
windows explorer seems to be hijacked by malware - attached hijack this log


  • This topic is locked
5 replies to this topic

#1 reflect0mate

  • Members
  • 3 posts

Posted 17 November 2008 - 07:58 PM

I gave my kids an old machine to use. But before I could create non-admin accounts for them they had already downloaded some sort of malware...

I used ccleaner to remove temp files.

Symptoms:

- All Windows Explorer actions seem to be hijacked. If it is open after an amount of time, the screen will hide the taskbar and then close all Windows Explorer instances.
- Most of the time trying to click on the start menu fails. The whole screen goes black and prevents you from selecting any menu item.
- possibly unrelated, but the sound has been disabled and any attempt to reinstall the drivers causes the computer to shutdown
- also possibly unrelated, I am unable to change any settings on my Matrox Parhelia video card
- both the computer itself and internet access have slowed down drastically




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:00 PM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
d:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
d:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
D:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
D:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe
D:\WINDOWS\System32\snmp.exe
d:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\mqsvc.exe
D:\WINDOWS\system32\mqtgsvc.exe
D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Matrox Graphics Inc\PowerDesk HF\Matrox.PowerDesk.PDeskNet.exe
D:\WINDOWS\Logi_MwX.Exe
D:\Program Files\Logitech\G-series Software\LGDCore.exe
D:\Program Files\Logitech\G-series Software\LCDMon.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
D:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
D:\Program Files\SlickRun\sr.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Documents and Settings\Raoul Ellias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
d:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.DesktopManagement.Host.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Belkin\Nostromo\nost_LM.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
D:\Program Files\ProcessTamer\ProcessTamerTray.exe
D:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\EditPlus 2\editplus.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - D:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - D:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - D:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Linkman - {5C9DCA26-CEC4-4280-A831-D622D4DBF113} - D:\PROGRA~1\Linkman\LINKMA~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - D:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - D:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Matrox PowerDesk 8] "D:\Program Files\Matrox Graphics Inc\PowerDesk HF\matrox.powerdesk.exe" /silent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [IPHSend] D:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "D:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Matrox PowerDesk SE] "d:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SlickRun] "D:\Program Files\SlickRun\sr.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Raoul Ellias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-1177238915-1214440339-725345543-1023\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'ccnetuser')
O4 - HKUS\S-1-5-21-1177238915-1214440339-725345543-1023\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'ccnetuser')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-1177238915-1214440339-725345543-1023 Startup: desktop(2).ini (User 'ccnetuser')
O4 - S-1-5-18 Startup: desktop(2).ini (User 'SYSTEM')
O4 - .DEFAULT Startup: desktop(2).ini (User 'Default user')
O4 - Startup: desktop(2).ini
O4 - Startup: ProcessTamer.lnk = D:\Program Files\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = D:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {0AD401E5-2D78-45B1-B875-07B0F9ED3937} - D:\Program Files\nStuff\Web Development Helper\WebDevHelper.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "D:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "D:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169085511359
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://time.inscopesolutions.com/BusinessPortal/msrdp.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/...Detective-m.cab
O16 - DPF: {BA11E984-66D3-11D3-9196-006008105FA5} (SDClientHelper Class) - https://time.inscopesolutions.com/businessp...ClientTools.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.18/ttinst.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - D:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: CruiseControl.NET Server (CCService) - ThoughtWorks - D:\Program Files\CruiseControl.NET\server\ccservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - d:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - d:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14670 bytes
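The log above is HijackThis output, which has a regular line format (a section tag such as R1, O2, O4 or O23, then " - ", then the entry). As an added example that is not code from this thread, from BleepingComputer or from Trend Micro, here is a small Python parser for that format with the first checks a helper reviewing such a log tends to make: entries the tool marked "(file missing)", the same executable registered more than once under a Run key, and startup shortcuts whose target the tool printed as "?". The sample lines are constructed in the format shown above; the three checks are this example's own choice of what deserves a second look, not a finding about any specific entry in the log.

```python
"""Parse HijackThis-style log lines and run simple triage checks (added example)."""
import re
from collections import Counter

# Constructed sample in the HijackThis v2 line format shown in the thread (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "D:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [SlickRun] "D:\Program Files\SlickRun\sr.exe"
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "D:\Program Files\Fiddler\Fiddler.exe" (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 Run entries: <hive>\..\Run: [<name>] <command>   (hive may be HKLM, HKCU or HKUS\<SID>)
RUN_RE = re.compile(r"^(?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Last path component ending in .exe, whether the command is quoted or not
EXE_RE = re.compile(r'([^\\"]+\.exe)', re.IGNORECASE)
# O4 Startup / Global Startup entries: <shortcut> = <target>
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<item>.+?) = (?P<target>.*)$")


def parse_log(text):
    """Return one record per 'Oxx - body' line; header and process-list lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            records.append({"section": m["section"], "body": m["body"], "line": line})
    return records


def run_entries(records):
    """Extract hive, entry name, command and executable basename from O4 Run lines."""
    out = []
    for rec in records:
        if rec["section"] != "O4":
            continue
        m = RUN_RE.match(rec["body"])
        if not m:
            continue
        exe = EXE_RE.search(m["cmd"])
        out.append({"hive": m["hive"], "name": m["name"], "cmd": m["cmd"],
                    "exe": exe.group(1).lower() if exe else None})
    return out


def triage(text):
    """Summarise the log and flag entries worth a closer look (checks are this example's own)."""
    records = parse_log(text)
    counts = Counter(r["exe"] for r in run_entries(records) if r["exe"])
    unresolved = []
    for rec in records:
        if rec["section"] == "O4":
            m = STARTUP_RE.match(rec["body"])
            if m and m["target"].strip() == "?":
                unresolved.append(m["item"])
    return {
        "total_entries": len(records),
        "by_section": dict(Counter(r["section"] for r in records)),
        "file_missing": [r["line"] for r in records if "(file missing)" in r["line"]],
        "duplicate_run_exes": {exe: n for exe, n in counts.items() if n > 1},
        "unresolved_startup": unresolved,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running the block prints the section counts plus the flagged entries; against the sample it reports the two "(file missing)" lines, KHALMNPR.EXE registered twice under HKLM Run, and the SetPoint shortcut whose target was printed as "?".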


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 November 2008 - 08:03 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 reflect0mate

  • Topic Starter
  • Members
  • 3 posts

Posted 17 November 2008 - 08:29 PM

NOTE: After ComboFix was done, Spybot S&D popped up with the below info. Should I allow the registry change? It wants to delete it. Also, should I check "Remember this decision?", or should I disable Spybot and run ComboFix again? Btw, I have left the "Allow change" dialog open..

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list

=============================================
Below is the ComboFix log
===============================================

ComboFix 08-11-16.05 - Raoul Ellias 2008-11-17 19:09:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.315 [GMT -6:00]
Running from: d:\documents and settings\Raoul Ellias\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-17 19:06 . 2008-11-17 19:06 4,958,588 --a------ d:\windows\{00000002-00000000-00000001-00001102-00000004-10021102}.BAK
2008-11-16 19:06 . 2008-11-16 19:06 27,288 --a------ d:\documents and settings\abby\Application Data\GDIPFONTCACHEV1.DAT
2008-11-12 22:15 . 2008-09-04 11:15 1,106,944 -----c--- d:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:15 . 2008-10-24 05:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 21:12 . 2008-11-09 21:12 <DIR> d-------- d:\documents and settings\Raoul Ellias\Application Data\FastStone
2008-11-09 20:19 . 2008-11-09 20:27 <DIR> d-------- d:\program files\EsetOnlineScanner
2008-11-09 20:17 . 2008-11-09 20:17 <DIR> d-------- d:\program files\FastStone Image Viewer
2008-11-09 19:57 . 2008-11-09 19:59 <DIR> d-------- d:\program files\XoftSpySE
2008-11-09 19:55 . 2008-11-09 19:56 <DIR> d-------- d:\program files\RogueRemover FREE
2008-11-06 20:10 . 2008-11-06 20:10 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-06 20:10 . 2008-11-06 20:10 <DIR> d-------- d:\documents and settings\Raoul Ellias\Application Data\Malwarebytes
2008-11-06 20:10 . 2008-11-06 20:10 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-06 20:10 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-06 20:10 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-03 22:22 . 2008-11-03 22:22 <DIR> d-------- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-03 22:21 . 2008-11-03 22:21 <DIR> d-------- d:\program files\SUPERAntiSpyware
2008-11-03 22:21 . 2008-11-03 22:21 <DIR> d-------- d:\documents and settings\ccnetuser\Application Data\SUPERAntiSpyware.com
2008-11-03 21:49 . 2008-11-03 21:50 <DIR> d-------- d:\program files\CCleaner
2008-11-03 20:08 . 2008-11-03 20:08 <DIR> d-------- D:\VundoFix Backups
2008-11-03 19:09 . 2008-11-03 19:09 <DIR> d-------- d:\program files\Trend Micro
2008-11-03 19:08 . 2008-11-03 19:08 <DIR> d-------- D:\Tools
2008-11-03 07:43 . 2008-11-03 07:43 <DIR> d-------- d:\documents and settings\ccnetuser\Application Data\Logitech
2008-10-28 18:33 . 2008-10-28 18:37 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-10-28 15:34 . 2008-10-28 15:34 <DIR> d-------- d:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-28 15:34 . 2008-10-28 15:34 <DIR> d-------- d:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-28 07:53 . 2008-10-28 07:53 <DIR> d-------- d:\windows\SQLTools9_KB954606_ENU
2008-10-28 07:49 . 2008-10-28 07:49 <DIR> d-------- d:\windows\DTS9_KB954606_ENU
2008-10-28 07:46 . 2008-10-28 07:46 <DIR> d-------- d:\windows\NS9_KB954606_ENU
2008-10-28 07:35 . 2008-10-28 07:36 <DIR> d-------- d:\windows\RS9_KB954606_ENU
2008-10-28 07:29 . 2008-10-28 07:29 <DIR> d-------- d:\windows\OLAP9_KB954606_ENU
2008-10-28 07:13 . 2008-10-28 07:13 <DIR> d-------- d:\windows\SQL9_KB954606_ENU
2008-10-27 00:59 . 2008-10-27 00:59 <DIR> d-------- d:\program files\Microsoft Silverlight
2008-10-27 00:40 . 2008-10-27 00:41 <DIR> d-------- d:\windows\SQLTools9_KB948109_ENU
2008-10-27 00:34 . 2008-10-27 00:34 <DIR> d-------- d:\windows\DTS9_KB948109_ENU
2008-10-27 00:30 . 2008-10-27 00:30 <DIR> d-------- d:\windows\NS9_KB948109_ENU
2008-10-27 00:24 . 2008-10-27 00:24 <DIR> d-------- d:\windows\RS9_KB948109_ENU
2008-10-27 00:19 . 2008-10-27 00:19 <DIR> d-------- d:\windows\OLAP9_KB948109_ENU
2008-10-27 00:00 . 2008-10-27 00:00 <DIR> d-------- d:\documents and settings\All Users\Application Data\Matrox Graphics Inc
2008-10-27 00:00 . 2008-06-10 18:25 2,005,376 --a------ d:\windows\system32\MTXPARD.dll
2008-10-27 00:00 . 2008-06-10 18:27 1,485,568 --a------ d:\windows\system32\drivers\MTXPARM.sys
2008-10-27 00:00 . 2008-06-10 18:27 5,504 --a------ d:\windows\system32\drivers\mtxparmx.sys
2008-10-26 23:59 . 2008-06-10 18:27 761,856 --a------ d:\windows\system32\MtxEscape.dll
2008-10-26 23:59 . 2008-05-06 20:18 139,264 --a------ d:\windows\system32\MtxCIP2.dll
2008-10-26 10:03 . 2008-10-26 10:03 <DIR> d-------- d:\documents and settings\finn\Application Data\Yahoo!
2008-10-26 10:02 . 2008-10-26 10:02 <DIR> d-------- d:\documents and settings\finn\Application Data\Research In Motion
2008-10-23 21:05 . 2008-10-15 10:34 337,408 -----c--- d:\windows\system32\dllcache\netapi32.dll
2008-10-23 20:55 . 2008-10-23 20:55 <DIR> d-------- d:\documents and settings\abby\Application Data\Yahoo!
2008-10-23 20:52 . 2008-10-23 20:52 <DIR> d-------- d:\documents and settings\abby\Application Data\Logitech
2008-10-23 20:50 . 2008-10-24 02:26 <DIR> d-------- d:\documents and settings\abby
2008-10-22 19:16 . 2008-10-22 19:16 <DIR> d-------- d:\documents and settings\finn\Application Data\Logitech
2008-10-22 18:46 . 2008-10-22 18:47 <DIR> d-------- d:\documents and settings\finn
2008-10-20 19:32 . 2008-10-28 21:56 <DIR> d-------- d:\program files\iWin.com
2008-10-20 19:32 . 2008-10-20 19:32 <DIR> d-------- d:\documents and settings\Raoul Ellias\Application Data\iWinArcade
2008-10-20 19:31 . 2008-10-28 21:56 <DIR> d-------- d:\documents and settings\All Users\Application Data\iWin Games
2008-10-19 15:19 . 2008-10-19 15:19 <DIR> d-------- d:\documents and settings\Raoul Ellias\Application Data\Yahoo!
2008-10-19 15:19 . 2008-10-19 15:19 <DIR> d-------- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-19 14:23 . 2008-10-20 19:33 <DIR> d-------- d:\documents and settings\Raoul Ellias\Application Data\PlayFirst
2008-10-19 14:23 . 2008-10-20 19:49 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-10-19 14:23 . 2008-10-20 19:33 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 09:05 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 03:03 --------- d-----w d:\program files\Realtek AC97
2008-11-07 04:02 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-04 04:19 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-11-03 00:02 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-10-29 03:52 --------- d-----w d:\program files\UltiDev
2008-10-29 00:33 --------- d-----w d:\program files\Lavasoft
2008-10-28 13:55 --------- d-----w d:\program files\Microsoft SQL Server
2008-10-27 06:00 --------- d-----w d:\program files\Matrox Graphics Inc
2008-10-24 11:21 455,296 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-19 20:23 --------- d-----w d:\program files\Yahoo!
2008-09-30 22:43 1,286,152 ----a-w d:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w d:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w d:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w d:\windows\system32\msxml3.dll
2008-08-28 07:46 74,752 ----a-w d:\windows\system32\msw3prt.dll
2008-08-28 07:46 104,960 ----a-w d:\windows\system32\win32spl.dll
2008-08-26 07:24 826,368 ----a-w d:\windows\system32\wininet.dll
2007-02-18 14:55 27,288 ----a-w d:\documents and settings\Raoul Ellias\Application Data\GDIPFONTCACHEV1.DAT
2004-09-22 22:46 192,512 ----a-w d:\windows\inf\unregmp2(2).exe
2006-04-27 01:22 8 --sh--r d:\windows\system32\5ABC974A12.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-09_19.39.11.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 01:10:56 1,379,840 ----a-w d:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w d:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w d:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w d:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w d:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w d:\windows\$hf_mig$\KB954459\update\updspapi.dll
- 2005-11-18 16:20:26 217,088 ----a-w d:\windows\Alcrmv.exe
+ 2006-07-31 17:27:30 217,088 ----a-w d:\windows\Alcrmv.exe
- 2006-07-31 16:19:24 315,392 ----a-w d:\windows\alcupd.exe
+ 2006-07-31 17:19:00 315,392 ----a-w d:\windows\alcupd.exe
+ 2008-10-24 11:21:09 455,296 ------w d:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-13 09:02:02 32,768 ----a-r d:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-10-05 08:47:03 20,240 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-11-13 09:05:23 20,240 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-10-05 08:47:03 217,864 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\misc.exe
+ 2008-11-13 09:05:23 217,864 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\misc.exe
- 2008-10-05 08:47:03 18,704 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-11-13 09:05:23 18,704 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-10-05 08:47:03 35,088 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-11-13 09:05:23 35,088 ----a-r d:\windows\Installer\{90120000-0026-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-10-05 08:44:58 135,168 ----a-r d:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-11-13 09:03:49 135,168 ----a-r d:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-10-05 08:44:58 40,960 ----a-r d:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\wrdvicon.exe
+ 2008-11-13 09:03:49 40,960 ----a-r d:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\wrdvicon.exe
- 2006-06-21 10:42:44 577,536 ----a-w d:\windows\SOUNDMAN.EXE
+ 2007-04-16 21:28:22 577,536 ----a-w d:\windows\SOUNDMAN.EXE
- 2008-04-13 18:45:14 60,160 -c--a-w d:\windows\system32\dllcache\drmk.sys
+ 2008-04-13 19:45:14 60,160 -c--a-w d:\windows\system32\dllcache\drmk.sys
- 2008-04-13 19:16:36 141,056 -c--a-w d:\windows\system32\dllcache\ks.sys
+ 2008-04-13 20:16:36 141,056 -c--a-w d:\windows\system32\dllcache\ks.sys
+ 2008-04-14 01:11:56 4,096 -c--a-w d:\windows\system32\dllcache\ksuser.dll
- 2008-04-14 00:12:01 1,306,624 -c----w d:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 -c----w d:\windows\system32\dllcache\msxml6.dll
- 2008-04-13 19:19:42 146,048 -c--a-w d:\windows\system32\dllcache\portcls.sys
+ 2008-04-13 20:19:42 146,048 -c--a-w d:\windows\system32\dllcache\portcls.sys
- 2008-04-13 18:45:16 49,408 -c--a-w d:\windows\system32\dllcache\stream.sys
+ 2008-04-13 19:45:16 49,408 -c--a-w d:\windows\system32\dllcache\stream.sys
- 2008-04-14 00:12:46 23,552 -c--a-w d:\windows\system32\dllcache\wdmaud.drv
+ 2008-04-14 01:12:46 23,552 -c--a-w d:\windows\system32\dllcache\wdmaud.drv
- 2006-09-23 03:43:19 4,011,264 ----a-r d:\windows\system32\drivers\ALCXWDM.SYS
+ 2008-01-24 22:36:16 4,127,488 ----a-r d:\windows\system32\drivers\ALCXWDM.SYS
- 2008-04-13 18:45:14 60,160 ----a-w d:\windows\system32\drivers\drmk.sys
+ 2008-04-13 19:45:14 60,160 ----a-w d:\windows\system32\drivers\drmk.sys
- 2008-04-13 19:16:36 141,056 ----a-w d:\windows\system32\drivers\ks.sys
+ 2008-04-13 20:16:36 141,056 ----a-w d:\windows\system32\drivers\ks.sys
- 2008-04-13 19:19:42 146,048 ----a-w d:\windows\system32\drivers\portcls.sys
+ 2008-04-13 20:19:42 146,048 ----a-w d:\windows\system32\drivers\portcls.sys
- 2008-04-13 18:45:16 49,408 ----a-w d:\windows\system32\drivers\stream.sys
+ 2008-04-13 19:45:16 49,408 ----a-w d:\windows\system32\drivers\stream.sys
- 2008-11-10 01:30:30 386,242 ----a-w d:\windows\system32\inetsrv\MetaBase.bin
+ 2008-11-18 00:33:24 386,244 ----a-w d:\windows\system32\inetsrv\MetaBase.bin
- 2008-04-14 00:11:56 4,096 ----a-w d:\windows\system32\ksuser.dll
+ 2008-04-14 01:11:56 4,096 ----a-w d:\windows\system32\ksuser.dll
+ 2007-07-27 20:49:02 196,683 ----a-w d:\windows\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w d:\windows\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w d:\windows\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w d:\windows\system32\lnod32upd.dll
- 2008-10-07 17:19:42 16,721,856 ----a-w d:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w d:\windows\system32\MRT.exe
+ 2008-02-11 15:39:26 253,952 ----a-w d:\windows\system32\OnlineScannerDLLA.dll
+ 2008-02-11 15:39:18 237,568 ----a-w d:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-08 19:53:46 110,592 ----a-w d:\windows\system32\OnlineScannerLang.dll
+ 2008-02-05 14:48:04 77,824 ----a-w d:\windows\system32\OnlineScannerUninstaller.exe
- 2006-06-30 11:32:46 143,360 ----a-w d:\windows\system32\RTLCPAPI.dll
+ 2006-10-18 08:53:26 147,456 ----a-w d:\windows\system32\RTLCPAPI.dll
- 2006-07-14 13:44:56 10,528,256 ----a-w d:\windows\system32\RTLCPL.EXE
+ 2006-12-08 21:20:14 10,528,768 ----a-w d:\windows\system32\RTLCPL.EXE
- 2007-11-30 11:18:51 17,272 ------w d:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w d:\windows\system32\spmsg.dll
- 2008-04-14 00:12:46 23,552 ----a-w d:\windows\system32\wdmaud.drv
+ 2008-04-14 01:12:46 23,552 ----a-w d:\windows\system32\wdmaud.drv
+ 2008-11-18 00:29:32 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_214.dat
+ 2008-11-18 00:30:23 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_544.dat
+ 2008-11-18 00:31:41 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_c28.dat
+ 2008-09-30 22:42:08 1,286,152 ----a-w d:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 22:45:12 91,656 ----a-w d:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"SlickRun"="d:\program files\SlickRun\sr.exe" [2005-12-23 178688]
"LogitechSoftwareUpdate"="d:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="d:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-06-11 160832]
"Google Update"="d:\documents and settings\Raoul Ellias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Matrox PowerDesk 8"="d:\program files\Matrox Graphics Inc\PowerDesk HF\matrox.powerdesk.exe" [2005-12-21 106496]
"Launch LGDCore"="d:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="d:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"IPHSend"="d:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-14 180269]
"Logitech Hardware Abstraction Layer"="d:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
"LVCOMSX"="d:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Matrox PowerDesk SE"="d:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2008-06-11 2630664]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 d:\windows\LOGI_MWX.EXE]
"CTHelper"="CTHELPER.EXE" [2007-04-09 d:\windows\system32\CtHelper.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 d:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

d:\documents and settings\Default User\Start Menu\Programs\Startup\
desktop(2).ini [2006-04-11 84]

d:\documents and settings\abby\Start Menu\Programs\Startup\
desktop(2).ini [2006-04-11 84]

d:\documents and settings\finn\Start Menu\Programs\Startup\
desktop(2).ini [2006-04-11 84]

d:\documents and settings\Raoul Ellias\Start Menu\Programs\Startup\
desktop(2).ini [2006-04-11 84]
ProcessTamer.lnk - d:\program files\ProcessTamer\ProcessTamerTray.exe [2006-09-22 151552]

d:\documents and settings\ccnetuser\Start Menu\Programs\Startup\
desktop(2).ini [2006-04-11 84]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
desktop(2).ini [2006-04-11 84]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - d:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Loadout Manager.lnk - d:\program files\Belkin\Nostromo\nost_LM.exe [2004-04-06 454656]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2006-11-02 671744]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WUA-2340]
--a------ 2005-12-15 11:18 2490368 d:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 d:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\WINDOWS\\system32\\mqsvc.exe"=
"d:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"d:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kavsvc.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Common Files\\AOL\\1158893945\\ee\\aolsoftware.exe"=
"d:\\Program Files\\Common Files\\AOL\\1158893945\\ee\\aim6.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Microsoft SQL Server\\MSSQL.2\\MSSQL\\Binn\\sqlservr.exe"=
"d:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files\\Dragonmount Networks\\dIRC\\dIRC.exe"=
"d:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Cisco Systems\\VPN Client\\ipsecdialer.exe"=
"d:\\Program Files\\MaxiVista Pro Server\\MaxiVistaA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62515:UDP"= 62515:UDP:vpn

R0 Klpf;Klpf;d:\windows\system32\Drivers\Klpf.sys [2004-09-03 28723]
R0 Klpid;Klpid;d:\windows\system32\Drivers\klpid.sys [2004-09-03 33046]
R1 Klmc;Klmc;d:\windows\system32\drivers\klmc.sys [2004-08-11 9939]
R1 Mtxparmx;Mtxparmx;d:\windows\system32\DRIVERS\Mtxparmx.sys [2008-10-27 5504]
R2 CCService;CruiseControl.NET Server;d:\program files\CruiseControl.NET\server\ccservice.exe [2006-02-23 20480]
R2 LBeepKE;LBeepKE;d:\windows\system32\Drivers\LBeepKE.sys [2006-11-02 3712]
R2 Matrox Centering Service;Matrox Centering Service;"d:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe" [2008-06-11 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;"d:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe" [2008-06-11 189448]
R2 MaxiAcom;MaxiAcom;d:\windows\system32\Drivers\MaxiAcom.SYS [2007-01-28 4608]
R2 MsDtsServer;SQL Server Integration Services;"d:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2008-08-05 205840]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"d:\program files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2008-08-05 16912]
R3 ctgame;Game Port;d:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
R3 maxivista;Maxi_Vista_DriverA;d:\windows\system32\DRIVERS\maxivista.sys [2007-01-28 4736]
R3 MTXPAR;MTXPAR;d:\windows\system32\DRIVERS\MTXPARM.sys [2008-10-27 1485568]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;d:\windows\system32\DRIVERS\A5AGU.sys [2005-07-25 348352]
S3 ATHFMWDL;D-Link predator Bootloader driver;d:\windows\system32\Drivers\ATHFMWDL.sys [2005-07-25 43392]
S3 bcgame;Nostromo HID Device Minidriver;d:\windows\system32\drivers\bcgame.sys [2003-07-24 22821]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"d:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-03-27 29744]
S3 maxidemo;Maxi_Vista_Demo_Driver;d:\windows\system32\DRIVERS\maxidemo.sys []
S3 MTXPARH;MTXPARH;d:\windows\system32\DRIVERS\MTXPARHM.sys [2006-04-11 541056]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);d:\windows\system32\DRIVERS\CamDrL20.sys [2006-11-10 245760]
S3 RimSerPort;RIM Virtual Serial Port;d:\windows\system32\DRIVERS\RimSerial.sys [2007-05-08 18432]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;d:\windows\system32\DRIVERS\netusbxp.sys [2002-02-20 72576]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"d:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-02 2805000]
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2008-11-17 d:\windows\Tasks\GoogleUpdateTaskUser.job
- d:\documents and settings\Raoul Ellias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 19:03]

2008-11-18 d:\windows\Tasks\XoftSpySE 2.job
- d:\program files\XoftSpySE\XoftSpy.exe [2008-10-29 12:16]

2008-11-16 d:\windows\Tasks\XoftSpySE.job
- d:\program files\XoftSpySE\XoftSpy.exe [2008-10-29 12:16]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - d:\documents and settings\Raoul Ellias\Application Data\Mozilla\Firefox\Profiles\uc3496y7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - d:\documents and settings\Raoul Ellias\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - d:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - d:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - d:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - d:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - d:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - d:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - d:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - d:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - d:\program files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - d:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - d:\program files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - d:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 19:14:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"d:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"
.
Completion time: 2008-11-17 19:20:21
ComboFix-quarantined-files.txt 2008-11-18 01:19:56
ComboFix2.txt 2008-11-10 01:40:53

Pre-Run: 43,495,198,720 bytes free
Post-Run: 43,475,927,040 bytes free

330 --- E O F --- 2008-11-13 09:12:18

#4 reflect0mate

reflect0mate
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 17 November 2008 - 09:29 PM

For what it's worth...

After seeing the Spybot S&D dialog I tried to Google agobot-ku using Google Chrome. It almost immediately closed the Chrome browser down. Google Chrome had been working fine until then. Did it "figure out" what I was doing?

Thanks so much for your help.

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:16 AM

Posted 18 November 2008 - 09:14 AM

It would be unusual for malware to target Chrome, but it's possible.
Can you post the log from Spybot so that I can see exactly what it detected?

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:16 AM

Posted 04 December 2008 - 03:47 PM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.