
HijackThis Log: Please help diagnose


30 replies to this topic

#1 bustamove

bustamove

  • Members
  • 25 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 12 February 2009 - 01:27 PM

I have encountered the SmitFraud trojan and have tried removing it using both Spybot and Ad-Aware, to no avail. I ran HijackThis and the log is shown below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:54 PM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\IoctlSvc.exe
D:\WINDOWS\system32\HPZipm12.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
D:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231021062450
O20 - Winlogon Notify: nnnljihi - nnnljihi.dll (file missing)
O20 - Winlogon Notify: urqQjiIx - urqQjiIx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - D:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - D:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - D:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8870 bytes

Any help is greatly appreciated



#2 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 12 February 2009 - 04:22 PM

Update: I forgot to mention that Spybot kept returning with only one entry.

I believe it was: windows/system32/core.cache.dsk

The only effect seems to be an occasional IE popup. Nothing more than that as of this time.

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:28 PM

Posted 13 February 2009 - 02:25 PM

Hello bustamove,


I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 14 February 2009 - 12:26 PM

Ok done.

Here is the ComboFix log:

ComboFix 09-02-12.03 - Alex 2009-02-14 12:07:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1499 [GMT -5:00]
Running from: d:\documents and settings\Alex\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\drivers\core.cache.dsk
d:\windows\system32\drivers\nwlnkipxx.sys
d:\windows\system32\mcrh.tmp
d:\windows\system32\wl.exe
d:\windows\system32\x13
d:\windows\system32\x13\VE2PIX5.exe
d:\windows\system32\Z55

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWLNKIPXX
-------\Service_nwlnkipxx


((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-12 13:17 . 2009-02-12 13:17 <DIR> d-------- d:\program files\Trend Micro
2009-02-12 11:39 . 2009-02-12 11:25 15,688 --a------ d:\windows\system32\lsdelete.exe
2009-02-12 11:25 . 2009-02-12 11:25 <DIR> d----c--- d:\windows\system32\DRVSTORE
2009-02-12 11:25 . 2009-02-12 11:25 64,160 --a------ d:\windows\system32\drivers\Lbd.sys
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d-------- d:\program files\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\Pablo\Application Data\PlayFirst
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayFirst
2009-02-07 15:51 . 2009-02-12 10:36 292 --a------ d:\windows\wininit.ini
2009-02-06 21:21 . 2009-02-06 21:21 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Meridian93
2009-02-06 18:52 . 2009-02-06 18:52 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2009-02-06 18:52 . 2009-02-06 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-06 17:49 . 2009-02-06 17:49 0 --a------ d:\windows\system32\drivers\feaxzdon.sys
2009-02-01 22:00 . 2009-02-01 22:00 <DIR> d-------- d:\documents and settings\Chris\Application Data\Artogon
2009-02-01 21:39 . 2009-02-01 21:39 <DIR> d-------- d:\documents and settings\Chris\Application Data\Friday's games
2009-01-31 18:53 . 2009-01-31 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\JollyBear
2009-01-30 21:07 . 2009-01-30 21:07 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Artogon
2009-01-29 21:40 . 2009-01-29 21:40 <DIR> d-------- d:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-01-29 21:09 . 2009-01-29 21:09 <DIR> d-------- d:\documents and settings\Daisy\Application Data\AdobeUM
2009-01-26 17:56 . 2008-12-01 14:35 593,920 --------- d:\windows\system32\ati2sgag.exe
2009-01-26 17:55 . 2009-01-26 17:55 <DIR> d-------- D:\ATI
2009-01-26 17:38 . 2009-01-26 17:38 0 --a------ d:\windows\ativpsrm.bin
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativvaxx.dat
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativva5x.dat
2009-01-26 17:37 . 2008-10-03 17:00 887,724 -ra------ d:\windows\system32\ativva6x.dat
2009-01-26 17:37 . 2008-12-01 15:52 425,984 --a------ d:\windows\system32\ATIDEMGX.dll
2009-01-26 17:37 . 2008-12-01 15:19 307,200 --a------ d:\windows\system32\atiiiexx.dll
2009-01-26 17:37 . 2008-10-30 09:45 180,720 --a------ d:\windows\system32\atiicdxx.dat
2009-01-26 17:37 . 2008-07-02 14:40 136,704 -ra------ d:\windows\system32\drivers\AtiHdmi.sys
2009-01-26 17:37 . 2008-10-17 09:19 15,079 --a------ d:\windows\atiogl.xml
2009-01-26 17:37 . 2007-08-31 08:20 7,167 -ra------ d:\windows\system32\atifglpf.xml
2009-01-26 17:37 . 2008-09-29 15:22 529 -ra------ d:\windows\system32\ATIODCLI.exe.manifest
2009-01-26 17:37 . 2008-10-03 15:48 527 -ra------ d:\windows\system32\ATIODE.exe.manifest
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a------ d:\windows\system32\drivers\hidusb.sys
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a--c--- d:\windows\system32\dllcache\hidusb.sys
2009-01-25 21:32 . 2009-01-25 21:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\AdventureChronicles1
2009-01-25 20:15 . 2009-01-25 20:16 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Fabulous Finds
2009-01-25 19:15 . 2009-01-25 19:15 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayPond
2009-01-25 18:21 . 2009-02-09 21:27 23 --a------ d:\windows\BlendSettings.ini
2009-01-25 17:49 . 2009-01-25 17:49 <DIR> d-------- d:\program files\Bethesda Softworks
2009-01-25 11:12 . 2009-01-25 11:12 151 --a------ d:\windows\PhotoSnapViewer.INI
2009-01-24 15:58 . 2009-01-24 15:58 <DIR> d-------- d:\documents and settings\Alex\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\Daisy\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\blg
2009-01-21 20:48 . 2009-01-21 20:48 <DIR> d-------- d:\documents and settings\Chris\Application Data\Oberonv1001
2009-01-21 20:47 . 2009-01-21 20:47 <DIR> d-------- d:\program files\Oberon Media
2009-01-21 20:47 . 2009-01-25 17:51 <DIR> d-------- d:\program files\MSN Games
2009-01-18 11:50 . 2009-02-11 19:14 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2009-01-18 11:26 . 2009-01-18 11:26 <DIR> d-------- d:\program files\bfgclient
2009-01-18 11:25 . 2009-02-07 15:58 <DIR> d-------- d:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-18 11:17 . 2009-01-18 11:17 <DIR> d-------- d:\documents and settings\Daisy\Application Data\The Labyrinth Plus! Edition
2009-01-17 14:37 . 2009-02-02 21:02 <DIR> d-------- d:\documents and settings\Alex\Application Data\Ahead
2009-01-16 20:56 . 2009-01-16 20:56 <DIR> d-------- d:\documents and settings\Alex\Application Data\Acreon
2009-01-15 21:18 . 2009-01-15 21:18 <DIR> d-------- d:\documents and settings\All Users\Application Data\Blizzard
2009-01-15 20:01 . 2009-02-12 16:34 <DIR> d-------- d:\program files\World of Warcraft
2009-01-15 20:01 . 2009-01-15 20:42 <DIR> d-------- d:\program files\Common Files\Blizzard Entertainment
2009-01-15 11:19 . 2009-01-15 11:19 <DIR> d-------- d:\documents and settings\Pablo\Application Data\Transcend
2009-01-15 09:18 . 2009-01-15 09:18 <DIR> d-------- d:\documents and settings\Administrator
2009-01-15 09:09 . 2008-05-19 18:16 186,407 --a------ d:\windows\system32\nvapps.nvb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 16:40 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2009-01-26 22:56 --------- d--h--w d:\program files\InstallShield Installation Information
2009-01-13 03:07 --------- d-----w d:\program files\MSXML 4.0
2009-01-12 21:36 --------- d-----w d:\documents and settings\Pablo\Application Data\Ahead
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DVDnextCOPY2
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DistributeShield
2009-01-11 22:01 --------- d-----w d:\program files\Google
2009-01-11 16:37 94,208 ----a-w d:\windows\DIIUnin.exe
2009-01-11 16:37 2,829 ----a-w d:\windows\DIIUnin.pif
2009-01-11 15:44 --------- d-----w d:\documents and settings\All Users\Application Data\Ahead
2009-01-11 15:43 --------- d-----w d:\program files\Common Files\Ahead
2009-01-11 15:40 --------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-01-10 22:49 34,528 ----a-w d:\windows\system32\drivers\Pcouffin.sys
2009-01-10 22:39 --------- d-----w d:\documents and settings\Pablo\Application Data\AdobeUM
2009-01-10 22:37 --------- d-----w d:\program files\Common Files\Adobe
2009-01-10 20:32 --------- d-----w d:\documents and settings\Pablo\Application Data\Nero
2009-01-10 20:31 --------- d-----w d:\program files\Nero
2009-01-07 03:00 --------- d-----w d:\program files\HP
2009-01-07 02:36 --------- d-----w d:\documents and settings\Pablo\Application Data\OfficeUpdate12
2009-01-07 01:07 --------- d-----w d:\program files\Microsoft Works
2009-01-07 00:50 --------- d-----w d:\program files\Microsoft ActiveSync
2009-01-07 00:50 --------- d-----w d:\program files\Common Files\L&H
2009-01-07 00:44 --------- d-----w d:\program files\Microsoft.NET
2009-01-07 00:05 --------- d-----w d:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-06 00:34 315,392 ----a-w d:\windows\HideWin.exe
2009-01-06 00:34 --------- d-----w d:\program files\Realtek
2009-01-06 00:31 --------- d-----w d:\program files\Setup Files
2009-01-06 00:30 --------- d-----w d:\program files\Intel
2009-01-06 00:30 --------- d-----w d:\program files\Common Files\InstallShield
2009-01-06 00:23 --------- d-----w d:\program files\MSI
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-04 21:45 0 ---ha-w d:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-04 21:18 --------- d-----w d:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-04 21:10 --------- d-----w d:\program files\Zune
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-04 20:24 --------- d-----w d:\program files\Windows Defender
2009-01-04 20:20 --------- d-----w d:\program files\Windows Media Connect 2
2009-01-03 22:43 --------- d-----w d:\documents and settings\All Users\Application Data\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\Cisco Systems
2009-01-03 21:58 --------- d-----w d:\program files\microsoft frontpage
2008-12-05 00:54 524,288 ----a-w d:\windows\opuc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]





And here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:31 PM, on 2/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\IoctlSvc.exe
D:\WINDOWS\system32\HPZipm12.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
D:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231021062450
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - D:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - D:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - D:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8433 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:28 PM

Posted 14 February 2009 - 01:46 PM

Hello,

The ComboFix log got cut off. Could you please post the whole thing? HijackThis looks all right. How is it running, please?

tea

#6 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 14 February 2009 - 02:46 PM

Here is the ComboFix log again.

ComboFix 09-02-12.03 - Alex 2009-02-14 12:07:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1499 [GMT -5:00]
Running from: d:\documents and settings\Alex\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\drivers\core.cache.dsk
d:\windows\system32\drivers\nwlnkipxx.sys
d:\windows\system32\mcrh.tmp
d:\windows\system32\wl.exe
d:\windows\system32\x13
d:\windows\system32\x13\VE2PIX5.exe
d:\windows\system32\Z55

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWLNKIPXX
-------\Service_nwlnkipxx


((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-12 13:17 . 2009-02-12 13:17 <DIR> d-------- d:\program files\Trend Micro
2009-02-12 11:39 . 2009-02-12 11:25 15,688 --a------ d:\windows\system32\lsdelete.exe
2009-02-12 11:25 . 2009-02-12 11:25 <DIR> d----c--- d:\windows\system32\DRVSTORE
2009-02-12 11:25 . 2009-02-12 11:25 64,160 --a------ d:\windows\system32\drivers\Lbd.sys
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d-------- d:\program files\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\Pablo\Application Data\PlayFirst
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayFirst
2009-02-07 15:51 . 2009-02-12 10:36 292 --a------ d:\windows\wininit.ini
2009-02-06 21:21 . 2009-02-06 21:21 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Meridian93
2009-02-06 18:52 . 2009-02-06 18:52 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2009-02-06 18:52 . 2009-02-06 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-06 17:49 . 2009-02-06 17:49 0 --a------ d:\windows\system32\drivers\feaxzdon.sys
2009-02-01 22:00 . 2009-02-01 22:00 <DIR> d-------- d:\documents and settings\Chris\Application Data\Artogon
2009-02-01 21:39 . 2009-02-01 21:39 <DIR> d-------- d:\documents and settings\Chris\Application Data\Friday's games
2009-01-31 18:53 . 2009-01-31 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\JollyBear
2009-01-30 21:07 . 2009-01-30 21:07 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Artogon
2009-01-29 21:40 . 2009-01-29 21:40 <DIR> d-------- d:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-01-29 21:09 . 2009-01-29 21:09 <DIR> d-------- d:\documents and settings\Daisy\Application Data\AdobeUM
2009-01-26 17:56 . 2008-12-01 14:35 593,920 --------- d:\windows\system32\ati2sgag.exe
2009-01-26 17:55 . 2009-01-26 17:55 <DIR> d-------- D:\ATI
2009-01-26 17:38 . 2009-01-26 17:38 0 --a------ d:\windows\ativpsrm.bin
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativvaxx.dat
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativva5x.dat
2009-01-26 17:37 . 2008-10-03 17:00 887,724 -ra------ d:\windows\system32\ativva6x.dat
2009-01-26 17:37 . 2008-12-01 15:52 425,984 --a------ d:\windows\system32\ATIDEMGX.dll
2009-01-26 17:37 . 2008-12-01 15:19 307,200 --a------ d:\windows\system32\atiiiexx.dll
2009-01-26 17:37 . 2008-10-30 09:45 180,720 --a------ d:\windows\system32\atiicdxx.dat
2009-01-26 17:37 . 2008-07-02 14:40 136,704 -ra------ d:\windows\system32\drivers\AtiHdmi.sys
2009-01-26 17:37 . 2008-10-17 09:19 15,079 --a------ d:\windows\atiogl.xml
2009-01-26 17:37 . 2007-08-31 08:20 7,167 -ra------ d:\windows\system32\atifglpf.xml
2009-01-26 17:37 . 2008-09-29 15:22 529 -ra------ d:\windows\system32\ATIODCLI.exe.manifest
2009-01-26 17:37 . 2008-10-03 15:48 527 -ra------ d:\windows\system32\ATIODE.exe.manifest
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a------ d:\windows\system32\drivers\hidusb.sys
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a--c--- d:\windows\system32\dllcache\hidusb.sys
2009-01-25 21:32 . 2009-01-25 21:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\AdventureChronicles1
2009-01-25 20:15 . 2009-01-25 20:16 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Fabulous Finds
2009-01-25 19:15 . 2009-01-25 19:15 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayPond
2009-01-25 18:21 . 2009-02-09 21:27 23 --a------ d:\windows\BlendSettings.ini
2009-01-25 17:49 . 2009-01-25 17:49 <DIR> d-------- d:\program files\Bethesda Softworks
2009-01-25 11:12 . 2009-01-25 11:12 151 --a------ d:\windows\PhotoSnapViewer.INI
2009-01-24 15:58 . 2009-01-24 15:58 <DIR> d-------- d:\documents and settings\Alex\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\Daisy\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\blg
2009-01-21 20:48 . 2009-01-21 20:48 <DIR> d-------- d:\documents and settings\Chris\Application Data\Oberonv1001
2009-01-21 20:47 . 2009-01-21 20:47 <DIR> d-------- d:\program files\Oberon Media
2009-01-21 20:47 . 2009-01-25 17:51 <DIR> d-------- d:\program files\MSN Games
2009-01-18 11:50 . 2009-02-11 19:14 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2009-01-18 11:26 . 2009-01-18 11:26 <DIR> d-------- d:\program files\bfgclient
2009-01-18 11:25 . 2009-02-07 15:58 <DIR> d-------- d:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-18 11:17 . 2009-01-18 11:17 <DIR> d-------- d:\documents and settings\Daisy\Application Data\The Labyrinth Plus! Edition
2009-01-17 14:37 . 2009-02-02 21:02 <DIR> d-------- d:\documents and settings\Alex\Application Data\Ahead
2009-01-16 20:56 . 2009-01-16 20:56 <DIR> d-------- d:\documents and settings\Alex\Application Data\Acreon
2009-01-15 21:18 . 2009-01-15 21:18 <DIR> d-------- d:\documents and settings\All Users\Application Data\Blizzard
2009-01-15 20:01 . 2009-02-12 16:34 <DIR> d-------- d:\program files\World of Warcraft
2009-01-15 20:01 . 2009-01-15 20:42 <DIR> d-------- d:\program files\Common Files\Blizzard Entertainment
2009-01-15 11:19 . 2009-01-15 11:19 <DIR> d-------- d:\documents and settings\Pablo\Application Data\Transcend
2009-01-15 09:18 . 2009-01-15 09:18 <DIR> d-------- d:\documents and settings\Administrator
2009-01-15 09:09 . 2008-05-19 18:16 186,407 --a------ d:\windows\system32\nvapps.nvb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 16:40 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2009-01-26 22:56 --------- d--h--w d:\program files\InstallShield Installation Information
2009-01-13 03:07 --------- d-----w d:\program files\MSXML 4.0
2009-01-12 21:36 --------- d-----w d:\documents and settings\Pablo\Application Data\Ahead
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DVDnextCOPY2
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DistributeShield
2009-01-11 22:01 --------- d-----w d:\program files\Google
2009-01-11 16:37 94,208 ----a-w d:\windows\DIIUnin.exe
2009-01-11 16:37 2,829 ----a-w d:\windows\DIIUnin.pif
2009-01-11 15:44 --------- d-----w d:\documents and settings\All Users\Application Data\Ahead
2009-01-11 15:43 --------- d-----w d:\program files\Common Files\Ahead
2009-01-11 15:40 --------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-01-10 22:49 34,528 ----a-w d:\windows\system32\drivers\Pcouffin.sys
2009-01-10 22:39 --------- d-----w d:\documents and settings\Pablo\Application Data\AdobeUM
2009-01-10 22:37 --------- d-----w d:\program files\Common Files\Adobe
2009-01-10 20:32 --------- d-----w d:\documents and settings\Pablo\Application Data\Nero
2009-01-10 20:31 --------- d-----w d:\program files\Nero
2009-01-07 03:00 --------- d-----w d:\program files\HP
2009-01-07 02:36 --------- d-----w d:\documents and settings\Pablo\Application Data\OfficeUpdate12
2009-01-07 01:07 --------- d-----w d:\program files\Microsoft Works
2009-01-07 00:50 --------- d-----w d:\program files\Microsoft ActiveSync
2009-01-07 00:50 --------- d-----w d:\program files\Common Files\L&H
2009-01-07 00:44 --------- d-----w d:\program files\Microsoft.NET
2009-01-07 00:05 --------- d-----w d:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-06 00:34 315,392 ----a-w d:\windows\HideWin.exe
2009-01-06 00:34 --------- d-----w d:\program files\Realtek
2009-01-06 00:31 --------- d-----w d:\program files\Setup Files
2009-01-06 00:30 --------- d-----w d:\program files\Intel
2009-01-06 00:30 --------- d-----w d:\program files\Common Files\InstallShield
2009-01-06 00:23 --------- d-----w d:\program files\MSI
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-04 21:45 0 ---ha-w d:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-04 21:18 --------- d-----w d:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-04 21:10 --------- d-----w d:\program files\Zune
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-04 20:24 --------- d-----w d:\program files\Windows Defender
2009-01-04 20:20 --------- d-----w d:\program files\Windows Media Connect 2
2009-01-03 22:43 --------- d-----w d:\documents and settings\All Users\Application Data\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\Cisco Systems
2009-01-03 21:58 --------- d-----w d:\program files\microsoft frontpage
2008-12-05 00:54 524,288 ----a-w d:\windows\opuc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="d:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="d:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Ad-Watch"="d:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-12 509784]
"nwiz"="nwiz.exe" [2008-05-16 d:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 d:\windows\RTHDCPL.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-01-10 25214]
Microsoft Office OneNote 2003 Quick Launch.lnk - d:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\DigiCell.lnk
backup=d:\windows\pss\DigiCell.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
--a------ 2007-11-19 11:01 1970176 d:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-03-09 10:29 139264 d:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
--a------ 2007-03-20 14:36 36864 d:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
--a------ 2008-04-30 18:30 498176 d:\program files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 d:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-11-10 12:23 157312 d:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-02-12 64160]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 eewmvxti;eewmvxti;d:\windows\system32\drivers\imdlhzof.sys --> d:\windows\system32\drivers\imdlhzof.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S2 VRDVC10;Sony VRD-VC10 [Video Capture];d:\windows\system32\drivers\VRDVC10X.SYS [2004-11-09 10:02:40 31104]
S3 NtApm;NT Apm/Legacy Interface Driver;d:\windows\system32\drivers\NtApm.sys [2009-01-03 9344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05230250-d9e7-11dd-b6af-001617d831d1}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\mskcrtd.dll,InstallM
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 d:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-12 11:25]

2009-02-14 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-nnnljihi - nnnljihi.dll
Notify-urqQjiIx - urqQjiIx.dll


.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\93nv45a3.default\
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 12:15:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
d:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\ati2evxx.exe
d:\windows\system32\ati2evxx.exe
d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
d:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
d:\program files\McAfee\Common Framework\FrameworkService.exe
d:\program files\McAfee\VirusScan Enterprise\mcshield.exe
d:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\program files\McAfee\Common Framework\naPrdMgr.exe
d:\windows\system32\IoctlSvc.exe
d:\windows\system32\HPZipm12.exe
d:\windows\system32\ZuneBusEnum.exe
d:\windows\system32\wscntfy.exe
d:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-02-14 12:18:34 - machine was rebooted [Alex]
ComboFix-quarantined-files.txt 2009-02-14 17:18:31

Pre-Run: 33,510,887,424 bytes free
Post-Run: 35,740,327,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

262 --- E O F --- 2009-02-12 15:03:29



As far as PC performance goes, the IE pop-up is no longer coming up and everything seems to be working fine.
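
The log above is long, and most of it is noise (games, ATI driver files, Nero). What an analyst actually reads first is a handful of line types: boot-start drivers whose image file is missing (the `S0 eewmvxti;...imdlhzof.sys [?]` line), zero-byte `.sys` files with generated-looking names (`feaxzdon.sys`), a per-volume MountPoints2 autorun handler that runs a DLL through `rundll32.exe` (the `H:\` entry, the classic removable-drive infection route), `EnableFirewall = 0`, and the orphaned Winlogon Notify DLLs ComboFix already removed. The script below is an added example written for this thread; it is not part of ComboFix, HijackThis or any BleepingComputer tool, and its severity labels and the eight-lowercase-letter name heuristic are the example's own assumptions. The sample input is excerpted from the log posted above.

```python
"""Heuristic triage of ComboFix-style log lines (added example, not ComboFix's
or BleepingComputer's tooling). Flags the entries an analyst reads first;
every hit still needs confirmation by a person or a second tool."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# "S0 name;display;image [date size]" or "... --> image [?]" (file missing)
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# "Files Created" row: created . modified size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (<DIR>|[\d,]+) (\S+) (.+)$")
# Per-volume autorun key under the current user's MountPoints2
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\}\]$", re.I)
# Winlogon Notify entry in the ORPHANS REMOVED section
NOTIFY_RE = re.compile(r"^Notify-\S+ - (\S+\.dll)$", re.I)
# Assumption, not a rule: eight lowercase letters is the shape of many generated driver names
GENERATED_NAME_RE = re.compile(r"^[a-z]{8}$")

# Excerpt of the ComboFix log posted in this thread (the poster's lines, not
# constructed ones), cut down to the lines the checks below look at.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

2009-02-06 17:49 . 2009-02-06 17:49 0 --a------ d:\windows\system32\drivers\feaxzdon.sys
2009-02-12 11:25 . 2009-02-12 11:25 64,160 --a------ d:\windows\system32\drivers\Lbd.sys

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-02-12 64160]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 eewmvxti;eewmvxti;d:\windows\system32\drivers\imdlhzof.sys --> d:\windows\system32\drivers\imdlhzof.sys [?]
S3 NtApm;NT Apm/Legacy Interface Driver;d:\windows\system32\drivers\NtApm.sys [2009-01-03 9344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05230250-d9e7-11dd-b6af-001617d831d1}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\mskcrtd.dll,InstallM

- - - - ORPHANS REMOVED - - - -

Notify-nnnljihi - nnnljihi.dll
Notify-urqQjiIx - urqQjiIx.dll
"""


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return (severity, message) findings in log order."""
    findings: List[Finding] = []
    in_mountpoint = False
    autorun_target = "?"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # MountPoints2 block: the key line opens it, the first non-\Shell line closes it.
        if MOUNTPOINT_RE.match(line):
            in_mountpoint, autorun_target = True, "?"
            continue
        if in_mountpoint:
            if not line.startswith("\\"):
                in_mountpoint = False
            else:
                verb, _, cmd = line.partition(" - ")
                if verb.lower() == r"\shell\autorun\command":
                    autorun_target = cmd            # the volume, e.g. H:\
                elif "rundll32" in cmd.lower():
                    findings.append(("high",
                        f"autorun handler for {autorun_target} loads a DLL via rundll32: {cmd}"))
                continue

        if line.startswith('"EnableFirewall"='):
            if line.split("=", 1)[1].strip().startswith("0"):
                findings.append(("medium", "Windows Firewall disabled in the standard profile"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            kind, start, name, display, image = m.groups()
            if image.endswith("[?]"):               # ComboFix could not find the image
                path = image.split(" --> ")[0].strip()
                sev = "high" if start == "0" else "medium"   # start type 0 = boot driver
                findings.append((sev, f"{kind}{start} {name}: image file not found: {path}"))
            elif name == display and GENERATED_NAME_RE.match(name):
                findings.append(("low", f"{kind}{start} {name}: generated-looking service name"))
            continue

        m = CREATED_RE.match(line)
        if m:
            size, _attrs, path = m.groups()
            if size == "0" and path.lower().endswith(".sys"):
                findings.append(("medium", f"zero-byte driver file created: {path}"))
            continue

        m = NOTIFY_RE.match(line)
        if m:
            findings.append(("info", f"orphaned Winlogon Notify DLL (already removed): {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {msg}")
```

Run against the excerpt it reports six findings: the two "high" ones are the missing boot-start driver image (the same imdlhzof.sys that a CFScript `File::` directive would target) and the `H:\` autorun handler; the legitimate Lbd (Ad-Aware) and WinDefend entries produce nothing. Treat the output as a reading order, not a verdict.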

#7 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Location: Wills Point, Texas

Posted 14 February 2009 - 02:53 PM

Hello,

Thanks. :)

* Open Notepad. Don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
d:\windows\system32\drivers\imdlhzof.sys


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Looking pretty good. :thumbup2:

Thanks,
tea

#8 bustamove (Topic Starter)
  • Members
  • 25 posts

Posted 14 February 2009 - 03:31 PM

Whew, glad to hear that it's looking good :thumbup2:

Here is the Combofix log from the CFScript execution:


ComboFix 09-02-12.03 - Alex 2009-02-14 15:24:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1496 [GMT -5:00]
Running from: d:\documents and settings\Alex\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Alex\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
d:\windows\system32\drivers\imdlhzof.sys
.

((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-12 13:17 . 2009-02-12 13:17 <DIR> d-------- d:\program files\Trend Micro
2009-02-12 11:39 . 2009-02-12 11:25 15,688 --a------ d:\windows\system32\lsdelete.exe
2009-02-12 11:25 . 2009-02-12 11:25 <DIR> d----c--- d:\windows\system32\DRVSTORE
2009-02-12 11:25 . 2009-02-12 11:25 64,160 --a------ d:\windows\system32\drivers\Lbd.sys
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d-------- d:\program files\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\Pablo\Application Data\PlayFirst
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayFirst
2009-02-07 15:51 . 2009-02-12 10:36 292 --a------ d:\windows\wininit.ini
2009-02-06 21:21 . 2009-02-06 21:21 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Meridian93
2009-02-06 18:52 . 2009-02-06 18:52 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2009-02-06 18:52 . 2009-02-06 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-06 17:49 . 2009-02-06 17:49 0 --a------ d:\windows\system32\drivers\feaxzdon.sys
2009-02-01 22:00 . 2009-02-01 22:00 <DIR> d-------- d:\documents and settings\Chris\Application Data\Artogon
2009-02-01 21:39 . 2009-02-01 21:39 <DIR> d-------- d:\documents and settings\Chris\Application Data\Friday's games
2009-01-31 18:53 . 2009-01-31 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\JollyBear
2009-01-30 21:07 . 2009-01-30 21:07 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Artogon
2009-01-29 21:40 . 2009-01-29 21:40 <DIR> d-------- d:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-01-29 21:09 . 2009-01-29 21:09 <DIR> d-------- d:\documents and settings\Daisy\Application Data\AdobeUM
2009-01-26 17:56 . 2008-12-01 14:35 593,920 --------- d:\windows\system32\ati2sgag.exe
2009-01-26 17:55 . 2009-01-26 17:55 <DIR> d-------- D:\ATI
2009-01-26 17:38 . 2009-01-26 17:38 0 --a------ d:\windows\ativpsrm.bin
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativvaxx.dat
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativva5x.dat
2009-01-26 17:37 . 2008-10-03 17:00 887,724 -ra------ d:\windows\system32\ativva6x.dat
2009-01-26 17:37 . 2008-12-01 15:52 425,984 --a------ d:\windows\system32\ATIDEMGX.dll
2009-01-26 17:37 . 2008-12-01 15:19 307,200 --a------ d:\windows\system32\atiiiexx.dll
2009-01-26 17:37 . 2008-10-30 09:45 180,720 --a------ d:\windows\system32\atiicdxx.dat
2009-01-26 17:37 . 2008-07-02 14:40 136,704 -ra------ d:\windows\system32\drivers\AtiHdmi.sys
2009-01-26 17:37 . 2008-10-17 09:19 15,079 --a------ d:\windows\atiogl.xml
2009-01-26 17:37 . 2007-08-31 08:20 7,167 -ra------ d:\windows\system32\atifglpf.xml
2009-01-26 17:37 . 2008-09-29 15:22 529 -ra------ d:\windows\system32\ATIODCLI.exe.manifest
2009-01-26 17:37 . 2008-10-03 15:48 527 -ra------ d:\windows\system32\ATIODE.exe.manifest
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a------ d:\windows\system32\drivers\hidusb.sys
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a--c--- d:\windows\system32\dllcache\hidusb.sys
2009-01-25 21:32 . 2009-01-25 21:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\AdventureChronicles1
2009-01-25 20:15 . 2009-01-25 20:16 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Fabulous Finds
2009-01-25 19:15 . 2009-01-25 19:15 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayPond
2009-01-25 18:21 . 2009-02-09 21:27 23 --a------ d:\windows\BlendSettings.ini
2009-01-25 17:49 . 2009-01-25 17:49 <DIR> d-------- d:\program files\Bethesda Softworks
2009-01-25 11:12 . 2009-01-25 11:12 151 --a------ d:\windows\PhotoSnapViewer.INI
2009-01-24 15:58 . 2009-01-24 15:58 <DIR> d-------- d:\documents and settings\Alex\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\Daisy\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\blg
2009-01-21 20:48 . 2009-01-21 20:48 <DIR> d-------- d:\documents and settings\Chris\Application Data\Oberonv1001
2009-01-21 20:47 . 2009-01-21 20:47 <DIR> d-------- d:\program files\Oberon Media
2009-01-21 20:47 . 2009-01-25 17:51 <DIR> d-------- d:\program files\MSN Games
2009-01-18 11:50 . 2009-02-11 19:14 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2009-01-18 11:26 . 2009-01-18 11:26 <DIR> d-------- d:\program files\bfgclient
2009-01-18 11:25 . 2009-02-07 15:58 <DIR> d-------- d:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-18 11:17 . 2009-01-18 11:17 <DIR> d-------- d:\documents and settings\Daisy\Application Data\The Labyrinth Plus! Edition
2009-01-17 14:37 . 2009-02-02 21:02 <DIR> d-------- d:\documents and settings\Alex\Application Data\Ahead
2009-01-16 20:56 . 2009-01-16 20:56 <DIR> d-------- d:\documents and settings\Alex\Application Data\Acreon
2009-01-15 21:18 . 2009-01-15 21:18 <DIR> d-------- d:\documents and settings\All Users\Application Data\Blizzard
2009-01-15 20:01 . 2009-02-12 16:34 <DIR> d-------- d:\program files\World of Warcraft
2009-01-15 20:01 . 2009-01-15 20:42 <DIR> d-------- d:\program files\Common Files\Blizzard Entertainment
2009-01-15 11:19 . 2009-01-15 11:19 <DIR> d-------- d:\documents and settings\Pablo\Application Data\Transcend
2009-01-15 09:18 . 2009-01-15 09:18 <DIR> d-------- d:\documents and settings\Administrator
2009-01-15 09:09 . 2008-05-19 18:16 186,407 --a------ d:\windows\system32\nvapps.nvb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 19:29 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2009-01-26 22:56 --------- d--h--w d:\program files\InstallShield Installation Information
2009-01-13 03:07 --------- d-----w d:\program files\MSXML 4.0
2009-01-12 21:36 --------- d-----w d:\documents and settings\Pablo\Application Data\Ahead
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DVDnextCOPY2
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DistributeShield
2009-01-11 22:01 --------- d-----w d:\program files\Google
2009-01-11 16:43 21,840 ----a-w d:\windows\system32\SIntfNT.dll
2009-01-11 16:43 17,212 ----a-w d:\windows\system32\SIntf32.dll
2009-01-11 16:43 12,067 ----a-w d:\windows\system32\SIntf16.dll
2009-01-11 16:37 94,208 ----a-w d:\windows\DIIUnin.exe
2009-01-11 16:37 2,829 ----a-w d:\windows\DIIUnin.pif
2009-01-11 15:44 --------- d-----w d:\documents and settings\All Users\Application Data\Ahead
2009-01-11 15:43 --------- d-----w d:\program files\Common Files\Ahead
2009-01-11 15:40 --------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-01-10 22:49 34,528 ----a-w d:\windows\system32\drivers\Pcouffin.sys
2009-01-10 22:39 --------- d-----w d:\documents and settings\Pablo\Application Data\AdobeUM
2009-01-10 22:37 --------- d-----w d:\program files\Common Files\Adobe
2009-01-10 20:32 --------- d-----w d:\documents and settings\Pablo\Application Data\Nero
2009-01-10 20:31 --------- d-----w d:\program files\Nero
2009-01-07 03:00 --------- d-----w d:\program files\HP
2009-01-07 02:36 --------- d-----w d:\documents and settings\Pablo\Application Data\OfficeUpdate12
2009-01-07 01:07 --------- d-----w d:\program files\Microsoft Works
2009-01-07 00:50 --------- d-----w d:\program files\Microsoft ActiveSync
2009-01-07 00:50 --------- d-----w d:\program files\Common Files\L&H
2009-01-07 00:44 --------- d-----w d:\program files\Microsoft.NET
2009-01-07 00:05 --------- d-----w d:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-06 00:34 315,392 ----a-w d:\windows\HideWin.exe
2009-01-06 00:34 --------- d-----w d:\program files\Realtek
2009-01-06 00:31 --------- d-----w d:\program files\Setup Files
2009-01-06 00:30 --------- d-----w d:\program files\Intel
2009-01-06 00:30 --------- d-----w d:\program files\Common Files\InstallShield
2009-01-06 00:23 --------- d-----w d:\program files\MSI
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-04 21:45 0 ---ha-w d:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-04 21:18 --------- d-----w d:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-04 21:10 --------- d-----w d:\program files\Zune
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-04 20:24 --------- d-----w d:\program files\Windows Defender
2009-01-04 20:20 --------- d-----w d:\program files\Windows Media Connect 2
2009-01-03 22:43 --------- d-----w d:\documents and settings\All Users\Application Data\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\Cisco Systems
2009-01-03 21:58 --------- d-----w d:\program files\microsoft frontpage
2009-01-03 21:57 558,142 ----a-w d:\windows\java\Packages\EEMFBL3J.ZIP
2009-01-03 21:57 155,995 ----a-w d:\windows\java\Packages\AUAJF1NR.ZIP
2008-12-20 23:15 826,368 ----a-w d:\windows\system32\wininet.dll
2008-12-05 00:54 524,288 ----a-w d:\windows\opuc.dll
2008-12-01 20:51 318,464 ----a-w d:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w d:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w d:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w d:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w d:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w d:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w d:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w d:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w d:\windows\system32\ATIDDC.DLL
2008-12-01 20:27 4,120,384 ----a-w d:\windows\system32\ati3duag.dll
2008-12-01 20:11 2,495,360 ----a-w d:\windows\system32\ativvaxx.dll
2008-12-01 19:57 48,640 ----a-w d:\windows\system32\amdpcom32.dll
2008-12-01 19:53 45,056 ----a-w d:\windows\system32\amdcalrt.dll
2008-12-01 19:53 45,056 ----a-w d:\windows\system32\amdcalcl.dll
2008-12-01 19:53 401,408 ----a-w d:\windows\system32\atikvmag.dll
2008-12-01 19:52 86,016 ----a-w d:\windows\system32\atiadlxx.dll
2008-12-01 19:52 17,408 ----a-w d:\windows\system32\atitvo32.dll
2008-12-01 19:50 3,252,224 ----a-w d:\windows\system32\Amdcaldd.dll
2008-12-01 19:50 286,720 ----a-w d:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w d:\windows\system32\ati2cqag.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-14_12.17.33.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-14 17:29:12 16,384 ----atw d:\windows\temp\Perflib_Perfdata_62c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="d:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="d:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Ad-Watch"="d:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-12 509784]
"nwiz"="nwiz.exe" [2008-05-16 d:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 d:\windows\RTHDCPL.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-01-10 25214]
Microsoft Office OneNote 2003 Quick Launch.lnk - d:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\DigiCell.lnk
backup=d:\windows\pss\DigiCell.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
--a------ 2007-11-19 11:01 1970176 d:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-03-09 10:29 139264 d:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
--a------ 2007-03-20 14:36 36864 d:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
--a------ 2008-04-30 18:30 498176 d:\program files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 d:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-11-10 12:23 157312 d:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-02-12 64160]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 eewmvxti;eewmvxti;d:\windows\system32\drivers\imdlhzof.sys --> d:\windows\system32\drivers\imdlhzof.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S2 VRDVC10;Sony VRD-VC10 [Video Capture];d:\windows\system32\drivers\VRDVC10X.SYS [2004-11-09 10:02:40 31104]
S3 NtApm;NT Apm/Legacy Interface Driver;d:\windows\system32\drivers\NtApm.sys [2009-01-03 9344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05230250-d9e7-11dd-b6af-001617d831d1}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\mskcrtd.dll,InstallM
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 d:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-12 11:25]

2009-02-14 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\93nv45a3.default\
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 15:25:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
d:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-14 15:26:56
ComboFix-quarantined-files.txt 2009-02-14 20:26:48
ComboFix2.txt 2009-02-14 17:18:36

Pre-Run: 35,740,217,344 bytes free
Post-Run: 35,719,135,232 bytes free

250 --- E O F --- 2009-02-12 15:03:29

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 February 2009 - 12:22 PM

Hello,

Hmmmm... let's try this again, please:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::

File::
d:\windows\system32\drivers\feaxzdon.sys
d:\windows\system32\drivers\imdlhzof.sys

Driver::
feaxzdon
imdlhzof


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Still running all right? :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts

Posted 15 February 2009 - 08:43 PM

Well, the PC is still running relatively well, but apparently someone thought it was a good idea to try and download something behind my back and almost set me back to step one. Here is the ComboFix log.



ComboFix 09-02-12.03 - Alex 2009-02-15 20:27:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -5:00]
Running from: d:\documents and settings\Alex\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Alex\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
d:\windows\system32\drivers\feaxzdon.sys
d:\windows\system32\drivers\imdlhzof.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\alrbhfar.dll
d:\windows\system32\drivers\feaxzdon.sys
d:\windows\system32\oqYHRqss.ini
d:\windows\system32\oqYHRqss.ini2
d:\windows\system32\qrqvvgmd.dll
d:\windows\system32\ssqRHYqo.dll
d:\windows\system32\vanoxx.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-15 18:38 . 2009-02-15 18:38 36,352 --a------ d:\windows\system32\urqOEwxw.dll
2009-02-14 21:17 . 2009-02-14 21:17 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Big Fish Games
2009-02-14 19:19 . 2009-02-14 19:19 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Friday's games
2009-02-12 13:17 . 2009-02-12 13:17 <DIR> d-------- d:\program files\Trend Micro
2009-02-12 11:39 . 2009-02-12 11:25 15,688 --a------ d:\windows\system32\lsdelete.exe
2009-02-12 11:25 . 2009-02-12 11:25 <DIR> d----c--- d:\windows\system32\DRVSTORE
2009-02-12 11:25 . 2009-02-12 11:25 64,160 --a------ d:\windows\system32\drivers\Lbd.sys
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d-------- d:\program files\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2009-02-12 11:15 . 2009-02-12 11:15 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\Pablo\Application Data\PlayFirst
2009-02-07 17:14 . 2009-02-07 17:14 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayFirst
2009-02-07 15:51 . 2009-02-12 10:36 292 --a------ d:\windows\wininit.ini
2009-02-06 21:21 . 2009-02-06 21:21 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Meridian93
2009-02-06 18:52 . 2009-02-06 18:52 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2009-02-06 18:52 . 2009-02-06 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-01 22:00 . 2009-02-01 22:00 <DIR> d-------- d:\documents and settings\Chris\Application Data\Artogon
2009-02-01 21:39 . 2009-02-01 21:39 <DIR> d-------- d:\documents and settings\Chris\Application Data\Friday's games
2009-01-31 18:53 . 2009-01-31 18:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\JollyBear
2009-01-30 21:07 . 2009-01-30 21:07 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Artogon
2009-01-29 21:40 . 2009-01-29 21:40 <DIR> d-------- d:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-01-29 21:09 . 2009-01-29 21:09 <DIR> d-------- d:\documents and settings\Daisy\Application Data\AdobeUM
2009-01-26 17:56 . 2008-12-01 14:35 593,920 --------- d:\windows\system32\ati2sgag.exe
2009-01-26 17:55 . 2009-01-26 17:55 <DIR> d-------- D:\ATI
2009-01-26 17:38 . 2009-01-26 17:38 0 --a------ d:\windows\ativpsrm.bin
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativvaxx.dat
2009-01-26 17:37 . 2008-10-03 17:00 3,107,788 -ra------ d:\windows\system32\ativva5x.dat
2009-01-26 17:37 . 2008-10-03 17:00 887,724 -ra------ d:\windows\system32\ativva6x.dat
2009-01-26 17:37 . 2008-12-01 15:52 425,984 --a------ d:\windows\system32\ATIDEMGX.dll
2009-01-26 17:37 . 2008-12-01 15:19 307,200 --a------ d:\windows\system32\atiiiexx.dll
2009-01-26 17:37 . 2008-10-30 09:45 180,720 --a------ d:\windows\system32\atiicdxx.dat
2009-01-26 17:37 . 2008-07-02 14:40 136,704 -ra------ d:\windows\system32\drivers\AtiHdmi.sys
2009-01-26 17:37 . 2008-10-17 09:19 15,079 --a------ d:\windows\atiogl.xml
2009-01-26 17:37 . 2007-08-31 08:20 7,167 -ra------ d:\windows\system32\atifglpf.xml
2009-01-26 17:37 . 2008-09-29 15:22 529 -ra------ d:\windows\system32\ATIODCLI.exe.manifest
2009-01-26 17:37 . 2008-10-03 15:48 527 -ra------ d:\windows\system32\ATIODE.exe.manifest
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a------ d:\windows\system32\drivers\hidusb.sys
2009-01-26 17:35 . 2008-04-13 13:45 10,368 --a--c--- d:\windows\system32\dllcache\hidusb.sys
2009-01-25 21:32 . 2009-01-25 21:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\AdventureChronicles1
2009-01-25 20:15 . 2009-01-25 20:16 <DIR> d-------- d:\documents and settings\Daisy\Application Data\Fabulous Finds
2009-01-25 19:15 . 2009-01-25 19:15 <DIR> d-------- d:\documents and settings\All Users\Application Data\PlayPond
2009-01-25 18:21 . 2009-02-09 21:27 23 --a------ d:\windows\BlendSettings.ini
2009-01-25 17:49 . 2009-01-25 17:49 <DIR> d-------- d:\program files\Bethesda Softworks
2009-01-25 11:12 . 2009-01-25 11:12 151 --a------ d:\windows\PhotoSnapViewer.INI
2009-01-24 15:58 . 2009-01-24 15:58 <DIR> d-------- d:\documents and settings\Alex\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\Daisy\Application Data\blg
2009-01-22 20:42 . 2009-01-22 20:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\blg
2009-01-21 20:48 . 2009-01-21 20:48 <DIR> d-------- d:\documents and settings\Chris\Application Data\Oberonv1001
2009-01-21 20:47 . 2009-01-21 20:47 <DIR> d-------- d:\program files\Oberon Media
2009-01-21 20:47 . 2009-01-25 17:51 <DIR> d-------- d:\program files\MSN Games
2009-01-18 11:50 . 2009-02-15 19:18 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2009-01-18 11:26 . 2009-01-18 11:26 <DIR> d-------- d:\program files\bfgclient
2009-01-18 11:25 . 2009-02-14 21:17 <DIR> d-------- d:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-18 11:17 . 2009-01-18 11:17 <DIR> d-------- d:\documents and settings\Daisy\Application Data\The Labyrinth Plus! Edition
2009-01-17 14:37 . 2009-02-02 21:02 <DIR> d-------- d:\documents and settings\Alex\Application Data\Ahead
2009-01-16 20:56 . 2009-01-16 20:56 <DIR> d-------- d:\documents and settings\Alex\Application Data\Acreon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 20:29 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2009-02-12 21:34 --------- d-----w d:\program files\World of Warcraft
2009-01-26 22:56 --------- d--h--w d:\program files\InstallShield Installation Information
2009-01-16 02:18 --------- d-----w d:\documents and settings\All Users\Application Data\Blizzard
2009-01-16 01:42 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2009-01-15 16:19 --------- d-----w d:\documents and settings\Pablo\Application Data\Transcend
2009-01-13 03:07 --------- d-----w d:\program files\MSXML 4.0
2009-01-12 21:36 --------- d-----w d:\documents and settings\Pablo\Application Data\Ahead
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DVDnextCOPY2
2009-01-12 00:11 --------- d-----w d:\program files\Common Files\DistributeShield
2009-01-11 22:01 --------- d-----w d:\program files\Google
2009-01-11 16:37 94,208 ----a-w d:\windows\DIIUnin.exe
2009-01-11 16:37 2,829 ----a-w d:\windows\DIIUnin.pif
2009-01-11 15:44 --------- d-----w d:\documents and settings\All Users\Application Data\Ahead
2009-01-11 15:43 --------- d-----w d:\program files\Common Files\Ahead
2009-01-11 15:40 --------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-01-10 22:49 34,528 ----a-w d:\windows\system32\drivers\Pcouffin.sys
2009-01-10 22:39 --------- d-----w d:\documents and settings\Pablo\Application Data\AdobeUM
2009-01-10 22:37 --------- d-----w d:\program files\Common Files\Adobe
2009-01-10 20:32 --------- d-----w d:\documents and settings\Pablo\Application Data\Nero
2009-01-10 20:31 --------- d-----w d:\program files\Nero
2009-01-07 03:00 --------- d-----w d:\program files\HP
2009-01-07 02:36 --------- d-----w d:\documents and settings\Pablo\Application Data\OfficeUpdate12
2009-01-07 01:07 --------- d-----w d:\program files\Microsoft Works
2009-01-07 00:50 --------- d-----w d:\program files\Microsoft ActiveSync
2009-01-07 00:50 --------- d-----w d:\program files\Common Files\L&H
2009-01-07 00:44 --------- d-----w d:\program files\Microsoft.NET
2009-01-07 00:05 --------- d-----w d:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-06 00:34 315,392 ----a-w d:\windows\HideWin.exe
2009-01-06 00:34 --------- d-----w d:\program files\Realtek
2009-01-06 00:31 --------- d-----w d:\program files\Setup Files
2009-01-06 00:30 --------- d-----w d:\program files\Intel
2009-01-06 00:30 --------- d-----w d:\program files\Common Files\InstallShield
2009-01-06 00:23 --------- d-----w d:\program files\MSI
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-04 21:46 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-04 21:45 0 ---ha-w d:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-04 21:18 --------- d-----w d:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-04 21:10 --------- d-----w d:\program files\Zune
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-04 21:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-04 20:24 --------- d-----w d:\program files\Windows Defender
2009-01-04 20:20 --------- d-----w d:\program files\Windows Media Connect 2
2009-01-03 22:43 --------- d-----w d:\documents and settings\All Users\Application Data\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\McAfee
2009-01-03 22:42 --------- d-----w d:\program files\Common Files\Cisco Systems
2009-01-03 21:58 --------- d-----w d:\program files\microsoft frontpage
2008-12-05 00:54 524,288 ----a-w d:\windows\opuc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-14_12.17.33.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-06 01:39:30 16,384 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-15 20:29:08 16,384 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-06 01:39:30 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-15 20:29:08 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-06 01:39:30 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-15 20:29:08 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-15 18:38 36352 --a------ d:\windows\system32\urqOEwxw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="d:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"McAfeeUpdaterUI"="d:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Ad-Watch"="d:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-12 509784]
"nwiz"="nwiz.exe" [2008-05-16 d:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 d:\windows\RTHDCPL.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-01-10 25214]
Microsoft Office OneNote 2003 Quick Launch.lnk - d:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "d:\windows\system32\urqOEwxw.dll" [2009-02-15 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOEwxw]
2009-02-15 18:38 36352 d:\windows\system32\urqOEwxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vanoxx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\DigiCell.lnk
backup=d:\windows\pss\DigiCell.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
--a------ 2007-11-19 11:01 1970176 d:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-03-09 10:29 139264 d:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
--a------ 2007-03-20 14:36 36864 d:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
--a------ 2008-04-30 18:30 498176 d:\program files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 14:01 86016 d:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-11-10 12:23 157312 d:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-02-12 64160]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 eewmvxti;eewmvxti;d:\windows\system32\drivers\imdlhzof.sys --> d:\windows\system32\drivers\imdlhzof.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S2 VRDVC10;Sony VRD-VC10 [Video Capture];d:\windows\system32\drivers\VRDVC10X.SYS [2004-11-09 10:02:40 31104]
S3 NtApm;NT Apm/Legacy Interface Driver;d:\windows\system32\drivers\NtApm.sys [2009-01-03 9344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05230250-d9e7-11dd-b6af-001617d831d1}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\mskcrtd.dll,InstallM
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 d:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-12 11:25]

2009-02-16 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2FEFABA0-28D9-4ACA-AB8D-D1E601E119B1} - d:\windows\system32\ssqRHYqo.dll
BHO-{fd93d875-0864-424a-a8c3-8cfe0c49f871} - d:\windows\system32\vanoxx.dll
HKLM-Run-58d5fa23 - d:\windows\system32\alrbhfar.dll


.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\93nv45a3.default\
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 20:35:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\urqOEwxw.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\ati2evxx.exe
d:\windows\system32\ati2evxx.exe
d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
d:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
d:\program files\McAfee\Common Framework\FrameworkService.exe
d:\program files\McAfee\VirusScan Enterprise\mcshield.exe
d:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\program files\McAfee\Common Framework\naPrdMgr.exe
d:\windows\system32\IoctlSvc.exe
d:\windows\system32\HPZipm12.exe
d:\windows\system32\ZuneBusEnum.exe
d:\windows\system32\wscntfy.exe
d:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
d:\windows\system32\WudfHost.exe
.
**************************************************************************
.
Completion time: 2009-02-15 20:38:29 - machine was rebooted [Alex]
ComboFix-quarantined-files.txt 2009-02-16 01:38:26
ComboFix2.txt 2009-02-14 20:27:00
ComboFix3.txt 2009-02-14 17:18:36

Pre-Run: 35,916,111,872 bytes free
Post-Run: 35,977,011,200 bytes free

277 --- E O F --- 2009-02-12 15:03:29
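The log just posted shows the pattern a helper reads for by eye: a DLL with a random-looking name registered as a BHO, a ShellExecuteHook and a Winlogon notify package all at once, a driver whose file details print as [?], a non-empty AppInit_DLLs value, and a drive mountpoint whose open command runs a DLL. The script below is an added example, not code from ComboFix, HijackThis or this thread's helper: it parses a Reg Loading Points excerpt in ComboFix's text layout and raises those structural signals, which do not depend on recognising a malware family by name. The sample excerpt is constructed from lines quoted earlier in this thread; the section labels, signal names and regular expressions are this example's own assumptions about the log format.

```python
"""Triage a ComboFix-style "Reg Loading Points" excerpt for persistence entries
that deserve a second look.

Added example for a BleepingComputer thread; not part of ComboFix, HijackThis or
the helper's CFScript. Signals raised (all structural, not signature-based):
  1. one DLL registered under two or more injection points at once
     (BHO, ShellExecuteHooks, Winlogon Notify, AppInit_DLLs);
  2. a service/driver line whose file details print as [?];
  3. a non-empty AppInit_DLLs value;
  4. a mountpoints2 Shell command that launches code rather than opening the drive.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed "Reg Loading Points" block in ComboFix's layout,
# assembled from lines quoted in the thread. NvCpl.dll and Lbd.sys are controls.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-15 18:38 36352 --a------ d:\windows\system32\urqOEwxw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "d:\windows\system32\urqOEwxw.dll" [2009-02-15 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOEwxw]
2009-02-15 18:38 36352 d:\windows\system32\urqOEwxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vanoxx.dll

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-02-12 64160]
S0 eewmvxti;eewmvxti;d:\windows\system32\drivers\imdlhzof.sys --> d:\windows\system32\drivers\imdlhzof.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05230250-d9e7-11dd-b6af-001617d831d1}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\mskcrtd.dll,InstallM
"""

PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:dll|sys|exe)', re.I)   # drive-letter path to a module
SERVICE_RE = re.compile(r'^([RS][0-4])\s+([^;]+);([^;]*);(.*)$')     # Rn/Sn name;display;path [info]
CODE_TARGET_RE = re.compile(r'\.(?:dll|exe|cmd|bat|vbs|scr|pif)\b', re.I)
INJECTION_POINTS = {"BHO", "ShellExecuteHooks", "Winlogon Notify", "AppInit_DLLs"}

# Substrings of a lower-cased key header and the loading-point label they imply (assumed layout).
KEY_LABELS = (
    ("browser helper objects", "BHO"),
    ("shellexecutehooks", "ShellExecuteHooks"),
    ("winlogon\\notify", "Winlogon Notify"),
    ("mountpoints2", "MountPoints2"),
    ("\\currentversion\\run]", "Run"),
)


def classify_key(key):
    """Map a registry key header line from the log to a short loading-point label."""
    k = key.lower()
    return next((label for needle, label in KEY_LABELS if needle in k), "Other")


def triage(log_text):
    """Return the structural signals found in a Reg Loading Points excerpt."""
    modules = defaultdict(set)          # module basename -> loading points that reference it
    unreadable, appinit, autorun = [], [], []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line                                      # start of a new registry section
            continue
        svc = SERVICE_RE.match(line)
        if svc:                                             # service or driver entry
            if svc.group(4).endswith("[?]"):                # ComboFix could not read the file
                found = PATH_RE.search(svc.group(4))
                unreadable.append((svc.group(2).strip(), found.group(0) if found else svc.group(4)))
            continue
        label = classify_key(key)
        if label == "MountPoints2":
            if "\\shell\\" in line.lower() and " - " in line:
                command = line.split(" - ", 1)[1]
                if CODE_TARGET_RE.search(command):          # runs a file instead of opening the drive
                    autorun.append((key, command))
            continue
        if line.lower().startswith('"appinit_dlls"='):
            value = line.split("=", 1)[1].strip().strip('"')
            if value:                                       # any non-empty value loads into every GUI process
                appinit.append(value)
                modules[value.lower()].add("AppInit_DLLs")
            continue
        for path in PATH_RE.findall(line):
            modules[path.rsplit("\\", 1)[-1].lower()].add(label)
    multi = {name: sorted(points & INJECTION_POINTS)
             for name, points in modules.items() if len(points & INJECTION_POINTS) >= 2}
    return {"multi_point": multi, "unreadable_service_files": unreadable,
            "appinit_dlls": appinit, "drive_autorun": autorun}


if __name__ == "__main__":
    for signal, items in triage(SAMPLE_LOG).items():
        print(signal)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

On the sample, only urqOEwxw.dll trips the multi-point signal (BHO, ShellExecuteHooks and Winlogon Notify), the eewmvxti driver is reported for its unreadable imdlhzof.sys, vanoxx.dll is reported from AppInit_DLLs, and the mountpoint's open command is flagged while the bare AutoRun entry pointing at H:\ is not. The controls NvCpl.dll and Lbd.sys produce nothing, which is the point: the script narrows the list to what a helper should examine, it does not decide what to delete.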

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 February 2009 - 09:27 PM

Hello,

Can you please tell me why we're bothering if people are purposely downloading this garbage? This is a waste of my time, and it isn't funny in the least. :thumbup2:

#12 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts

Posted 15 February 2009 - 11:31 PM

I don't find it funny either... Someone who is not allowed to be on the PC used it when I was not home, and I assure you actions have been taken to ensure it does not happen again. I understand if you no longer wish to assist me.

#13 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts

Posted 16 February 2009 - 01:49 PM

Please close this post. I will open another post and ensure that the PC is inaccessible until it has been completely cleaned. Thank you very much for the assistance and I'm sorry that this situation occurred.

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 February 2009 - 04:02 PM

Hello,

Not necessary. :thumbup2: I'm just getting in here for the afternoon and am just getting a chance to reply. I have a real life too, please remember.

Let's start all over then: please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle Bin and reboot your computer.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#15 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts

Posted 16 February 2009 - 05:59 PM

Thanks for continuing to help me. I deleted the ComboFix folder, emptied the Recycle Bin and rebooted. However, when I rebooted the PC, my desktop (our PC has several profiles) would not load. Should I proceed with the fix on another profile?



