Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis log..please help


  • This topic is locked This topic is locked
37 replies to this topic

#1 marliaths

marliaths

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 11 October 2008 - 08:10 PM

Hey, lately my computer is a bit slow i think and it just seems like i have a virus or something. recently i updated to windows service pack 3 and then updated once more after that and thats when it started going a bit slow. Here is my hijackthis log, and thank you for helping me in advance:)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:49 PM, on 10/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Hijackthis\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167010648140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88DE2363-BA85-49FB-8EDE-2F2AB2DCCE27}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 127.0.0.1 149.174.211.5
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 127.0.0.1,149.174.211.5
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 127.0.0.1 149.174.211.5
O17 - HKLM\System\CS4\Services\VxD\MSTCP: NameServer = 127.0.0.1,149.174.211.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 127.0.0.1,149.174.211.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 127.0.0.1 149.174.211.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 14979 bytes

BC AdBot (Login to Remove)

 


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:04 AM

Posted 16 October 2008 - 10:18 PM

Hello, marliaths.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
I recomend you remove either McAfee or ESET.

Unless otherwise listed below, you can remove these AV programs from Add/Remove Programs.

Instructions for removing McAfee can be found here: [url="http://"http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033"]McAfee Consumer Product Removal Tool[/url]


We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 marliaths

marliaths
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 19 October 2008 - 02:41 AM

hey did what you asked and attached the three files :thumbsup:)

Attached Files



#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:04 AM

Posted 19 October 2008 - 12:40 PM

Hello, marliaths.
That all looks clean. Do you have any other symptoms other than slow?

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :processes
    explorer.exe
    :files
    C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
In your next reply, please include the following:
  • OTMoveIt3's Log
  • A New HiJack This log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 marliaths

marliaths
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 19 October 2008 - 09:57 PM

This used to come when i would boot up my computer..it is a message from teatimer spybot thing:
Category: System Startup global entry
Change: Value Detected
Entry: LXCJCATS

and then it also has something like address violation for teatimer and i have to click the okay button a lot of times before it goes away. And sometimes the icon for Nod32 would not show up in the right bottom corner but it would still be running because i checked by going to start, all programs, eset, and then nod32 and when i clicked on it would still be running. So just wondering why it was doing that.

After I did the OTMOVEIT3 thing you told me to, the teatimer thing stopped happening but now this thing appeared where the time usally is in the right bottom corner..it is the SQL Server Service Manager. and when i put my mouse cursor on it, it says : Not Connected - // so wondering if i did something wrong or something is screwed up?

After I did that OTMOVEIT3 thing it asked me to pick a program in which i had to open up a file named Documents. I clicked on notepad and this came up:
'"C:\Documents and Settings\All Users\Documents\FFMpeg.Exe"' is not recognized as an internal or external command,
operable program or batch file.

Another thing is that when i drag a file to another location it does not copy like it usually does and neither does it move at all. it just stays at the original spot unless i click cut and then paste it into the new location.

one thing i gotta ask you is that when i went to download the java thing it did not have update 7 but had had update 10 instead so wondering if that is the one i should download, thanks in advance


Here is the log from OTMOVEIT3:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_f3kqm8oIRxRfDqzzmde0 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_96c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c0vc7wce.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c0vc7wce.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c0vc7wce.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c0vc7wce.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c0vc7wce.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c0vc7wce.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10192008_193415




and i attached the hijackthis log, anything wrong or everything alright?

Attached Files



#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:04 AM

Posted 19 October 2008 - 10:01 PM

Hello, marliaths.
It looks like there are things going on behind the scenes that I'm not seeing in your logs. There's probably something stealthing things here.

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.
  • About 1 in 100 times the computer will not longer be able to boot after running Combofix. This requires experienced hands to restore the system to bootability.
  • There are several malware infections that "target" Combofix. Experienced Helpers are aware of these infections, and take steps to remove them prior to the use of Combofix. If you do not, various things can happen depending on the infection -- from Combofix being unable to run, to the deletion of the folder C:\Windows\System32, requiring a clean install to repair.
  • Combofix makes some rather significant changes to the internals of XP and Vista in order to work. It can therefore be very dangerous!!
  • The real power of Combofix comes not as a general purposed malware remover. It is rather modest in that capacity. Combofix is powerful because it provides to the experienced Helper a convenient and powerful front-end to Scripts. It is because of its scripting strengths, and its unique reporting capabilities, that you see Combofix often recommended. But not because of its abilities as a general malware scanner.
  • Many malware removal experts will not respond to a request for help if they see that Combofix was run by the end-user without supervision. You might find after running Combofix that your system problems are worse, and nobody is willing to help you.
  • There are several general purpose anti-malware utilities where the Author(s) intended the application for general use by end-users without Supervision. Combofix is not one of them, and you would be advised to honor that position taken by its Author.
How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • ComboFix may ask to reboot the machine. If asked, DO NOT REBOOT THE MACHINE YOURSELF!! (Unless you enjoy installing windows :thumbsup: )
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 marliaths

marliaths
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 20 October 2008 - 05:32 PM

i just wanted to clarify..if it asks me to reboot i say no right? and is any of this in safe mode or regular? and should i also install update 10 of java? just wanted to clarify:)

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:04 AM

Posted 20 October 2008 - 05:36 PM

i just wanted to clarify..if it asks me to reboot i say no right? and is any of this in safe mode or regular? and should i also install update 10 of java? just wanted to clarify:)

No, I'm just saying if it attempts to reboot, don't pull power on the machine or try to force a reboot. This may cause your system to hang on reboot if power is pulled while ComboFix is preparing to reboot.

We'll get to update 10 of java in a minnute.. let's ensure things are clean first :thumbsup:

Please run CF in normal mode.

Good luck!!

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 marliaths

marliaths
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 20 October 2008 - 08:30 PM

hey did what you asked and here is the log:

ComboFix 08-10-19.04 - HP_Administrator 2008-10-20 18:10:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.574 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OneStepSearch
C:\Program Files\OneStepSearch\home.js
C:\Program Files\OneStepSearch\readme.html
C:\U.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCSE
-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.

2008-10-19 19:34 . 2008-10-19 19:34 <DIR> d-------- C:\_OTMoveIt
2008-10-19 19:27 . 2008-10-20 17:59 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SiteAdvisor
2008-10-19 19:27 . 2008-10-19 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-10-19 19:27 . 2008-10-19 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-15 10:10 . 2008-08-14 03:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 10:10 . 2008-08-14 03:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 10:10 . 2008-08-14 02:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 10:10 . 2008-08-14 02:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 10:10 . 2008-09-15 05:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 10:10 . 2008-09-08 03:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-11 18:08 . 2008-10-11 18:09 <DIR> d-------- C:\Hijackthis
2008-10-09 17:33 . 2008-09-07 17:11 42,496 --a------ C:\WINDOWS\system32\libusb0.dll
2008-10-09 17:33 . 2008-09-07 17:11 29,184 --a------ C:\WINDOWS\system32\drivers\libusb0.sys
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-08 15:38 . 2008-10-08 15:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-28 15:17 . 2008-09-28 15:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-28 14:49 . 2008-09-28 15:50 <DIR> d-------- C:\SDFix
2008-09-22 17:02 . 2008-09-22 17:02 4,096 --a------ C:\WINDOWS\d3dx.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-20 23:43 --------- d-----w C:\Program Files\Lx_cats
2008-10-08 22:53 --------- d-----w C:\Program Files\MSN Messenger
2008-09-29 02:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-11 01:56 --------- d-----w C:\Program Files\Bonjour
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-04 23:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 23:07 --------- d-----w C:\Program Files\Veoh Networks
2008-08-31 19:45 --------- d-----w C:\Program Files\Audacity
2008-08-31 05:50 --------- d-----w C:\Program Files\Starcraft
2008-08-31 05:49 --------- d-----w C:\Program Files\Sony
2008-08-31 03:49 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Sony
2008-08-31 03:44 --------- d-----w C:\Program Files\Sony Setup
2008-08-31 03:44 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-08-24 08:46 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Thinstall
2008-08-12 20:37 28,836 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-04-15 19:17 2,664,596 ----a-w C:\Program Files\ffmpeg.rev8731.7z
2007-02-13 02:13 20 ---ha-w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 4670968]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2005-08-01 94208]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-08 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-09-27 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Steam\\steam.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:BlizzardDownloader
"6112:TCP"= 6112:TCP:BlizzardDownloader

R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 22912]
R2 WZCBDLService;WZCBDL Service;C:\Program Files\WZCBDL Service\WZCBDLS.exe [2002-03-19 36864]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2008-09-07 29184]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 91841]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aeedaf5-b012-11db-b428-0015f23b7ec9}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L
.
Contents of the 'Scheduled Tasks' folder

2008-10-11 C:\WINDOWS\Tasks\HPCeeSchedule.job
- C:\PROGRA~1\EASYIN~1\Ceement\HPCEE.exe [2005-05-24 16:46]

2008-09-22 C:\WINDOWS\Tasks\rpc.job
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\c0vc7wce.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\GameTap\bin\Release\npgametaptool.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 18:16:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-10-20 18:22:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-21 01:22:56

Pre-Run: 129,499,656,192 bytes free
Post-Run: 129,468,575,744 bytes free

209 --- E O F --- 2008-10-16 17:35:47



after i did all that the spybot messages came again and it said
category: Browser page
change: value detected
entry: search bar

i pressed allow change

category: Browser page
change: default_PAGE_url
entry: search bar

i pressed allow change

category: Browser page
change: default_PAGE_url
entry: search bar
new data: http://go.microsoft.com
i pressed allow change

category: Browser page
change: default_PAGE_url
entry: search bar
old data: www.yahoo.com
new data: http://go.microsoft.com
i pressed allow change

category: command processor
change: value detected
entry: autorun

category: NT STartup
change: value delted
entry: load

category: desktop setting
change: value deleted
entry: scrnsave.exe

i allowed all those and then it said: Exception EOUTofResources in module Teatimer.exe at 000468FC. Cannot create shell notifacation icon. i clicked ok.

anything wrong or everything ok?

and spybot and nod32 are not at the bottom right again

Edited by marliaths, 20 October 2008 - 08:31 PM.


#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:04 AM

Posted 20 October 2008 - 08:38 PM

Hello, marliaths.
Go ahead and run this and then please let me know if you still have issues ;)

We need to re-run ComboFix with some additonal directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    KILLALL::
    
    file::
    C:\Program Files\ffmpeg.rev8731.7z
    C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
    C:\WINDOWS\system32\flvDX.dll
    C:\WINDOWS\system32\msfDX.dll
    C:\WINDOWS\system32\Smab0.dll
    C:\WINDOWS\Tasks\rpc.job
    folder::
    C:\Program Files\Winferno
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

We need to run a scan using the F-Secure Online Scanner
  • Please follow the link to the F-Secure Online Scanner
    Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
In your next reply, please include the following:
  • ComboFix.txt
  • F-Secure OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 marliaths

marliaths
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 21 October 2008 - 07:28 PM

ok did what you asked and after the combofix rebooted the computer the system settings protector error came up again. it said: System settings protector has encountered a problem and needs to close. We are sorry for the inconvenience. and then it said Application error: Exception EOutofResources in module TeaTimer.exe at 000468FC. Cannot create shell notification icon. The Nod32 icon is not at the bottom right and neither is the Teatimer icon.


Here is the ComboFix Log:

ComboFix 08-10-19.04 - HP_Administrator 2008-10-21 17:02:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.589 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
C:\Program Files\ffmpeg.rev8731.7z
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\msfDX.dll
C:\WINDOWS\system32\Smab0.dll
C:\WINDOWS\Tasks\rpc.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
C:\Program Files\ffmpeg.rev8731.7z
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\msfDX.dll
C:\WINDOWS\system32\Smab0.dll
C:\WINDOWS\Tasks\rpc.job

.
((((((((((((((((((((((((( Files Created from 2008-09-22 to 2008-10-22 )))))))))))))))))))))))))))))))
.

2008-10-19 19:34 . 2008-10-19 19:34 <DIR> d-------- C:\_OTMoveIt
2008-10-19 19:27 . 2008-10-21 16:58 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SiteAdvisor
2008-10-19 19:27 . 2008-10-19 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-10-19 19:27 . 2008-10-19 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-15 10:10 . 2008-08-14 03:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 10:10 . 2008-08-14 03:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 10:10 . 2008-08-14 02:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 10:10 . 2008-08-14 02:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 10:10 . 2008-09-15 05:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 10:10 . 2008-09-08 03:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-11 18:08 . 2008-10-11 18:09 <DIR> d-------- C:\Hijackthis
2008-10-09 17:33 . 2008-09-07 17:11 42,496 --a------ C:\WINDOWS\system32\libusb0.dll
2008-10-09 17:33 . 2008-09-07 17:11 29,184 --a------ C:\WINDOWS\system32\drivers\libusb0.sys
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-08 15:38 . 2008-10-08 15:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-28 15:17 . 2008-09-28 15:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-28 14:49 . 2008-09-28 15:50 <DIR> d-------- C:\SDFix
2008-09-22 17:02 . 2008-09-22 17:02 4,096 --a------ C:\WINDOWS\d3dx.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 16:39 --------- d-----w C:\Program Files\Lx_cats
2008-10-21 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 22:53 --------- d-----w C:\Program Files\MSN Messenger
2008-09-29 02:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-11 01:56 --------- d-----w C:\Program Files\Bonjour
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-04 23:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 23:07 --------- d-----w C:\Program Files\Veoh Networks
2008-08-31 19:45 --------- d-----w C:\Program Files\Audacity
2008-08-31 05:50 --------- d-----w C:\Program Files\Starcraft
2008-08-31 05:49 --------- d-----w C:\Program Files\Sony
2008-08-31 03:49 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Sony
2008-08-31 03:44 --------- d-----w C:\Program Files\Sony Setup
2008-08-31 03:44 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-08-24 08:46 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Thinstall
2008-08-12 20:37 28,836 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-10-20_18.22.39.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-08 22:55:10 72,932 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-21 17:05:26 72,932 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-08 22:55:10 428,734 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-21 17:05:26 428,734 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-22 00:07:57 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_8a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 4670968]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2005-08-01 94208]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-08 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-09-27 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Steam\\steam.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:BlizzardDownloader
"6112:TCP"= 6112:TCP:BlizzardDownloader

R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 22912]
R2 WZCBDLService;WZCBDL Service;C:\Program Files\WZCBDL Service\WZCBDLS.exe [2002-03-19 36864]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2008-09-07 29184]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 91841]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aeedaf5-b012-11db-b428-0015f23b7ec9}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L
.
Contents of the 'Scheduled Tasks' folder

2008-10-11 C:\WINDOWS\Tasks\HPCeeSchedule.job
- C:\PROGRA~1\EASYIN~1\Ceement\HPCEE.exe [2005-05-24 16:46]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 17:07:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-10-21 17:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-22 00:13:18
ComboFix2.txt 2008-10-21 01:23:00

Pre-Run: 129,012,989,952 bytes free
Post-Run: 129,100,668,928 bytes free

200 --- E O F --- 2008-10-16 17:35:47





tried to do the F-secure online scan but every time i would try to do it I would get up to the part where I would click full system scan and i would click it but after that my internet explorer would say: Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:04 AM

Posted 21 October 2008 - 07:51 PM

Hello, marliaths.
Almost there ;)

We need to re-run ComboFix with some additonal directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/173886/hijackthis-logplease-help/
    
    suspect::[54]
    C:\WINDOWS\system32\drivers\srv.sys
    
    registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aeedaf5-b012-11db-b428-0015f23b7ec9}]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#13 marliaths

marliaths
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 21 October 2008 - 07:54 PM

just wondering if the website address is supposed to go into the code??

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:04 AM

Posted 21 October 2008 - 07:55 PM

Yes it is ;)

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#15 marliaths

marliaths
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 21 October 2008 - 08:19 PM

ok did that and it asked me to submit the file to you and also did that. after i did all that this came up from spybot:
Category: browser page
change: value detected
entry: searchassistant
old data: http://ie.search.msn.com

i click deny

and then there was this very wierd thing on my desktop i think it was from spybot because thats what it said at the bottom near the startthing

where i minimize things..it was a cup and it had a thing for 180 seconds and an ok button and also two buttons for green tea and black tea..i didn't

click anything..hoping you reply back fast so i know what to do.

here is the log from combofix:

ComboFix 08-10-19.04 - HP_Administrator 2008-10-21 18:07:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.497 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-22 to 2008-10-22 )))))))))))))))))))))))))))))))
.

2008-10-21 17:24 . 2008-10-21 17:24 <DIR> d-------- C:\fsaua.data
2008-10-19 19:34 . 2008-10-19 19:34 <DIR> d-------- C:\_OTMoveIt
2008-10-19 19:27 . 2008-10-21 18:02 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SiteAdvisor
2008-10-19 19:27 . 2008-10-19 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-10-19 19:27 . 2008-10-19 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-15 10:10 . 2008-08-14 03:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 10:10 . 2008-08-14 03:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 10:10 . 2008-08-14 02:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 10:10 . 2008-08-14 02:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 10:10 . 2008-09-15 05:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 10:10 . 2008-09-08 03:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-11 18:08 . 2008-10-11 18:09 <DIR> d-------- C:\Hijackthis
2008-10-09 17:33 . 2008-09-07 17:11 42,496 --a------ C:\WINDOWS\system32\libusb0.dll
2008-10-09 17:33 . 2008-09-07 17:11 29,184 --a------ C:\WINDOWS\system32\drivers\libusb0.sys
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-08 15:40 . 2008-10-08 15:40 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-08 15:38 . 2008-10-08 15:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application

Data\SUPERAntiSpyware.com
2008-09-28 15:54 . 2008-09-28 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-28 15:17 . 2008-09-28 15:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-28 14:49 . 2008-09-28 15:50 <DIR> d-------- C:\SDFix
2008-09-22 17:02 . 2008-09-22 17:02 4,096 --a------ C:\WINDOWS\d3dx.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 16:39 --------- d-----w C:\Program Files\Lx_cats
2008-10-21 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 22:53 --------- d-----w C:\Program Files\MSN Messenger
2008-10-08 22:43 61,440 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2008-10-08 22:43 45,056 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2008-10-08 22:43 44,032 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-10-08 22:43 40,960 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2008-10-08 22:43 32,768 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2008-10-08 22:43 32,768 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2008-10-08 22:43 287,310 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
2008-10-08 22:43 163,840 ----a-w

C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-09-29 02:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-11 01:56 --------- d-----w C:\Program Files\Bonjour
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-04 23:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 23:07 --------- d-----w C:\Program Files\Veoh Networks
2008-08-31 19:45 --------- d-----w C:\Program Files\Audacity
2008-08-31 05:50 --------- d-----w C:\Program Files\Starcraft
2008-08-31 05:49 --------- d-----w C:\Program Files\Sony
2008-08-31 03:49 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Sony
2008-08-31 03:44 --------- d-----w C:\Program Files\Sony Setup
2008-08-31 03:44 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-08-24 08:46 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Thinstall
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-12 20:37 28,836 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-10-20_18.22.39.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 22:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 22:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 23:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 22:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
- 2008-10-08 22:55:10 72,932 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-21 17:05:26 72,932 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-08 22:55:10 428,734 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-21 17:05:26 428,734 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-22 00:07:57 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_8a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 4670968]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2005-08-01 94208]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-08 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-09-27 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.xvid"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Steam\\steam.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:BlizzardDownloader
"6112:TCP"= 6112:TCP:BlizzardDownloader

R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 22912]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2008-09-07 29184]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 91841]
Start Pending2 WZCBDLService;WZCBDL Service;C:\Program Files\WZCBDL Service\WZCBDLS.exe [2002-03-19 36864]
.
Contents of the 'Scheduled Tasks' folder

2008-10-11 C:\WINDOWS\Tasks\HPCeeSchedule.job
- C:\PROGRA~1\EASYIN~1\Ceement\HPCEE.exe [2005-05-24 16:46]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 18:10:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-21 18:11:45
ComboFix-quarantined-files.txt 2008-10-22 01:11:07
ComboFix2.txt 2008-10-22 00:13:23
ComboFix3.txt 2008-10-21 01:23:00

Pre-Run: 129,064,415,232 bytes free
Post-Run: 129,049,632,768 bytes free

175 --- E O F --- 2008-10-16 17:35:47




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users