
WHS infected?


54 replies to this topic

#1 damnitbeavis

  • Members
  • 29 posts
  • Gender:Male
  • Location:Santa Rosa, CA

Posted 28 August 2009 - 09:19 PM

Hello community,

I'm not sure if you're going to be able to help me with this, because the problem I have is currently on my server running WHS sp2... Here's a quick rundown of what happened to my home computers over the past week:

A few days ago, our laptop running vista home premium had some of its user profiles get corrupted, so that I had to restore them from old copies.

While I was working on fixing that, my desktop starts to randomly BSOD. Eventually, it won't even boot in safe mode, and I have to restore it from a previous backup on my WHS. After doing that once, and leaving the computer for a few days, it starts BSODing again, so I restored it again from a restore point on the same computer, and then run antimalware, antivirus, and disconnect it from the server. Since then the desktop has worked fine.

While I was working on fixing the BSOD'ing desktop, the server starts randomly BSOD'ing with IRQL_NOT LESS THAN whatever, and MEMORY errors. While searching for a fix for this on Google, the browser starts acting funny, with "the page was reloaded." notices, random freezing of the browser when I try to access some sites, etc. I try to run antimalware software on the server, and it either won't remove found issues, or BSODs during the scans. This is where we are at now.

All these problems happened within a day or so of each other, and prior to this, I had not had any problems of this sort for YEARS, so it is very strange to me.

I'm hoping that you all can help me get this working, but if worst comes to worst I guess I will just have to format the whole server and reload it, losing all my backups for the other two computers.

Unfortunately, DDS doesn't run on my WHS, so I only have the root repeal log...

Hopeful that someone can help me sort out this mess,
Eric

Attached Files


Edited by damnitbeavis, 28 August 2009 - 11:21 PM.



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 September 2009 - 06:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 September 2009 - 03:32 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 September 2009 - 01:32 PM

Reopened at request of topic starter. :(

#5 damnitbeavis

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Santa Rosa, CA

Posted 27 September 2009 - 02:06 PM

So DDS still doesn't run, and the computer still BSODs.

The last error I got was

0x0000008e (0xc0000005, 0x808b746f, 0xf78864cc, 0x00000000)

I don't know if I'm supposed to wait again until my topic is closed, or if someone will get back to me before that. Thanks for your help in advance.

Eric

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 September 2009 - 04:02 PM

Hello there,

Tell you what.....I do believe your log has been posted to pick up, but I'm going to take it myself. I understand you can't run DDS, so we'll go from there. :( Also please understand that tools that might have run on both Vista and XP may not run the same on this server set up. We can try though....and this is the only one in question, correct? You said the other two are all right now?

Try running this:

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Thanks,
tea

#7 damnitbeavis

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Santa Rosa, CA

Posted 27 September 2009 - 08:24 PM

Teacup,


Thanks so much for your help on this.... I was getting ready to drop my computers off at the *shudder* Geek Squad. Unfortunately, both my desktop (running XP Pro SP3) and the server (WHS) are still BSODing. I figured I would start with one, and then move on to the other, unless you would rather do them both at the same time.

I ran your file, but I don't know if it worked, here are the results:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 September 2009 - 09:27 PM

You're welcome. :) I hate to say, but there are many, many times when I've come in behind Geek Squad and cleaned up their mess. :( I'm sure there are some of them that actually know their stuff, but the majority do not and the prices they charge are a total rip off. :)

Well with that report we know what we're *not* dealing with. I know you're concerned with the data on the server, but let's get the XP machine going first, please. Then we'll move on. :(

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to beavis.exe and try it again. :)

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
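A helper reading the report that ComboFix produces usually scans a few sections before anything else: the Recovery Console warning at the top, the firewall policy values under "Reg Loading Points", the R/S service and driver lines, and the "Files Created" list. The Python below is added here as an example of that first pass; it is not code from this thread and not ComboFix's own code. It runs the checks over a constructed report fragment in the ComboFix layout, where the "a1c3" service and its file, the port descriptions and the dates are hypothetical. Every hit is a lead for the helper to look at, not a verdict that the machine is infected.

```python
"""Triage heuristics for a ComboFix-style report (added example, not
ComboFix's code). Each Finding is a lead to check, never a verdict."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the ComboFix report layout. The "a1c3" service and
# file, the port descriptions and the dates are hypothetical.
SAMPLE_REPORT = r"""ComboFix 09-09-25.01 - USER 09/27/2009 21:15.1.4 - NTFSx86
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
2009-09-24 05:47 . 2009-09-24 05:47 54624 ----a-w- f:\windows\system32\a1c3.sys
2009-09-06 20:48 . 2009-08-17 16:05 114768 ----a-w- f:\windows\system32\drivers\aswSP.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:MediaServer 9000 tcp
"58344:TCP"= 58344:TCP:*:Disabled:P2P TCP Listening Port

R1 aswSP;avast! Self Protection;f:\windows\system32\drivers\aswSP.sys [9/6/2009 1:48 PM 114768]
S3 a1c3;a1c3;f:\windows\system32\a1c3.sys [9/23/2009 10:47 PM 54624]
S3 ALSysIO;ALSysIO;\??\f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys --> f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys [?]
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # which heuristic fired
    detail: str  # the report line or path that triggered it


# "R1 name;display;image [date size]"  or  "... --> image [?]"
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$')
# "created . modified size attrs path" lines of the Files Created / Find3M lists
FILE_LINE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+)$')
HEX_STEM_RE = re.compile(r'^[0-9a-f]{3,8}$')  # short hex-only file stems


def suspicious_driver_path(path: str) -> Optional[str]:
    """Reason a kernel driver's location deserves a look, or None."""
    p = path.lower()
    if not p.endswith('.sys'):
        return None
    if '\\temp\\' in p:
        return 'driver loaded from a Temp directory'
    head, _, name = p.rpartition('\\')
    if head.endswith('\\system32') and HEX_STEM_RE.match(name[:-4]):
        return 'hex-named driver directly in system32 (not in drivers\\)'
    return None


def triage(report: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ''  # which registry key the current value lines belong to
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if 'DOES NOT HAVE THE RECOVERY CONSOLE' in line:
            findings.append(Finding('recovery_console_missing', line))
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line.lower()
            if 'firewallpolicy' in key and 'globallyopenports' in key:
                section = 'open_ports'
            elif 'firewallpolicy' in key:
                section = 'firewall'
            else:
                section = 'other_key'
            continue
        if section == 'firewall' and line.startswith('"EnableFirewall"') and '= 0' in line:
            findings.append(Finding('firewall_disabled', line))
            continue
        if section == 'open_ports' and line.startswith('"') and ':Disabled:' not in line:
            findings.append(Finding('open_port', line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            section = 'services'
            image, info = m.group(5), m.group(6)
            if ' --> ' in image:          # ComboFix prints "recorded --> resolved"
                image = image.split(' --> ', 1)[1]
            if info == '?':               # no date/size: the file could not be read
                findings.append(Finding('service_file_unreadable', line))
            reason = suspicious_driver_path(image)
            if reason:
                findings.append(Finding('driver_location', f'{reason}: {image}'))
            continue
        m = FILE_LINE_RE.match(line)
        if m:
            reason = suspicious_driver_path(m.group(1))
            if reason:
                findings.append(Finding('new_driver_file', f'{reason}: {m.group(1)}'))
    return findings


def summarize(report: str) -> Dict[str, List[str]]:
    """Group findings by heuristic so a helper can scan them kind by kind."""
    out: Dict[str, List[str]] = {}
    for f in triage(report):
        out.setdefault(f.kind, []).append(f.detail)
    return out
```

Run over the report that is posted later in this thread, the same heuristics pick out the standard-profile firewall set to 0, the `0fb2` service whose driver file sits directly in system32 rather than in system32\drivers, and the service lines that ComboFix printed with `[?]` instead of a date and size. Each of those still needs a person to decide whether it has anything to do with the BSODs or is just an unusual but legitimate tool, which is exactly the judgement the helper in this thread is offering.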

#9 damnitbeavis

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Santa Rosa, CA

Posted 27 September 2009 - 11:30 PM

Awesome, those ran okay. Here's the logs:

ComboFix 09-09-25.01 - E 09/27/2009 21:15.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1126 [GMT -7:00]
Running from: f:\documents and settings\E\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090927-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\docume~1\E\LOCALS~1\Temp\pdk-E\054a515a11c7920cfc4d7faea7af4932\XS.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\0fdf6651ec58af7738a5f192a16308f3\WinError.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\14f8cfecb15e1c87916789ed739489ff\Expat.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\1c4c331123ae5269fbd179de68e18722\Socket.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\37dbb36b1afb4153f311e1937d13beb9\Win32.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\4698d6dad1d9192f189448cd2250e41c\Registry.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\480ac5427cb6705921c199c825f6feda\File.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\531074183cd92c8ee6e38095fed64379\Detector.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\563d7ead40b59c49009856a0b10f2014\Array.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\5665e9d91ffd5329b4b069811edd98e1\XS.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\5f4010392d26de2972604a5df777f946\perl58.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\619eb23c53abde1a9d9d6b8d81ccd746\Util.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\6b58dab08175faa9470d9b8f08345f77\Byte.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\6ecc81286663495601d2499da7def595\Zlib.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\776043a051266bed6315875a8a879b49\GD.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\804a82b53759189a7786eee16508a628\Unicode.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\8715287e64467664fda73ee36a680ad6\ReadKey.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\899240261dde99660e14431e6d8d1fe9\DBI.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\8d9ba91df5b696882e70aa59f4766acb\Storable.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\93e8018418e0dd3aeabcea5210c424d9\IO.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\95e9a2327e375c6b6f41bca6adf49352\Registry.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\9e11e8cf40c66b8d30f95ce783f2ac0b\Hostname.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\a507fccf2be25b878761a66bf411c201\mysql.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\ad76515ff4d1de346e3888790190a3c0\API.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b2a041897a5d2e9486f60c2f6017af23\Peek.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b44b56de153a5879c1b84993c5cdadfa\Shortcut.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b5ac0b87ff26ec339558537436e82acd\HiRes.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\baf7b671cd22e344218d4404c5715954\FileSecurity.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\bbd2dcfa51103025d57caa776bc1047b\B.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c0bb48510a66e6fdcb5936be6801222d\MD5.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c147fa650a1a0662dceef2f7ea370a7d\List.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c537490a8d5597db7ef38c63a14dd378\Base64.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\cd6be9554293967a36ad1075b097a79b\OLE.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\e51718032942dd5fb4b1590be1ec8d83\Process.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\ea8f9cce13d067ab0d898ca399b403ed\Fcntl.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\fb2e449d6244301907de33f5adebdb35\POSIX.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\054a515a11c7920cfc4d7faea7af4932\XS.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\0fdf6651ec58af7738a5f192a16308f3\WinError.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\14f8cfecb15e1c87916789ed739489ff\Expat.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\1c4c331123ae5269fbd179de68e18722\Socket.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\37dbb36b1afb4153f311e1937d13beb9\Win32.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\4698d6dad1d9192f189448cd2250e41c\Registry.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\480ac5427cb6705921c199c825f6feda\File.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\531074183cd92c8ee6e38095fed64379\Detector.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\563d7ead40b59c49009856a0b10f2014\Array.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\5665e9d91ffd5329b4b069811edd98e1\XS.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\5f4010392d26de2972604a5df777f946\perl58.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\619eb23c53abde1a9d9d6b8d81ccd746\Util.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\6b58dab08175faa9470d9b8f08345f77\Byte.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\6ecc81286663495601d2499da7def595\Zlib.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\776043a051266bed6315875a8a879b49\GD.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\804a82b53759189a7786eee16508a628\Unicode.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\8715287e64467664fda73ee36a680ad6\ReadKey.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\899240261dde99660e14431e6d8d1fe9\DBI.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\8d9ba91df5b696882e70aa59f4766acb\Storable.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\93e8018418e0dd3aeabcea5210c424d9\IO.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\95e9a2327e375c6b6f41bca6adf49352\Registry.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\9e11e8cf40c66b8d30f95ce783f2ac0b\Hostname.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\a507fccf2be25b878761a66bf411c201\mysql.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\ad76515ff4d1de346e3888790190a3c0\API.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b2a041897a5d2e9486f60c2f6017af23\Peek.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b44b56de153a5879c1b84993c5cdadfa\Shortcut.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b5ac0b87ff26ec339558537436e82acd\HiRes.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\baf7b671cd22e344218d4404c5715954\FileSecurity.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\bbd2dcfa51103025d57caa776bc1047b\B.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c0bb48510a66e6fdcb5936be6801222d\MD5.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c147fa650a1a0662dceef2f7ea370a7d\List.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c537490a8d5597db7ef38c63a14dd378\Base64.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\cd6be9554293967a36ad1075b097a79b\OLE.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\e51718032942dd5fb4b1590be1ec8d83\Process.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\ea8f9cce13d067ab0d898ca399b403ed\Fcntl.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\fb2e449d6244301907de33f5adebdb35\POSIX.dll
f:\windows\system32\NetMW14x.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.

2009-09-28 00:33 . 2009-09-28 00:33 -------- d-----w- f:\program files\File Shredder
2009-09-28 00:33 . 2009-09-28 00:33 1221104 ----a-w- F:\file_shredder_setup.exe
2009-09-27 19:53 . 2009-09-27 19:54 -------- d-----w- f:\documents and settings\E\Application Data\HpUpdate
2009-09-27 19:53 . 2009-09-27 19:53 -------- d-----w- f:\windows\Hewlett-Packard
2009-09-26 08:26 . 2009-09-26 08:26 -------- d-----w- F:\Windows Home Server Drivers for Restore
2009-09-24 05:47 . 2009-09-24 05:47 54624 ----a-w- f:\windows\system32\0fb2.sys
2009-09-12 17:02 . 2009-09-12 17:02 737280 ----a-w- f:\windows\iun6002.exe
2009-09-12 17:02 . 2009-09-12 17:02 628832 ----a-w- F:\pdsetup.exe
2009-09-11 14:14 . 2009-09-11 14:14 1925024 ----a-w- F:\install_flash_player.exe
2009-09-10 04:25 . 2009-09-10 04:25 -------- d-----w- F:\Shares
2009-09-09 08:49 . 2009-06-21 21:44 153088 -c----w- f:\windows\system32\dllcache\triedit.dll
2009-09-09 03:38 . 2009-09-09 03:38 -------- d-----w- f:\program files\MSECache
2009-09-09 03:38 . 2009-09-09 03:38 28868320 ----a-w- F:\FileFormatConverters.exe
2009-09-09 03:02 . 2009-09-09 03:02 -------- d-----w- f:\program files\iPod
2009-09-09 03:02 . 2009-09-09 03:02 -------- d-----w- f:\program files\iTunes
2009-09-09 03:01 . 2009-09-09 03:01 -------- d-----w- f:\program files\Bonjour
2009-09-09 03:00 . 2009-09-09 03:01 -------- d-----w- f:\program files\QuickTime
2009-09-09 02:59 . 2009-09-09 03:00 -------- d-----w- f:\program files\Apple Software Update
2009-09-08 01:37 . 2009-09-08 01:37 -------- d-----w- f:\program files\Trend Micro
2009-09-08 01:36 . 2009-09-08 01:37 812344 ----a-w- F:\HijackThisInstaller.exe
2009-09-08 01:29 . 2009-09-08 01:29 -------- d-----w- f:\program files\ERUNT
2009-09-08 01:28 . 2009-09-08 01:28 791393 ----a-w- F:\erunt-setup.exe
2009-09-08 01:18 . 2009-09-08 01:18 -------- d-----w- f:\documents and settings\E\Application Data\InstallShield
2009-09-08 01:10 . 2009-09-08 01:10 16409960 ----a-w- F:\spybotsd162.exe
2009-09-07 05:17 . 2009-09-07 05:17 3293992 ----a-w- F:\ccsetup223.exe
2009-09-06 20:48 . 2009-08-17 16:04 23152 ----a-w- f:\windows\system32\drivers\aswRdr.sys
2009-09-06 20:48 . 2009-08-17 16:04 51376 ----a-w- f:\windows\system32\drivers\aswTdi.sys
2009-09-06 20:48 . 2009-08-17 16:03 26944 ----a-w- f:\windows\system32\drivers\aavmker4.sys
2009-09-06 20:48 . 2009-08-17 16:06 93392 ----a-w- f:\windows\system32\drivers\aswmon.sys
2009-09-06 20:48 . 2009-08-17 16:06 94160 ----a-w- f:\windows\system32\drivers\aswmon2.sys
2009-09-06 20:48 . 2009-08-17 16:05 114768 ----a-w- f:\windows\system32\drivers\aswSP.sys
2009-09-06 20:48 . 2009-08-17 16:05 20560 ----a-w- f:\windows\system32\drivers\aswFsBlk.sys
2009-09-06 20:48 . 2009-08-17 16:02 97480 ----a-w- f:\windows\system32\AvastSS.scr
2009-09-06 20:48 . 2009-08-17 16:10 1279456 ----a-w- f:\windows\system32\aswBoot.exe
2009-09-06 20:44 . 2009-09-06 20:44 308160 ----a-w- F:\avast_pro_setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 19:54 . 2007-10-13 20:43 -------- d-----w- f:\program files\HP
2009-09-27 19:41 . 2007-10-08 08:00 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 18:54 . 2007-10-08 08:00 -------- d-----w- f:\program files\Spybot - Search & Destroy
2009-09-24 05:53 . 2007-10-03 04:54 28920 ----a-w- f:\documents and settings\E\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 16:14 . 2007-10-15 05:43 -------- d-----w- f:\program files\Common Files\Apple
2009-09-20 18:58 . 2009-09-06 20:41 90112 ----a-w- f:\windows\DUMP4527.tmp
2009-09-12 20:35 . 2009-08-25 04:41 -------- d-----w- f:\documents and settings\E\Application Data\Winamp
2009-09-10 04:25 . 2009-02-04 06:02 -------- d-----w- f:\program files\Windows Home Server
2009-09-09 01:32 . 2007-10-03 04:59 -------- d--h--w- f:\program files\InstallShield Installation Information
2009-09-07 05:21 . 2009-01-31 05:08 -------- d-----w- f:\program files\Common Files\Wise Installation Wizard
2009-09-07 05:21 . 2009-08-22 21:06 -------- d-----w- f:\documents and settings\E\Application Data\SUPERAntiSpyware.com
2009-09-07 05:21 . 2009-08-22 21:06 -------- d-----w- f:\program files\SUPERAntiSpyware
2009-08-25 04:41 . 2007-10-03 06:53 -------- d-----w- f:\program files\Winamp
2009-08-25 04:39 . 2009-08-25 04:39 14224112 ----a-w- F:\winamp556_full_emusic-7plus_all.exe
2009-08-25 04:06 . 2009-08-25 04:06 803 ----a-w- f:\program files\CoreTemp.ini
2009-08-25 04:06 . 2009-08-25 04:06 11 ----a-w- f:\program files\Plugins.ini
2009-08-24 05:04 . 2009-08-24 05:04 -------- d-----w- f:\documents and settings\E\Application Data\IObit
2009-08-24 05:04 . 2009-08-24 05:04 -------- d-----w- f:\program files\IObit
2009-08-24 05:03 . 2009-08-24 05:03 3021976 ----a-w- F:\DefragSetup.exe
2009-08-24 04:45 . 2009-08-24 04:45 -------- d-----w- f:\program files\EASEUS
2009-08-24 04:26 . 2007-10-05 04:13 -------- d-----w- f:\program files\ATITool
2009-08-24 04:22 . 2007-10-12 16:49 -------- d-----w- f:\program files\Logitech
2009-08-24 04:12 . 2007-11-16 17:03 -------- d-----w- f:\documents and settings\Administrator\Application Data\Logitech
2009-08-24 04:12 . 2007-10-12 16:50 -------- d-----w- f:\documents and settings\E\Application Data\Logitech
2009-08-24 04:12 . 2007-10-12 16:50 -------- d-----w- f:\documents and settings\All Users\Application Data\Logitech
2009-08-24 03:59 . 2008-10-31 18:57 -------- d-----w- f:\program files\Yahoo!
2009-08-24 03:58 . 2008-01-03 02:36 -------- d-----w- f:\program files\Acoustica Spin It Again
2009-08-24 02:10 . 2009-08-24 02:10 654920 ----a-w- F:\mtinst(2).exe
2009-08-23 19:27 . 2007-10-12 07:33 -------- d-----w- f:\program files\Java
2009-08-23 18:53 . 2009-08-23 18:52 126233 ----a-w- F:\MGlogs.zip
2009-08-23 12:02 . 2009-08-20 04:08 90112 ----a-w- f:\windows\DUMP57a5.tmp
2009-08-22 23:24 . 2009-08-22 23:24 -------- d-----w- f:\documents and settings\E\Application Data\Malwarebytes
2009-08-22 23:24 . 2009-08-22 23:24 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-22 23:20 . 2009-08-22 23:20 -------- d-----w- f:\documents and settings\All Users\Application Data\Windows Home Server
2009-08-22 21:26 . 2009-08-22 21:25 8050536 ----a-w- F:\Firefox Setup 3.5.2.exe
2009-08-22 21:06 . 2009-08-22 21:06 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-22 21:05 . 2009-08-22 21:05 1344235 ----a-w- F:\MGtools.exe
2009-08-22 20:48 . 2008-10-31 18:57 -------- d-----w- f:\program files\CCleaner
2009-08-21 04:28 . 2007-12-14 16:35 -------- d-----w- f:\program files\Common Files\Logishrd
2009-08-20 15:43 . 2009-08-20 15:43 229208 ----a-w- f:\windows\system32\drivers\VMM.sys
2009-08-05 19:48 . 2009-08-05 19:48 378384 ----a-w- f:\program files\Core Temp.exe
2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- f:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2001-08-23 12:00 81920 ----a-w- f:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2001-08-23 12:00 119808 ----a-w- f:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- f:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 07:56 286208 ------w- f:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- f:\windows\system32\wininet.dll
2001-08-23 12:00 . 2001-08-23 12:00 94784 --sh--w- f:\windows\twain.dll
2008-04-14 00:12 . 2001-08-23 12:00 50688 --sh--w- f:\windows\twain_32.dll
2006-10-27 19:40 . 2006-10-27 19:40 12288 --sh--w- f:\windows\Twunk_16.dll
2006-10-27 19:40 . 2006-10-27 19:40 12288 --sh--w- f:\windows\Twunk_32.dll
2008-04-14 00:11 . 2001-08-23 12:00 1028096 --sha-w- f:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2001-08-23 12:00 57344 --sh--w- f:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2001-08-23 12:00 413696 --sha-w- f:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2001-08-23 12:00 343040 --sha-w- f:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2001-08-23 12:00 551936 --sh--w- f:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2001-08-23 12:00 84992 --sha-w- f:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2001-08-23 12:00 11776 --sh--w- f:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="f:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"WinampAgent"="f:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"HP Software Update"="f:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"CXMon"="f:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-01-15 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - f:\windows\KHALMNPR.Exe [2007-09-21 55824]
"CTxfiHlp"="CTXFIHLP.EXE" - f:\windows\system32\Ctxfihlp.exe [2008-07-11 19968]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - f:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-4 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\system32\\spoolsv.exe"=
"f:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"f:\\Program Files\\Windows Home Server\\Discovery.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
"58344:TCP"= 58344:TCP:*:Disabled:Pando P2P TCP Listening Port
"58344:UDP"= 58344:UDP:*:Disabled:Pando P2P UDP Listening Port

R1 aswSP;avast! Self Protection;f:\windows\system32\drivers\aswSP.sys [9/6/2009 1:48 PM 114768]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [9/6/2009 1:48 PM 20560]
R2 WHSConnector;Windows Home Server Connector Service;f:\program files\Windows Home Server\WHSConnector.exe [4/20/2009 9:37 PM 335728]
S2 SqueezeMySQL;SqueezeMySQL;f:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=f:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> f:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=f:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
S3 0fb2;0fb2;f:\windows\system32\0fb2.sys [9/23/2009 10:47 PM 54624]
S3 ALSysIO;ALSysIO;\??\f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys --> f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;f:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [10/31/2008 11:44 AM 79360]
S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [8/23/2009 9:45 PM 8704]
S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [8/23/2009 9:45 PM 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\f:\windows\system32\drivers\mbamswissarmy.sys --> f:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NETMW145;Belkin N1 Wireless Desktop Card Service for Windows XP;f:\windows\system32\DRIVERS\NETMW145.sys --> f:\windows\system32\DRIVERS\NETMW145.sys [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;f:\windows\system32\DRIVERS\RTL8187.sys --> f:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 SjyPkt;SjyPkt;\??\f:\windows\System32\Drivers\SjyPkt.sys --> f:\windows\System32\Drivers\SjyPkt.sys [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\f:\docume~1\E\LOCALS~1\Temp\TCCpuInfo.sys --> f:\docume~1\E\LOCALS~1\Temp\TCCpuInfo.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 f:\windows\Tasks\SmartDefrag.job
- f:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-24 16:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - f:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\1xtvu5l9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - plugin: f:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Octoshape add-in for Adobe Flash Player - f:\documents and settings\E\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3340)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\program files\Microsoft Virtual PC\VPCShExH.DLL
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Alwil Software\Avast4\aswUpdSv.exe
f:\program files\Alwil Software\Avast4\ashServ.exe
f:\program files\Creative\Shared Files\CTAudSvc.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
f:\windows\system32\nvsvc32.exe
f:\windows\system32\HPZipm12.exe
f:\program files\Alwil Software\Avast4\ashMaiSv.exe
f:\program files\Alwil Software\Avast4\ashWebSv.exe
f:\windows\system32\rundll32.exe
f:\windows\system32\CTxfispi.exe
f:\program files\iPod\bin\iPodService.exe
f:\program files\Palm\Hotsync.exe
f:\program files\SqueezeCenter\SqueezeTray.exe
f:\program files\Windows Home Server\WHSTrayApp.exe
f:\windows\system32\wscntfy.exe
f:\program files\WinZip\WZQKPICK.EXE
f:\progra~1\SQUEEZ~1\server\SQUEEZ~1.EXE
f:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-09-28 21:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 04:26

Pre-Run: 364,696,846,336 bytes free
Post-Run: 364,647,497,728 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
323 --- E O F --- 2009-09-09 10:03

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:34 PM, on 9/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Creative\Shared Files\CTAudSvc.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Windows Home Server\WHSConnector.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
F:\WINDOWS\system32\CTXFIHLP.EXE
F:\WINDOWS\SYSTEM32\CTXFISPI.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Palm\Hotsync.exe
F:\Program Files\SqueezeCenter\SqueezeTray.exe
F:\Program Files\Windows Home Server\WHSTrayApp.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\PROGRA~1\SQUEEZ~1\server\SQUEEZ~1.EXE
F:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BrowserHelper Class - {9A065C65-4EE7-4DDD-9918-F129089A894A} - F:\Program Files\Windows Home Server\WHSDeskBands.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - F:\Program Files\Windows Home Server\WHSDeskBands.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "F:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = F:\Program Files\Belkin\F5D8001v2\Belkinwcui.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = F:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = F:\Program Files\SqueezeCenter\SqueezeTray.exe
O4 - Global Startup: Windows Home Server.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191385614654
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} (HP Content Update) - http://h30155.www3.hp.com/ediags/hpna/66/i...hp.cab?1,0,0,94
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - F:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - F:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - F:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - F:\Program Files\Common Files\element5 Share`\Service\Licence Manager ESD.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SqueezeMySQL - Unknown owner - F:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe

--
End of file - 8515 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:13 PM

Posted 28 September 2009 - 12:16 AM

Hi there,

How is it running now please? :( I see you have MBAM already. Please be sure it's updated to the latest definitions and have a scan with it. Post the report, if there is anything to post. :(

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 damnitbeavis

damnitbeavis
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:Santa Rosa, CA
  • Local time:01:13 PM

Posted 28 September 2009 - 11:06 AM

So the first time I tried running MBAM, I got a BSOD. I rebooted, and it ran to completion, and here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2866
Windows 5.1.2600 Service Pack 3

9/28/2009 9:03:54 AM
mbam-log-2009-09-28 (09-03-54).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 305846
Time elapsed: 1 hour(s), 30 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I still think there is something wrong, given the BSOD. Any more ideas?


Thanks!
Eric

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:13 PM

Posted 28 September 2009 - 01:27 PM

Hello,

Well, good that you got that to run to completion, but one-run fixes don't usually happen and I have no doubt there is something still amiss. This file: f:\windows\System32\Drivers\SjyPkt.sys worries me, and I need for it to be analysed. http://www.prevx.com/filenames/13528632015...SJYPKT.SYS.html

Please navigate to the following file: f:\windows\System32\Drivers\SjyPkt.sys

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea

#13 damnitbeavis

damnitbeavis
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:Santa Rosa, CA
  • Local time:01:13 PM

Posted 28 September 2009 - 01:43 PM

Hmmmm.... I tried to navigate to that file to upload it, but I cannot seem to find it. I even tried looking in safe mode, still no luck. Ideas? Maybe you're on to something here!

Eric

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:13 PM

Posted 28 September 2009 - 01:54 PM

Hi Eric,

I have to ask the most basic question.....did you unhide hidden files when you looked for it? I wonder if GMER would see it. I don't want to nuke it if it's a legit, if not badly named, file/driver.

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

tea
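As an added illustration, not part of the thread and not either poster's instructions, the PowerShell script below does by hand what the two posts above ask for around the SjyPkt driver from the ComboFix log: it reads the service registration under HKLM\SYSTEM, checks whether the file is actually on disk once hidden and system attributes are included (the usual reason a file "cannot be found"), and computes the SHA-256 and Authenticode status for a VirusTotal lookup. The service name, the F: system drive and the fallback path are assumptions taken from the logs in this thread; it is not GMER, ComboFix or MBAM code.

```powershell
# Added example: audit one registered driver service (assumed name 'SjyPkt',
# assumed system drive 'F:' as in the logs above). Run from an elevated prompt.
param(
    [string]$ServiceName = 'SjyPkt',
    [string]$SystemDrive = 'F:'
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$svc = $null
if (Test-Path $key) {
    $svc = Get-ItemProperty -Path $key
    # Start: 0 boot, 1 system, 2 auto, 3 manual (the 'S3' in the ComboFix log), 4 disabled
    Write-Output ("Registered: Type={0} Start={1} ImagePath={2}" -f $svc.Type, $svc.Start, $svc.ImagePath)
} else {
    Write-Output "No service/driver key named $ServiceName is registered."
}

# ComboFix prints kernel paths with a \??\ prefix; strip it and expand variables.
$raw = if ($svc -and $svc.ImagePath) { $svc.ImagePath } else { "$SystemDrive\WINDOWS\System32\Drivers\$ServiceName.sys" }
$path = [Environment]::ExpandEnvironmentVariables(($raw -replace '^\\\?\?\\', ''))
# Driver ImagePaths are often relative to the Windows drive (system32\drivers\x.sys)
if ($path -notmatch '^[A-Za-z]:') { $path = Join-Path $SystemDrive $path }

# -Force is what makes Get-Item return files carrying the Hidden or System attribute.
$file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
if (-not $file) {
    Write-Output "Not found on disk at $path, even with hidden/system files included."
    # A driver that is registered but has no file the file system API will show
    # is exactly the case a rootkit scanner (GMER, catchme) is meant to surface.
} else {
    Write-Output ("Found: {0} size={1} attrs={2} modified={3}" -f $file.FullName, $file.Length, $file.Attributes, $file.LastWriteTime)
    # SHA-256 via .NET so this works on older Windows PowerShell without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    Write-Output "SHA-256 (search or submit on VirusTotal): $hash"
    # Unsigned kernel drivers in Temp or with odd names deserve a closer look
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    Write-Output ("Authenticode status: {0}" -f $sig.Status)
}
```

Searching the hash on VirusTotal avoids uploading a file that is already known; if the file exists but only the registry key shows it, compare what the script reports with the GMER output.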

#15 damnitbeavis

damnitbeavis
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:Santa Rosa, CA
  • Local time:01:13 PM

Posted 28 September 2009 - 02:08 PM

Thanks for asking: yes, hidden files should have been visible.

I tried unzipping GMER to the desktop and running it -> BSOD

I unzipped it to the desktop, renamed it beavis.exe, ran -> ran for about 45 seconds, then "encountered an error, and had to close."

Ideas?

Eric
