
Whatever it is really got me bad


  • This topic is locked
36 replies to this topic

#1 dryice1987

dryice1987

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 29 December 2008 - 05:45 PM

Tried every scan possible, running in safe mode the last three weeks because it won't even launch properly without going into BSOD. It has also disabled my McAfee, and doesn't allow installation of any updates. I've run VundoFix, Spybot S & D, AdAware, Malwarebytes scan, AVG, and Crap Cleaner, and nothing has worked. My HJT log, for whomever can help me solve this mess. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:06 PM, on 12/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33811A52-8407-44B0-B7C1-6B712A98B07E} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: (no name) - {5288A616-CF23-40FC-9947-04BE09126600} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: (no name) - {536E0139-6519-4569-9266-9EAA431B0945} - C:\Program Files\Internet Explorer\tebo43855.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {CA9F3EF0-9E33-4546-A734-876B66BD659C} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [HLinit] c:\progra~1\filesu~1\partyb~1.zip\hyperl~1.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\ied_s7m.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://E:\games\WebDriverFullInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{87379A36-DA09-4AD0-A855-2EFAB293650B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEDABB45-14B4-4979-AFCC-64A88D2F189E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: ssqronm - ssqronm.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9634 bytes
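Added example, not code from this thread or from HijackThis itself: a small Python first-pass triage over HijackThis-style lines that flags the entry types a helper would look at first in a log like the one above: O2/O3/O20 load points whose DLL is reported missing, O16 objects installed from a local file:// path, and O17 NameServer values outside an expected resolver list. The sample log lines and the resolver allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis log above (not copied from it):
# one clean BHO, two orphaned BHOs, a DPF object from a local file, a normal
# DPF download, per-interface DNS servers, a Winlogon Notify hook with a
# missing DLL, and a normal service.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {33811A52-8407-44B0-B7C1-6B712A98B07E} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: (no name) - {CA9F3EF0-9E33-4546-A734-876B66BD659C} - (no file)
O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\ied_s7m.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.example.invalid/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: ssqronm - ssqronm.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Resolvers the machine's owner expects. Constructed allowlist for the example;
# 208.67.220.220 / 208.67.222.222 are the OpenDNS resolvers seen in the log.
EXPECTED_DNS = {"208.67.220.220", "208.67.222.222"}

# HijackThis appends one of these when the referenced file is absent on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line: str      # the log line that triggered the finding
    reason: str


def parse_line(line: str):
    """Split an 'Oxx - ...' log line into (section, rest); None for other lines."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text: str) -> list:
    """Return Findings for the entries a first-pass reviewer would look at."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # header, process list, blank line
        section, rest = parsed
        line = raw.strip()

        # Orphaned load points: a BHO (O2), toolbar (O3) or Winlogon Notify
        # package (O20) that is still registered but whose DLL is gone. O20
        # rates higher because those DLLs are loaded by winlogon.exe at logon.
        if section in ("O2", "O3", "O20") and any(
            marker in rest for marker in MISSING_MARKERS
        ):
            severity = "high" if section == "O20" else "medium"
            findings.append(Finding(severity, line,
                                    f"{section} entry references a DLL that is not on disk"))

        # Downloaded Program Files (ActiveX) objects normally come from a web
        # site; one installed from a local file:// path deserves a look.
        elif section == "O16" and "file://" in rest.lower():
            findings.append(Finding("medium", line,
                                    "DPF object sourced from a local file:// path"))

        # O17 lists the DNS servers configured per interface; compare them
        # with the resolvers the owner expects.
        elif section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", rest)
            if m:
                unexpected = sorted(set(m.group(1).split(",")) - EXPECTED_DNS)
                if unexpected:
                    findings.append(Finding("high", line,
                                            "unexpected DNS server(s): " + ", ".join(unexpected)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

A finding is a prompt to look, not a verdict: the clean Spybot BHO and the normal service produce nothing, while the orphaned entries are exactly the ones a helper would ask about next.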



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 06 January 2009 - 03:44 PM

Hello.

Let's see what we can do.

Download and Run ComboFix
Please note that, when ComboFix reboots your machine, allow it to boot into normal mode, even if it will crash.

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.
Please post back with:
-the ComboFix log
-the GMER log

Can you boot into normal mode now?

With Regards,
The Panda

#3 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 06 January 2009 - 04:07 PM

Thanks for the reply, Panda.

I will run the suggested scans, but won't be able to do so until tomorrow (1/7).

I can barely boot into normal mode. When I try, the screen comes up and loads, and it is as if there is an electrical storm on the screen: it is all jumpy and flashy and looks to want to crash. After a very short while, right to BSOD. So I have been in safe mode ever since to at least be able to access the net from home, etc.

I understand that combofix will reboot to normal mode, despite possible crashes, so I will keep an eye on that.

I look forward to the diagnosis of just what this is, and the fix, and I again thank you for the assist.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 06 January 2009 - 04:28 PM

That's fine with me. See you tomorrow then.

The Panda

#5 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 08 January 2009 - 09:19 AM

Panda:


It won't let me load Combofix. It starts to load, then an error message comes up that says: "You cannot rename Combofix as Combofix(1). Please use another name: preferably with alphanumeric characters."

Tried to load from all three sites, got the same message each time.

And there was no opportunity to even try and "rename" it as it was loading, as it never got that far.

Also, by the way, I tried booting up in normal mode yesterday. No luck. After the Windows splash screen, it went to black for two minutes, then BSOD. So I think I am stuck for now with Safe Mode.

Any thoughts?

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 08 January 2009 - 11:43 AM

Hello.

Please try the link for downloading ComboFix here. Leave the name as it is. Make sure you select Save rather than Run after the download.

With Regards,
The Panda

Edited by PropagandaPanda, 08 January 2009 - 11:44 AM.


#7 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 08 January 2009 - 12:17 PM

OK, thanks, I'll give that one a shot tonight when I get home.

#8 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 09 January 2009 - 01:07 PM

Panda;

For some reason, my keyboard sometimes does not work when in Safe Mode. Booted/rebooted and finally got it going again. I'll run the scans soon, and post on Mon or Tues, as I have to be out of town this weekend. Thanks.

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 09 January 2009 - 04:30 PM

Okay. I'll keep this topic open.

With Regards,
The Panda

#10 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 12 January 2009 - 12:51 PM

OK, Panda, here goes:

I was able to open and run Combofix with the link you provided. When I ran it the first time, it went through checking through level 50. On that scan it noted some things (problems?) at different levels it scanned. It got hung up after level 50 and a line came up that said something along the lines of "Windows/system/32 is not a recognized command, instruction or file." Panda, I am paraphrasing here, as I thought that I kept the exact wording, but will have to recreate it.


Anyway, it did no further scanning for a long time. I then tried getting out of it, and Combofix restarted my computer. Since it did that, I again ran a Combofix scan. This time, it again ran all the way through to Level 50. This time, however, it did not note any exceptions or problems. It did again get hung up after Level 50, and gave the same message with respect to Windows/system/32.


On the Gmer scan, I am posting this as a word file.

I also attach it as a text file if that is easier for you to read.

Thanks again

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-11 18:10:58
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[464] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{8C9D242F-C4F4-5A0E-73B3-583A16151CB1}\InprocServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FSTOCK.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{8C9D242F-C4F4-5A0E-73B3-583A16151CB1}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{8C9D242F-C4F4-5A0E-73B3-583A16151CB1}\ProgID@ FStock.Factoid.1
Reg HKLM\SOFTWARE\Classes\CLSID\{8C9D242F-C4F4-5A0E-73B3-583A16151CB1}\TypeLib@ {4136535C-724B-4F68-AEC2-9A7917456384}
Reg HKLM\SOFTWARE\Classes\CLSID\{8C9D242F-C4F4-5A0E-73B3-583A16151CB1}\VersionIndependentProgID@ FStock.Factoid

---- EOF - GMER 1.0.14 ----


#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 12 January 2009 - 04:53 PM

Hello.

ComboFix's last release had a little bug that caused that issue.

Please delete this folder:
C:\QooBox\LastRun.

Then delete your copy of ComboFix, download a new one, and run it again.

With Regards,
The Panda

#12 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 12 January 2009 - 05:03 PM

OK, we'll do that next

#13 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 12 January 2009 - 08:48 PM

OK, the Combofix fix worked and here is the logfile (also attached as a text file):



ComboFix 09-01-11.04 - Mark 2009-01-12 19:30:36.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.272 [GMT -6:00]
Running from: c:\documents and settings\Mark\My Documents\Combo-Fix.exe
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-11 16:34 . 2009-01-11 16:38 250 --a------ c:\windows\gmer.ini
2009-01-09 14:21 . 2009-01-09 14:22 <DIR> d-------- c:\documents and settings\TEMP.D4PQXV31.001
2009-01-07 21:01 . 2009-01-07 21:01 <DIR> d-------- c:\documents and settings\TEMP.D4PQXV31.000
2009-01-07 19:23 . 2009-01-07 19:23 <DIR> d-------- c:\documents and settings\TEMP.D4PQXV31
2009-01-05 20:07 . 2009-01-05 20:07 <DIR> d-------- c:\program files\Alwil Software
2009-01-03 14:46 . 2009-01-03 14:46 164 --a------ C:\install.dat
2009-01-01 17:40 . 2009-01-01 17:40 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Malwarebytes
2009-01-01 17:39 . 2003-12-03 16:27 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Sonic
2009-01-01 17:39 . 2003-12-03 16:25 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Jasc Software Inc
2009-01-01 17:39 . 2007-07-26 19:52 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Gtek
2009-01-01 17:39 . 2003-12-03 16:17 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31\Application Data\Creative
2009-01-01 17:39 . 2009-01-01 17:39 <DIR> d-------- c:\documents and settings\Administrator.D4PQXV31
2008-12-30 19:30 . 2008-12-30 19:30 <DIR> d-------- c:\documents and settings\Andy\Application Data\Malwarebytes
2008-12-29 21:11 . 2008-12-29 21:11 <DIR> d-------- c:\documents and settings\Dan\Application Data\Malwarebytes
2008-12-29 17:37 . 2008-12-29 17:37 <DIR> d-------- c:\documents and settings\TEMP
2008-12-28 13:55 . 2008-12-28 13:55 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 00:13 --------- d-----w c:\documents and settings\Mark\Application Data\Yahoo!
2008-12-28 22:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-02 00:48 --------- d-----w c:\documents and settings\Dan\Application Data\Grisoft
2008-12-02 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-02 00:38 --------- d-----w c:\documents and settings\Dan\Application Data\McAfee
2008-12-01 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-29 03:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-29 02:04 --------- d-----w c:\program files\CCleaner
2008-11-27 14:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-27 14:31 --------- d-----w c:\program files\TrojanHunter 5.0
2008-11-25 22:08 --------- d-----w c:\program files\McAfee
2008-11-25 21:56 --------- d-----w c:\program files\LimeWire
2008-11-25 21:55 --------- d-----w c:\program files\DVDVideoSoft
2008-11-25 21:55 --------- d-----w c:\program files\Common Files\DVDVIDEOSOFT
2008-11-23 19:18 --------- d-----w c:\documents and settings\Mark\Application Data\Malwarebytes
2008-11-23 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 14:17 --------- d-----w c:\documents and settings\Dan\Application Data\Move Networks
2008-10-30 23:38 103,856 ----a-w c:\documents and settings\Dan\Application Data\GDIPFONTCACHEV1.DAT
2008-07-10 15:51 643,072 ----a-w c:\program files\iPodUpdaterExt.dll
2008-07-10 15:51 5,692 ----a-w c:\program files\About iTunes.rtf
2008-07-10 15:51 438,272 ----a-w c:\program files\CDDBControlApple.dll
2008-07-10 15:51 289,064 ----a-w c:\program files\iTunesHelper.exe
2008-07-10 15:51 283,136 ----a-w c:\program files\iTunesOutlookAddIn.dll
2008-07-10 15:51 20,246,824 ----a-w c:\program files\iTunes.exe
2008-07-10 15:51 172,544 ----a-w c:\program files\iTunesPhotoSupport.dll
2008-07-10 15:51 132,392 ----a-w c:\program files\iTunesMiniPlayer.dll
2008-07-10 15:51 116,008 ----a-w c:\program files\ITDetector.ocx
2008-07-10 15:51 108,328 ----a-w c:\program files\iTunesAdmin.dll
2008-07-10 15:48 8,356 ----a-w c:\program files\Acknowledgements.rtf
2006-09-21 01:34 102,656 -c--a-w c:\documents and settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2006-02-12 23:42 97,952 -c--a-w c:\documents and settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2006-01-06 03:15 20,921,040 -c--a-w c:\program files\AdbeRdr705_enu_full.exe
2005-10-13 23:39 97,560 -c--a-w c:\documents and settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT
2005-03-26 02:54 3,566,394 ----a-w c:\program files\windowsinstaller.zip
2004-08-04 07:56 35,741 -c--a-w c:\documents and settings\Andy\08770877.dat
2002-08-29 11:00 35,741 -c--a-w c:\documents and settings\Mark\08770877.dat
2008-08-26 21:16 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
2008-08-26 21:16 49,152 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2005-03-10 126976]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2005-03-10 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2005-03-10 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2005-03-10 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunesHelper.exe" [2008-07-10 289064]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-10-24 1056928]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\SYSTEM32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-12-08 c:\windows\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windq32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winel16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhf11.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhm52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnm73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqg02.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winru63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsn80.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvm42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winyi13.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\John\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2005-03-10 20:23 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-09 19:10 11776 c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-03-10 20:23 380928 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2005-03-10 20:23 86016 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2003-12-09 11:03 57344 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2005-04-22 18:49 397312 c:\progra~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-10 03:06 1519616 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2005-12-08 10:51 25600 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"DownloadManagerLite"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 PzWDM;PzWDM;c:\windows\SYSTEM32\DRIVERS\PzWDM.sys [2008-03-10 15172]
S1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2009-01-05 111184]
S3 nenum13E;nenum13E;\??\c:\docume~1\Andy\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\Andy\LOCALS~1\Temp\nenum13E.sys [?]
S3 Winci63;Winci63;\??\c:\windows\System32\drivers\Winci63.sys --> c:\windows\System32\drivers\Winci63.sys [?]
S3 Windq32;Windq32;\??\c:\windows\System32\drivers\Windq32.sys --> c:\windows\System32\drivers\Windq32.sys [?]
S3 Winhf11;Winhf11;\??\c:\windows\System32\drivers\Winhf11.sys --> c:\windows\System32\drivers\Winhf11.sys [?]
S3 Winhm52;Winhm52;\??\c:\windows\System32\drivers\Winhm52.sys --> c:\windows\System32\drivers\Winhm52.sys [?]
S3 Winnm73;Winnm73;\??\c:\windows\System32\drivers\Winnm73.sys --> c:\windows\System32\drivers\Winnm73.sys [?]
S3 Winqg02;Winqg02;\??\c:\windows\System32\drivers\Winqg02.sys --> c:\windows\System32\drivers\Winqg02.sys [?]
S3 Winsn80;Winsn80;\??\c:\windows\System32\drivers\Winsn80.sys --> c:\windows\System32\drivers\Winsn80.sys [?]
S3 Winvm42;Winvm42;\??\c:\windows\System32\drivers\Winvm42.sys --> c:\windows\System32\drivers\Winvm42.sys [?]
S3 Winvy64;Winvy64;\??\c:\windows\System32\drivers\Winvy64.sys --> c:\windows\System32\drivers\Winvy64.sys [?]
S3 Winyi13;Winyi13;\??\c:\windows\System32\drivers\Winyi13.sys --> c:\windows\System32\drivers\Winyi13.sys [?]
S4 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2009-01-05 20560]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-12 24652]
S4 Winel16;Winel16;\??\c:\windows\System32\drivers\Winel16.sys --> c:\windows\System32\drivers\Winel16.sys [?]
S4 Winru63;Winru63;\??\c:\windows\System32\drivers\Winru63.sys --> c:\windows\System32\drivers\Winru63.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{33811A52-8407-44B0-B7C1-6B712A98B07E} - c:\windows\system32\geebb.dll
BHO-{5288A616-CF23-40FC-9947-04BE09126600} - c:\windows\system32\gebcb.dll
BHO-{536E0139-6519-4569-9266-9EAA431B0945} - c:\program files\Internet Explorer\tebo43855.dll
BHO-{CA9F3EF0-9E33-4546-A734-876B66BD659C} - (no file)
HKLM-Run-CTXFIREG - CTxfiReg.exe
HKLM-RunOnce-HLinit - c:\progra~1\filesu~1\partyb~1.zip\hyperl~1.exe
Notify-ssqronm - ssqronm.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
SafeBoot-Windx06.sys
SafeBoot-Winfs57.sys
SafeBoot-Winit88.sys
SafeBoot-Winkm25.sys
SafeBoot-Winmk24.sys
SafeBoot-Winmy81.sys
SafeBoot-Winnc88.sys
SafeBoot-Winnk00.sys
SafeBoot-Winpt48.sys
SafeBoot-Winud14.sys
SafeBoot-Winut25.sys
SafeBoot-Winyu67.sys
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-dla - c:\windows\system32\dla\tfswctrl.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Steam - c:\program files\steam\steam.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\ypager.exe
MSConfigStartUp-{ZN} - c:\docume~1\Andy\LOCALS~1\Temp\thinksnet.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
Trusted Zone: *.yahoo.com
TCP: {87379A36-DA09-4AD0-A855-2EFAB293650B} = 208.67.220.220,208.67.222.222
TCP: {CEDABB45-14B4-4979-AFCC-64A88D2F189E} = 208.67.220.220,208.67.222.222

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

- c:\windows\Downloaded Program Files\RhapX.inf

c:\windows\SYSTEM32\msvbvm60.dll - c:\windows\SYSTEM32\oleaut32.dll
c:\windows\SYSTEM32\olepro32.dll
c:\windows\SYSTEM32\asycfilt.dll
c:\windows\SYSTEM32\stdole2.tlb
c:\windows\SYSTEM32\comcat.dll
O16 -: {3527C5BD-4A46-4362-94B6-12341D087A4B}
hxxp://echospin.com/wizard/files/esWizard.cab
c:\windows\Downloaded Program Files\esProxy.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 19:34:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HLinit = c:\progra~1\filesu~1\partyb~1.zip\hyperl~1.exe [value followed by a long run of unprintable characters in the original log]

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\l3codeca.acm
.
Completion time: 2009-01-12 19:40:26
ComboFix-quarantined-files.txt 2009-01-13 01:39:07

Pre-Run: 28,257,681,408 bytes free
Post-Run: 28,231,278,592 bytes free

267 --- E O F --- 2008-10-24 03:27:03

Attached Files

  • log.txt (18.26KB)


#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:17 AM

Posted 13 January 2009 - 12:17 PM

Hello.

There is definitely something in there.

Please make sure your protection is disabled.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Rootkit::
    c:\windows\System32\drivers\Winci63.sys
    c:\windows\System32\drivers\Windq32.sys
    c:\windows\System32\drivers\Winhf11.sys
    c:\windows\System32\drivers\Winhm52.sys
    c:\windows\System32\drivers\Winnm73.sys
    c:\windows\System32\drivers\Winqg02.sys
    c:\windows\System32\drivers\Winsn80.sys
    c:\windows\System32\drivers\Winvm42.sys
    c:\windows\System32\drivers\Winvy64.sys
    c:\windows\System32\drivers\Winyi13.sys
    c:\windows\System32\drivers\Winel16.sys
    c:\windows\System32\drivers\Winru63.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci63.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windq32.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winel16.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhf11.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhm52.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnm73.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqg02.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winru63.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsn80.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvm42.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy64.sys]
    
    Driver::
    nenum13E
    Winci63
    Windq32
    Winhf11
    Winhm52
    Winnm73
    Winqg02
    Winsn80
    Winvm42
    Winvy64
    Winyi13
    Winel16
    Winru63
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
With Regards,
The Panda
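The CFScript above was assembled by hand from the log. As an added example (not ComboFix's own logic and not code from the thread), the Python script below applies the same indicators to a constructed excerpt modelled on the log: a service name of the form Win plus two letters and two digits, a file ComboFix could not read ([?]), a driver loading from a user Temp directory, and a SafeBoot\Minimal key that keeps the driver loading even in Safe Mode. It then emits the Rootkit::, Registry:: and Driver:: sections in the order the helper's script uses. SAMPLE_LOG, the regexes and the function names are all assumptions for the example.

```python
import re

# Constructed sample, modelled on a few lines of the ComboFix log above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci63.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winru63.sys]
R0 PzWDM;PzWDM;c:\windows\SYSTEM32\DRIVERS\PzWDM.sys [2008-03-10 15172]
S3 nenum13E;nenum13E;\??\c:\docume~1\Andy\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\Andy\LOCALS~1\Temp\nenum13E.sys [?]
S3 Winci63;Winci63;\??\c:\windows\System32\drivers\Winci63.sys --> c:\windows\System32\drivers\Winci63.sys [?]
S4 Winru63;Winru63;\??\c:\windows\System32\drivers\Winru63.sys --> c:\windows\System32\drivers\Winru63.sys [?]
S4 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2009-01-05 20560]
"""

RANDOM_NAME = re.compile(r"^Win[a-z]{2}\d{2}$")  # Winci63, Winru63, ... (heuristic)
# ComboFix service line: "<type> <name>;<display>;<path> [<date size> or ?]"
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*?)\s\[([^\]]*)\]\s*$")
SAFEBOOT_KEY = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\([^\\\]]+)\.sys)\]$")

def find_suspicious_drivers(log):
    """Return {service name: {"path": ..., "reasons": [...]}} for driver entries that trip an indicator."""
    found = {}
    for line in log.splitlines():
        m = SERVICE_LINE.match(line)
        if not m:
            continue
        name, pathspec, stamp = m.groups()
        path = pathspec.split("-->")[-1].strip()  # resolved path after the arrow, if present
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append("random Win??NN service name")
        if stamp.strip() == "?":
            reasons.append("ComboFix could not read the file (hidden or missing)")
        if "\\temp\\" in path.lower():
            reasons.append("driver loaded from a user Temp directory")
        if reasons:
            found[name] = {"path": path, "reasons": reasons}
    return found

def find_safeboot_keys(log):
    """SafeBoot\\Minimal keys registered for random-named drivers (these survive Safe Mode)."""
    return [m.group(1) for line in log.splitlines()
            for m in [SAFEBOOT_KEY.match(line)] if m and RANDOM_NAME.match(m.group(2))]

def build_cfscript(drivers, safeboot_keys):
    """Emit the three CFScript sections: file paths, keys to delete ([-key]), services to remove."""
    out = ["Rootkit::"] + [d["path"] for n, d in sorted(drivers.items()) if RANDOM_NAME.match(n)]
    out += ["", "Registry::"] + ["[-%s]" % k for k in safeboot_keys]
    out += ["", "Driver::"] + sorted(drivers)
    return "\n".join(out) + "\n"
```

Calling `build_cfscript(find_suspicious_drivers(SAMPLE_LOG), find_safeboot_keys(SAMPLE_LOG))` reproduces the structure of the helper's script for the sample; the PzWDM and aswFsBlk entries, which carry a readable date and size, are left alone.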

#15 dryice1987

dryice1987
  • Topic Starter

  • Members
  • 28 posts
  • Local time:12:17 AM

Posted 13 January 2009 - 01:28 PM

OK, I'll do that tonight and report back.
