
ComboFix Log. Please Check. Thanks A Million


  • This topic is locked
2 replies to this topic

#1 Notorious J.O.E.

  • Members
  • 1 post

Posted 23 July 2008 - 01:25 PM

ComboFix 08-07-22.4 - HP_Administrator 2008-07-23 12:07:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.508 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-22 10:51 . 2005-04-21 13:45 <DIR> d-------- C:\Documents and Settings\Limited\WINDOWS
2008-07-22 10:51 . 2005-04-21 13:45 <DIR> d-------- C:\Documents and Settings\Limited\Application Data\Symantec
2008-07-22 10:51 . 2005-04-21 13:45 <DIR> d-------- C:\Documents and Settings\Limited\Application Data\SampleView
2008-07-22 10:51 . 2005-04-21 13:45 <DIR> d-------- C:\Documents and Settings\Limited\Application Data\InterMute
2008-07-22 10:51 . 2005-04-21 13:45 <DIR> d-------- C:\Documents and Settings\Limited\Application Data\Apple Computer
2008-07-22 10:51 . 2008-07-22 10:51 <DIR> d-------- C:\Documents and Settings\Limited
2008-07-21 23:01 . 2008-07-21 23:11 <DIR> d-------- C:\Program Files\Exterminate It!
2008-07-17 19:51 . 2008-07-17 19:51 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\dvdcss
2008-07-17 19:34 . 2008-07-17 19:34 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-07-17 10:56 . 2008-07-17 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-17 10:26 . 2008-07-17 10:26 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
2008-07-16 23:07 . 2008-07-16 23:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-16 23:07 . 2008-07-18 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 21:45 . 2008-07-16 21:46 1,720,086 --a------ C:\WINDOWS\system32\TmpA1979562
2008-07-16 21:45 . 2008-07-16 21:45 1,720,086 --a------ C:\WINDOWS\system32\TmpA1934968
2008-07-16 21:43 . 2008-07-16 21:43 1,720,086 --a------ C:\WINDOWS\system32\TmpA1844781
2008-07-16 21:15 . 2008-07-16 21:15 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\vlc
2008-07-14 09:04 . 2008-07-14 09:04 <DIR> d-------- C:\Program Files\iTunes
2008-07-14 09:04 . 2008-07-14 09:04 <DIR> d-------- C:\Program Files\iPod
2008-07-14 09:01 . 2008-07-14 09:01 <DIR> d-------- C:\Program Files\Bonjour
2008-07-14 08:51 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-23 17:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 17:19 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2008-07-19 20:47 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-07-18 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-17 23:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 02:35 --------- d-----w C:\Program Files\Absolute MP3 Splitter
2008-07-16 17:28 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Vso
2008-07-14 15:00 --------- d-----w C:\Program Files\QuickTime
2008-07-07 23:26 --------- d-----w C:\Program Files\Norton 360
2008-07-02 18:43 --------- d-----w C:\Program Files\Azureus
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 21:21 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-06-08 20:59 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-08 20:59 47,360 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
2008-06-08 20:58 --------- d-----w C:\Program Files\VSO
2008-06-03 01:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Seven Zip
2008-06-02 15:59 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-02 15:59 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-02 15:59 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-02 15:59 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-02 15:59 --------- d-----w C:\Program Files\Symantec
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-06-25 21:53 432 -c--a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2005-07-20 04:50 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 04:55 126976]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 06:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 07:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 08:17 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 08:54 253952]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 19:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-21 12:55 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 03:04 52736]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 05:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 05:42 659456]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04 59392]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 04:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 18:57 90112 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 18:53 2805248 C:\WINDOWS\ALCWZRD.EXE]
"WD Button Manager"="WDBtnMgr.exe" [2008-01-15 19:57 364544 C:\WINDOWS\system32\WDBtnMgr.exe]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-03-26 16:56:31 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-04-21 13:07:27 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-16 20:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.whiskeymilitia.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=duds.ut&login=ceee5d62ee9fe473d8d06cd135b869e0/duds.ut:netzero.net/1119489512/30/sss.6.93571/&ts=42ba0de8&A=0&B=1109577600000&C=1014278400000&D=1090393200000&I=6.0B5&N=&O=A&UT=
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 -: Show All Original Images - "C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 -: Show Original Image - "C:\Program Files\NetZero\qsacc\appres.dll/227"
O17 -: HKLM\CCS\Interface\{3AD3318E-4B7E-497B-9A20-5620985DC8FD}: NameServer = 205.171.3.65,205.171.2.65

O16 -: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
C:\WINDOWS\Downloaded Program Files\BeboUploader.inf
C:\WINDOWS\system32\unicows.dll
C:\WINDOWS\Downloaded Program Files\BeboUploader.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 12:08:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-23 12:10:12
ComboFix-quarantined-files.txt 2008-07-23 18:10:01
ComboFix2.txt 2008-07-23 17:48:57

Pre-Run: 24,099,667,968 bytes free
Post-Run: 24,087,871,488 bytes free

162 --- E O F --- 2008-07-14 03:13:28
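
The "Reg Loading Points" block in a ComboFix log is REGEDIT4-style text, so the parts an analyst checks by eye can be checked by script. The helper below is an added example, not part of the original post and not ComboFix's own code. It assumes three conventions visible in the log above: a Run value followed by `[X]` means ComboFix could not find the referenced file, a Run value followed by `[date time size path]` means the value was a bare file name that ComboFix resolved to that path, and `"DisableMonitoring"=dword:00000001` under the Security Center `Monitoring` keys means Windows will not raise its own alerts for that product (Norton 360 sets this for itself, so on this machine it is expected; it still matters, because Windows will stay quiet if the Symantec services are stopped). The sample input is a constructed excerpt modelled on the log above, not the full log.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix log.

Added example, not code from the original post or from ComboFix. Flags:
autostart values whose target ComboFix could not find ([X]), autostart
values given as a bare file name (resolved by search order, so they depend
on where the loader looks first), and Security Center DisableMonitoring=1.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt modelled on the log posted above (not the full log).
# Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 06:02 61440]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 04:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="value" [meta]; meta is "X" (file not found) or "date time size",
# optionally followed by the path ComboFix resolved a bare file name to.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


class Entry(NamedTuple):
    key: str
    name: str
    value: str               # command/path, or the dword as a decimal string
    missing: bool            # ComboFix printed [X]: target file not found
    resolved: Optional[str]  # path ComboFix resolved a bare file name to


class Finding(NamedTuple):
    key: str
    name: str
    reason: str


def parse_entries(text: str) -> List[Entry]:
    """Walk the REGEDIT4-style block and return one Entry per value line."""
    entries: List[Entry] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            meta = m.group("meta").split()
            entries.append(Entry(key, m.group("name"), m.group("value"),
                                 missing=(meta == ["X"]),
                                 resolved=" ".join(meta[3:]) or None))
            continue
        m = DWORD_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), str(int(m.group("hex"), 16)),
                                 missing=False, resolved=None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Return the entries an analyst would look at first, with a reason each."""
    findings: List[Finding] = []
    for e in entries:
        k = e.key.lower()
        if k.endswith((r"\run", r"\runonce")):
            if e.missing:
                findings.append(Finding(e.key, e.name,
                                        "autostart target not found by ComboFix (orphaned entry)"))
            elif "\\" not in e.value and e.resolved:
                findings.append(Finding(e.key, e.name,
                                        f"bare file name, resolved by search order to {e.resolved}"))
        elif r"\security center\monitoring" in k and e.name == "DisableMonitoring" and e.value == "1":
            scope = e.key.rsplit("\\", 1)[-1]
            if scope.lower() == "monitoring":
                scope = "all products"
            findings.append(Finding(e.key, e.name,
                                    f"Security Center alerting disabled for {scope}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f"{f.key}\n    {f.name}: {f.reason}")
```

On the excerpt this reports the orphaned "EarthLink Installer" value, the bare "AGRSMMSG.exe" name with the path it resolved to, and the two DisableMonitoring values. A bare name is worth a second look because the loader finds it by search order rather than by a fixed path; an orphaned `[X]` entry is usually leftover from an uninstall but is cheap to clean up.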

#2 Carolyn

    Bleepin' kitten

  • Members
  • 2,131 posts

Posted 07 August 2008 - 04:19 PM

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Download and install HijackThis
  • Download HJTInstall.exe to your Desktop.
  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.


    Don't use the Analyse This button; its findings are dangerous if misinterpreted.
    Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Uninstall List
Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

Please post the following in your next reply.
  • log from hijackthis
  • uninstall list

Member of ASAP (Alliance of Security Analysis Professionals)

#3 Carolyn

    Bleepin' kitten

  • Members
  • 2,131 posts

Posted 15 August 2008 - 12:07 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)