
infected with detected: Trojan program Rootkit.Win32.Podnuha.bsh


This topic is locked
26 replies to this topic

#1 ashton_r (Members, 140 posts, Lakewood, WA)

Posted 19 March 2009 - 05:46 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 15:38:19.37 on Thu 03/19/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.75 [GMT -7:00]

AV: The Shield Deluxe 2008 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://qus10.hpwis.com/
uSearch Page = hxxp://srch-qus10.hpwis.com/
uDefault_Page_URL = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13116&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {2b1c9215-3dbf-4158-9a68-083a59964e7d} - c:\windows\system32\cliconf.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: Search panel: {f1ad7e0d-e8ae-d057-e858-477ed6d29836} - c:\windows\system32\msdzsmbssr.dll
uRun: [RecordNow!]
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AVP] "c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2008\scieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: SpSubLSP.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232569175031
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232680185375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R0 ttqztsaj;ttqztsaj;c:\windows\system32\drivers\ttqztsaj.sys [2004-2-4 23424]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
R2 AVP;The Shield Deluxe 2008;c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe [2007-8-23 200768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]

=============== Created Last 30 ================

2009-03-15 01:52 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-03-15 01:52 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-15 01:52 <DIR> --d----- c:\program files\PCSecurityShield
2009-03-15 01:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSecurityShield
2009-03-15 01:52 532,256 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-15 01:52 13,856 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-15 01:52 6,836 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-15 01:52 1,676 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-03-12 17:59 679,936 a------- c:\windows\system32\D3DX81ab.dll
2009-03-12 17:58 <DIR> --d----- c:\program files\WinPcap
2009-03-11 20:26 <DIR> --d----- c:\program files\common files\DivX Shared
2009-02-25 22:35 50,200 a------- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-02-25 22:35 79,896 a------- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-02-25 22:33 <DIR> --d----- c:\windows\system32\RsFx
2009-02-25 22:30 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-25 22:08 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-02-25 22:00 <DIR> --d----- c:\program files\common files\Merge Modules
2009-02-25 21:22 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-25 20:28 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-25 20:26 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-25 20:26 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-25 20:26 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-25 20:26 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-25 20:26 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-25 20:26 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-25 20:26 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-25 20:26 <DIR> --d----- C:\e9fd88fdce50f28aa807

==================== Find3M ====================

2009-03-17 15:05 69,158 a------- c:\windows\system32\msdzsmbssr.dll-uninst.exe
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 12:12 80,795 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-03 17:32 164,889 a------- c:\windows\hpoins21.dat
2009-02-01 22:51 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-01-31 00:54 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-01-27 21:39 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-22 19:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-21 13:14 3,888 a------- c:\windows\viassary-hp.reg
2009-01-21 13:11 3,772 a--shr-- c:\windows\system32\drivers\HP_DW255A-ABA SR1020N NA510_YC_Pres_QMXK411_E42NAheRET3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.08_T040225_WXH1_L409_M504_J80_7Intel_8Celeron_92.8_1_N10EC8139_P_Z11C1044C_K_A808624C5.MRK
2008-12-25 16:50 31 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
2008-10-26 01:17 68 a------- c:\documents and settings\owner\z.bat
2006-02-03 16:19 0 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 15:41:34.17 ===============


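A responder reads a DDS log like the one above for a handful of patterns: browser extensions (BHO/EB lines) registered without a friendly name or pointing at "No File", autorun values that name a bare executable instead of a full path, and boot-start drivers whose file names look machine-generated (the `R0 ttqztsaj.sys` entry above has that shape). The script below is an added example for this thread, not code from the original post or from the DDS or HijackThis tools; it runs those checks over an excerpt constructed from the log above. The regexes target the DDS "Pseudo HJT" line formats visible here, and the thresholds in `looks_random()` are illustrative assumptions.

```python
"""Triage a DDS-style startup log: flag the entries a responder would look at first.

Added example for this thread; it is not part of the original post nor of the
DDS / HijackThis tools. SAMPLE is an excerpt constructed from the DDS log posted
above. The naming thresholds in looks_random() are illustrative assumptions.
"""
import re

SAMPLE = r"""
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {2b1c9215-3dbf-4158-9a68-083a59964e7d} - c:\windows\system32\cliconf.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
EB: Search panel: {f1ad7e0d-e8ae-d057-e858-477ed6d29836} - c:\windows\system32\msdzsmbssr.dll
mRun: [AVP] "c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe"
mRun: [VTTimer] VTTimer.exe
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R0 ttqztsaj;ttqztsaj;c:\windows\system32\drivers\ttqztsaj.sys [2004-2-4 23424]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
"""

# Browser extension lines: "BHO: <name>: {CLSID} - <path>" (the name may be absent).
EXT_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|uURLSearchHooks):\s*(?P<name>[^{]*?)\s*"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+)$")
# Autorun lines: "mRun: [<value name>] <command line>" (u = user, m = machine, d = default hive).
RUN_RE = re.compile(r"^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Service/driver lines: "R0 <service>;<display name>;<path> [<date size>]".
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?$")


def stem(path: str) -> str:
    """'c:\\windows\\system32\\drivers\\ttqztsaj.sys' -> 'ttqztsaj'."""
    base = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated file names: at least 8 letters and either
    under 20% vowels or a run of 6+ consonants. Thresholds are assumptions;
    vendor abbreviations such as 'hpsysdrv' also trip it, so a hit is a review
    item, not a verdict."""
    s = name.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowels = sum(ch in "aeiouy" for ch in s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowels / len(s) < 0.20 or longest_run >= 6


def exe_from_command(cmd: str) -> str:
    """First token of a Run value: the quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return one finding per suspicious entry: {'line', 'path', 'reason'}."""
    findings = []

    def hit(line, path, reason):
        findings.append({"line": line, "path": path, "reason": reason})

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := EXT_RE.match(line):
            name = m.group("name").rstrip(": ").strip()
            path = m.group("path").strip()
            if path.lower() in ("no file", "(no file)"):
                hit(line, path, "orphaned CLSID: registration points at a file that no longer exists")
            elif not name:
                hit(line, path, "browser extension registered without a friendly name")
            if looks_random(stem(path)):
                hit(line, path, "random-looking module name")
        elif m := RUN_RE.match(line):
            exe = exe_from_command(m.group("cmd"))
            if not exe:
                continue
            if "\\" not in exe:
                hit(line, exe, "autorun names a bare file, resolved through the search path")
            elif looks_random(stem(exe)):
                hit(line, exe, "random-looking autorun binary")
        elif m := SVC_RE.match(line):
            path = m.group("path").strip()
            if m.group("state") in ("R0", "R1") and looks_random(stem(path)):
                hit(line, path, "boot/system-start driver with random-looking file name")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['reason']:<72} {f['path']}")
```

On the excerpt this surfaces five entries: the unnamed system32 BHO (cliconf.dll), the orphaned 549B5CA7 registration, the "Search panel" extension msdzsmbssr.dll, the bare `VTTimer.exe` autorun and the R0 driver ttqztsaj.sys, while the Java, Kaspersky-engine and WinPcap entries drop out. The point is ordering the log, not deciding it: an orphaned "No File" CLSID is noise rather than an active threat, and a bare-filename autorun is a legitimate OEM habit as often as a hijack.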


#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 19 March 2009 - 06:47 PM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edit..

Extra note..
Please uninstall the Ask Toolbar, because that one is not recommended.

Edited by miekiemoes, 19 March 2009 - 06:49 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ashton_r, Topic Starter (Members, 140 posts, Lakewood, WA)

Posted 19 March 2009 - 09:12 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:21 PM, on 3/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B1C9215-3DBF-4158-9A68-083A59964E7D} - C:\WINDOWS\system32\cliconf.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232569175031
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232680185375
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9007 bytes


Malwarebytes' Anti-Malware 1.34
Database version: 1874
Windows 5.1.2600 Service Pack 3

3/19/2009 6:55:16 PM
mbam-log-2009-03-19 (18-55-16).txt

Scan type: Quick Scan
Objects scanned: 80953
Time elapsed: 44 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b1c9215-3dbf-4158-9a68-083a59964e7d} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b1c9215-3dbf-4158-9a68-083a59964e7d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b1c9215-3dbf-4158-9a68-083a59964e7d} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{394173b4-568f-369f-308a-3d251ec9f473} (Adware.MySideSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cliconf.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\msdzsmbssr.dll-uninst.exe (Adware.MySideSearch) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-4234073565-3817908929-3494609505-1003\Dc57.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\minmpkyz.dat (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for EvID4226Patch223d-en.zip\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\avatar.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\register.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\zbucks.dat (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\Rapid Antivirus\Uninstall.exe (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
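With the Malwarebytes log in hand, the useful next step is to reconcile it against the persistence entries from the first DDS log: which of the registered CLSIDs did the scanner act on, which entries remain unaccounted for, and which removals are only queued until the next reboot. The script below is an added example for this thread, not from the original posts or from either tool; its two inputs are excerpts constructed from the logs above (DDS BHO/EB lines from post #1, MBAM lines from post #3), and the line formats it parses are the ones visible in those logs.

```python
"""Reconcile a Malwarebytes (MBAM) log with the browser-extension entries of an
earlier DDS log.

Added example for this thread; not part of the original posts or of either tool.
DDS_EXTENSIONS and MBAM_LOG are excerpts constructed from the logs posted above.
"""
import re

DDS_EXTENSIONS = r"""
BHO: {2b1c9215-3dbf-4158-9a68-083a59964e7d} - c:\windows\system32\cliconf.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
EB: Search panel: {f1ad7e0d-e8ae-d057-e858-477ed6d29836} - c:\windows\system32\msdzsmbssr.dll
"""

MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b1c9215-3dbf-4158-9a68-083a59964e7d} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b1c9215-3dbf-4158-9a68-083a59964e7d} (Trojan.Downloader) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\cliconf.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\msdzsmbssr.dll-uninst.exe (Adware.MySideSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\minmpkyz.dat (Rootkit.Agent) -> Delete on reboot.
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# MBAM detection line: "<registry key or file> (<category>) -> <action>."
MBAM_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(log_text: str) -> list:
    """One dict per detection line; 'clsid' is set when the item path carries a GUID."""
    items = []
    for line in log_text.splitlines():
        m = MBAM_ITEM_RE.match(line.strip())
        if not m:
            continue  # section headers and blank lines
        guid = CLSID_RE.search(m.group("item"))
        items.append({
            "item": m.group("item"),
            "category": m.group("category"),
            "action": m.group("action"),
            "clsid": guid.group(0).lower() if guid else None,
        })
    return items


def parse_extensions(dds_text: str) -> dict:
    """Map lowercase CLSID -> module path (or 'No File') from DDS BHO/TB/EB lines."""
    out = {}
    for line in dds_text.splitlines():
        guid = CLSID_RE.search(line)
        if guid and " - " in line:
            out[guid.group(0).lower()] = line.rsplit(" - ", 1)[1].strip()
    return out


def reconcile(dds_text: str, mbam_text: str) -> dict:
    """covered: extension CLSIDs the scanner acted on; not_acted_on: the rest,
    with their module paths for manual review; pending_reboot: removals MBAM
    has only scheduled, so cleanup is not finished until the machine restarts."""
    ext = parse_extensions(dds_text)
    items = parse_mbam(mbam_text)
    acted = {i["clsid"] for i in items if i["clsid"]}
    return {
        "covered": {c: p for c, p in ext.items() if c in acted},
        "not_acted_on": {c: p for c, p in ext.items() if c not in acted},
        "pending_reboot": [i["item"] for i in items
                           if i["action"].lower().startswith("delete on reboot")],
    }


if __name__ == "__main__":
    report = reconcile(DDS_EXTENSIONS, MBAM_LOG)
    for label, entries in report.items():
        print(f"== {label} ({len(entries)})")
        for entry in (entries.items() if isinstance(entries, dict) else entries):
            print("  ", entry)
```

On the excerpts it reports the two CLSIDs MBAM handled (549b5ca7, and 2b1c9215 resolving to cliconf.dll), leaves the Java helper, the 5C255C8A orphan and the msdzsmbssr.dll "Search panel" entry as not acted on, and lists four items still pending a reboot. That last list is why the reply above says to restart immediately when asked: until the reboot, cliconf.dll and its CLSID registrations are still on disk and in the registry, and a fresh HijackThis log taken before restarting will still show them.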

#4 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 20 March 2009 - 05:07 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#5 ashton_r, Topic Starter (Members, 140 posts, Lakewood, WA)

Posted 20 March 2009 - 05:22 PM

ComboFix 09-03-19.02 - Owner 2009-03-20 14:56:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.97 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: The Shield Deluxe 2008 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\msdzsmbssr.dll
c:\windows\system32\klogon.dll
c:\windows\Tasks\sasjwbsf.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-19 19:57 . 2009-03-19 19:59 1,113,259 --a------ C:\Downloader_Warcraft3_The_Frozen_Throne_enUS.exe
2009-03-19 18:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-19 18:02 . 2009-03-19 18:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-19 18:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 01:52 . 2009-03-15 01:52 <DIR> d-------- c:\program files\PCSecurityShield
2009-03-15 01:52 . 2009-03-20 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSecurityShield
2009-03-15 01:52 . 2009-03-20 15:14 1,084,192 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-15 01:52 . 2009-03-17 19:21 101,287 --a------ c:\windows\system32\drivers\klin.dat
2009-03-15 01:52 . 2009-03-17 19:21 89,601 --a------ c:\windows\system32\drivers\klick.dat
2009-03-15 01:52 . 2009-03-20 15:14 30,496 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-03-15 01:52 . 2009-03-20 15:04 15,500 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-15 01:52 . 2009-03-20 15:04 3,812 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-03-12 17:59 . 2005-01-22 12:12 679,936 --a------ c:\windows\system32\D3DX81ab.dll
2009-03-12 17:58 . 2009-03-12 17:58 <DIR> d-------- c:\program files\WinPcap
2009-03-11 20:26 . 2009-03-11 20:26 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-02-25 22:35 . 2008-07-10 17:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-02-25 22:35 . 2008-07-10 17:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d-------- c:\windows\system32\RsFx
2009-02-25 22:30 . 2009-02-25 22:30 <DIR> d-------- c:\program files\MSXML 6.0
2009-02-25 22:08 . 2009-02-25 22:33 <DIR> d-------- c:\program files\Microsoft SQL Server
2009-02-25 22:00 . 2009-02-25 22:04 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2009-02-25 22:00 . 2009-02-25 22:02 <DIR> d-------- c:\program files\Common Files\Merge Modules
2009-02-25 22:00 . 2009-02-25 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-25 21:22 . 2009-01-09 12:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-25 21:06 . 2009-02-25 21:06 <DIR> d-------- c:\program files\Microsoft SDKs
2009-02-25 20:28 . 2009-02-25 20:28 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-25 20:28 . 2009-02-25 20:28 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-25 20:28 . 2009-02-25 20:28 <DIR> d-------- c:\program files\MSBuild
2009-02-25 20:26 . 2009-02-25 20:27 <DIR> d-------- C:\e9fd88fdce50f28aa807
2009-02-25 20:26 . 2008-07-06 05:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-25 20:26 . 2008-07-06 05:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-25 20:26 . 2008-07-06 03:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-25 20:26 . 2008-07-06 05:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-25 20:26 . 2008-07-06 05:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-25 20:26 . 2008-07-06 05:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-25 20:26 . 2008-07-06 05:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-22 14:07 . 2009-02-27 20:37 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 22:05 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-03-20 03:41 --------- d-----w c:\program files\Warcraft III
2009-03-18 02:39 --------- d-----w c:\documents and settings\Owner\Application Data\MP3Rocket
2009-03-18 02:17 --------- d-----w c:\program files\Symantec
2009-03-18 02:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-18 02:09 --------- d-----w c:\program files\MP3 Rocket
2009-03-15 08:56 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-03-15 08:48 --------- d-----w c:\program files\Norton AntiVirus
2009-03-15 08:47 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-13 00:59 --------- d-----w c:\program files\WC3Banlist
2009-03-12 03:27 --------- d-----w c:\program files\DivX
2009-03-03 04:54 --------- d-----w c:\program files\Safari
2009-03-03 04:52 --------- d-----w c:\program files\Bonjour
2009-02-26 05:30 --------- d-----w c:\program files\Microsoft.NET
2009-02-22 21:07 --------- d-----w c:\program files\Microsoft
2009-02-22 01:36 --------- d-----w c:\documents and settings\Owner\Application Data\Mount&Blade
2009-02-20 20:14 --------- d-----w c:\program files\Easy Internet signup
2009-02-09 04:23 --------- d-----w c:\program files\MySpace
2009-02-09 04:23 --------- d-----w c:\documents and settings\Owner\Application Data\MySpace
2009-02-05 07:02 --------- d-----w c:\program files\HP
2009-02-04 00:29 --------- d-----w c:\documents and settings\Owner\Application Data\HP
2009-02-04 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-02-02 08:01 --------- d-----w c:\program files\Mount&Blade
2009-02-02 07:44 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-02 05:51 360,320 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-02-02 05:42 --------- d-----w c:\program files\uTorrent
2009-01-31 20:27 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-31 20:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 20:26 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-31 20:26 --------- d-----w c:\program files\Atari
2009-01-31 11:23 --------- d-----w c:\program files\MagicISO
2009-01-31 11:04 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-01-31 11:02 --------- d-----w c:\program files\Bus Driver
2009-01-31 10:48 --------- d-----w c:\program files\Frets on Fire
2009-01-31 09:28 --------- d-----w c:\program files\Control Monger
2009-01-31 09:27 --------- d-----w c:\documents and settings\All Users\Application Data\CMData
2009-01-31 09:15 --------- d-s---w c:\program files\Xfire
2009-01-31 09:15 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-01-31 09:15 --------- d-----w c:\documents and settings\Owner\Application Data\CMData
2009-01-31 08:25 --------- d-----w c:\program files\BoltSoft
2009-01-31 08:08 --------- d-----w c:\program files\Sierra
2009-01-28 04:46 --------- d-----w c:\program files\DAEMON Tools Toolbar
2009-01-28 04:46 --------- d-----w c:\program files\DAEMON Tools Lite
2009-01-28 04:39 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-26 04:59 --------- d-----w c:\program files\iTunes
2009-01-26 04:57 --------- d-----w c:\program files\QuickTime
2009-01-24 06:03 --------- d-----w c:\program files\NCH Swift Sound
2009-01-24 06:03 --------- d-----w c:\documents and settings\Owner\Application Data\NCH Swift Sound
2009-01-24 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-01-24 05:43 --------- d-----w c:\program files\NCH Software
2009-01-23 23:31 --------- d-----w c:\program files\Quicken
2009-01-23 23:28 --------- d-----w c:\program files\Cheat Engine
2009-01-23 23:28 --------- d-----w c:\documents and settings\Owner\Application Data\IGN_DLM
2009-01-23 23:28 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-23 23:26 --------- d-----w c:\program files\Perfect World Entertainment
2009-01-23 11:44 --------- d-----w c:\documents and settings\Owner\Application Data\Any Video Converter
2009-01-23 05:06 --------- d-----w c:\program files\Philips
2009-01-23 02:54 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-23 02:53 --------- d-----w c:\program files\Windows Live
2009-01-23 02:42 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-23 02:22 --------- d-----w c:\program files\Java
2009-01-22 07:16 --------- d-----w c:\program files\Any Video Converter
2009-01-22 00:56 --------- d-----w c:\program files\AskSearch
2009-01-21 20:14 3,888 ----a-w c:\windows\viassary-hp.reg
2009-01-21 20:11 3,772 --sha-r c:\windows\system32\drivers\HP_DW255A-ABA SR1020N NA510_YC_Pres_QMXK411_E42NAheRET3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.08_T040225_WXH1_L409_M504_J80_7Intel_8Celeron_92.8_1_N10EC8139_P_Z11C1044C_K_A808624C5.MRK
2009-01-21 20:07 --------- d-----w c:\program files\Yahoo!
2009-01-21 14:58 --------- d-----w c:\program files\MSN Messenger
2009-01-21 06:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-21 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-21 06:02 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-21 06:02 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-01-21 05:58 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-21 05:58 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 05:47 --------- d-----w c:\program files\CCleaner
2008-12-25 23:50 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-10-26 08:17 68 ----a-w c:\documents and settings\Owner\z.bat
2009-01-27 01:34 1,044,480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 200,704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B1C9215-3DBF-4158-9A68-083A59964E7D}]
2004-08-04 00:56 96256 --a------ c:\windows\system32\cliconf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-26 151597]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-12-11 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-22 136600]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Raptr.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Raptr.lnk
backup=c:\windows\pss\Raptr.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-12-29 03:40 687560 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 14:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-12-12 11:46 9555968 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-01-26 03:24 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 ttqztsaj;ttqztsaj;c:\windows\system32\drivers\ttqztsaj.sys [2004-02-04 23424]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]

--- Other Services/Drivers In Memory ---

*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-19 01:17]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)
HKLM-Run-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13116&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: SpSubLSP.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 15:08:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(704)
c:\windows\system32\SpSubLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-03-20 15:19:36 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-03-20 22:19:04

Pre-Run: 11,486,056,448 bytes free
Post-Run: 13,405,757,440 bytes free

285 --- E O F --- 2009-03-13 01:10:45

#6 miekiemoes (Malware Response Team)

Posted 20 March 2009 - 06:20 PM

Hi,

I suggest that you uninstall PCSecurityShield, because it has a questionable reputation.
Also uninstall the DAEMON Tools Toolbar, it's not recommended either.
Reboot afterwards.

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\cliconf.dll
c:\documents and settings\Owner\z.bat
Collect::[8]
c:\windows\system32\drivers\ttqztsaj.sys
DDS::
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13116&gct=&gc=1&q=%s
Driver::
ttqztsaj
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B1C9215-3DBF-4158-9A68-083A59964E7D}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#7 ashton_r (Topic Starter)

Posted 22 March 2009 - 11:49 PM

I submitted the Qoobox file, and PCSecurityShield is my antivirus; should I really remove it?



I removed what I posted because I need to rescan; I forgot to save it...

Edited by ashton_r, 22 March 2009 - 11:49 PM.


#8 ashton_r (Topic Starter)

Posted 23 March 2009 - 12:19 AM

ComboFix 09-03-22.01 - Owner 2009-03-22 21:55:30.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.229 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: The Shield Deluxe 2008 *On-access scanning disabled* (Updated)
* Created a new restore point
* Resident AV is active


FILE ::
c:\documents and settings\Owner\z.bat
c:\windows\system32\cliconf.dll
.

((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-19 19:57 . 2009-03-19 19:59 1,113,259 --a------ C:\Downloader_Warcraft3_The_Frozen_Throne_enUS.exe
2009-03-19 18:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-19 18:02 . 2009-03-19 18:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-19 18:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 01:52 . 2009-03-15 01:52 <DIR> d-------- c:\program files\PCSecurityShield
2009-03-15 01:52 . 2009-03-20 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSecurityShield
2009-03-15 01:52 . 2009-03-22 22:07 1,702,432 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-15 01:52 . 2009-03-17 19:21 101,287 --a------ c:\windows\system32\drivers\klin.dat
2009-03-15 01:52 . 2009-03-17 19:21 89,601 --a------ c:\windows\system32\drivers\klick.dat
2009-03-15 01:52 . 2009-03-22 22:04 57,888 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-03-15 01:52 . 2009-03-22 20:43 19,772 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-15 01:52 . 2009-03-22 20:43 5,564 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-03-12 17:59 . 2005-01-22 12:12 679,936 --a------ c:\windows\system32\D3DX81ab.dll
2009-03-12 17:58 . 2009-03-12 17:58 <DIR> d-------- c:\program files\WinPcap
2009-03-11 20:26 . 2009-03-11 20:26 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-02-25 22:35 . 2008-07-10 17:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-02-25 22:35 . 2008-07-10 17:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d-------- c:\windows\system32\RsFx
2009-02-25 22:30 . 2009-02-25 22:30 <DIR> d-------- c:\program files\MSXML 6.0
2009-02-25 22:08 . 2009-02-25 22:33 <DIR> d-------- c:\program files\Microsoft SQL Server
2009-02-25 22:00 . 2009-02-25 22:04 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2009-02-25 22:00 . 2009-02-25 22:02 <DIR> d-------- c:\program files\Common Files\Merge Modules
2009-02-25 22:00 . 2009-02-25 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-25 21:22 . 2009-01-09 12:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-25 21:06 . 2009-02-25 21:06 <DIR> d-------- c:\program files\Microsoft SDKs
2009-02-25 20:28 . 2009-02-25 20:28 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-25 20:28 . 2009-02-25 20:28 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-25 20:28 . 2009-02-25 20:28 <DIR> d-------- c:\program files\MSBuild
2009-02-25 20:26 . 2009-02-25 20:27 <DIR> d-------- C:\e9fd88fdce50f28aa807
2009-02-25 20:26 . 2008-07-06 05:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-25 20:26 . 2008-07-06 05:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-25 20:26 . 2008-07-06 03:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-25 20:26 . 2008-07-06 05:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-25 20:26 . 2008-07-06 05:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-25 20:26 . 2008-07-06 05:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-25 20:26 . 2008-07-06 05:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 05:07 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-03-22 22:41 --------- d-----w c:\program files\Warcraft III
2009-03-22 22:39 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-03-21 21:28 --------- d-----w c:\program files\DAEMON Tools Toolbar
2009-03-18 02:39 --------- d-----w c:\documents and settings\Owner\Application Data\MP3Rocket
2009-03-18 02:17 --------- d-----w c:\program files\Symantec
2009-03-18 02:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-18 02:09 --------- d-----w c:\program files\MP3 Rocket
2009-03-15 08:48 --------- d-----w c:\program files\Norton AntiVirus
2009-03-15 08:47 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-13 00:59 --------- d-----w c:\program files\WC3Banlist
2009-03-12 03:27 --------- d-----w c:\program files\DivX
2009-03-03 04:54 --------- d-----w c:\program files\Safari
2009-03-03 04:52 --------- d-----w c:\program files\Bonjour
2009-02-28 03:37 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 05:30 --------- d-----w c:\program files\Microsoft.NET
2009-02-22 21:07 --------- d-----w c:\program files\Microsoft
2009-02-22 01:36 --------- d-----w c:\documents and settings\Owner\Application Data\Mount&Blade
2009-02-20 20:14 --------- d-----w c:\program files\Easy Internet signup
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 04:23 --------- d-----w c:\program files\MySpace
2009-02-09 04:23 --------- d-----w c:\documents and settings\Owner\Application Data\MySpace
2009-02-07 02:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-05 07:02 --------- d-----w c:\program files\HP
2009-02-04 00:29 --------- d-----w c:\documents and settings\Owner\Application Data\HP
2009-02-04 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-02-02 08:01 --------- d-----w c:\program files\Mount&Blade
2009-02-02 07:44 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-02 05:51 360,320 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-02-02 05:42 --------- d-----w c:\program files\uTorrent
2009-01-31 20:27 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-31 20:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 20:26 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-31 20:26 --------- d-----w c:\program files\Atari
2009-01-31 11:23 --------- d-----w c:\program files\MagicISO
2009-01-31 11:04 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-01-31 11:02 --------- d-----w c:\program files\Bus Driver
2009-01-31 10:48 --------- d-----w c:\program files\Frets on Fire
2009-01-31 09:28 --------- d-----w c:\program files\Control Monger
2009-01-31 09:27 --------- d-----w c:\documents and settings\All Users\Application Data\CMData
2009-01-31 09:15 --------- d-s---w c:\program files\Xfire
2009-01-31 09:15 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-01-31 09:15 --------- d-----w c:\documents and settings\Owner\Application Data\CMData
2009-01-31 08:25 --------- d-----w c:\program files\BoltSoft
2009-01-31 08:08 --------- d-----w c:\program files\Sierra
2009-01-31 07:54 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-28 04:46 --------- d-----w c:\program files\DAEMON Tools Lite
2009-01-28 04:39 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-26 04:59 --------- d-----w c:\program files\iTunes
2009-01-26 04:57 --------- d-----w c:\program files\QuickTime
2009-01-24 06:03 --------- d-----w c:\program files\NCH Swift Sound
2009-01-24 06:03 --------- d-----w c:\documents and settings\Owner\Application Data\NCH Swift Sound
2009-01-24 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-01-24 05:43 --------- d-----w c:\program files\NCH Software
2009-01-23 23:31 --------- d-----w c:\program files\Quicken
2009-01-23 23:28 --------- d-----w c:\program files\Cheat Engine
2009-01-23 23:28 --------- d-----w c:\documents and settings\Owner\Application Data\IGN_DLM
2009-01-23 23:28 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-23 23:26 --------- d-----w c:\program files\Perfect World Entertainment
2009-01-23 11:44 --------- d-----w c:\documents and settings\Owner\Application Data\Any Video Converter
2009-01-23 05:06 --------- d-----w c:\program files\Philips
2009-01-23 02:54 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-23 02:53 --------- d-----w c:\program files\Windows Live
2009-01-23 02:42 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-23 02:23 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-23 02:22 --------- d-----w c:\program files\Java
2009-01-21 20:14 3,888 ----a-w c:\windows\viassary-hp.reg
2008-12-25 23:50 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-01-27 01:34 1,044,480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 200,704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-20_15.17.13.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-18 02:08:58 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-23 03:44:25 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-18 02:08:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-23 03:44:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-18 02:08:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-23 03:44:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-23 03:44:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-26 151597]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-12-11 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-22 136600]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Raptr.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Raptr.lnk
backup=c:\windows\pss\Raptr.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-12-29 03:40 687560 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 14:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-12-12 11:46 9555968 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-01-26 03:24 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - AVP
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hpqcxs08
*Deregistered* - hpqddsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - iPod Service
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - kl1
*Deregistered* - klif
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$SQLEXPRESS
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - Net Driver HPZ12
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - nv_agp
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SISAGP
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - SQLWriter
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp1
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-19 01:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13116&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: SpSubLSP.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 22:04:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'explorer.exe'(3012)
c:\program files\PCSecurityShield\The Shield Deluxe 2008\scrchpg.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-03-22 22:18:47
ComboFix-quarantined-files.txt 2009-03-23 05:17:19
ComboFix2.txt 2009-03-23 04:40:42
ComboFix3.txt 2009-03-20 22:19:39

Pre-Run: 6,160,560,128 bytes free
Post-Run: 6,135,517,184 bytes free

365 --- E O F --- 2009-03-13 01:10:45
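
Three items in the ComboFix report above deserve a second look before the clean-up continues: the Security Center keys "AntiVirusOverride"=1 and Monitoring\KasperskyAntiVirus "DisableMonitoring"=1 (together they silence the "no antivirus" warning), "EnableFirewall"= 0 on the standard profile (Windows Firewall switched off), and the Winsock LSP SpSubLSP.dll, which the report also shows loaded inside lsass.exe. Winsock loads catalogued LSPs into every process that opens a socket, so an LSP DLL routinely ends up inside privileged processes such as lsass.exe; and legitimate antivirus installers set those Security Center keys too, so all of these are triage prompts, not verdicts. As an added example (not part of the original thread and not ComboFix's own code), the Python script below scans ComboFix-style log text for exactly those patterns. The sample log embedded in it is constructed to mirror the entries above rather than copied from the report, and the finding tags (sc_override, firewall_off, ...) are this example's own naming.

```python
"""Triage a ComboFix-style log for weakened security settings.
Added example for this thread, not ComboFix's own code. SAMPLE_LOG is
constructed to mirror the kinds of entries in the report; it is not a copy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

LSP: SpSubLSP.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\SpSubLSP.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag; the naming is this example's own
    detail: str  # what was seen


SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
LSP_RE = re.compile(r"^LSP:\s*(\S+)", re.IGNORECASE)
PROCESS_RE = re.compile(r"^[- ]+> '([^']+)'\(\d+\)")


def _number(value: str) -> Optional[int]:
    """Parse 'dword:00000001' or '0 (0x0)' style values; None if neither."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", value)
    return int(m.group(0)) if m else None


def scan(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""      # current [registry key], lower-cased for matching
    section_raw = ""  # same key in original case, for messages
    process = ""      # current process in the 'DLLs Loaded' section
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section_raw = m.group(1)
            section = section_raw.lower()
            process = ""
            continue
        m = PROCESS_RE.match(line)
        if m:
            process = m.group(1).lower()
            section = section_raw = ""
            continue
        m = LSP_RE.match(line)
        if m:
            findings.append(Finding("lsp", f"Winsock LSP installed: {m.group(1)}"))
            continue
        if process == "lsass.exe" and line.lower().endswith(".dll"):
            # Winsock loads catalogued LSPs into every process that opens a
            # socket, so an LSP DLL sits inside lsass.exe with LSA privileges.
            findings.append(Finding("lsass_dll", f"DLL loaded in lsass.exe: {line}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        lname = name.lower()
        if section.endswith("\\security center") and lname.endswith("override") and _number(value) == 1:
            # 1 = "I will monitor this myself": the Security Center warning is silenced
            findings.append(Finding("sc_override", f"Security Center warning suppressed: {name}"))
        elif "\\security center\\monitoring\\" in section and lname == "disablemonitoring" and _number(value) == 1:
            product = section_raw.rsplit("\\", 1)[-1]
            findings.append(Finding("sc_monitoring_off", f"Security Center not monitoring: {product}"))
        elif section.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and _number(value) == 0:
            findings.append(Finding("firewall_off", "Windows Firewall disabled on the standard profile"))
        elif section.endswith("authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")  # registry export doubles backslashes
            findings.append(Finding("fw_exception", f"Firewall exception: {path}"))
        elif section.endswith("globallyopenports\\list"):
            findings.append(Finding("fw_open_port", f"Globally open port: {name}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; firewall exceptions and open ports are reported without judgement so the reader can decide which ones (a P2P client, a remote-control tool) belong on a machine they are cleaning.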

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:43 PM

Posted 23 March 2009 - 04:14 AM

Hi,

Yes, remove PCSecurityShield asap. Also read here: http://www.mywot.com/en/scorecard/pcsecurityshield.com
Get a decent antivirus instead, for example Avira AntiVir: http://www.free-av.com/

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 ashton_r (Topic Starter)

Posted 23 March 2009 - 05:31 PM

"Error 1921. Service The Shield Deluxe 2008 (AVP) could not be stopped. Verify that you have sufficient privileges to stop system services" won't let me uninstall... and I did the ComboFix command.

#11 miekiemoes (Malware Response Team)

Posted 23 March 2009 - 05:40 PM

Then uninstall it from Windows safe mode, or end the process avp.exe from Task Manager first.
By the way, did you purchase Shield Deluxe 2008?
Also, can you give me the exact URL from where you downloaded it? This is to make sure we're talking about the same one...

#12 ashton_r (Topic Starter)

Posted 23 March 2009 - 06:20 PM

http://thepiratebay.org/torrent/4730361/Th...2008__ANTIVIRUS

I was looking for a free full version of an antivirus because I hate the fact that most antiviruses have a premium feature you have to pay for, but most of the stuff I got from TPB is legit.

I'm working on installing it, have to go to safe mode, hold on.

#13 ashton_r (Topic Starter)

Posted 23 March 2009 - 06:46 PM

It says the installer won't run in safe mode, which I need to uninstall it... so, basically, I can't uninstall. What now?

#14 miekiemoes (Malware Response Team)

Posted 23 March 2009 - 07:09 PM

Good advice: NEVER install software from P2P resources. No wonder you got infected.
You don't need to install it, you have to uninstall it.
End the process avp.exe via Task Manager > Processes.
Then try to uninstall again.

#15 ashton_r (Topic Starter)

Posted 23 March 2009 - 07:11 PM

I did it twice... even in safe mode, in order to uninstall, it needs to run the Windows Installer, then I get an option to modify, repair, or remove, and it says something about permission. Maybe that's part of the program; they don't want you to remove it...
