
Zordisa And Many Other Trojan.adclicker Files


  • This topic is locked
22 replies to this topic

#1 jc71587

  • Members
  • 12 posts

Posted 05 September 2008 - 10:21 AM

For the past week or so, my Symantec Antivirus has been alerting me to threats on a pretty frequent basis. I have a number of instances where zordisa.dll was found, but Symantec left it alone. My log shows that zordisa.dll is currently quarantined, but I don't see it or anything else in my quarantine section, so I don't know if it really is or not. I have also had an alert to mf0824.exe, which Symantec calls an Infostealer.Wowcraft threat. There has been a us.exe that is considered to be a W32.hitapop threat, ffxi369.exe and A0252998.dll which are Trojan Horses, and a number of random file names that are considered Trojan.adclickers. I ran a Spybot S&D, Adaware and did another scan with Symantec and it found a number of things, so I deleted all of them, but I still think I may have some sort of virus. Also, a new user was randomly added to my computer (called IUSER-admin). I deleted that particular user, but it came back again. I have since deleted it in safe mode and it is currently not showing up, but I am afraid it might come back. I don't know what else to do and I'm worried that someone may have access to passwords that I have entered. I'm going to change them, but I need to be sure the culprit is gone first.

Here is my HijackThis log. Any help would be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:11 AM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\noytcyr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\sotpeca.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\soxpeca.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Jacob\Local Settings\Temp\{5EB0C7EF-6BD6-423F-AA65-48472B5A8E08}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: afisicx Co. Ltd. (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: noxtcyr Corporation (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: roxtctm Corporation inc. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe (file missing)
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: sotpeca Settings storage service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe
O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 13191 bytes

Thanks.



#2 Billy O'Neal

    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 13 September 2008 - 10:36 PM

Hello, jc71587.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the reply button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 jc71587

  • Topic Starter
  • Members
  • 12 posts

Posted 14 September 2008 - 06:06 PM

Hi Billy,

Thanks for taking the time out to help me, I realize you guys are very busy! I have since changed my passwords to log in to financial institutions on another computer as a precaution. I also continue to get the IUSER-admin user when I log on, even after I have deleted it. Here is my most recent HijackThis log. Thanks again for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:27 PM, on 9/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\roytctm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\sotpeca.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\soxpeca.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\SYMANT~1\DWHWIZRD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Jacob\Local Settings\Temp\{5EB0C7EF-6BD6-423F-AA65-48472B5A8E08}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: afisicx Co. Ltd. (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: noxtcyr Corporation (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: roxtctm Corporation inc. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe (file missing)
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: sotpeca Settings storage service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe
O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 13177 bytes
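The two HijackThis logs above are read by eye in this thread. The following is an added example, not code from the thread or from Trend Micro, showing how a responder can triage such a log automatically for three patterns visible in the logs posted here: O23 service entries with "Unknown owner" whose binary lives in system32, O23 entries marked "(file missing)" (orphaned service registrations), and O4 autostart entries launched from a Temp directory. The sample log is a constructed excerpt of lines taken from the logs above; the `Finding` class, the `parse_o23`, `parse_o4` and `triage` functions are this example's own names, and the heuristics are assumptions, not HijackThis features.

```python
"""Triage heuristics for a HijackThis v2 log (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Binary located directly under the Windows system32 directory (any drive letter).
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
# Any path component named "Temp" (e.g. ...\Local Settings\Temp\...).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    line: str


def parse_o23(line):
    """Split an O23 line into (name, owner, path, file_missing); None if not an O23 line.

    Format: 'O23 - Service: <name> - <owner> - <path>[ (file missing)]'.
    The path is taken from the right so that ' - ' inside a service name is harmless.
    """
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    body = line[len(prefix):]
    missing = body.endswith(" (file missing)")
    if missing:
        body = body[: -len(" (file missing)")]
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return name, owner, path, missing


def parse_o4(line):
    """Return the launch target of an O4 autostart line, or None if not an O4 line.

    Handles 'O4 - HKLM\\..\\Run: [Name] <target>' and 'O4 - Startup: X.lnk = <target>'.
    """
    if not line.startswith("O4 - "):
        return None
    if ": [" in line:
        return line.split("] ", 1)[1].strip()
    if ".lnk = " in line:
        return line.split(".lnk = ", 1)[1].strip()
    return None


def triage(lines):
    """Return a list of Finding objects for the suspicious patterns described above."""
    findings = []
    for raw in lines:
        line = raw.strip()
        svc = parse_o23(line)
        if svc:
            name, owner, path, missing = svc
            if missing:
                findings.append(Finding("orphaned service (file missing)", line))
            elif owner == "Unknown owner" and SYSTEM32.match(path):
                findings.append(Finding("service with no vendor name in system32", line))
            continue
        target = parse_o4(line)
        if target and TEMP_DIR.search(target):
            findings.append(Finding("autostart from a Temp directory", line))
    return findings


# Constructed sample: an excerpt of lines from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Jacob\Local Settings\Temp\{5EB0C7EF-6BD6-423F-AA65-48472B5A8E08}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def sample_findings():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.reason}] {f.line}")
```

Against the full logs above, the "no vendor name in system32" rule alone lights up every one of the randomly named services (afinding, afisicx, mabidwe, macidwe, nobicyt, noxtcyr, noytcyr, roytctm, sobicyt, sotpeca, soxpeca, tdxdowkc, tdydowkc, wserving, wsldoekd) while leaving the Symantec, NVIDIA, Apple and HP services alone; the rule is a triage aid, not proof of malice, so each hit still wants a file hash and vendor lookup before removal.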

#4 Billy O'Neal

    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 15 September 2008 - 02:37 PM

Hello, jc71587.
Please set your system to show hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select the "Show hidden files and folders" radio button.
  • Uncheck the "Hide file extensions for known file types" checkbox.
  • Uncheck the "Hide protected operating system files (Recommended)" checkbox.
  • Click OK to confirm.
  • Close/exit My Computer.
We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/t/167587/zordisa-and-many-other-trojanadclicker-files/
  • Where it says "Browse to the file you want to submit", please browse to this file:
    C:\Windows\System32\zordisa.dll
  • Press the submit button.
Billy3

#5 jc71587

  • Topic Starter
  • Members
  • 12 posts

Posted 15 September 2008 - 05:31 PM

Hi Billy,

I followed your instructions up to the point where you asked me to browse to zordisa.dll. I looked in C:\Windows\System32, but I did not see a zordisa.dll. The last file in that folder is zipfldr.dll. Maybe my Symantec deleted it? For some reason the Threat History log on my Symantec AntiVirus doesn't show anything even when I show last month as the range. I know there has to be something still though because I hear random clicking noises in the background when I'm not even doing anything and sometimes random voices that sound like ads just come over the speakers.

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 September 2008 - 11:25 PM

Hello, jc71587.

It must be "hiding". Let's see if we can root it out.

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Please download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (Ctrl + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\Windows\System32\zordisa.dll | C:\badfile.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (Ctrl + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    54
  • Where it says "Browse to the file you want to submit", browse to
    C:\badfile.dll
  • Press the Posted Image button.
In your next reply, please include the following:
  • Avenger's Log

Billy3

#7 jc71587

jc71587
  • Topic Starter

  • Members
  • 12 posts

Posted 16 September 2008 - 06:03 AM

Still no luck...it didn't seem to find it.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\System32\zordisa.dll" not found!
File move operation "C:\Windows\System32\zordisa.dll|C:\badfile.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 September 2008 - 01:53 PM

Hello, jc71587.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3

#9 jc71587

jc71587
  • Topic Starter

  • Members
  • 12 posts

Posted 18 September 2008 - 03:29 PM

I attempted to install the Recovery Console, but I never got a confirmation. I dragged the Recovery installer icon onto ComboFix like it said, but it didn't say anything about the console being installed...ComboFix just started. Anyways, here is the log...Thanks again for your help!

ComboFix 08-09-16.05 - Jacob 2008-09-18 15:59:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -4:00]
Running from: C:\Documents and Settings\Jacob\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Install.txt
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tmp0_53473663569.bk
C:\WINDOWS\system32\tmp0_861152180542.bk
C:\WINDOWS\system32\tmp4_76397540363.bk
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\system32\wsldoekd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Service_afinding
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_macidwe
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_roytctm
-------\Service_seuictol
-------\Service_sobicyt
-------\Service_sotpeca
-------\Service_soxpeca
-------\Service_tdxdowkc
-------\Service_tdydowkc
-------\Service_wserving
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.

2008-09-04 14:31 . 2008-09-04 14:31 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\WeatherBug
2008-09-04 13:52 . 2008-09-04 13:52 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-04 08:34 . 2008-09-04 08:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-04 08:34 . 2008-09-04 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-04 08:31 . 2008-09-04 08:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 16:44 . 2008-09-01 22:42 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 22:41 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 16:44 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-31 14:11 . 2008-08-31 14:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 13:08 . 2008-08-28 13:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-28 13:08 . 2008-08-28 13:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-21 18:02 . 2008-08-21 18:02 <DIR> d-------- C:\Documents and Settings\Jacob\.realobjects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-18 20:04 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-18 19:28 --------- d-----w C:\Program Files\Lx_cats
2008-09-18 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-13 21:14 --------- d-----w C:\Program Files\World of Warcraft
2008-09-04 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 19:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-10-28 01:30 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-01-17 00:20 42,236 ----a-w C:\Program Files\uninstal.log
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,160 2005-08-05 19:08:26 C:\Program Files\AIM\bak\aim.exe
----a-w 67,160 2005-08-05 19:08:26 C:\Program Files\AIM\aim.exe

----a-w 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\bak\Apoint.exe
----a-w 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\Apoint.exe

----a-w 151,552 2004-04-13 04:00:24 C:\Program Files\Common Files\InterVideo\SchSvr\bak\SchSvr.exe

----a-w 180,269 2004-11-21 21:40:42 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 08:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 67,184 2004-12-10 22:02:26 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 67,184 2004-12-10 22:02:26 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 49,152 2005-02-17 03:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 200,766 2004-03-01 20:05:46 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe

----a-w 286,720 2004-07-30 15:33:44 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe

----a-w 192,512 2004-04-13 05:49:22 C:\Program Files\InterVideo\Common\Bin\bak\WinRemote.exe

----a-w 286,720 2004-04-21 18:28:18 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 286,720 2004-04-21 15:28:18 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 36,975 2005-11-10 18:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 192,512 2005-02-21 11:21:18 C:\Program Files\Lexmark 3300 Series\bak\lxccmon.exe

----a-w 299,008 2005-01-20 02:19:38 C:\Program Files\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 98,304 2004-08-25 13:10:44 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 120,640 2004-12-30 18:19:40 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 120,640 2004-12-30 18:19:40 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 483,328 2003-05-23 02:55:38 C:\WINDOWS\system32\bak\hphmon05.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 67160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 4730880]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [N/A]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [N/A]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [N/A]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [N/A]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [N/A]
"WINREMOTE"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [N/A]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [N/A]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [N/A]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 120640]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [N/A]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 C:\WINDOWS\system32\nwiz.exe]
"DXDllRegExe"="dxdllreg.exe" [N/A]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-05 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2004-01-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Worms World Party\\WWP\\wwp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

S2 nobicyt;nobicyt Service;C:\WINDOWS\system32\Nobicyt.exe [ ]
S2 solewxte;solewxte Service;C:\WINDOWS\system32\solewxte.exe [2004-08-04 44032]
S3 jatmlano;jatmlano;C:\DOCUME~1\Jacob\LOCALS~1\Temp\jatmlano.sys [ ]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [ ]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
C:\WINDOWS\Downloaded Program Files\WMDL.inf
C:\WINDOWS\Downloaded Program Files\WMDownload.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 16:12:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-18 16:19:48 - machine was rebooted [Jacob]
ComboFix-quarantined-files.txt 2008-09-18 20:19:33

Pre-Run: 61,576,232,960 bytes free
Post-Run: 61,895,163,904 bytes free

246 --- E O F --- 2008-09-11 07:01:44
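The HijackThis O23 lines in post #3 and the ComboFix "Reg Loading Points" section in this post carry the indicators a responder reads first: vendor-less services in system32, Security Center monitoring and alerts switched off, the firewall disabled, and auto-start entries with no file information or loading from a Temp folder. The triage helper below is an added example, not code from HijackThis, ComboFix or this thread; its rules are assumptions about what deserves a second look, and the sample text is built from lines quoted in the logs above.

```python
"""Constructed triage helper for the HijackThis and ComboFix log formats quoted in this thread.

Added example, not code from either tool or from the forum. The rules are
assumptions about what is worth a second look, not the tools' own verdicts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis O23 line: "O23 - Service: <display> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# The short service name is the parenthesised tail of the display name, if present.
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")
# ComboFix service line: "S2 name;display;path [file info]" (state letter, start type digit)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<info>.*)\]$")
# ComboFix registry value line: "name"=value
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


@dataclass(frozen=True)
class Finding:
    source: str  # "hijackthis" or "combofix"
    item: str    # service name or registry value name
    reason: str


def _in_system32(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\system32\\")


def _in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def triage_hijackthis(text: str) -> list[Finding]:
    """Flag O23 services that report no vendor and run from system32."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display, owner, path = m.group("display", "owner", "path")
        short = SHORT_RE.search(display)
        name = short.group("short") if short else display
        if owner.lower() == "unknown owner" and _in_system32(path):
            findings.append(Finding("hijackthis", name,
                                    "unknown-owner service in system32: " + path))
    return findings


def triage_combofix(text: str) -> list[Finding]:
    """Flag protection switched off and odd services in a ComboFix report."""
    findings = []
    key = ""  # registry key that the following value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name = vm.group("name")
            value = vm.group("value").strip().lower()
            k = key.lower()
            if (name == "AntiVirusDisableNotify" and "security center" in k
                    and value.startswith("dword:00000001")):
                findings.append(Finding("combofix", name,
                                        "Security Center antivirus alerts turned off"))
            elif (name == "DisableMonitoring" and "security center\\monitoring\\" in k
                    and value.startswith("dword:00000001")):
                findings.append(Finding("combofix", name,
                                        "Security Center no longer monitors " + key.rsplit("\\", 1)[-1]))
            elif (name == "EnableFirewall" and "firewallpolicy\\standardprofile" in k
                    and value.startswith("0")):
                findings.append(Finding("combofix", name,
                                        "Windows Firewall disabled for the standard profile"))
            continue
        sm = SERVICE_RE.match(line)
        if not sm:
            continue
        path, info = sm.group("path"), sm.group("info").strip()
        if _in_temp(path):
            findings.append(Finding("combofix", sm.group("name"),
                                    "service or driver loading from a Temp folder: " + path))
        elif sm.group("start") == "2" and not info:
            # Auto-start (type 2) entry for which ComboFix recorded no file date/size.
            findings.append(Finding("combofix", sm.group("name"),
                                    "auto-start service with no file info recorded: " + path))
    return findings


# Constructed samples assembled from lines quoted in this thread's logs.
HJT_SAMPLE = r"""
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
"""

COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 nobicyt;nobicyt Service;C:\WINDOWS\system32\Nobicyt.exe [ ]
S2 solewxte;solewxte Service;C:\WINDOWS\system32\solewxte.exe [2004-08-04 44032]
S3 jatmlano;jatmlano;C:\DOCUME~1\Jacob\LOCALS~1\Temp\jatmlano.sys [ ]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [ ]
"""

if __name__ == "__main__":
    for f in triage_hijackthis(HJT_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE):
        print(f"[{f.source}] {f.item}: {f.reason}")
```

Note that solewxte.exe passes every rule here even though the helper later had it collected: the rules order the review, they do not replace it.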

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 September 2008 - 05:54 PM

Hello, jc71587.

Please re-download the RC files, and then retry installing the Console now. When asked to continue scanning, answer NO.

Then do this:

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=167587&view=findpost&p=948882
    
    registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RecordNow!"=-
    "DXDllRegExe"=-
    
    driver::
    nobicyt
    solewxte
    jatmlano
    
    rootkit::
    C:\DOCUME~1\Jacob\LOCALS~1\Temp\jatmlano.sys
    C:\WINDOWS\system32\Nobicyt.exe
    
    collect::
    C:\WINDOWS\system32\solewxte.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

#11 jc71587

jc71587
  • Topic Starter

  • Members
  • 12 posts

Posted 18 September 2008 - 07:42 PM

My internet is zipping along now! I had forgotten how fast it could go. I downloaded the RC file again (to my desktop) and dragged it on the ComboFix icon, but it just opened up ComboFix again with no kind of acknowledgement of whether it downloaded the RC or not...I don't think it did. I don't know why that's not working. I did the same thing with the text in notepad (dragged onto ComboFix) and it gave no acknowledgement, but looking at the log--it looks like it did use the command. One other thing...the first time that I ran ComboFix it messed up my Symantec AntiVirus, when I opened up Symantec, there was a dialog box that said "Symantec AntiVirus is missing savrt32.dll, a required file. Please reinstall the product". So I reinstalled it, but now it's showing that message again since I ran ComboFix again...is it supposed to delete something from Symantec? I turned off all my antivirus/firewalls that I know of.

Anyways, here's the log. Thanks again!

ComboFix 08-09-16.05 - Jacob 2008-09-18 20:09:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -4:00]
Running from: C:\Documents and Settings\Jacob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jacob\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\solewxte.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JATMLANO
-------\Legacy_NOBICYT
-------\Legacy_SOLEWXTE
-------\Service_jatmlano
-------\Service_nobicyt
-------\Service_solewxte


((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-18 16:48 . 2004-03-04 23:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-18 16:48 . 2004-03-04 23:46 82,832 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-04 14:31 . 2008-09-04 14:31 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\WeatherBug
2008-09-04 13:52 . 2008-09-04 13:52 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-04 08:34 . 2008-09-04 08:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-04 08:34 . 2008-09-04 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-04 08:31 . 2008-09-04 08:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 16:44 . 2008-09-01 22:42 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 22:41 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 16:44 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-31 14:11 . 2008-08-31 14:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 13:08 . 2008-08-28 13:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-28 13:08 . 2008-08-28 13:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-21 18:02 . 2008-08-21 18:02 <DIR> d-------- C:\Documents and Settings\Jacob\.realobjects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 00:12 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-18 23:39 --------- d-----w C:\Program Files\Lx_cats
2008-09-18 20:49 --------- d-----w C:\Program Files\Symantec
2008-09-18 20:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-18 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-18 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-13 21:14 --------- d-----w C:\Program Files\World of Warcraft
2008-09-04 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 19:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-10-28 01:30 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-01-17 00:20 42,236 ----a-w C:\Program Files\uninstal.log
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,160 2005-08-05 19:08:26 C:\Program Files\AIM\bak\aim.exe
----a-w 67,160 2005-08-05 19:08:26 C:\Program Files\AIM\aim.exe

----a-w 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\bak\Apoint.exe
----a-w 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\Apoint.exe

----a-w 151,552 2004-04-13 04:00:24 C:\Program Files\Common Files\InterVideo\SchSvr\bak\SchSvr.exe

----a-w 180,269 2004-11-21 21:40:42 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 08:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 67,184 2004-12-10 22:02:26 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 67,184 2004-12-10 22:02:26 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 49,152 2005-02-17 03:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 200,766 2004-03-01 20:05:46 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe

----a-w 286,720 2004-07-30 15:33:44 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe

----a-w 192,512 2004-04-13 05:49:22 C:\Program Files\InterVideo\Common\Bin\bak\WinRemote.exe

----a-w 286,720 2004-04-21 18:28:18 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 286,720 2004-04-21 15:28:18 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 36,975 2005-11-10 18:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 192,512 2005-02-21 11:21:18 C:\Program Files\Lexmark 3300 Series\bak\lxccmon.exe

----a-w 299,008 2005-01-20 02:19:38 C:\Program Files\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 98,304 2004-08-25 13:10:44 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 120,640 2004-12-30 18:19:40 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 120,640 2004-12-30 18:19:40 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 483,328 2003-05-23 02:55:38 C:\WINDOWS\system32\bak\hphmon05.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 67160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 4730880]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [N/A]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [N/A]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [N/A]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [N/A]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [N/A]
"WINREMOTE"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [N/A]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [N/A]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [N/A]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [N/A]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 120640]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 C:\WINDOWS\system32\nwiz.exe]
"DXDllRegExe"="dxdllreg.exe" [N/A]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-05 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2004-01-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Worms World Party\\WWP\\wwp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [ ]

*Newly Created Service* - CCEVTMGR
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 20:21:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-18 20:29:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 00:29:10
ComboFix2.txt 2008-09-18 20:19:49

Pre-Run: 63,344,271,360 bytes free
Post-Run: 63,380,529,152 bytes free

182 --- E O F --- 2008-09-11 07:01:44

#12 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 September 2008 - 10:08 PM

Alright... I want to get some more eyeballs on the RC and Symantec issues. Stay tuned :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 19 September 2008 - 04:47 PM

Hello, jc71587.
1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: All files to your desktop.

RegSearch Options File

[Search]
savrt32.dll
[Exclude]

[Options]
Filter=KVDLUI


2. Download Registry Search to your desktop.
  • Right-click on the compressed RegSearch folder, and choose Extract All. In the box that pops open, click Next, then Next again, and then Finish. You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe.
  • Click Import in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s). A Notepad box will open with a report, please save the report on your desktop.
Please post the RegSearch report in your next reply.

Alright. Please attempt to re-download the recovery console and try again. Note: The download file must never be renamed. It needs to have that cryptic name given by Microsoft when the file is dragged onto ComboFix.

The correct filename should be something like WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

When you have done that, please post the new ComboFix log as well as the contents of C:\QooBox\ComboFix-quarantined-files.txt, as well as the new ComboFix log from this retried installation of the recovery console :thumbsup:

Thanks!

In your next reply, please include the following:
  • Regsearch's log
  • CF's New Log
  • ComboFix-quarantined-files.txt

Billy3

Edited by Billy O'Neal, 19 September 2008 - 04:48 PM.


#14 jc71587 (Topic Starter)
  • Members
  • 12 posts

Posted 19 September 2008 - 08:35 PM

The RC finally worked! I think my problem before was that I disabled my wireless internet before running ComboFix... I guess it needed it to be connected.

Here are the logs you requested:

Regsearch:
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 9/19/2008 8:36:17 PM for strings:
; 'savrt32.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\71DECD1F77D7E3546ACEC3E68CA8D0D7]
"497CA84818B8A04418EA464733D75B72"="C:\\Program Files\\Symantec AntiVirus\\SavRT32.dll"

; End Of The Log...


ComboFix log:
ComboFix 08-09-19.06 - Jacob 2008-09-19 21:20:03.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.253 [GMT -4:00]
Running from: C:\Documents and Settings\Jacob\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.

2008-09-18 20:54 . 2004-03-04 23:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-18 20:54 . 2004-03-04 23:46 82,832 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-04 14:31 . 2008-09-04 14:31 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\WeatherBug
2008-09-04 13:52 . 2008-09-04 13:52 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-04 08:34 . 2008-09-04 08:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-04 08:34 . 2008-09-04 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-04 08:31 . 2008-09-04 08:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 16:44 . 2008-09-01 22:42 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 22:41 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-09-01 16:44 . 2008-09-01 16:44 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-31 14:11 . 2008-08-31 14:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 13:08 . 2008-08-28 13:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-28 13:08 . 2008-08-28 13:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-21 18:02 . 2008-08-21 18:02 <DIR> d-------- C:\Documents and Settings\Jacob\.realobjects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 01:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-19 11:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-19 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-19 00:54 --------- d-----w C:\Program Files\Symantec
2008-09-19 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-18 23:39 --------- d-----w C:\Program Files\Lx_cats
2008-09-13 21:14 --------- d-----w C:\Program Files\World of Warcraft
2008-09-04 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 19:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2007-10-28 01:30 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-01-17 00:20 42,236 ----a-w C:\Program Files\uninstal.log
.

((((((((((((((((((((((((((((( snapshot@2008-09-18_20.28.47.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-18 20:49:35 40,960 ----a-r C:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-19 00:54:43 40,960 ----a-r C:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-09-18 20:49:35 40,960 ----a-r C:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-19 00:54:43 40,960 ----a-r C:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-09-18 20:49:35 40,960 ----a-r C:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-19 00:54:43 40,960 ----a-r C:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---------- TEMP00

----a-w 67,160 2005-08-05 19:08:26 C:\Program Files\AIM\bak\aim.exe

---------- TEMP00
----a-w 67,160 2005-08-05 19:08:26 C:\Program Files\AIM\aim.exe

---------- TEMP00

----a-w 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\bak\Apoint.exe

---------- TEMP00
----a-w 159,744 2003-10-08 03:40:00 C:\Program Files\Apoint2K\Apoint.exe

---------- TEMP00

----a-w 151,552 2004-04-13 04:00:24 C:\Program Files\Common Files\InterVideo\SchSvr\bak\SchSvr.exe

---------- TEMP00

----a-w 180,269 2004-11-21 21:40:42 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

---------- TEMP00

----a-w 110,592 2003-08-19 08:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

---------- TEMP00

----a-w 67,184 2004-12-10 22:02:26 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

---------- TEMP00
----a-w 67,184 2004-12-10 22:02:26 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

---------- TEMP00

----a-w 49,152 2005-02-17 03:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

---------- TEMP00

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

---------- TEMP00

----a-w 200,766 2004-03-01 20:05:46 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe

---------- TEMP00

----a-w 286,720 2004-07-30 15:33:44 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe

---------- TEMP00

----a-w 192,512 2004-04-13 05:49:22 C:\Program Files\InterVideo\Common\Bin\bak\WinRemote.exe

---------- TEMP00

----a-w 286,720 2004-04-21 18:28:18 C:\Program Files\iTunes\bak\iTunesHelper.exe

---------- TEMP00
----a-w 286,720 2004-04-21 15:28:18 C:\Program Files\iTunes\iTunesHelper.exe

---------- TEMP00

----a-w 36,975 2005-11-10 18:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

---------- TEMP00

----a-w 192,512 2005-02-21 11:21:18 C:\Program Files\Lexmark 3300 Series\bak\lxccmon.exe

---------- TEMP00

----a-w 299,008 2005-01-20 02:19:38 C:\Program Files\Lexmark Fax Solutions\bak\fm3032.exe

---------- TEMP00

----a-w 98,304 2004-08-25 13:10:44 C:\Program Files\QuickTime\bak\qttask.exe

---------- TEMP00

----a-w 120,640 2004-12-30 18:19:40 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

---------- TEMP00
----a-w 120,640 2004-12-30 18:19:40 C:\Program Files\Symantec AntiVirus\VPTray.exe

---------- TEMP00

----a-w 483,328 2003-05-23 02:55:38 C:\WINDOWS\system32\bak\hphmon05.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 67160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 4730880]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [N/A]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [N/A]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [N/A]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [N/A]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [N/A]
"WINREMOTE"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [N/A]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [N/A]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [N/A]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [N/A]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 120640]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 C:\WINDOWS\system32\nwiz.exe]
"DXDllRegExe"="dxdllreg.exe" [N/A]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-05 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2004-01-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Worms World Party\\WWP\\wwp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [ ]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
C:\WINDOWS\Downloaded Program Files\WMDL.inf
C:\WINDOWS\Downloaded Program Files\WMDownload.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 21:23:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Jacob\LOCALS~1\Temp\RGI1.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-09-19 21:26:18
ComboFix-quarantined-files.txt 2008-09-20 01:26:05
ComboFix2.txt 2008-09-19 00:29:30
ComboFix3.txt 2008-09-18 20:19:49

Pre-Run: 63,166,316,544 bytes free
Post-Run: 63,156,756,480 bytes free

225 --- E O F --- 2008-09-11 07:01:44



Quarantined files:
2004-08-04 08:00:00 10 C:\Qoobox\Quarantine\C\WINDOWS\system32\comsa32.sys.vir
2004-08-04 08:00:00 256,000 C:\Qoobox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir
2004-08-04 08:00:00 257,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\atsxyzd.sys.vir
2004-08-04 08:00:00 272 C:\Qoobox\Quarantine\C\WINDOWS\Install.txt.vir
2004-08-04 08:00:00 36,864 C:\Qoobox\Quarantine\C\WINDOWS\system32\wsldoekd.exe.vir
2004-08-04 08:00:00 37,376 C:\Qoobox\Quarantine\C\WINDOWS\system32\macidwe.exe.vir
2004-08-04 08:00:00 37,376 C:\Qoobox\Quarantine\C\WINDOWS\system32\Nobicyt.exe.vir
2004-08-04 08:00:00 37,376 C:\Qoobox\Quarantine\C\WINDOWS\system32\sobicyt.exe.vir
2004-08-04 08:00:00 37,376 C:\Qoobox\Quarantine\C\WINDOWS\system32\tdxdowkc.exe.vir
2004-08-04 08:00:00 37,888 C:\Qoobox\Quarantine\C\WINDOWS\system32\noxtcyr.exe.vir
2004-08-04 08:00:00 37,888 C:\Qoobox\Quarantine\C\WINDOWS\system32\noytcyr.exe.vir
2004-08-04 08:00:00 37,888 C:\Qoobox\Quarantine\C\WINDOWS\system32\roytctm.exe.vir
2004-08-04 08:00:00 38,400 C:\Qoobox\Quarantine\C\WINDOWS\system32\AFinding.exe.vir
2004-08-04 08:00:00 38,400 C:\Qoobox\Quarantine\C\WINDOWS\system32\afisicx.exe.vir
2004-08-04 08:00:00 38,400 C:\Qoobox\Quarantine\C\WINDOWS\system32\sotpeca.exe.vir
2004-08-04 08:00:00 38,400 C:\Qoobox\Quarantine\C\WINDOWS\system32\WServing.exe.vir
2004-08-04 08:00:00 38,912 C:\Qoobox\Quarantine\C\WINDOWS\system32\mabidwe.exe.vir
2004-08-04 08:00:00 38,912 C:\Qoobox\Quarantine\C\WINDOWS\system32\tdydowkc.exe.vir
2004-08-04 08:00:00 39,424 C:\Qoobox\Quarantine\C\WINDOWS\system32\soxpeca.exe.vir
2004-08-04 08:00:00 44,032 C:\Qoobox\Quarantine\C\WINDOWS\system32\solewxte.exe.vir
2004-08-04 08:00:00 676,352 C:\Qoobox\Quarantine\C\WINDOWS\system32\rtl60.bpl.vir
2007-02-14 21:30:50 144 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\setup.inf.vir
2008-08-24 19:46:09 2,706 C:\Qoobox\Quarantine\C\WINDOWS\system32\syspilog.pil.vir
2008-08-24 21:10:46 24 C:\Qoobox\Quarantine\C\test.txt.vir
2008-08-25 15:34:57 25,990 C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp0_53473663569.bk.vir
2008-08-25 15:39:01 27,077 C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp0_861152180542.bk.vir
2008-09-18 10:33:31 176,368 C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp4_76397540363.bk.vir
2008-09-18 20:02:46 1,024 C:\Qoobox\Quarantine\Registry_backups\Legacy_PANDRV.reg.dat
2008-09-18 20:02:46 1,044 C:\Qoobox\Quarantine\Registry_backups\Legacy_MABIDWE.reg.dat
2008-09-18 20:02:46 1,044 C:\Qoobox\Quarantine\Registry_backups\Legacy_MACIDWE.reg.dat
2008-09-18 20:02:46 1,044 C:\Qoobox\Quarantine\Registry_backups\Legacy_NOYTCYR.reg.dat
2008-09-18 20:02:46 1,044 C:\Qoobox\Quarantine\Registry_backups\Legacy_ROYTCTM.reg.dat
2008-09-18 20:02:46 1,044 C:\Qoobox\Quarantine\Registry_backups\Legacy_SOBICYT.reg.dat
2008-09-18 20:02:46 1,044 C:\Qoobox\Quarantine\Registry_backups\Legacy_SOXPECA.reg.dat
2008-09-18 20:02:46 1,046 C:\Qoobox\Quarantine\Registry_backups\Legacy_AFISICX.reg.dat
2008-09-18 20:02:46 1,052 C:\Qoobox\Quarantine\Registry_backups\Legacy_NOXTCYR.reg.dat
2008-09-18 20:02:46 1,056 C:\Qoobox\Quarantine\Registry_backups\Legacy_AFINDING.reg.dat
2008-09-18 20:02:46 1,056 C:\Qoobox\Quarantine\Registry_backups\Legacy_TDXDOWKC.reg.dat
2008-09-18 20:02:46 1,056 C:\Qoobox\Quarantine\Registry_backups\Legacy_TDYDOWKC.reg.dat
2008-09-18 20:02:46 1,056 C:\Qoobox\Quarantine\Registry_backups\Legacy_WSERVING.reg.dat
2008-09-18 20:02:46 1,074 C:\Qoobox\Quarantine\Registry_backups\Legacy_WSLDOEKD.reg.dat
2008-09-18 20:02:46 1,078 C:\Qoobox\Quarantine\Registry_backups\Legacy_SOTPECA.reg.dat
2008-09-18 20:02:46 800 C:\Qoobox\Quarantine\Registry_backups\Legacy_PERFS.reg.dat
2008-09-18 20:02:46 816 C:\Qoobox\Quarantine\Registry_backups\Legacy_ROUTING.reg.dat
2008-09-18 20:02:46 822 C:\Qoobox\Quarantine\Registry_backups\Legacy_SEUICTOL.reg.dat
2008-09-18 20:02:46 834 C:\Qoobox\Quarantine\Registry_backups\Legacy_ROXTCTM.reg.dat
2008-09-18 20:02:47 2,226 C:\Qoobox\Quarantine\Registry_backups\Service_noytcyr.reg.dat
2008-09-18 20:02:47 2,226 C:\Qoobox\Quarantine\Registry_backups\Service_routing.reg.dat
2008-09-18 20:02:47 2,232 C:\Qoobox\Quarantine\Registry_backups\Service_macidwe.reg.dat
2008-09-18 20:02:47 2,242 C:\Qoobox\Quarantine\Registry_backups\Service_mabidwe.reg.dat
2008-09-18 20:02:47 2,244 C:\Qoobox\Quarantine\Registry_backups\Service_afisicx.reg.dat
2008-09-18 20:02:47 2,250 C:\Qoobox\Quarantine\Registry_backups\Service_noxtcyr.reg.dat
2008-09-18 20:02:47 2,258 C:\Qoobox\Quarantine\Registry_backups\Service_afinding.reg.dat
2008-09-18 20:02:47 2,456 C:\Qoobox\Quarantine\Registry_backups\Service_perfs.reg.dat
2008-09-18 20:02:48 2,232 C:\Qoobox\Quarantine\Registry_backups\Service_sobicyt.reg.dat
2008-09-18 20:02:48 2,242 C:\Qoobox\Quarantine\Registry_backups\Service_roytctm.reg.dat
2008-09-18 20:02:48 2,244 C:\Qoobox\Quarantine\Registry_backups\Service_roxtctm.reg.dat
2008-09-18 20:02:48 2,246 C:\Qoobox\Quarantine\Registry_backups\Service_tdxdowkc.reg.dat
2008-09-18 20:02:48 2,260 C:\Qoobox\Quarantine\Registry_backups\Service_soxpeca.reg.dat
2008-09-18 20:02:48 2,278 C:\Qoobox\Quarantine\Registry_backups\Service_sotpeca.reg.dat
2008-09-18 20:02:48 5,412 C:\Qoobox\Quarantine\Registry_backups\Service_seuictol.reg.dat
2008-09-18 20:02:49 2,240 C:\Qoobox\Quarantine\Registry_backups\Service_tdydowkc.reg.dat
2008-09-18 20:02:49 2,264 C:\Qoobox\Quarantine\Registry_backups\Service_wsldoekd.reg.dat
2008-09-18 20:02:49 2,282 C:\Qoobox\Quarantine\Registry_backups\Service_wserving.reg.dat
2008-09-18 20:19:12 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-09-18 20:19:12 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-09-18 20:19:12 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-09-19 00:09:11 22,011 C:\Qoobox\Quarantine\[4]-Submit_2008-09-18@20.09.zip
2008-09-19 00:12:23 2,232 C:\Qoobox\Quarantine\Registry_backups\Service_nobicyt.reg.dat
2008-09-19 00:12:23 2,336 C:\Qoobox\Quarantine\Registry_backups\Service_jatmlano.reg.dat
2008-09-19 00:12:23 286 C:\Qoobox\Quarantine\Registry_backups\Legacy_JATMLANO.reg.dat
2008-09-19 00:12:23 816 C:\Qoobox\Quarantine\Registry_backups\Legacy_NOBICYT.reg.dat
2008-09-19 00:12:23 824 C:\Qoobox\Quarantine\Registry_backups\Legacy_SOLEWXTE.reg.dat
2008-09-19 00:12:24 2,240 C:\Qoobox\Quarantine\Registry_backups\Service_solewxte.reg.dat
2008-09-20 01:22:17 6,869 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-09-20 01:23:03 417 C:\Qoobox\Quarantine\catchme.log

#15 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 20 September 2008 - 05:12 PM

Hello, jc71587.

Alrighty... let's try this one more time :)

Go ahead and re-install Norton one more time. Then DELETE and RE-DOWNLOAD ComboFix. Run it one more time. Then please let me know if the error from Norton appears on boot this time :)

You don't need to try installing the RC this time, it's already there.

Please include the ComboFix log in your next reply.

Thanks! :thumbsup:

Billy3



