update icon in my system tray, and it is still prompting me to download the CAPICOM update (same issue from 1st post).



If you go to Windows Update there is an option to hide this update. Look under your update history.


I am seeing a wallpaper that I do not use as my background (I do not use a wallpaper - the desktop is plain black), nor have I ever seen it before on this computer. It's not really "suspicious"...aside from the fact that I have no clue where it came from. Brief description: looks to be a landscape - blue sky, green grass with what looks like a large bubble on the right hand side of the screen... definitely not what I have ever seen as a pre-installed wallpaper on here. Also, when the log-in screen appears it is in Windows classic style theme (square edges) and then once I click OK the log-in window changes to Windows XP theme (rounded edges)


Login as usual and now right click on your Desktop and go to Properties.
Next go to Desktop tab->Customize Desktop button->Web tab.
Uncheck everything listed there.
Then delete all the entries listed except for 'My Current Home Page'.
Click OK and OK.
Restart and see if the problem is gone now.

#11 klfrancois (Topic Starter)

Posted 31 July 2008 - 08:17 PM

Hi,

I followed the steps you gave in response to the wallpaper issue I described:

"Login as usual and now right click on your Desktop and go to Properties.
Next go to Desktop tab->Customize Desktop button->Web tab.
Uncheck everything listed there.
Then delete all the entries listed except for 'My Current Home Page'.
Click OK and OK.
Restart and see if the problem is gone now."

And on the Web tab there is only one thing listed, "My Current Home Page" and it was already unchecked, same goes for the "Lock desktop items" box. Maybe it's nothing...but I don't know why this wallpaper only displays when I am in the log-in screen. As soon as I click OK it changes to black.

#12 SifuMike (malware expert)

Posted 31 July 2008 - 10:07 PM

Your computer looks clean of malware. :thumbsup:

but I don't know why this wallpaper only displays when I am in the log-in screen. As soon as I click OK it changes to black.


The wallpaper on the log-in screen is a job for our Windows XP Home and Professional forum. My expertise is malware removal.


Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow "How did I get infected?, with steps so it does not happen again!"
as well as
"How to prevent Malware" by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#13 klfrancois (Topic Starter)

Posted 31 July 2008 - 11:50 PM

I guess I was assuming the malware I had on my system had something to do with the wallpaper. Guess I was wrong. Thank you for all of your help.

#14 SifuMike (malware expert)

Posted 06 August 2008 - 09:57 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#15 SifuMike (malware expert)

Posted 21 August 2008 - 12:29 AM

Topic reopened.