
infected...trojans


This topic is locked.
15 replies to this topic

#1 sportman32922

  • Members
  • 44 posts

Posted 22 May 2009 - 03:41 PM

I have several trojans that I can't seem to get off my computer. I'm running BitDefender and I have the Windows XP Professional operating system on an HP computer. I just got a message last night, "trojan script 27807", and I also have several other titles as well. Please help.


DDS (Ver_09-05-14.01) - NTFSx86
Run by t at 16:32:44.48 on Fri 05/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -4:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
D:\Program Files\Nero\Nero 7\InCD\InCD.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
svchost.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\System32\svchost.exe -kbdx
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\HPQ\shared\hpqwmi.exe
D:\Documents and Settings\t\Local Settings\Temporary Internet Files\Content.IE5\1NG2BJS4\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - d:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [LightScribe Control Panel] d:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "d:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [AnyDVD] d:\program files\slysoft\anydvd\AnyDVD.exe
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
mRun: [ehTray] d:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] d:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] "d:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cpqset] d:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] d:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [hpWirelessAssistant] d:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [InCD] d:\program files\nero\nero 7\incd\InCD.exe
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [BDAgent] "d:\program files\bitdefender\bitdefender 2008\bdagent.exe"
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-6-2 611664]
R2 McrdSvc;Media Center Extender Service;d:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [2007-7-30 86792]
R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [2008-5-31 231424]
S2 MyWebSearchService;My Web Search Service; [x]
S2 websrvx;websrvx;d:\program files\websrvx\websrvx.exe --> d:\program files\websrvx\websrvx.exe [?]

=============== Created Last 30 ================

2009-05-17 16:11 <DIR> --d----- d:\docume~1\t\applic~1\Bitdefender
2009-05-17 16:10 <DIR> --d----- d:\docume~1\alluse~1\applic~1\BitDefender
2009-05-17 16:03 <DIR> --d----- d:\program files\common files\BitDefender
2009-05-15 11:39 <DIR> --d----- d:\program files\Vuze
2009-05-06 18:56 664 a------- d:\windows\system32\d3d9caps.dat
2009-05-05 21:40 <DIR> --d----- d:\program files\DVD Decrypter
2009-05-05 21:39 <DIR> --d----- d:\docume~1\t\applic~1\RipIt4Me
2009-05-05 16:43 <DIR> --d----- d:\program files\DVD Shrink
2009-05-05 16:31 <DIR> --d----- d:\docume~1\t\applic~1\Azureus
2009-05-05 16:28 410,984 a------- d:\windows\system32\deploytk.dll
2009-05-04 22:28 <DIR> --d----- d:\program files\Enigma Software Group

==================== Find3M ====================

2009-05-22 16:29 81,984 a------- d:\windows\system32\bdod.bin
2009-05-17 17:45 77,824 a------- d:\windows\system32\xcomm.dll
2009-05-17 16:37 86,792 a------- d:\windows\system32\drivers\bdfndisf.sys
2009-03-06 10:22 284,160 a------- d:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- d:\windows\system32\wininet.dll
2008-09-11 03:08 32,768 a--sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat
2009-02-18 21:54 16,384 a--sh--- d:\windows\temp\cookies\index.dat
2009-02-18 21:54 16,384 a--sh--- d:\windows\temp\history\history.ie5\index.dat
2009-02-18 21:54 49,152 a--sh--- d:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:33:20.68 ===============


#2 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 May 2009 - 05:19 PM

Hi sportman32922,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please run DDS and post both logs. You don't need to zip attach.txt; just attaching it suffices.
Also please update me on the current condition of your computer.

#3 sportman32922 (Topic Starter)

Posted 22 May 2009 - 06:46 PM

The computer runs OK. I just have to redo my passwords on Yahoo and several other sites that I use. Then when I do a system scan, it lists bugs and trojans found, but it can't delete them.

Attached Files



#4 Farbar

Posted 22 May 2009 - 08:08 PM

Hi again,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow files to be shared between users, as the name suggests. In today's world cyber crime has grown to an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware. A popular means is file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

You have run DDS from Temporary Internet Files. That means it will be removed when we run the cleaning tools. Please make sure you download the tools and save them to your desktop, and then run them from there.
  • Empty all p2p download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • You have the latest version of Java (Java 6 Update 13), and that is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components:
    Click "Start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on each entry and selecting "Remove":

    J2SE Runtime Environment 5.0 Update 5
    Java™ 6 Update 7


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double-click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

  • Also provide the last BitDefender scan log for review. To do that, double-click on the BitDefender icon in the system tray => click on History (bottom right of the setup window) => select Antivirus => under "on-demand task events" double-click the last log. Select "View Scan Log". Under the File menu select "Save As ..." and save the file to your desktop without changing the .xml extension. Please attach the log to your reply.


#5 sportman32922 (Topic Starter)

Posted 22 May 2009 - 09:18 PM

ComboFix 09-05-22.05 - t 05/22/2009 22:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -4:00]
Running from: d:\documents and settings\t\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Administrator\Desktop\Application Data\inst.exe
d:\windows\system32\nfr.assembly
d:\windows\system32\nfr.gpref
d:\windows\system32\xcomm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-22 00:57 . 2009-05-22 00:57 -------- d-----w d:\documents and settings\t\Application Data\Sonic
2009-05-22 00:57 . 2009-05-22 00:57 -------- d-----w d:\documents and settings\t\Application Data\Leadertech
2009-05-17 20:11 . 2009-05-17 20:11 -------- d-----w d:\documents and settings\t\Application Data\Bitdefender
2009-05-17 20:10 . 2009-05-17 20:11 -------- d-----w d:\documents and settings\All Users\Application Data\BitDefender
2009-05-17 20:03 . 2009-05-17 20:10 -------- d-----w d:\program files\Common Files\BitDefender
2009-05-16 14:54 . 2009-05-16 14:54 10684866 ----a-w d:\documents and settings\t\Application Data\Azureus\plugins\azump\mplayer.exe
2009-05-15 15:39 . 2009-05-15 15:40 -------- d-----w d:\program files\Vuze
2009-05-11 01:34 . 2009-05-11 03:36 -------- d-----w d:\windows\BDOSCAN8
2009-05-07 00:32 . 2009-05-07 00:32 -------- d-----w d:\documents and settings\t\Local Settings\Application Data\Apple
2009-05-06 23:14 . 2009-05-06 23:30 -------- d-----w d:\documents and settings\t\Application Data\vlc
2009-05-06 22:56 . 2009-05-21 04:33 664 ----a-w d:\windows\system32\d3d9caps.dat
2009-05-06 21:14 . 2009-05-21 23:26 -------- d-----w d:\documents and settings\t\Application Data\Vso
2009-05-06 02:32 . 2009-05-06 02:32 -------- d-----w d:\documents and settings\t\Application Data\DivX
2009-05-06 01:40 . 2009-05-06 01:40 -------- d-----w d:\program files\DVD Decrypter
2009-05-06 01:39 . 2009-05-06 01:40 -------- d-----w d:\documents and settings\t\Application Data\RipIt4Me
2009-05-06 01:39 . 2009-05-06 01:39 593920 ----a-w d:\documents and settings\t\Application Data\RipIt4Me\updater\ri4mupdater.exe
2009-05-05 20:43 . 2009-05-05 20:45 -------- d-----w d:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-05 20:43 . 2009-05-05 20:43 -------- d-----w d:\program files\DVD Shrink
2009-05-05 20:31 . 2009-05-21 15:57 -------- d-----w d:\documents and settings\t\Application Data\Azureus
2009-05-05 20:27 . 2009-05-05 20:27 152576 ----a-w d:\documents and settings\t\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-05 02:28 . 2009-05-05 02:28 -------- d-----w d:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 02:07 . 2008-06-06 20:30 81984 ----a-w d:\windows\system32\bdod.bin
2009-05-23 01:50 . 2008-05-31 07:26 -------- d-----w d:\program files\Java
2009-05-17 20:37 . 2007-07-30 22:47 86792 ----a-w d:\windows\system32\drivers\bdfndisf.sys
2009-05-17 20:10 . 2008-06-06 20:29 -------- d-----w d:\program files\BitDefender
2009-05-06 03:18 . 2009-04-14 00:56 -------- d-----w d:\documents and settings\t\Application Data\Ahead
2009-05-05 20:28 . 2009-05-05 20:28 57344 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-4801d17f-n\Decora-SSE.dll
2009-05-05 20:28 . 2009-05-05 20:28 24064 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-184ec788-n\Decora-D3D.dll
2009-05-05 20:28 . 2009-05-05 20:28 20480 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-57503e22-n\jogl_awt.dll
2009-05-05 20:28 . 2009-05-05 20:28 114688 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-57503e22-n\jogl_cg.dll
2009-05-05 20:28 . 2009-05-05 20:28 315392 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-57503e22-n\jogl.dll
2009-05-05 20:28 . 2009-05-05 20:28 20480 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-1f0e2f20-n\gluegen-rt.dll
2009-05-05 20:28 . 2009-05-05 20:28 499712 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-28b58c55-n\msvcp71.dll
2009-05-05 20:28 . 2009-05-05 20:28 499712 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-28b58c55-n\jmc.dll
2009-05-05 20:28 . 2009-05-05 20:28 348160 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-28b58c55-n\msvcr71.dll
2009-05-05 20:28 . 2009-05-05 20:28 410984 ----a-w d:\windows\system32\deploytk.dll
2009-04-16 01:02 . 2009-04-16 01:00 -------- d-----w d:\documents and settings\t-roy\Application Data\Apple Computer
2009-04-16 00:57 . 2009-04-16 00:57 -------- d-----w d:\documents and settings\t\Application Data\Apple Computer
2009-04-14 00:56 . 2009-04-14 00:56 25552 ----a-w d:\documents and settings\t\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 01:41 . 2009-03-28 01:16 -------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2009-03-28 01:16 . 2009-03-28 01:16 -------- d-----w d:\program files\Lavasoft
2009-03-28 01:15 . 2009-03-28 01:15 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-03-07 04:38 . 2009-03-07 04:38 25552 ----a-w d:\documents and settings\t-roy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-10 12:00 284160 ----a-w d:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 12:00 826368 ----a-w d:\windows\system32\wininet.dll
2009-03-01 01:20 . 2009-03-01 01:20 47360 ----a-w d:\windows\system32\drivers\pcouffin.sys
2009-03-01 01:20 . 2009-03-01 01:20 47360 ----a-w d:\documents and settings\Administrator\Desktop\Application Data\pcouffin.sys
2009-03-01 01:20 . 2009-03-01 01:20 47360 ----a-w d:\documents and settings\Administrator\Desktop\Application Data\pcouffin.sys
2009-02-27 22:34 . 2009-01-26 13:58 10684866 ----a-w d:\documents and settings\Administrator\Desktop\Application Data\Azureus\plugins\azump\mplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="d:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"AnyDVD"="d:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2007-01-05 503808]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="d:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-18 729178]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Cpqset"="d:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"eabconfg.cpl"="d:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-11 409600]
"hpWirelessAssistant"="d:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"InCD"="d:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-09-26 1057064]
"HP Software Update"="d:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"BDAgent"="d:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2009-05-17 368640]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7070:TCP"= 7070:TCP:nfr

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [7/30/2007 6:47 PM 86792]
R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [5/31/2008 2:49 AM 231424]
S2 websrvx;websrvx;d:\program files\websrvx\websrvx.exe --> d:\program files\websrvx\websrvx.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"d:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-22 d:\windows\Tasks\ParetoLogic Registration.job
- d:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2009-05-22 d:\windows\Tasks\ParetoLogic Update Version2.job
- d:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 22:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = d:\program files\HPQ\Default Settings\cpqset.exe????????8?9?1?4??@???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1156)
d:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2408)
d:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
d:\program files\Common Files\Ahead\Lib\MFC71U.DLL
d:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\ati2evxx.exe
d:\program files\Lavasoft\Ad-Aware\aawservice.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\windows\ehome\ehrecvr.exe
d:\windows\ehome\ehSched.exe
d:\program files\Nero\Nero 7\InCD\InCDsrv.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\LightScribe\LSSrvc.exe
d:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
d:\windows\ehome\mcrdsvc.exe
d:\windows\system32\dllhost.exe
d:\windows\system32\ati2evxx.exe
d:\windows\ehome\ehmsas.exe
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-05-23 22:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-23 02:12

Pre-Run: 21,902,229,504 bytes free
Post-Run: 60,579,512,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

193 --- E O F --- 2009-05-15 15:38

#6 Farbar

Posted 22 May 2009 - 11:42 PM

Well done.

You forgot the BitDefender log.
  • Please first disable BitDefender:
    Double-click the BitDefender icon to open it.
    Select Settings => click Antivirus.
    Under Shield tab uncheck "Real-time protection enabled".
    In the drop-down menu select "Until system restart" and click OK.

  • Open notepad and copy/paste the text in the code box below into it:

    Collect::[4]
    d:\program files\websrvx\websrvx.exe
    Driver::
    websrvx
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7070:TCP"=-

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box. Do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
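As an added example that is not part of this thread, of DDS or of ComboFix: a small Python triage script that applies, mechanically, the same first-pass checks Farbar applied by eye to the logs above. It flags services whose binary is missing or unverifiable (the `[x]` and `--> ... [?]` markers DDS and ComboFix print, which is how `MyWebSearchService` and `websrvx` stand out), ports opened globally in the XP firewall policy (`7070:TCP nfr`), a disabled standard-profile firewall (`"EnableFirewall"= 0`), and executables running from the browser cache or a temp directory (the `dds[1].scr` case Farbar pointed out). The sample log embedded in the script is assembled from lines of the logs posted earlier in this thread. The `suggest_cfscript` function drafts `Driver::` and `Registry::` sections in the shape of the CFScript in post #6; that finding-to-directive mapping is this example's own assumption and its output is a draft for a human to review, not something to feed to ComboFix blindly.

```python
"""Triage helper for DDS / ComboFix style logs (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the DDS and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
============== Running Processes ===============
D:\WINDOWS\system32\svchost -k DcomLaunch
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Documents and Settings\t\Local Settings\Temporary Internet Files\Content.IE5\1NG2BJS4\dds[1].scr

============= SERVICES / DRIVERS ===============
R2 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-6-2 611664]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [2007-7-30 86792]
S2 MyWebSearchService;My Web Search Service; [x]
S2 websrvx;websrvx;d:\program files\websrvx\websrvx.exe --> d:\program files\websrvx\websrvx.exe [?]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7070:TCP"= 7070:TCP:nfr
"""

# DDS/ComboFix service line: <R|S><start type> <name>;<display name>;<path and status>
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.*)$')
# XP firewall policy value: "port:proto"= port:proto:label
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
TEMP_DIR_RE = re.compile(r'\\(temporary internet files|local settings\\temp|temp)\\', re.I)
EXECUTABLE_RE = re.compile(r'\.(exe|scr|dll|sys|com|pif|bat|cmd)$', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str     # 'service', 'open_port', 'firewall_off' or 'temp_exec'
    subject: str  # service name, "port/proto (label)", profile name, or path
    line: str     # the log line that produced the finding


def triage(log_text: str) -> List[Finding]:
    """Return the log entries a helper would look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group(3), m.group(5)
            # "[x]": service still registered but its file is gone.
            # "--> <path> [?]": the tool could not read or verify the file there.
            if '[x]' in rest or '-->' in rest or '[?]' in rest:
                findings.append(Finding('service', name, line))
            continue
        m = OPEN_PORT_RE.match(line)
        if m:
            port, proto, label = m.groups()
            findings.append(Finding('open_port', f'{port}/{proto} ({label.strip()})', line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding('firewall_off', 'standardprofile', line))
            continue
        # Anything executable running out of the browser cache or a temp directory.
        if TEMP_DIR_RE.search(line) and EXECUTABLE_RE.search(line):
            findings.append(Finding('temp_exec', line, line))
    return findings


def suggest_cfscript(findings: List[Finding]) -> str:
    """Draft Driver:: and Registry:: sections in the shape of the CFScript in post #6.
    The finding-to-directive mapping is this example's assumption; review before use."""
    out = []
    services = [f.subject for f in findings if f.kind == 'service']
    ports = [f for f in findings if f.kind == 'open_port']
    if services:
        out.append('Driver::')
        out.extend(services)
    if ports:
        out.append('Registry::')
        out.append(r'[HKLM\~\services\sharedaccess\parameters\firewallpolicy'
                   r'\standardprofile\GloballyOpenPorts\List]')
        for f in ports:
            value_name = f.line.split('=', 1)[0]  # keeps the quotes: "7070:TCP"
            out.append(f'{value_name}=-')          # "name"=- deletes the value
    return '\n'.join(out)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.kind:12} {f.subject}')
    print('\n--- draft CFScript fragment ---')
    print(suggest_cfscript(found))
```

Run against a real DDS or ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`. A flagged entry is a lead, not a verdict: `aawservice` and `Bdfndisf` pass because their files are present and readable, while a legitimate service whose installer left a dangling entry would be flagged just like `websrvx`, so each hit still needs the kind of review this thread shows.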


#7 Farbar

Posted 26 May 2009 - 06:49 PM

Are you still there?

#8 sportman32922 (Topic Starter)

Posted 26 May 2009 - 07:05 PM

Yes, I'm still here. I apologize, I've been so busy with work, and I can't seem to download my BitDefender log. Actually, I had to reinstall it, so I don't know how much good a log would do now. What should I do now?

#9 Farbar

Posted 26 May 2009 - 07:16 PM

OK, no BitDefender log; please proceed to the next step. I just wanted to see what BitDefender had seen (the name and the path of the flagged file). We might have already removed it.

After running ComboFix it is optional to run BitDefender and post the logs, or just post the ComboFix log for a final review.

#10 sportman32922 (Topic Starter)

Posted 26 May 2009 - 08:11 PM

Sorry, I don't know what to do next. Help please.

#11 Farbar

Posted 26 May 2009 - 08:20 PM

Please follow the Step # 2 from post # 6.

Edited by farbar, 26 May 2009 - 08:21 PM.


#12 sportman32922 (Topic Starter)

Posted 26 May 2009 - 08:50 PM

Not understanding what notepad I'm supposed to put that into.

#13 Farbar

Posted 27 May 2009 - 01:16 AM

If you mean you don't know how to open Notepad:

Go to start => Run => Copy and paste the following and click OK:

notepad

OR

Go to Start => All Programs => Accessories => Notepad

OR:

Download the attachment, save it on your desktop and drag it to ComboFix.

#14 sportman32922 (Topic Starter)

Posted 27 May 2009 - 10:26 PM

ComboFix 09-05-26.05 - t 05/27/2009 23:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.607 [GMT -4:00]
Running from: d:\documents and settings\t\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\t\Desktop\cfscript.txt
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\xcomm.dll
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WEBSRVX
-------\Service_websrvx


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-24 19:46 . 2009-05-24 19:46 -------- d-----w d:\documents and settings\t\Application Data\Bitdefender
2009-05-24 19:46 . 2009-05-24 19:46 -------- d-----w d:\documents and settings\All Users\Application Data\BitDefender
2009-05-24 10:32 . 2009-05-24 10:39 -------- d-----w d:\windows\SxsCaPendDel
2009-05-22 00:57 . 2009-05-22 00:57 -------- d-----w d:\documents and settings\t\Application Data\Sonic
2009-05-22 00:57 . 2009-05-22 00:57 -------- d-----w d:\documents and settings\t\Application Data\Leadertech
2009-05-17 20:03 . 2009-05-24 19:46 -------- d-----w d:\program files\Common Files\BitDefender
2009-05-16 14:54 . 2009-05-16 14:54 10684866 ----a-w d:\documents and settings\t\Application Data\Azureus\plugins\azump\mplayer.exe
2009-05-15 15:39 . 2009-05-15 15:40 -------- d-----w d:\program files\Vuze
2009-05-11 01:34 . 2009-05-11 03:36 -------- d-----w d:\windows\BDOSCAN8
2009-05-07 00:32 . 2009-05-07 00:32 -------- d-----w d:\documents and settings\t\Local Settings\Application Data\Apple
2009-05-06 23:14 . 2009-05-06 23:30 -------- d-----w d:\documents and settings\t\Application Data\vlc
2009-05-06 22:56 . 2009-05-21 04:33 664 ----a-w d:\windows\system32\d3d9caps.dat
2009-05-06 21:14 . 2009-05-28 02:38 -------- d-----w d:\documents and settings\t\Application Data\Vso
2009-05-06 02:32 . 2009-05-06 02:32 -------- d-----w d:\documents and settings\t\Application Data\DivX
2009-05-06 01:40 . 2009-05-06 01:40 -------- d-----w d:\program files\DVD Decrypter
2009-05-06 01:39 . 2009-05-06 01:40 -------- d-----w d:\documents and settings\t\Application Data\RipIt4Me
2009-05-06 01:39 . 2009-05-06 01:39 593920 ----a-w d:\documents and settings\t\Application Data\RipIt4Me\updater\ri4mupdater.exe
2009-05-05 20:43 . 2009-05-05 20:45 -------- d-----w d:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-05 20:43 . 2009-05-05 20:43 -------- d-----w d:\program files\DVD Shrink
2009-05-05 20:31 . 2009-05-27 03:47 -------- d-----w d:\documents and settings\t\Application Data\Azureus
2009-05-05 20:27 . 2009-05-05 20:27 152576 ----a-w d:\documents and settings\t\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-05 02:28 . 2009-05-05 02:28 -------- d-----w d:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 03:05 . 2008-06-06 20:30 81984 ----a-w d:\windows\system32\bdod.bin
2009-05-27 00:10 . 2009-04-16 00:57 -------- d-----w d:\documents and settings\t\Application Data\Apple Computer
2009-05-24 20:11 . 2007-07-30 22:47 86792 ----a-w d:\windows\system32\drivers\bdfndisf.sys
2009-05-24 19:46 . 2008-06-06 20:29 -------- d-----w d:\program files\BitDefender
2009-05-23 01:50 . 2008-05-31 07:26 -------- d-----w d:\program files\Java
2009-05-06 03:18 . 2009-04-14 00:56 -------- d-----w d:\documents and settings\t\Application Data\Ahead
2009-05-05 20:28 . 2009-05-05 20:28 57344 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-4801d17f-n\Decora-SSE.dll
2009-05-05 20:28 . 2009-05-05 20:28 24064 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-184ec788-n\Decora-D3D.dll
2009-05-05 20:28 . 2009-05-05 20:28 20480 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-57503e22-n\jogl_awt.dll
2009-05-05 20:28 . 2009-05-05 20:28 114688 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-57503e22-n\jogl_cg.dll
2009-05-05 20:28 . 2009-05-05 20:28 315392 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-57503e22-n\jogl.dll
2009-05-05 20:28 . 2009-05-05 20:28 20480 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-1f0e2f20-n\gluegen-rt.dll
2009-05-05 20:28 . 2009-05-05 20:28 499712 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-28b58c55-n\msvcp71.dll
2009-05-05 20:28 . 2009-05-05 20:28 499712 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-28b58c55-n\jmc.dll
2009-05-05 20:28 . 2009-05-05 20:28 348160 ----a-w d:\documents and settings\t\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-28b58c55-n\msvcr71.dll
2009-05-05 20:28 . 2009-05-05 20:28 410984 ----a-w d:\windows\system32\deploytk.dll
2009-04-16 01:02 . 2009-04-16 01:00 -------- d-----w d:\documents and settings\t-roy\Application Data\Apple Computer
2009-04-14 00:56 . 2009-04-14 00:56 25552 ----a-w d:\documents and settings\t\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 04:38 . 2009-03-07 04:38 25552 ----a-w d:\documents and settings\t-roy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-10 12:00 284160 ----a-w d:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 12:00 826368 ----a-w d:\windows\system32\wininet.dll
2009-03-01 01:20 . 2009-03-01 01:20 47360 ----a-w d:\windows\system32\drivers\pcouffin.sys
2009-03-01 01:20 . 2009-03-01 01:20 47360 ----a-w d:\documents and settings\Administrator\Desktop\Application Data\pcouffin.sys
2009-03-01 01:20 . 2009-03-01 01:20 47360 ----a-w d:\documents and settings\Administrator\Desktop\Application Data\pcouffin.sys
2009-02-27 22:34 . 2009-01-26 13:58 10684866 ----a-w d:\documents and settings\Administrator\Desktop\Application Data\Azureus\plugins\azump\mplayer.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-23_02.10.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-28 03:15 . 2009-05-28 03:15 16384 d:\windows\Temp\Perflib_Perfdata_304.dat
+ 2004-08-10 12:00 . 2009-05-27 20:40 63148 d:\windows\system32\perfc009.dat
- 2004-08-10 12:00 . 2009-05-22 20:28 63148 d:\windows\system32\perfc009.dat
+ 2009-05-24 19:47 . 2009-05-24 19:47 57344 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\texticon.exe
- 2009-05-17 20:11 . 2009-05-17 20:11 57344 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\texticon.exe
+ 2009-05-24 19:47 . 2009-05-24 19:47 22486 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\register_icon.exe
- 2009-05-17 20:11 . 2009-05-17 20:11 22486 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\register_icon.exe
- 2009-05-17 20:11 . 2009-05-17 20:11 32768 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\maintenance_icon.exe
+ 2009-05-24 19:47 . 2009-05-24 19:47 32768 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\maintenance_icon.exe
- 2009-05-17 20:11 . 2009-05-17 20:11 61440 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\helpicon.exe
+ 2009-05-24 19:47 . 2009-05-24 19:47 61440 d:\windows\Installer\{0F25993F-A294-4F9B-B794-E30EBBF7F86A}\helpicon.exe
- 2004-08-10 12:00 . 2009-05-22 20:28 402200 d:\windows\system32\perfh009.dat
+ 2004-08-10 12:00 . 2009-05-27 20:40 402200 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="d:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"AnyDVD"="d:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2007-01-05 503808]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="d:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-18 729178]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Cpqset"="d:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"eabconfg.cpl"="d:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-11 409600]
"hpWirelessAssistant"="d:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"InCD"="d:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-09-26 1057064]
"HP Software Update"="d:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"BDAgent"="d:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2009-05-24 368640]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [7/30/2007 6:47 PM 86792]
R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [5/31/2008 2:49 AM 231424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"d:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-27 d:\windows\Tasks\ParetoLogic Registration.job
- d:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2009-05-22 d:\windows\Tasks\ParetoLogic Update Version2.job
- d:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 23:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = d:\program files\HPQ\Default Settings\cpqset.exe????????8?9?1?4??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1180)
d:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4084)
d:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
d:\program files\Common Files\Ahead\Lib\MFC71U.DLL
d:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\ati2evxx.exe
d:\program files\Lavasoft\Ad-Aware\aawservice.exe
d:\windows\system32\ati2evxx.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\windows\ehome\ehrecvr.exe
d:\windows\ehome\ehSched.exe
d:\program files\Nero\Nero 7\InCD\InCDsrv.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\LightScribe\LSSrvc.exe
d:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
d:\windows\ehome\mcrdsvc.exe
d:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
d:\windows\ehome\ehmsas.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\dllhost.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
d:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-05-28 23:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 03:18
ComboFix2.txt 2009-05-23 02:12

Pre-Run: 60,261,343,232 bytes free
Post-Run: 60,341,723,136 bytes free

194 --- E O F --- 2009-05-15 15:38

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:06 AM

Posted 28 May 2009 - 07:55 AM

Everything looks good. :thumbup2:

Go to Start > Run, copy and paste (or type) the following command in the field, then hit Enter:

ComboFix /u

Note: There's a space between Combofix and /

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore.

The first reboot might be a little slow, the next one will be faster.

Optional Recommendations
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once in 2-3 weeks and enable the restriction.
Happy Surfing.
