HiJackThis Log for help with removing Malware?


57 replies to this topic

#1 baypos

Posted 17 April 2009 - 05:52 PM

Hello Forum, first time user here, and I appreciate your assistance for removal of nasties on a PC.

Please find the logs requested; analysis is much appreciated, with instructions on your findings!

Have a good weekend!

Thank you,

Roger


#2 extremeboy (Malware Response Team)

Posted 02 May 2009 - 04:02 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page and in step #6 there is instructions on downloading and running DDS. IF you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 baypos (Topic Starter)

Posted 03 May 2009 - 10:20 PM

Hello, thank you for letting me know you are working on my assistance last month. I did not know you would be working on this and I uninstalled TrendMicro AV installed a few years ago with no updates, used a registry scanner without taking any actions on fixes, and ran Microsoft Malicious Tool Remover. I run regularly on a limited user account for Internet and other work. I installed Kaspersky Labs and am using it. This has not found the problem I still have. When I went into the Administrator account to update XP to SP3 the malicious program? started and caused 100% CPU usage in the limited user account; I tried to end the process but it would not let me (the process only showed up in the limited user account). I rebooted the PC back to the limited user account and it tries to start up but can't without Administrator privileges, this is what I assume. Please find the DDS file. Thanks again for any help! Roger

DDS (Ver_09-03-16.01) - NTFSx86
Run by Anybody at 20:10:25.32 on Sun 05/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.111 [GMT -7:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anybody\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.dellnet.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ssgrate.exe] c:\windows\system32\sysdoor.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [A00F1F544DD0.exe] c:\docume~1\anybody\locals~1\temp\_A00F1F544DD0.exe
uRun: [__c0054F53] rundll32.exe "c:\docume~1\anybody\locals~1\temp\__c0054F53.dat",B
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
Trusted Zone: microsoft.com\mbs
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186004336203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {9ABC72F8-700D-4948-AD0D-54F6F46EE897} = 206.13.28.12,206.13.31.12
Filter: text/html - {a0e24622-525b-4ce7-994e-f2ab86e77eca} -
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anybody\applic~1\mozilla\firefox\profiles\hgb2o2pn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-18 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]

=============== Created Last 30 ================

2009-04-23 21:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-23 21:22 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-23 20:51 <DIR> --d----- c:\windows\system32\scripting
2009-04-23 20:51 <DIR> --d----- c:\windows\l2schemas
2009-04-23 20:51 <DIR> --d----- c:\windows\system32\en
2009-04-18 14:08 45 a------- c:\windows\system32\RPVersion.ini
2009-04-18 13:59 86,016 a------- c:\windows\unvise32.exe
2009-04-18 13:59 <DIR> --d----- c:\program files\RegistryPatrol3.0
2009-04-18 10:04 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-18 10:04 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-04-18 10:02 2,394,144 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-18 10:02 557,088 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-18 10:02 19,784 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-18 10:02 2,984 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-18 10:02 <DIR> --d----- c:\program files\Kaspersky Lab
2009-04-18 10:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-04-18 10:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-04-17 15:27 <DIR> --d----- c:\documents and settings\anybody\.housecall6.6
2009-04-17 15:26 49,265 a------- c:\windows\system32\jpicpl32.cpl

==================== Find3M ====================

2009-04-18 10:19 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2008-03-08 13:56 77,392 ac------ c:\docume~1\anybody\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 20:11:25.45 ===============

#4 extremeboy (Malware Response Team)

Posted 04 May 2009 - 02:27 PM

Hello.

A few infections I see. Regarding the 100% CPU usage when you updated to SP3, let's see what we can do about that once we clear out any malware you still have on this machine.

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
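As an added example (not part of the original thread and not the helper's own analysis), the script below applies a few common autorun-triage heuristics to the uRun/mRun lines of a DDS "Pseudo HJT Report" and lists the entries an analyst would want to look at first, with the reason for each. The sample lines are constructed from the DDS report posted earlier in this thread; the heuristic names, the `Finding` class and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: uRun/mRun lines copied from the DDS Pseudo HJT Report
# posted earlier in this thread (not read from a live system).
SAMPLE_DDS_LINES = r"""
uRun: [ssgrate.exe] c:\windows\system32\sysdoor.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F1F544DD0.exe] c:\docume~1\anybody\locals~1\temp\_A00F1F544DD0.exe
uRun: [__c0054F53] rundll32.exe "c:\docume~1\anybody\locals~1\temp\__c0054F53.dat",B
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
"""

# DDS prints one Run-key value per line: <u|m>Run: [<value name>] <command line>
RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

REASON_TEMP = "target lives in a temp directory"
REASON_RUNDLL = "rundll32 loads a module that is not a .dll"
REASON_NAME = "entry name looks like an .exe but does not match the target file name"


@dataclass
class Finding:
    hive: str      # 'u' = HKCU\...\Run, 'm' = HKLM\...\Run
    name: str      # value name inside the Run key
    target: str    # file that is actually executed or loaded
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def first_token(cmd: str):
    """Split a command line into its first (possibly quoted) token and the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def resolve_target(cmd: str):
    """Return (path that matters, via_rundll32).

    For rundll32 the executable itself is legitimate; what matters is the
    module it is told to load, which is the first argument up to the comma.
    """
    exe, rest = first_token(cmd)
    if basename(exe) == "rundll32.exe" and rest:
        module, _ = first_token(rest)
        return module.split(",", 1)[0], True
    return exe, False


def triage_run_entries(lines):
    """Apply the heuristics to each Run entry; return only entries with at least one reason.

    Nothing is modified or deleted: the output is a review list for the analyst.
    """
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        target, via_rundll = resolve_target(m["cmd"])
        f = Finding(m["hive"], m["name"], target)
        # Legitimate autoruns almost never live in a user's temp directory.
        if re.search(r"\\temp\\", target, re.I):
            f.reasons.append(REASON_TEMP)
        # rundll32 is normally given a .dll; a .dat or other extension is a common disguise.
        if via_rundll and not target.lower().endswith(".dll"):
            f.reasons.append(REASON_RUNDLL)
        # An entry named like an executable whose target is a different file.
        name = m["name"].lower()
        if name.endswith(".exe") and name != basename(target):
            f.reasons.append(REASON_NAME)
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_DDS_LINES.strip().splitlines()):
        print(f"{f.hive}Run [{f.name}] -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Entries that pass all three checks (DellSupport, ctfmon.exe, AVP) are simply not listed; a clean pass is not proof of anything, it only tells the analyst where to look first.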

#5 baypos (Topic Starter)

Posted 06 May 2009 - 12:57 PM

Hello EB, thanks for the continued help and downloaded ComboFix, I'm doing a backup of critical files before running. Please find a picture of the error that keeps popping up trying to run. Are you able to determine what this might be by the jpg?

Thanks and will let you know when I run Combofix.

Cheers!

Roger


#6 extremeboy (Malware Response Team)

Posted 07 May 2009 - 03:00 PM

Thanks for letting me know.

With Regards,
Extremeboy

#7 extremeboy (Malware Response Team)

Posted 10 May 2009 - 05:58 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#8 baypos (Topic Starter)

Posted 10 May 2009 - 10:19 PM

Hello EB,

I did a backup and am waiting to talk with the client about using Combofix. I will try to do so Monday or Tues.

Sorry for the delay and thanks again for your patience and assistance.

Roger

#9 extremeboy (Malware Response Team)

Posted 11 May 2009 - 02:23 PM

Okay then...

With Regards,
Extremeboy

#10 baypos (Topic Starter)

Posted 11 May 2009 - 08:43 PM

Hello EB, how are you? Hope you had a good weekend!

I ran Combofix and here is the log; not much I can tell from it.

ComboFix 09-05-03.6 - Administrator 05/11/2009 18:28:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.276 [GMT -7:00]
Running from: C:\Documents and Settings\Anybody\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
.

The dialog from my last post pops up at login to the limited user account.

Thanks again for the help!

Roger

#11 extremeboy (Malware Response Team)

Posted 12 May 2009 - 02:51 PM

Hello again.

Is that Combofix log complete? Meaning is it the WHOLE log?

If so, then please delete Combofix.exe and re-download it from one of those links above and re-run it.

If not, then please post the complete Combofix log for me.

With Regards,
Extremeboy

#12 baypos (Topic Starter)

Posted 12 May 2009 - 03:41 PM

Hello EB, that was it, I was surprised it was this short. Will do on re-download and re-run.

Cheers!

Roger

#13 extremeboy (Malware Response Team)

Posted 12 May 2009 - 04:21 PM

Okay.

Hear from you soon then.

With Regards,
Extremeboy

#14 baypos (Topic Starter)

Posted 12 May 2009 - 04:48 PM

Hello EB, I just re-ran ComboFix; it did an update on its own and has a longer file. Please find it zipped and attached.

Thanks again!

Roger


#15 baypos (Topic Starter)

Posted 12 May 2009 - 08:56 PM

Hello EB, how are you?

I see I sent you a DDS log and not the Combofix that you needed. I apologize for the blunder. Please find the correct log.

Thanks again!

Roger

ComboFix 09-05-12.04 - Administrator 05/12/2009 14:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.299 [GMT -7:00]
Running from: c:\documents and settings\Anybody\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\ban_list.txt
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-04-24 05:06 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 05:06 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 05:06 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 05:06 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 05:06 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 05:05 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 05:05 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-24 05:05 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-24 05:05 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 05:05 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 04:26 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-24 04:26 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-24 04:22 . 2004-08-04 07:56 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-24 03:51 . 2009-04-24 03:51 -------- d-----w c:\windows\system32\scripting
2009-04-24 03:51 . 2009-04-24 03:51 -------- d-----w c:\windows\l2schemas
2009-04-24 03:51 . 2009-04-24 03:51 -------- d-----w c:\windows\system32\en
2009-04-18 21:29 . 2009-04-18 21:29 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-18 20:59 . 1999-12-18 05:43 86016 ----a-w c:\windows\unvise32.exe
2009-04-18 20:59 . 2009-04-18 20:59 -------- d-----w c:\program files\RegistryPatrol3.0
2009-04-18 17:04 . 2009-04-18 17:19 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-18 17:04 . 2009-04-18 17:19 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-18 17:02 . 2009-05-12 01:32 2401312 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-18 17:02 . 2009-05-12 01:32 565280 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-18 17:02 . 2009-04-18 17:02 -------- d-----w c:\program files\Kaspersky Lab
2009-04-18 17:02 . 2009-05-12 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-18 17:01 . 2009-04-18 17:01 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-17 22:27 . 2009-04-18 15:08 -------- d-----w c:\documents and settings\Anybody\.housecall6.6
2009-04-17 22:25 . 2009-04-17 22:26 -------- d-----w c:\program files\Java
2009-04-17 22:25 . 2009-04-17 22:25 -------- d-----w c:\program files\Common Files\Java
2009-04-17 22:25 . 2009-04-17 22:25 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-12 01:32 . 2009-04-18 17:02 3012 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-12 01:32 . 2009-04-18 17:02 19840 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-24 04:04 . 2002-09-03 18:34 89063 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-04-18 21:28 . 2004-04-15 14:24 -------- d-----w c:\program files\Common Files\Adobe
2009-04-18 17:19 . 2008-01-30 00:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 03:32 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-05-08 151597]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-27 36975]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-04-18 206088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:*:Disabled:UVNCTCP
"5900:UDP"= 5900:UDP:*:Disabled:UVNCUDP

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [1/29/2008 5:29 PM 33808]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\SYSTEM32\DRIVERS\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [4/30/2008 5:06 PM 24592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6c999d3-3d83-11dd-a1f8-000bdb2b0331}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {9ABC72F8-700D-4948-AD0D-54F6F46EE897} = 206.13.28.12,206.13.31.12
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 14:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1136)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-12 14:44
ComboFix-quarantined-files.txt 2009-05-12 21:44

Pre-Run: 25,914,572,800 bytes free
Post-Run: 26,343,522,304 bytes free

142 --- E O F --- 2009-04-28 15:42



