Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

removing registry key trojan.bho


  • This topic is locked This topic is locked
15 replies to this topic

#1 Mommy2four

Mommy2four

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 05 January 2009 - 01:40 AM

Hi I posted about removing this, and was told that this is a deeper infection and was redirected the the Hijackthis section and told to follow the instructions. Basically, what has happened so far is this. I had a folder popping up on my computer. I ran my anti virus programs and it didn't show anything. So, I finally searched on it and discovered it was a trojan, and the site said to run SuperAntiSpyware to get rid of it. I ran it, it stopped popping up, so I thought it was gone. I ran it again about a week later, and the trojan is still there. Talked to a friend who suggested running Malwarebytes - ran that, said it would delete when I rebooted. Rebooted, ran it again, trojan is still there. In the Malwarebytes this is what is says....

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Delete on reboot

I've run this 2-3 times, but it hasn't removed it when I reboot, so it's not working...I figured I needed more help, so I did another google search and found this site. I posted some basic information, was redirected to the hijackthis forum and this is where I am at now.

So, I've run the dds file as requested and followed all the instructions - I'm now at the point where they tell you to post a new help question.

I've attached a copy of the attach.txt log, and here is the copy of the dds txt log. Hopefully I have given someone enough information that they can help me with this.



DS (Version 1.1.0) - NTFSx86
Run by HP_Administrator at 22:10:33.64 on Sun 01/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.281 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\DISC\DiscGui.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat

7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet

explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\program files\epson\epson smart panel for

scanner\ESPMAIN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital

imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from

hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} -

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program

files\java\jre1.6.0_07\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program

files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
Filter: text/html - {1658f317-4b1e-4cd2-92d1-52fc88e4f854} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-9 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-9 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-9 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-9 76040]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper

Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2005-9-7 21120]

=============== Created Last 30 ================

2009-01-03 23:58 <DIR> --d----- c:\documents and settings\hp_administrator\.housecall6.6
2009-01-03 23:10 552 a------- c:\windows\system32\d3d8caps.dat
2009-01-03 18:14 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-03 18:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 18:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 18:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 18:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 00:43 <DIR> --d----- c:\windows\system32\scripting
2009-01-02 00:43 <DIR> --d----- c:\windows\l2schemas
2009-01-02 00:43 <DIR> --d----- c:\windows\system32\en
2009-01-02 00:43 <DIR> --d----- c:\windows\system32\bits
2009-01-02 00:39 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-29 02:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-29 02:51 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-29 02:51 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2008-12-29 02:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-01-02 00:46 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-02 00:46 341,048 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2009-01-02 00:46 163,840 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-01-02 00:46 61,440 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-01-02 00:46 45,056 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-01-02 00:46 44,032 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-01-02 00:46 40,960 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-01-02 00:46 32,768 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-01-02 00:46 32,768 a-------

c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2008-12-12 22:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 05:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 23:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-14 23:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-08-07 22:14 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 22:11:13.06 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:22 AM

Posted 12 January 2009 - 05:15 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 13 January 2009 - 03:48 AM

Hi PropagandaPanda!

First, let me say thank you for getting back to me on this. I have not changed much since my original post. I did download a couple other programs trying to get rid of the trojan, but they didn't work, so I've deleted them - I think...

What started me checking was a file that was popping up when I'd start up my computer. Googled what the name was and it came back as a trojan. Downloaded what was recommended to get rid of it, and after several tries it was still there. This is what Malwarebytes is telling me when I scan my computer.


Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Delete on reboot

I've run this and rebooted, and the trojan is still there. I also ran Spybot Search and Destroy, and it's now telling me ths...

MyWay.MyWebSearch 1 entries PUPSC

I have no idea what this is. It found several and removed all but this one. Again, says it will be gone when I reboot, but it's still there. I do use my computer for banking and paying bills, so would like to get these cleared up to make sure my information isn't going someplace it shouldn't be. One thing I think it interesting is that neither Spybot or AVG which I have on my computer ever alerted me to the trojan, and even now sypbot isn't finding it.

I will try to attach the d.d.s attach file - if I don't do it right please let me know, and you will need to give me more specific instructions.

Here is the d.d.s file that you told me to copy here...


DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 0:11:12.59 on Tue 01/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.238 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DISC\DiscGui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\E0AZWUUX\dds[1].com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\program files\epson\epson smart panel for scanner\ESPMAIN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
Filter: text/html - {1658f317-4b1e-4cd2-92d1-52fc88e4f854} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-9 26824]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-9 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-9 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-9 76040]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 SASKUTIL;SASKUTIL; [x]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2005-9-7 21120]

=============== Created Last 30 ================

2009-01-06 04:02 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\TrojanHunter
2009-01-06 00:39 <DIR> --d----- c:\program files\TrojanHunter 5.0
2009-01-06 00:22 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 19:10 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-03 23:10 552 a------- c:\windows\system32\d3d8caps.dat
2009-01-03 18:14 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-03 18:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 18:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 18:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 18:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 00:43 <DIR> --d----- c:\windows\system32\scripting
2009-01-02 00:43 <DIR> --d----- c:\windows\l2schemas
2009-01-02 00:43 <DIR> --d----- c:\windows\system32\en
2009-01-02 00:43 <DIR> --d----- c:\windows\system32\bits
2009-01-02 00:39 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-29 02:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-29 02:51 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-29 02:51 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2009-01-02 00:46 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-02 00:46 341,048 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2009-01-02 00:46 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-01-02 00:46 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-01-02 00:46 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-01-02 00:46 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-01-02 00:46 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-01-02 00:46 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-01-02 00:46 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2008-12-12 22:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 05:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-08-07 22:14 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 0:11:47.68 ===============

Attached Files



#4 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 13 January 2009 - 03:55 AM

Here is the GMER log...

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-13 00:53:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0xF1BDDF20]

---- Kernel code sections - GMER 1.0.14 ----

? C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.14 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [640] 0x01210000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3644] 0x03F60000

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32@ C:\Program Files\Common\helper.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID@ main.BHO.1
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib@ {8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID@ main.BHO

---- EOF - GMER 1.0.14 ----

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:22 AM

Posted 13 January 2009 - 12:25 PM

Hello.

You are infected with something. Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for this Posted Image sign.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take affect.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Please also run a new GMER scan after ComboFix.

With Regards,
The Panda

#6 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 January 2009 - 05:25 AM

Panda,

Here is the ComboFix file.

ComboFix 09-01-13.04 - HP_Administrator 2009-01-14 2:10:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.506 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-14 02:04 . 2009-01-14 02:04 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-13 00:25 . 2009-01-13 00:27 250 --a------ c:\windows\gmer.ini
2009-01-06 04:02 . 2009-01-06 04:02 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\TrojanHunter
2009-01-06 00:39 . 2009-01-13 02:49 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-01-06 00:22 . 2009-01-06 00:22 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 19:10 . 2009-01-05 19:09 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 23:10 . 2009-01-03 23:10 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-03 18:14 . 2009-01-03 18:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 18:14 . 2009-01-03 18:14 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-03 18:14 . 2009-01-03 18:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 18:14 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 18:14 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\system32\scripting
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\system32\en
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\system32\bits
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\l2schemas
2009-01-02 00:39 . 2009-01-02 00:39 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-29 02:51 . 2009-01-12 22:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-12-29 02:51 . 2008-12-29 02:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 10:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-01-11 05:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 04:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-07 07:12 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2009-01-06 07:48 --------- d-----w c:\program files\Yahoo!
2009-01-06 03:09 --------- d-----w c:\program files\Java
2009-01-02 08:46 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-01-02 08:46 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-01-02 08:46 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-01-02 08:46 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-01-02 08:46 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-01-02 08:46 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-01-02 08:46 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-01-02 08:46 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-05 08:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-03 07:38 --------- d-----w c:\program files\Skype
2008-12-03 07:38 --------- d-----w c:\program files\Common Files\Skype
2008-12-03 07:38 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-03 07:15 22,285,608 ----a-w c:\documents and settings\downloads\SkypeSetup.exe
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-26 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-26 61440]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2005-08-09 53248]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-16 413696]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON SMART PANEL for Scanner.lnk - c:\program files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE [2008-08-19 180224]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-12 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-09 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-09 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-09 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-09 76040]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-09-07 21120]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 02:14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{085326CB-51A3560A-05010003}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\Common\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID]
@DACL=(02 0000)
@="main.BHO.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib]
@DACL=(02 0000)
@="{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID]
@DACL=(02 0000)
@="main.BHO"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-14 2:16:32
ComboFix-quarantined-files.txt 2009-01-14 10:16:16

Pre-Run: 222,433,312,768 bytes free
Post-Run: 222,684,168,192 bytes free

199 --- E O F --- 2009-01-03 11:01:04

#7 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 January 2009 - 05:35 AM

Hi Panda,

Here is the file from the new gmer scan.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-14 02:33:28
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32@ C:\Program Files\Common\helper.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID@ main.BHO.1
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib@ {8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID@ main.BHO

---- EOF - GMER 1.0.14 ----

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:22 AM

Posted 14 January 2009 - 08:27 AM

Hello.

Let's take care of that..

Please make sure your protection is disabled.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\Program Files\Common\helper.dll
    
    REGLOCK::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}]
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Again, please follow up with a new GMER scan too.

With Regards,
The Panda

#9 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 January 2009 - 04:22 PM

Hi Panda,

Here is the new combofix log.

ComboFix 09-01-13.04 - HP_Administrator 2009-01-14 13:13:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.456 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\Common\helper.dll
.

((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-14 02:04 . 2009-01-14 02:04 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-13 00:25 . 2009-01-14 02:26 250 --a------ c:\windows\gmer.ini
2009-01-06 04:02 . 2009-01-06 04:02 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\TrojanHunter
2009-01-06 00:39 . 2009-01-13 02:49 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-01-06 00:22 . 2009-01-06 00:22 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 19:10 . 2009-01-05 19:09 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 23:10 . 2009-01-03 23:10 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-03 18:14 . 2009-01-14 04:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 18:14 . 2009-01-03 18:14 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-03 18:14 . 2009-01-03 18:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 18:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 18:14 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\system32\scripting
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\system32\en
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\system32\bits
2009-01-02 00:43 . 2009-01-02 00:43 <DIR> d-------- c:\windows\l2schemas
2009-01-02 00:39 . 2009-01-02 00:39 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-29 02:51 . 2009-01-12 22:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-12-29 02:51 . 2008-12-29 02:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 20:28 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-01-11 05:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 04:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-07 07:12 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2009-01-06 07:48 --------- d-----w c:\program files\Yahoo!
2009-01-06 03:09 --------- d-----w c:\program files\Java
2009-01-02 08:46 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-01-02 08:46 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-01-02 08:46 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-01-02 08:46 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-01-02 08:46 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-01-02 08:46 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-01-02 08:46 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-01-02 08:46 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-05 08:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-03 07:38 --------- d-----w c:\program files\Skype
2008-12-03 07:38 --------- d-----w c:\program files\Common Files\Skype
2008-12-03 07:38 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-03 07:15 22,285,608 ----a-w c:\documents and settings\downloads\SkypeSetup.exe
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-14_ 2.15.31.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-14 20:26:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-26 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-26 61440]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2005-08-09 53248]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-16 413696]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON SMART PANEL for Scanner.lnk - c:\program files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE [2008-08-19 180224]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-12 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-09 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-09 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-09 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-09 76040]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-09-07 21120]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 13:16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{085326CB-51A3560A-05010003}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\avgrsstx.dll

#10 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 January 2009 - 04:31 PM

Here's the new gmer log.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-14 13:29:49
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:22 AM

Posted 14 January 2009 - 05:36 PM

Hello.

Looks like that trojan BHO file was removed.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Run MalwareBytes again and post back the log please.

With Regards,
The Panda

#12 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 January 2009 - 06:49 PM

Hi Panda,

Here is the report from F-Secure

Scanning Report
Wednesday, January 14, 2009 14:50:51 - 15:47:01
Computer name: MATILDA
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 2 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Questionmarket (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32158
System: 3403
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-14
F-Secure AVP: 7.0.171, 2009-01-14
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:22 AM

Posted 14 January 2009 - 06:52 PM

Looks good.

MalwareBytes still picking up Trojan.BHO?

The Panda

#14 Mommy2four

Mommy2four
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 14 January 2009 - 07:48 PM

Hi Panda,

Just finished the Malwarebytes scan. Here's the log from that. I'm guessing my computer is all clean now. Any idea what this thing was, and the best way to keep from getting infected again? Malwarebytes seems to be a good program - should I run that regularly or is there anything else I should do? Thanks so much for all your help. You have no idea how much I appreciate this.

Malwarebytes' Anti-Malware 1.32
Database version: 1650
Windows 5.1.2600 Service Pack 3

1/14/2009 4:45:15 PM
mbam-log-2009-01-14 (16-45-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 141800
Time elapsed: 47 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:22 AM

Posted 14 January 2009 - 07:55 PM

Hello Mommy2four.

MalwareBytes is very good at removing infections. For detecting infections, I would go with online scans.

Unless you have any problems right now, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author. Posted Image
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create new a restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users