Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log - I Think It's A Trojan But Need Help


  • This topic is locked This topic is locked
10 replies to this topic

#1 Razorburne

Razorburne

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 31 August 2008 - 03:56 PM

Just a couple days ago I started getting popups while I'm using internet explorer telling me that my computer my be infected and that I should download more protection software. Along with this message, a random website pops up - usually displaying a fake virus scan in progress, but sometimes just a totally random website. I ran Adaware from Lavasoft - it notifies me of "Trojan Horse Downloader.zlob.13.B" or Win 32 Trojan - which it says it deletes, but upon restart is back again. AVG Free also detects something and claims to "heal" it, but it seems to stick around. I need help...please....I have no idea what to do, so I found out about Hijack This and am now posting to find some guidance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:07 AM, on 8/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [A00F23C9CE.exe] C:\DOCUME~1\KEITHW~1\LOCALS~1\Temp\_A00F23C9CE.exe
O4 - HKCU\..\Run: [A00FAA8CF1.exe] C:\DOCUME~1\KEITHW~1\LOCALS~1\Temp\_A00FAA8CF1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201327103819
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201327088577
O20 - Winlogon Notify: 3c5081fd382 - C:\WINDOWS\system32\__c007E3AE.dat (file missing)
O20 - Winlogon Notify: __c0062A70 - C:\WINDOWS\system32\__c0062A70.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8135 bytes

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:40 PM

Posted 01 September 2008 - 04:53 AM

Hello Razorburne and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, and you're notified a more current version is available, please download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Razorburne

Razorburne
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 01 September 2008 - 02:15 PM

Thunder,

I went ahead and completed steps 1, 2, and 3 - I wasn't sure if you wanted me to download and run ComboFix before posting as well, so I am being better safe than sorry, and have not yet downloaded ComboFix. I figured I would give you the MBAM log as well as a fresh HijackThis log as requested, and then follow your advice (as to whether to go ahead with the ComboFix or not).

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 5.1.2600 Service Pack 3

2:49:39 AM 9/1/2008
mbam-log-09-01-2008 (02-49-39).txt

Scan type: Quick Scan
Objects scanned: 43009
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\__c0032610.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0032610 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0062a70 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c006f87e (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f23c9ce.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00faa8cf1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Keith Woythaler\Local Settings\Temp\GLK3.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keith Woythaler\Local Settings\Temp\_A00FAA8CF1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0032610.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Here is the fresh HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:22 AM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201327103819
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201327088577
O20 - Winlogon Notify: 3c5081fd382 - C:\WINDOWS\system32\__c007E3AE.dat (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7587 bytes

#4 Razorburne

Razorburne
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 01 September 2008 - 02:54 PM

One quick question about the ComboFix........I have read and followed the guide/tutorial and have followed the instructions to download both the ComboFix file as well as the Windows Recovery boot disk file. I went to drag the windows file onto the ComboFix file and immediately it asks me if I am sure I want to run ComboFix (is this normal??? ---this seemed slightly different than the tutorial and I wasn't sure if the windows file had in fact been installed or if I was going to be in trouble by running the ComboFix [as maybe it hadn't bee installed]). Should I just go ahead and say yes to running ComboFix? I cancelled it for now until I hear back from you.

Hope to hear from you soon.

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:40 PM

Posted 01 September 2008 - 04:24 PM

Hello Razorburne,

Yes, when the Recovery Console installation is complete,
you do get an option to continue and start the ComboFix scan. :thumbsup:

Looks like MBAM took out most, if not everything, out,
but to be sure a ComboFix run would be helpful.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#6 Razorburne

Razorburne
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 01 September 2008 - 08:13 PM

Thunder,

I have gone ahead and I ran the ComboFix program - below please find the log as requested.

1. Is there anything else I need to do to complete this process or does it seem like everything is gone?

2. If you think everything is clear, is there anything I should do to prevent this from happening again? I run the AVG free antivirus, and I have Windows Firewall on; I use Adaware every once in a while. Anything else I should be doing?


Here is the ComboFix Log:

ComboFix 08-08-31.01 - Keith Woythaler 2008-09-01 8:45:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.228 [GMT -4:00]
Running from: C:\Documents and Settings\Keith Woythaler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Keith Woythaler\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\#SharedObjects\5DSQ47MH\bin.clearspring.com
C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\#SharedObjects\5DSQ47MH\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\#SharedObjects\5DSQ47MH\interclick.com
C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\#SharedObjects\5DSQ47MH\interclick.com\ud.sol
C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Keith Woythaler\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@a.chryslerllc[1].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@a.consumerreports[2].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@ads.pointroll[1].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@edge.ru4[2].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@ehg-cruiseshipcenters.hitbox[2].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@ehg-espn.hitbox[2].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@ehg.allstate[1].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@imiclk[1].txt
C:\Documents and Settings\Keith Woythaler\Cookies\keith woythaler@trafficmp[2].txt
C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-09-01 02:39 . 2008-09-01 02:39 <DIR> d-------- C:\Documents and Settings\Keith Woythaler\Application Data\Malwarebytes
2008-09-01 02:38 . 2008-09-01 02:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 02:38 . 2008-09-01 02:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 02:38 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-01 02:38 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-01 02:18 . 2008-09-01 02:18 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-08-31 04:32 . 2008-08-31 04:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-30 12:08 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-08-30 12:07 . 2008-08-30 12:07 <DIR> d-------- C:\Program Files\Panda Security
2008-08-30 09:30 . 2008-06-23 12:57 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-08-30 09:30 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-08-30 09:30 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-08-30 09:30 . 2008-06-23 12:57 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-08-30 09:30 . 2008-06-23 12:57 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-08-30 09:30 . 2008-06-23 12:57 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-08-30 09:30 . 2008-06-23 12:57 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-08-30 09:30 . 2008-06-23 12:57 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-08-30 09:30 . 2008-06-23 05:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-30 09:03 . 2002-08-28 17:00 68,608 --a------ C:\WINDOWS\SYSTEM32\plugin.ocx
2008-08-30 08:05 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-30 08:02 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-30 08:00 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-08-30 08:00 . 2008-05-08 10:02 203,136 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-08-30 07:23 . 2008-08-30 07:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-30 07:23 . 2008-08-30 07:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-30 07:23 . 2008-08-30 07:23 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-30 06:15 . 2008-04-13 20:12 246,814 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\strmdll.dll
2008-08-30 06:14 . 2008-04-13 20:12 774,144 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\setup_wm.exe
2008-08-30 06:13 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-30 06:12 . 2008-04-13 20:10 844,314 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msdxm.ocx
2008-08-30 06:12 . 2008-04-13 20:12 356,352 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msscp.dll
2008-08-30 06:12 . 2008-04-13 20:12 259,072 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msnetobj.dll
2008-08-30 06:12 . 2008-04-13 20:12 201,728 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mspmsp.dll
2008-08-30 06:12 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-30 06:12 . 2008-04-13 14:14 76,800 --------- C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-08-30 06:12 . 2008-04-13 20:12 69,632 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msscds32.ax
2008-08-30 06:12 . 2008-04-13 20:12 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mspmsnsv.dll
2008-08-30 06:12 . 2008-04-13 20:10 4,126 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msdxmlc.dll
2008-08-30 06:10 . 2008-04-13 20:09 290,816 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\l3codeca.acm
2008-08-30 06:10 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\SYSTEM32\kmsvc.dll
2008-08-30 06:10 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\SYSTEM32\l2gpstore.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdpash.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdnepr.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdiultn.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdbhc.dll
2008-08-30 06:10 . 2007-09-17 04:48 1,261 --------- C:\WINDOWS\SYSTEM32\pid.inf
2008-08-30 06:08 . 2002-08-28 17:00 381,425 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\copycd.wmv
2008-08-30 06:07 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-08-30 05:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-08-30 05:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-08-26 22:33 . 2008-08-26 22:33 74,240 --a------ C:\WINDOWS\SYSTEM32\__c007e3ae.dat.infect
2008-08-23 11:07 . 2008-09-01 00:03 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-06 11:11 . 2008-08-06 11:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 05:09 --------- d-----w C:\Documents and Settings\Keith Woythaler\Application Data\AVG7
2008-08-31 04:41 --------- d-----w C:\Program Files\Bonjour
2008-08-06 15:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-06 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-21 03:26 --------- d-----w C:\Program Files\HP
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2002-12-16 12:20 207,759 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 05:43 413775]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-06-24 19:32 4800512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-08-01 02:43 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-08-01 02:43 557056]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 04:47 208560]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-12-16 08:15 26112]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 05:29 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2002-08-22 01:11 221184]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 00:01 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"nwiz"="nwiz.exe" [2003-06-24 19:32 323584 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 22:14 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-12-16 08:09:32 20480]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-12-25 21:07:02 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 14:29]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 23:28]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-25 00:36]
S3 epstw2k;SCM Parallel Port SCSI Driver;C:\WINDOWS\system32\DRIVERS\epstw2k.sys [2001-08-17 14:50]
S3 jnv4_mib;jnv4_mib;C:\DOCUME~1\KEITHW~1\LOCALS~1\Temp\jnv4_mib.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2008-04-13 14:45]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-3c5081fd382 - C:\WINDOWS\system32\__c007E3AE.dat


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.optonline.net/
R0 -: HKLM-Main,Start Page = hxxp://www.dellnet.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1;hxxp://localhost;*.local
O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 08:50:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g?p??V??g?p??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????g?p??2??????? ???<???? @???X???X???????????????????Y?????F?Q?????
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???X???????????x???????????????????H???P???? ?w? ?w)??p????????(????????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-01 8:55:10
ComboFix-quarantined-files.txt 2008-09-01 12:54:04

Pre-Run: 12,232,458,240 bytes free
Post-Run: 12,516,749,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

207

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:40 PM

Posted 02 September 2008 - 08:03 AM

Hello Razorburne,

Your protection seems quite good to me,
better to pay more attention to your surfing habits :
what you click on, where you surf to, ...
I'll give you some more info when we close this topic. :thumbsup:

For now, let's clean up some leftovers :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:File::
C:\WINDOWS\SYSTEM32\__c007e3ae.dat.infect
C:\DOCUME~1\KEITHW~1\LOCALS~1\Temp\jnv4_mib.sys
Driver::
jnv4_mib

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh HijackThislog.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#8 Razorburne

Razorburne
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 02 September 2008 - 10:27 PM

Hello Thunder,

I have done as you instructed....below please find both the ComboFix Log and the HijackThis Log.

I have not had any issues with popups or anything resembling the original problem...so thank you for that...you have been wonderful in helping me thus far. The only one concern I had came last night right before I was going to bed. I had been on the internet and was about to close internet explorer and shut down my computer when all of a sudden I got a "blue screen of death" with an error message. Honestly I do not remember what it said - I probably should have written it down but I did not. Right now is the first time I have been on my computer since yesterday as I have been at work all day, but I have not had the problem as of yet. The only thing I remember it saying was that "if this is the first time you have received this message, shut down your computer"...as I was going to bed I turned it off anyway. My computer has been on for approximately an hour now without any error messages. I don't necessarily know what this means. Should I be concerned?



Here is the newest ComboFix Log:


ComboFix 08-08-31.01 - Keith Woythaler 2008-09-02 10:56:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.225 [GMT -4:00]
Running from: C:\Documents and Settings\Keith Woythaler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Keith Woythaler\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\DOCUME~1\KEITHW~1\LOCALS~1\Temp\jnv4_mib.sys
C:\WINDOWS\SYSTEM32\__c007e3ae.dat.infect
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\__c007e3ae.dat.infect

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JNV4_MIB
-------\Service_jnv4_mib


((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-01 02:39 . 2008-09-01 02:39 <DIR> d-------- C:\Documents and Settings\Keith Woythaler\Application Data\Malwarebytes
2008-09-01 02:38 . 2008-09-01 02:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 02:38 . 2008-09-01 02:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 02:38 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-01 02:38 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-01 02:18 . 2008-09-01 02:18 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-08-31 04:32 . 2008-08-31 04:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-30 12:08 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-08-30 12:07 . 2008-08-30 12:07 <DIR> d-------- C:\Program Files\Panda Security
2008-08-30 09:30 . 2008-06-23 12:57 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-08-30 09:30 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-08-30 09:30 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-08-30 09:30 . 2008-06-23 12:57 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-08-30 09:30 . 2008-06-23 12:57 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-08-30 09:30 . 2008-06-23 12:57 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-08-30 09:30 . 2008-06-23 12:57 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-08-30 09:30 . 2008-06-23 12:57 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-08-30 09:30 . 2008-06-23 05:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-30 09:03 . 2002-08-28 17:00 68,608 --a------ C:\WINDOWS\SYSTEM32\plugin.ocx
2008-08-30 08:05 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-30 08:02 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-30 08:00 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-08-30 08:00 . 2008-05-08 10:02 203,136 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-08-30 07:23 . 2008-08-30 07:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-30 07:23 . 2008-08-30 07:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-30 07:23 . 2008-08-30 07:23 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-30 06:15 . 2008-04-13 20:12 246,814 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\strmdll.dll
2008-08-30 06:14 . 2008-04-13 20:12 774,144 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\setup_wm.exe
2008-08-30 06:13 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-30 06:12 . 2008-04-13 20:10 844,314 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msdxm.ocx
2008-08-30 06:12 . 2008-04-13 20:12 356,352 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msscp.dll
2008-08-30 06:12 . 2008-04-13 20:12 259,072 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msnetobj.dll
2008-08-30 06:12 . 2008-04-13 20:12 201,728 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mspmsp.dll
2008-08-30 06:12 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-30 06:12 . 2008-04-13 14:14 76,800 --------- C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-08-30 06:12 . 2008-04-13 20:12 69,632 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msscds32.ax
2008-08-30 06:12 . 2008-04-13 20:12 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mspmsnsv.dll
2008-08-30 06:12 . 2008-04-13 20:10 4,126 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msdxmlc.dll
2008-08-30 06:10 . 2008-04-13 20:09 290,816 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\l3codeca.acm
2008-08-30 06:10 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\SYSTEM32\kmsvc.dll
2008-08-30 06:10 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\SYSTEM32\l2gpstore.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdpash.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdnepr.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdiultn.dll
2008-08-30 06:10 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\SYSTEM32\kbdbhc.dll
2008-08-30 06:10 . 2007-09-17 04:48 1,261 --------- C:\WINDOWS\SYSTEM32\pid.inf
2008-08-30 06:08 . 2002-08-28 17:00 381,425 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\copycd.wmv
2008-08-30 06:07 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-08-30 05:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-08-30 05:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-08-23 11:07 . 2008-09-01 00:03 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-06 11:11 . 2008-08-06 11:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 05:09 --------- d-----w C:\Documents and Settings\Keith Woythaler\Application Data\AVG7
2008-08-31 04:41 --------- d-----w C:\Program Files\Bonjour
2008-08-06 15:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-06 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-21 03:26 --------- d-----w C:\Program Files\HP
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2002-12-16 12:20 207,759 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-09-01_ 8.53.37.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 05:43 413775]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-06-24 19:32 4800512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-08-01 02:43 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-08-01 02:43 557056]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 04:47 208560]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-12-16 08:15 26112]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 05:29 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2002-08-22 01:11 221184]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 00:01 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"nwiz"="nwiz.exe" [2003-06-24 19:32 323584 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 22:14 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-12-16 08:09:32 20480]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-12-25 21:07:02 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 14:29]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 23:28]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-25 00:36]
S3 epstw2k;SCM Parallel Port SCSI Driver;C:\WINDOWS\system32\DRIVERS\epstw2k.sys [2001-08-17 14:50]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2008-04-13 14:45]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 11:03:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Dell\AccessDirect\dadtray.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-02 11:09:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-02 15:09:50
ComboFix2.txt 2008-09-01 12:55:11

Pre-Run: 12,502,855,680 bytes free
Post-Run: 12,437,442,560 bytes free

187




Here is the newest HijackThisLog:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:24 AM, on 9/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201327103819
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201327088577
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7381 bytes

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:40 PM

Posted 03 September 2008 - 04:04 AM

Hello Razorburne,

Well, your logs look fine now,
but your system has been tested quite extensively these last days,
so when you've finished next step, it may be a good idea to defragment your system drive. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#10 Razorburne

Razorburne
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 03 September 2008 - 11:41 PM

Thunder,

Thank you for all of your help....you have been a Godsend....truly Thank you!

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:40 PM

Posted 04 September 2008 - 03:17 AM

Glad we could help, Razorburne :thumbsup:

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users