Google Redirect Virus/Malware


  • This topic is locked
12 replies to this topic

#1 delamater

delamater

  • Members
  • 9 posts

Posted 06 January 2009 - 07:46 PM

Google and Yahoo redirect to ads and mostly fake websites. I've seen a bunch of other people with the same problem, but none of the other stated solutions have seemed to work for me. Please help; I currently have to use Ask.com as my primary search, and it's not my favorite... Attached is a HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:47 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\Hchecker.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 4085 bytes


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 January 2009 - 05:37 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because otherwise it makes no sense for us to clean this up manually when no antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 delamater

delamater
  • Topic Starter

  • Members
  • 9 posts

Posted 07 January 2009 - 12:39 PM

Thank you very much for redirecting me to Avira (I had used it once a long time ago...). It seems to have gotten rid of the bug and a lot of other things that all the other anti-virus programs and spyware programs I have tried did not catch.

Attached are the logs you requested, do you see anything else I might need to address?



Avira AntiVir Personal
Report file date: Wednesday, January 07, 2009 10:52

Scanning for 1156879 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: VERONICA

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.1.33 1705984 Bytes 12/24/2008 15:48:17
ANTIVIR2.VDF : 7.1.1.60 318976 Bytes 1/2/2009 15:48:21
ANTIVIR3.VDF : 7.1.1.79 206848 Bytes 1/7/2009 15:48:23
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 16:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 1/7/2009 15:48:39
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 21:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 15:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 1/7/2009 15:48:37
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 1/7/2009 15:48:35
AEHELP.DLL : 8.1.2.0 119159 Bytes 1/7/2009 15:48:28
AEGEN.DLL : 8.1.1.8 323956 Bytes 1/7/2009 15:48:27
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 1/7/2009 15:48:25
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, January 07, 2009 10:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'opera.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'dcfssvc.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '57' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
[DETECTION] Is the TR/PCK.Krap.D.841 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49c5d073.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard4.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49c5d078.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '485d1179.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TargetSaver.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49d6d068.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49d2d070.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49d2d071.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '484a1172.qua'!
C:\Documents and Settings\Bethany\Local Settings\Temp\asc_xt_v.exe
[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\ddcArPJA.dll
[DETECTION] Is the TR/Dldr.Agent.atga Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\tmp0000b371
[DETECTION] Is the TR/Dldr.Agent.atga Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\tmp0000b630
[DETECTION] Is the TR/Dldr.Agent.atga Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\tmp0000ddfc
[DETECTION] Is the TR/Dldr.Agent.atga Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\tmp0017b13f
[DETECTION] Is the TR/Dldr.Agent.atga Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\__294.tmp
[DETECTION] Is the TR/Drop.Agent.28160 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\__2E.tmp
[DETECTION] Is the TR/Generic.496280.1 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\Local Settings\Temp\__41.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Bethany\My Documents\download\omscookingfreak\something.vbs
[DETECTION] Contains recognition pattern of the VBS/Runner.AU VBS script virus
[NOTE] The file was deleted!
C:\Documents and Settings\HP_Owner\My Documents\Music Production.rar
[0] Archive type: RAR
--> Music Production\Backup\VST & DX Softsynth & Effects Mega Pack\2_Novation Bass-Station Vsti v1.10-h2O.rar
[1] Archive type: RAR
--> Novation.Bass-Station.VSTi.v1.10-H2O\Setup.rar
[2] Archive type: RAR
--> nbst11kg.exe
[DETECTION] Is the TR/Packed.5294 Trojan
--> Novation.Bass-Station.VSTi.v1.10-H2O\nbst11kg.exe
[DETECTION] Is the TR/Packed.5294 Trojan
--> Music Production\Backup\VST & DX Softsynth & Effects Mega Pack\JunoX� VST v1.3 - (technosynth).exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> Music Production\Backup.rar
[1] Archive type: RAR
--> Backup\VST & DX Softsynth & Effects Mega Pack\2_Novation Bass-Station Vsti v1.10-h2O.rar
[2] Archive type: RAR
--> Novation.Bass-Station.VSTi.v1.10-H2O\Setup.rar
[3] Archive type: RAR
--> nbst11kg.exe
[DETECTION] Is the TR/Packed.5294 Trojan
--> Novation.Bass-Station.VSTi.v1.10-H2O\nbst11kg.exe
[DETECTION] Is the TR/Packed.5294 Trojan
--> Backup\VST & DX Softsynth & Effects Mega Pack\JunoX� VST v1.3 - (technosynth).exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[NOTE] The file was deleted!
C:\Documents and Settings\HP_Owner\My Documents\Music Production\Backup.rar
[0] Archive type: RAR
--> Backup\VST & DX Softsynth & Effects Mega Pack\2_Novation Bass-Station Vsti v1.10-h2O.rar
[1] Archive type: RAR
--> Novation.Bass-Station.VSTi.v1.10-H2O\Setup.rar
[2] Archive type: RAR
--> nbst11kg.exe
[DETECTION] Is the TR/Packed.5294 Trojan
--> Novation.Bass-Station.VSTi.v1.10-H2O\nbst11kg.exe
[DETECTION] Is the TR/Packed.5294 Trojan
--> Backup\VST & DX Softsynth & Effects Mega Pack\JunoX� VST v1.3 - (technosynth).exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[NOTE] The file was deleted!
C:\Downloads\VST & DX Softsynth & Effects Mega Pack\2_Novation Bass-Station Vsti v1.10-h2O.rar.bt!
[0] Archive type: RAR
--> Novation.Bass-Station.VSTi.v1.10-H2O\Setup.rar
[1] Archive type: RAR
--> nbst11kg.exe
[DETECTION] Is the TR/Packed.5294 Trojan
[NOTE] The file was deleted!
C:\Downloads\VST & DX Softsynth & Effects Mega Pack\JunoX VST v1.3 - (technosynth).exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Downloads\VST & DX Softsynth & Effects Mega Pack\Tazman 2.0a DXi & VSTi.exe.bt!
[0] Archive type: ACE SFX (self extracting)
--> Tazman 2.0a DXi & VSTi\TMN20A\tassman20.EXE
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP205\A0071211.dll
[DETECTION] Is the TR/Dldr.Delf.ozf Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP205\A0071219.exe
[0] Archive type: ACE SFX (self extracting)
--> VSTi = Retro AS-1 VST - Zone\FILE_ID.DIZ
[WARNING] The file could not be written!
--> VSTi = Retro AS-1 VST - Zone\Damn_NFO_Viewer 2.0.1 (beta-2)\DAMN_NFO_Viewer_v201b2.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP205\A0071223.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP225\A0071863.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP227\A0073926.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP227\A0073945.exe
[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP227\A0073947.exe
[DETECTION] Is the TR/PCK.Krap.D.1 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP227\A0073948.dll
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.Y phishing file/email
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP227\A0073949.dll
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.AA phishing file/email
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP227\A0073955.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.fjq.1 root kit
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP228\A0074941.exe
[DETECTION] Is the TR/Agent.auqm Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074945.dll
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.AA phishing file/email
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074946.dll
[0] Archive type: RSRC
--> Object
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.AA phishing file/email
--> Object
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.AB phishing file/email
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074947.exe
[DETECTION] Contains recognition pattern of the WORM/AutoTDSS.M.31 worm
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074948.exe
[DETECTION] Is the TR/Agent.asmf Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074950.exe
[DETECTION] Is the TR/Dldr.Agent.alda Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074951.exe
[DETECTION] Is the TR/Dldr.Agent.aldb Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074952.exe
[DETECTION] Is the TR/Agent.arcd Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074957.exe
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.Z phishing file/email
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074958.dll
[DETECTION] Is the TR/Agent.90624.1 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074967.dll
[DETECTION] Is the TR/Monder.abnh Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074968.dll
[DETECTION] Is the TR/Monder.abna Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074969.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074970.dll
[DETECTION] Is the TR/Monder.abke.5 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074971.dll
[DETECTION] Is the TR/Monder.abnp Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074972.dll
[DETECTION] Is the TR/Monder.abke.3 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074973.dll
[DETECTION] Is the TR/Monder.abke.5 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074974.dll
[DETECTION] Is the TR/Monder.abnh Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074975.dll
[DETECTION] Is the TR/Monder.abna Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074976.dll
[DETECTION] Is the TR/Monder.abke.4 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074977.dll
[DETECTION] Is the TR/Monder.abke.3 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074978.exe
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.AB phishing file/email
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP229\A0074983.exe
[DETECTION] Contains recognition pattern of the PHISH/Fraud.SpywareGuard2008.AD phishing file/email
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP232\A0075191.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.fjq root kit
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP261\A0080953.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.fwt root kit
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP264\A0081501.dll
[DETECTION] Is the TR/PCK.Krap.D.841 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP264\A0081502.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.fwt root kit
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <HP_RECOVERY>


End of the scan: Wednesday, January 07, 2009 12:13
Used time: 1:21:15 Hour(s)

The scan has been done completely.

9895 Scanning directories
494060 Files were scanned
54 viruses and/or unwanted programs were found
7 Files were classified as suspicious:
49 files were deleted
0 files were repaired
7 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
493996 Files not concerned
19384 Archives were scanned
15 Warnings
56 Notes
---------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:46 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Hchecker.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 4278 bytes
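The Avira report posted above lists, for each scanned path, one or more [DETECTION] lines and a [NOTE] line recording what the scanner did with the file. The following Python parser is an added example for readers triaging such a report; it is not code from the thread, from Avira or from BleepingComputer. It turns the file-scan section into one record per path and summarizes the records by malware family, by action taken, and by whether the hit sits inside a System Restore snapshot (a path under System Volume Information) rather than in a live location. The sample lines are a constructed excerpt in the same shape as the posted report, and the function and field names (`parse_report`, `summarize`, `live_hits`, `in_restore_point`) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the Avira AntiVir report posted in the
# thread: a scanned path, then [DETECTION] / [NOTE] / [WARNING] lines for it.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
[DETECTION] Is the TR/PCK.Krap.D.841 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TargetSaver.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49d6d068.qua'!
C:\Documents and Settings\Bethany\Local Settings\Temp\asc_xt_v.exe
[DETECTION] Is the TR/Dldr.Delphi.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP227\A0073955.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.fjq.1 root kit
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
""".strip("\n")

# Avira names look like PREFIX/Family.variant (TR/..., RKIT/..., PHISH/...);
# the prefix is upper-case, which keeps "file/email" from matching.
DETECTION_NAME = re.compile(r"\b([A-Z]+/[A-Za-z0-9.\-]+)")
QUARANTINE_NOTE = re.compile(r"moved to '([^']+)'")


def parse_report(text):
    """Turn the file-scan section of an Avira report into one record per path."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Begin scan in"):
            continue
        if line.startswith("[") or line.startswith("-->"):
            if current is None:
                continue  # annotation with no preceding path; nothing to attach it to
            if line.startswith("[DETECTION]"):
                m = DETECTION_NAME.search(line)
                if m:
                    current["detections"].append(m.group(1))
            elif line.startswith("[NOTE]"):
                if "was deleted" in line:
                    current["action"] = "deleted"
                else:
                    q = QUARANTINE_NOTE.search(line)
                    if q:
                        current["action"] = "quarantined"
                        current["quarantine_file"] = q.group(1)
            elif line.startswith("[WARNING]"):
                current["warnings"].append(line[len("[WARNING]"):].strip())
            # "-->" member lines and "[n] Archive type" lines only describe
            # archive nesting; detections inside them count against the outer file.
            continue
        current = {
            "path": line,
            "detections": [],
            "action": "none",
            "warnings": [],
            "in_restore_point": "\\System Volume Information\\" in line,
        }
        records.append(current)
    return records


def summarize(records):
    """Counts in the spirit of the report's own summary block, plus a family breakdown."""
    families = Counter()
    for rec in records:
        for name in rec["detections"]:
            families[name.split(".")[0]] += 1  # TR/PCK.Krap.D.841 -> TR/PCK
    return {
        "files_with_detections": sum(1 for r in records if r["detections"]),
        "detections": sum(len(r["detections"]) for r in records),
        "deleted": sum(1 for r in records if r["action"] == "deleted"),
        "quarantined": sum(1 for r in records if r["action"] == "quarantined"),
        "unscannable": sum(1 for r in records if r["warnings"] and not r["detections"]),
        "restore_point_hits": sum(1 for r in records if r["in_restore_point"] and r["detections"]),
        "families": families,
    }


def live_hits(records):
    """Paths with a detection outside System Restore snapshots: the ones that
    point at a currently active component rather than an old snapshot copy."""
    return [r["path"] for r in records if r["detections"] and not r["in_restore_point"]]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    s = summarize(recs)
    print(f"{s['detections']} detections in {s['files_with_detections']} files; "
          f"{s['deleted']} deleted, {s['quarantined']} quarantined, "
          f"{s['restore_point_hits']} inside restore points")
    for family, n in s["families"].most_common():
        print(f"  {family}: {n}")
    print("live hits:", live_hits(recs))
```

Run it on the file-scan section of a real report (everything from "Starting the file scan:" to "End of the scan") to get the same breakdown. The report's own summary counts detections per archive member, so the parser's `detections` figure corresponds to the "viruses and/or unwanted programs were found" line, while `deleted` and `quarantined` count files. The restore-point flag matters for triage: hits under `_restore{...}` are snapshot copies of files removed earlier, so the `live_hits` list (here, the IE DLLs folder, the Spybot recovery archive and the per-user Temp folder) is what to look at first.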

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 January 2009 - 01:03 PM

Hi,

To get rid of leftovers if still present, please do next...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 delamater - Topic Starter, Members

Posted 08 January 2009 - 12:18 PM

Combofix scan completed successfully.
HijackThis! Scan completed successfully.

ComboFix 09-01-07.03 - HP_Owner 2009-01-08 12:10:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.252 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bethany\Application Data\SpeedRunner
c:\documents and settings\Bethany\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Bethany\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Bethany\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\HP_Owner\Application Data\ElfData_v4_0_0.dll
c:\documents and settings\HP_Owner\Application Data\inst.exe
c:\documents and settings\HP_Owner\Application Data\MBSBase64Plugin8257.dll
c:\documents and settings\HP_Owner\Application Data\MBSFolderitemsPlugin8256.dll
c:\documents and settings\HP_Owner\Application Data\MBSGifPlugin8255.dll
c:\documents and settings\HP_Owner\Application Data\MBSJPEGDecompressionPlugin8253.dll
c:\documents and settings\HP_Owner\Application Data\MBSRegistrationPlugin8257.dll
c:\documents and settings\HP_Owner\Application Data\rbap550.dll
c:\documents and settings\HP_Owner\Application Data\RBInternetEncodings550.dll
c:\documents and settings\HP_Owner\Application Data\rbqt550.DLL
c:\documents and settings\HP_Owner\Application Data\RBRegEx550.dll
c:\documents and settings\HP_Owner\Application Data\RBScript550.dll
c:\documents and settings\HP_Owner\Application Data\RBShell550.dll
c:\windows\reged.exe
c:\windows\sys.com
c:\windows\system32\ntnet.drv
c:\windows\system32\sysaudio.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-07 10:45 . 2009-01-07 10:45 <DIR> d-------- c:\program files\Avira
2009-01-07 10:45 . 2009-01-07 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-06 18:13 . 2009-01-07 10:33 <DIR> d-------- c:\program files\BHODemon 2
2009-01-06 16:56 . 2009-01-07 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-06 16:29 . 2009-01-06 16:29 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\program files\AIM Search
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\InstallShield
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\dvdcss
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\YAMAHA
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2009-01-05 07:15 . 2009-01-05 07:15 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\acccore
2009-01-04 12:16 . 2009-01-04 12:16 44 --a------ C:\Track1.wav
2009-01-03 22:02 . 2009-01-03 22:02 <DIR> d-------- c:\documents and settings\Bethany\Application Data\acccore
2009-01-03 21:44 . 2009-01-03 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-03 21:44 . 2009-01-03 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-01-03 21:43 . 2009-01-03 22:00 368 --ah----- C:\IPH.PH
2009-01-02 03:30 . 2009-01-02 03:30 754 --a------ c:\windows\WORDPAD.INI
2008-12-25 18:06 . 2007-09-03 20:37 2,284,544 -ra------ c:\windows\system32\xgusb.cpl
2008-12-25 18:06 . 2007-09-03 20:37 16,768 -ra------ c:\windows\system32\drivers\ymidusb.sys
2008-12-25 18:00 . 2008-12-25 18:00 <DIR> d-------- c:\program files\YAMAHA
2008-12-11 21:14 . 2008-12-11 21:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-11 19:40 . 2009-01-07 10:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-11 19:40 . 2009-01-07 10:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-11 09:36 . 2008-12-11 09:36 <DIR> d-------- c:\windows\fzim
2008-12-09 21:20 . 2009-01-06 17:57 <DIR> d--hs---- c:\windows\RGVib3JhaCBTbGFtb24
2008-12-09 21:10 . 2008-12-11 17:16 <DIR> d-------- c:\documents and settings\Bethany\Application Data\Twain
2008-12-09 21:04 . 2008-12-11 18:37 <DIR> d-------- c:\program files\Webtools
2008-12-08 21:54 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-08 21:54 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-08 21:53 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2008-12-08 21:53 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 23:37 --------- d-----w c:\program files\NINJAM
2009-01-06 21:28 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-06 21:10 --------- d-----w c:\program files\Wolfenstein - Enemy Territory
2009-01-06 21:10 --------- d-----w c:\documents and settings\HP_Owner\Application Data\gtk-2.0
2009-01-06 21:09 --------- d-----w c:\documents and settings\HP_Owner\Application Data\REAPER
2009-01-06 21:09 --------- d-----w c:\documents and settings\Bethany\Application Data\gtk-2.0
2009-01-05 22:35 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Canon
2009-01-04 17:09 --------- d-----w c:\program files\REAPER
2009-01-04 03:00 --------- d-----w c:\program files\AIM6
2009-01-04 02:44 --------- d-----w c:\program files\Common Files\AOL
2009-01-04 02:41 --------- d-----w c:\program files\AIM
2008-12-25 23:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 16:21 --------- d-----w c:\documents and settings\HP_Owner\Application Data\FileZilla
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 16:42 --------- d-----w c:\program files\Free FTP
2008-12-02 17:28 --------- d-----w c:\documents and settings\HP_Owner\Application Data\vlc
2008-12-02 01:47 --------- d-----w c:\documents and settings\Bethany\Application Data\vlc
2008-12-01 20:41 --------- d-----w c:\program files\VideoLAN
2008-11-30 20:38 201,440 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-30 20:38 138,512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-24 12:26 168 ----a-w c:\documents and settings\Bethany\Application Data\wklnhst.dat
2008-11-24 01:35 --------- d-----w c:\documents and settings\Bethany\Application Data\Template
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-11 02:35 86,016 ----a-w c:\windows\system32\OpenAL32.dll
2008-10-11 02:35 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2008-08-27 02:45 47,360 ----a-w c:\documents and settings\HP_Owner\Application Data\pcouffin.sys
2008-08-17 01:25 48,640 ---ha-w c:\documents and settings\HP_Owner\Application Data\eSelleratePlugin.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"aux5"= wdmaud.sys
"midi6"= xgusb.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-11-09 19:29 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-23 01:14 237568 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
--a------ 2008-04-13 19:12 146432 c:\windows\regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\delamater\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\dedicated server\\hlds.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\insurgency\\hl2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe --> c:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2008-08-14 153760]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-07-22 18432]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2008-07-22 360448]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-07-22 18944]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-07-22 33792]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2008-10-09 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: ñؾ(&:thumbsup:
Trusted Zone: free.aol.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 12:12:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-08 12:13:30
ComboFix-quarantined-files.txt 2009-01-08 17:13:27

Pre-Run: 69,673,795,584 bytes free
Post-Run: 69,844,291,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

225 --- E O F --- 2008-12-18 08:00:55
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:01 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Hchecker.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 4342 bytes

#6 miekiemoes - Malware Killer Dog, Malware Response Team, Belgium

Posted 08 January 2009 - 12:41 PM

Hi,

We're not finished yet...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Windows\system32\wdmaud.sys
Folder::
c:\windows\RGVib3JhaCBTbGFtb24
c:\documents and settings\Bethany\Application Data\Twain
c:\program files\Webtools
Dirlook::
c:\windows\fzim
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 08 January 2009 - 12:41 PM.

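As an added example (my own code, not ComboFix's, not the helper's, and not part of this thread), here is a small Python triage script that applies the three checks behind the CFScript above to constructed log lines shaped like the ones posted in this thread: a drivers32 entry that loads a file with a kernel-driver or executable extension ("aux5"= wdmaud.sys; the stock drivers32 entries point at user-mode modules such as wdmaud.drv, and the genuine wdmaud.sys belongs in system32\drivers, so a same-named file in system32 is a lookalike), the Security Center *DisableNotify switch being set to 1, and a hidden+system directory under c:\windows whose name is valid base64 of printable text. The suggest_cfscript function drafts File::/Folder::/Registry:: sections in the syntax used above. Assumptions that are mine and not from the page: the sample log text is constructed, the list of suspicious extensions is a heuristic, and a bare drivers32 filename is assumed to resolve to c:\windows\system32. Monitoring\<vendor>\DisableMonitoring values are deliberately not flagged, since third-party AV products set them legitimately.

```python
import base64
import re

# Constructed sample, shaped like the ComboFix output in this thread: two lines
# from the "Files Created" listing, then part of the REGEDIT4 "Reg Loading
# Points" block.  Nothing here is read from a live machine.
SAMPLE_LOG = r"""
2008-12-09 21:20 . 2009-01-06 17:57 <DIR> d--hs---- c:\windows\RGVib3JhaCBTbGFtb24
2008-12-11 09:36 . 2008-12-11 09:36 <DIR> d-------- c:\windows\fzim

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"aux5"= wdmaud.sys
"midi6"= xgusb.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DIR_RE = re.compile(r"<DIR>\s+(\S{9})\s+(\S.*)$")   # 9-char attribute string, then path
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# drivers32 values are user-mode multimedia modules (wdmaud.drv, msacm32.drv,
# *.acm, *.ax, ...) that winmm loads into any process touching audio/video.
# A kernel-driver or executable extension in that slot is the tell-tale here
# (heuristic list, my assumption).
SUSPICIOUS_EXT = (".sys", ".exe", ".com", ".scr")


def _decode_b64_name(name):
    """Return the decoded text if `name` is base64 of printable ASCII, else None."""
    if not B64_RE.match(name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if text.isprintable() and text.strip() else None


def triage(log_text):
    """Scan ComboFix-style log text and return a list of finding dicts."""
    findings, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = DIR_RE.search(line)
        if m:
            attrs, path = m.groups()
            # hidden + system directory whose name decodes as base64 text
            if "h" in attrs and "s" in attrs:
                decoded = _decode_b64_name(path.rsplit("\\", 1)[-1])
                if decoded is not None:
                    findings.append({"kind": "hidden_b64_dir", "path": path, "decoded": decoded})
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = m.group(1), m.group(2).strip()
        k = key.lower()
        if k.endswith("currentversion\\drivers32") and value.lower().endswith(SUSPICIOUS_EXT):
            findings.append({"kind": "drivers32_loader", "key": key, "value_name": name, "file": value})
        # Only the *DisableNotify switches are flagged; Monitoring\<vendor>\DisableMonitoring
        # is routinely set by third-party AV products and is not an indicator on its own.
        elif (k.endswith("microsoft\\security center")
              and name.lower().endswith("disablenotify")
              and value.lower() == "dword:00000001"):
            findings.append({"kind": "security_center_notify_off", "key": key, "value_name": name})
    return findings


def suggest_cfscript(findings, system32=r"c:\windows\system32"):
    """Draft CFScript sections (File::/Folder::/Registry:: syntax as used in the thread)
    for a human to review.  Resolving a bare drivers32 filename to system32 is an assumption."""
    files, folders, registry = [], [], []
    for f in findings:
        if f["kind"] == "drivers32_loader":
            files.append(f"{system32}\\{f['file']}")
            registry += [f"[{f['key']}]", f'"{f["value_name"]}"=-']
        elif f["kind"] == "hidden_b64_dir":
            folders.append(f["path"])
        elif f["kind"] == "security_center_notify_off":
            registry += [f"[{f['key']}]", f'"{f["value_name"]}"=dword:00000000']
    out = []
    if files:
        out += ["File::", *files]
    if folders:
        out += ["Folder::", *folders]
    if registry:
        out += ["Registry::", *registry]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(suggest_cfscript(found))
```

Run it as-is and it prints the three findings from the constructed sample and a draft script; point triage() at a real ComboFix.txt only to get a list of things to look at, and let a person decide what goes into the script that is actually dragged onto ComboFix.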

#7 delamater - Topic Starter, Members

Posted 08 January 2009 - 02:33 PM

Done and done. What did that do?

ComboFix 09-01-08.01 - HP_Owner 2009-01-08 14:26:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.230 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\wdmaud.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\RGVib3JhaCBTbGFtb24

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-07 10:45 . 2009-01-07 10:45 <DIR> d-------- c:\program files\Avira
2009-01-07 10:45 . 2009-01-07 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-06 18:13 . 2009-01-07 10:33 <DIR> d-------- c:\program files\BHODemon 2
2009-01-06 16:56 . 2009-01-07 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-06 16:29 . 2009-01-06 16:29 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\program files\AIM Search
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\InstallShield
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\dvdcss
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\YAMAHA
2009-01-06 16:10 . 2009-01-06 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2009-01-05 07:15 . 2009-01-05 07:15 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\acccore
2009-01-04 12:16 . 2009-01-04 12:16 44 --a------ C:\Track1.wav
2009-01-03 22:02 . 2009-01-03 22:02 <DIR> d-------- c:\documents and settings\Bethany\Application Data\acccore
2009-01-03 21:44 . 2009-01-03 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-03 21:44 . 2009-01-03 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-01-03 21:43 . 2009-01-03 22:00 368 --ah----- C:\IPH.PH
2009-01-02 03:30 . 2009-01-02 03:30 754 --a------ c:\windows\WORDPAD.INI
2008-12-25 18:06 . 2007-09-03 20:37 2,284,544 -ra------ c:\windows\system32\xgusb.cpl
2008-12-25 18:06 . 2007-09-03 20:37 16,768 -ra------ c:\windows\system32\drivers\ymidusb.sys
2008-12-25 18:00 . 2008-12-25 18:00 <DIR> d-------- c:\program files\YAMAHA
2008-12-11 21:14 . 2008-12-11 21:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-11 19:40 . 2009-01-07 10:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-11 19:40 . 2009-01-07 10:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-11 09:36 . 2008-12-11 09:36 <DIR> d-------- c:\windows\fzim
2008-12-09 21:10 . 2008-12-11 17:16 <DIR> d-------- c:\documents and settings\Bethany\Application Data\Twain
2008-12-09 21:04 . 2008-12-11 18:37 <DIR> d-------- c:\program files\Webtools
2008-12-08 21:54 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-08 21:54 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-08 21:53 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2008-12-08 21:53 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 23:37 --------- d-----w c:\program files\NINJAM
2009-01-06 21:28 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-06 21:10 --------- d-----w c:\program files\Wolfenstein - Enemy Territory
2009-01-06 21:10 --------- d-----w c:\documents and settings\HP_Owner\Application Data\gtk-2.0
2009-01-06 21:09 --------- d-----w c:\documents and settings\HP_Owner\Application Data\REAPER
2009-01-06 21:09 --------- d-----w c:\documents and settings\Bethany\Application Data\gtk-2.0
2009-01-05 22:35 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Canon
2009-01-04 17:09 --------- d-----w c:\program files\REAPER
2009-01-04 03:00 --------- d-----w c:\program files\AIM6
2009-01-04 02:44 --------- d-----w c:\program files\Common Files\AOL
2009-01-04 02:41 --------- d-----w c:\program files\AIM
2008-12-25 23:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 16:21 --------- d-----w c:\documents and settings\HP_Owner\Application Data\FileZilla
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 16:42 --------- d-----w c:\program files\Free FTP
2008-12-02 17:28 --------- d-----w c:\documents and settings\HP_Owner\Application Data\vlc
2008-12-02 01:47 --------- d-----w c:\documents and settings\Bethany\Application Data\vlc
2008-12-01 20:41 --------- d-----w c:\program files\VideoLAN
2008-11-30 20:38 201,440 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-30 20:38 138,512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-24 12:26 168 ----a-w c:\documents and settings\Bethany\Application Data\wklnhst.dat
2008-11-24 01:35 --------- d-----w c:\documents and settings\Bethany\Application Data\Template
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-11 02:35 86,016 ----a-w c:\windows\system32\OpenAL32.dll
2008-10-11 02:35 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2008-08-27 02:45 47,360 ----a-w c:\documents and settings\HP_Owner\Application Data\pcouffin.sys
2008-08-17 01:25 48,640 ---ha-w c:\documents and settings\HP_Owner\Application Data\eSelleratePlugin.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\fzim ----

2008-12-11 09:36 522 --a------ c:\windows\fzim\fzim.dat
2002-07-26 17:02 153088 --a------ c:\windows\fzim\wu


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"midi6"= xgusb.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-11-09 19:29 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-23 01:14 237568 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
--a------ 2008-04-13 19:12 146432 c:\windows\regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\delamater\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\dedicated server\\hlds.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bobkaleypanteers\\insurgency\\hl2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe --> c:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2008-08-14 153760]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-07-22 18432]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2008-07-22 360448]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-07-22 18944]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-07-22 33792]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2008-10-09 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: ñؾ(&:thumbsup:
Trusted Zone: free.aol.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 14:29:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-08 14:31:08
ComboFix-quarantined-files.txt 2009-01-08 19:31:06
ComboFix2.txt 2009-01-08 17:13:33

Pre-Run: 69,848,121,344 bytes free
Post-Run: 69,852,286,976 bytes free

202 --- E O F --- 2008-12-18 08:00:55




-------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:35 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Hchecker.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 4375 bytes

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 January 2009 - 02:40 PM

Hi,

Please navigate to and delete the following folders:

c:\documents and settings\Bethany\Application Data\Twain
c:\program files\Webtools
c:\windows\fzim

Then, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
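The steps in the post above (remove the three folders, strip old Java installs, then uninstall ComboFix) are easy to get half-done by hand. The script below is an added verification example, not part of the thread or of any tool mentioned in it. It assumes PowerShell (2.0 or later, which had to be installed separately on Windows XP SP3) run from an Administrator account; the folder paths are the ones named in the post, the Uninstall key is the standard Windows location, and the Security Center `Monitoring` keys are the ones visible in the ComboFix log earlier in the thread.

```powershell
# Added verification script for the cleanup in post #8 (example code, not from the thread).
# Assumptions: PowerShell 2.0+ on the affected machine, run as Administrator.
# Folder paths are those named in the post; registry paths are standard Windows
# locations, and the Security Center keys are those shown in the ComboFix log.

$folders = @(
    'C:\Documents and Settings\Bethany\Application Data\Twain',
    'C:\Program Files\Webtools',
    'C:\Windows\fzim'
)

function Test-LeftoverFolders {
    # Reports each folder as absent/present; deletes only when -Remove is given,
    # so the default run is read-only.
    param([string[]]$Paths, [switch]$Remove)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            if ($Remove) {
                Remove-Item -LiteralPath $p -Recurse -Force
                "removed : $p"
            } else {
                "present : $p  (re-run with -Remove to delete)"
            }
        } else {
            "absent  : $p"
        }
    }
}

function Get-InstalledJava {
    # Every JRE/J2SE install leaves an entry under the Uninstall key. Any version
    # older than the one being installed is an exploitable browser plug-in and
    # should be removed, as the post says, before the new installer is run.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }   # Wow6432Node is absent on 32-bit XP
        Get-ChildItem $k | ForEach-Object {
            $e = Get-ItemProperty $_.PSPath
            if ($e.DisplayName -match 'Java|J2SE|JRE') {
                New-Object PSObject -Property @{
                    Name      = $e.DisplayName
                    Version   = $e.DisplayVersion
                    Uninstall = $e.UninstallString
                }
            }
        }
    }
}

function Get-SecurityCenterOverrides {
    # The ComboFix log shows DisableMonitoring=1 under the SymantecAntiVirus and
    # SymantecFirewall keys. With that flag set, Security Center defers to the
    # vendor's own alerts and will not warn that the product is off or gone,
    # which matters here because Symantec is no longer in the process list.
    $root = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root | ForEach-Object {
        $v = (Get-ItemProperty $_.PSPath).DisableMonitoring
        if ($v -eq 1) { "Security Center monitoring disabled for: $($_.PSChildName)" }
    }
}

Test-LeftoverFolders -Paths $folders
Get-InstalledJava | Format-Table Name, Version -AutoSize
Get-SecurityCenterOverrides
```

Run it once before the Java reinstall to see what Add/Remove Programs should still be showing, and again after `ComboFix /u` to confirm the three folders did not come back; a folder that reappears after a reboot points to an autostart entry the scans did not catch, which would justify a fresh log rather than another manual delete.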

#9 delamater (Topic Starter, Members, 9 posts)

Posted 08 January 2009 - 02:53 PM

Everything appears to be working quite well. Thank you very much indeed. Could you recommend a good non-invasive firewall?

#10 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 January 2009 - 03:04 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

For a Firewall, look in my signature below under Firewalls for the ones I recommend. Comodo and Online Armor are more advanced ones, so if you're not familiar with Firewalls and Windows settings, then I won't recommend these.

Happy Surfing again!

#11 delamater (Topic Starter, Members, 9 posts)

Posted 08 January 2009 - 03:08 PM

Thanks, Comodo made me pull my hair out.

#12 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 08 January 2009 - 03:10 PM

Yes, I can imagine if you're not familiar with advanced Firewalls :thumbsup:

#13 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 12 January 2009 - 06:27 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
