Please Urgent!



#1 hemidart
  • Members
  • 1 posts
Posted 15 July 2008 - 06:20 AM

Hi..... I have completed the ComboFix process and here is my log report I was told to send here for analysis. My problem still exists! Softwarereferal seems to still be in command! When I try to connect to the internet I notice at the very top of my screen and in my browser that softwarereferal.com etc. is the first place it tries to go. Once on, I have to stumble around a bit to actually get to Yahoo so I can read my emails, surf etc. I notice pop-ups that say I am about to enter an unsecure site at every corner. And it is still extremely sloowwwww. :thumbsup: I hope whoever reads my log report can help me. Thanks!!

ComboFix 08-07-14.2 - Darren Hudson 2008-07-14 22:25:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.616 [GMT -5:00]
Running from: C:\Documents and Settings\Darren Hudson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Darren Hudson\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
C:\Documents and Settings\Darren Hudson\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk
C:\Documents and Settings\Darren Hudson\Desktop\Error Cleaner.url
C:\Documents and Settings\Darren Hudson\Desktop\Privacy Protector.url
C:\Documents and Settings\Darren Hudson\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Darren Hudson\Favorites\Error Cleaner.url
C:\Documents and Settings\Darren Hudson\Favorites\Online Security Test.url
C:\Documents and Settings\Darren Hudson\Favorites\Privacy Protector.url
C:\Documents and Settings\Darren Hudson\Favorites\Spyware&Malware Protection.url
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\Search Enhancer Toolbar
C:\Program Files\Search Enhancer Toolbar\tbu07722\basis.xml
C:\Program Files\Search Enhancer Toolbar\tbu07722\enhancer.crc
C:\Program Files\Search Enhancer Toolbar\tbu07722\icons.bmp
C:\Program Files\Search Enhancer Toolbar\tbu07722\version.txt
C:\Program Files\Video Add-on
C:\WINDOWS\cookies.ini
C:\WINDOWS\epeb.exe
C:\WINDOWS\system32\cdjdelpc.ini
C:\WINDOWS\system32\fktdpsgs.ini
C:\WINDOWS\system32\hhucmguw.ini
C:\WINDOWS\system32\hknqtbje.ini
C:\WINDOWS\system32\hvadsavc.ini
C:\WINDOWS\system32\hxtxhgpm.ini
C:\WINDOWS\system32\ifbgokyf.ini
C:\WINDOWS\system32\ihhldute.ini
C:\WINDOWS\system32\kgalpagi.ini
C:\WINDOWS\system32\ltofjiib.ini
C:\WINDOWS\system32\lvovubvl.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nfxukuqc.ini
C:\WINDOWS\system32\psupyobi.ini
C:\WINDOWS\system32\qhxuhbxa.ini
C:\WINDOWS\system32\rsgupxby.ini
C:\WINDOWS\system32\rxdtmdte.ini
C:\WINDOWS\system32\rydodvhr.ini
C:\WINDOWS\system32\sqaqmawd.ini
C:\WINDOWS\system32\syqcweyl.ini
C:\WINDOWS\system32\tnultuvu.ini
C:\WINDOWS\system32\urxgflhh.ini
C:\WINDOWS\system32\vbvmlqga.ini
C:\WINDOWS\system32\vhctuynt.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-14 22:32 . 2008-07-14 22:32 <DIR> d-------- C:\Documents and Settings\Darren Hudson\Application Data\TmpRecentIcons
2008-07-14 20:04 . 2008-07-14 20:10 <DIR> d-------- C:\SDFix
2008-07-14 18:41 . 2008-07-14 17:43 389,120 --a------ C:\WINDOWS\kvxqmtre.dll
2008-07-14 18:41 . 2008-07-14 17:43 307,200 --a------ C:\WINDOWS\evgratsm.dll
2008-07-14 18:41 . 2008-07-14 17:43 159,744 --a------ C:\WINDOWS\qndsfmao.dll
2008-07-14 18:41 . 2008-07-14 17:43 102,400 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-10 23:31 . 2008-07-10 23:32 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2008-06-20 12:41 . 2008-06-20 12:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 05:44 . 2008-06-20 05:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 13:54 . 2008-06-19 14:11 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-19 13:45 . 2008-06-19 13:45 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-19 07:51 . 2008-06-19 07:51 144 --a------ C:\domains.dat
2008-06-18 08:24 . 2008-06-18 08:24 <DIR> d-------- C:\Program Files\Scholastic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 03:32 8,225,312 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 03:32 292,640 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 03:31 28,460 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-15 03:31 111,212 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-15 03:17 --------- d-----w C:\Documents and Settings\Darren Hudson\Application Data\alot
2008-07-15 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 00:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-15 00:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-12 02:12 --------- d-----w C:\Documents and Settings\Darren Hudson\Application Data\Move Networks
2008-07-12 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-07-09 03:27 3,106 ----a-w C:\Documents and Settings\Darren Hudson\Application Data\wklnhst.dat
2008-06-30 18:15 --------- d-----w C:\Program Files\Coupons
2008-06-23 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 04:32 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-11 04:32 --------- d-----w C:\Program Files\AutoCAD 2004
2008-06-11 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-06-11 04:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 04:20 --------- d-----w C:\Program Files\Buildalot
2008-06-11 01:37 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-06-11 01:37 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-06-11 01:37 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-11 01:09 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-11 01:00 --------- d-----w C:\Documents and Settings\Darren Hudson\Application Data\AVG7
2008-06-11 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-11 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-06-10 02:29 --------- d-----w C:\Program Files\e-Sword
2008-05-16 23:33 --------- d-----w C:\Program Files\Atari
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-02 15:56 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9A3D91FB-FCF6-46A4-A0C2-B4865D8D05DC}"= "C:\WINDOWS\qndsfmao.dll" [2008-07-14 17:43 159744]

[HKEY_CLASSES_ROOT\clsid\{9a3d91fb-fcf6-46a4-a0c2-b4865d8d05dc}]
[HKEY_CLASSES_ROOT\qndsfmao.1]
[HKEY_CLASSES_ROOT\TypeLib\{1CA3FDCA-2340-4DD0-80E3-68EC677CD140}]
[HKEY_CLASSES_ROOT\qndsfmao]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"NoDispCPL"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSetFolders"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"evgratsm"= {FAFD1667-5C7A-4689-B43B-CAAEC9DF8182} - C:\WINDOWS\evgratsm.dll [2008-07-14 17:43 307200]
"kvxqmtre"= {D593924B-631A-4224-B215-252087FB40DF} - C:\WINDOWS\kvxqmtre.dll [2008-07-14 17:43 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-06-10 09:59]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 03:35:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-14 17:11:09 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BF644257-4B78-4F00-AE8F-2879F639F17C}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 22:32:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????2?5?7?5??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\hpwuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-07-15 5:39:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 10:39:26
ComboFix2.txt 2007-09-13 15:45:06

Pre-Run: 78,525,276,160 bytes free
Post-Run: 79,369,486,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

200 --- E O F --- 2008-07-11 19:58:16

#2 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 15 July 2008 - 06:27 AM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
