PC Antispyware 2010 and Rootkill Virus -- XP Tablet Edition


This topic is locked
33 replies to this topic

#1 rum2runner

Posted 04 September 2009 - 09:51 AM

Don't have much hope as I appear to have this and cannot get any logs to run...

Got the PC something virus and should have waited to get my XP disks as it said it was changing files, but it restarted before I could so....

I ran Malwarebytes Anti-Malware and it failed and now like everything else won't allow me to run it again. I also tried Windows Live which caused it to kill Firefox. They led me to your forum and I went to run the dds.scr and the RootRepeal but they won't run so I have no logs to show you.

I was able to do a full backup so... I can wipe it and start over but would prefer not to....

I have a Gateway PC -- with XP Tablet Edition which might make a difference.

I did see some help that discussed getting logs for what seems like the program I had but don't want to jump the gun.....

Let me know what if any information I can provide and I will do so.....

If not instructions on starting over would be nice....

Thanks -- Rum2Runner


#2 rum2runner

Posted 04 September 2009 - 09:54 AM

Sorry, thought of two additional items....

XP firewall seems to be working and I have the PC offline and have been loading software via flash drive rather than via the internet.

My desktop has McAfee and I updated the virus definitions today to hopefully avoid cross contamination.

Thanks -- R2R

#3 Farbar

Posted 04 September 2009 - 10:12 AM

Hi rum2runner,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download and run Win32kDiag:Next......

#4 rum2runner

Posted 04 September 2009 - 11:05 AM

1st -- Thanks Fabar

Attached are the results from win32diag.exe

Thanks -- R2R

I also pasted it here ....

Starting up...
Log file is located at: C:\Documents and Settings\HSM\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Api\Onfolio.Api
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Capture.Api\Onfolio.Capture.Api
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.CiteScrape\Onfolio.CiteScrape
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.CiteScrapeAdmin\Onfolio.CiteScrapeAdmin
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Constants\Onfolio.Constants
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Diagnostics\Onfolio.Diagnostics
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.EndNoteSynch\Onfolio.EndNoteSynch
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Feeds\Onfolio.Feeds
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.FolderPublishing\Onfolio.FolderPublishing
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.FolderPublishing.WebView\Onfolio.FolderPublishing.WebView
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.HtmlParser\Onfolio.HtmlParser
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.MozillaIntegration.DotNet\Onfolio.MozillaIntegration.DotNet
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Notifications\Onfolio.Notifications
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Preferences\Onfolio.Preferences
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.Publisher\Onfolio.Publisher
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.SpellChecker\Onfolio.SpellChecker
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Onfolio.TaskBarTrayIcon\Onfolio.TaskBarTrayIcon
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.ApplicationFramework\Project31.ApplicationFramework
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.BrowserControl\Project31.BrowserControl
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.BrowserExtensions\Project31.BrowserExtensions
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.Controls\Project31.Controls
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.CoreServices\Project31.CoreServices
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.Diagnostics\Project31.Diagnostics
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.EMail\Project31.EMail
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.Globalization\Project31.Globalization
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.Interop\Project31.Interop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.Interop.Com.SHDocVw\Project31.Interop.Com.SHDocVw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.ApplicationCore\Project31.MindShare.ApplicationCore
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.ApplicationSettings\Project31.MindShare.ApplicationSettings
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.BrowserIntegration\Project31.MindShare.BrowserIntegration
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.FileMonitor\Project31.MindShare.FileMonitor
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.FormHost\Project31.MindShare.FormHost
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.ItemEditor\Project31.MindShare.ItemEditor
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.Model\Project31.MindShare.Model
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.ServerManager\Project31.MindShare.ServerManager
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.Storage\Project31.MindShare.Storage
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MindShare.View\Project31.MindShare.View
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.MshtmlEditor\Project31.MshtmlEditor
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Project31.Search\Project31.Search
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Client\WindowsLive.Client
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Api\WindowsLive.Writer.Api
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.ApplicationFramework\WindowsLive.Writer.ApplicationFramework
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.BlogClient\WindowsLive.Writer.BlogClient
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.BrowserControl\WindowsLive.Writer.BrowserControl
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Controls\WindowsLive.Writer.Controls
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.CoreServices\WindowsLive.Writer.CoreServices
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Extensibility\WindowsLive.Writer.Extensibility
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.FileDestinations\WindowsLive.Writer.FileDestinations
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.HtmlEditor\WindowsLive.Writer.HtmlEditor
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.HtmlParser\WindowsLive.Writer.HtmlParser
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Interop\WindowsLive.Writer.Interop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Interop.Mshtml\WindowsLive.Writer.Interop.Mshtml
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Interop.SHDocVw\WindowsLive.Writer.Interop.SHDocVw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Mshtml\WindowsLive.Writer.Mshtml
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.Passport\WindowsLive.Writer.Passport
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLive.Writer.PostEditor\WindowsLive.Writer.PostEditor
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\WindowsLiveWriter\WindowsLiveWriter
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Xceed.Grid\Xceed.Grid
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3BD.tmp\ZAP3BD.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D5.tmp\ZAP4D5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\inf\ASM\ASM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.Net\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.Net\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\OemDir\OemDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)


#5 rum2runner

Posted 04 September 2009 - 11:07 AM

Promise to get your name right next time....


Thanks -- farbar

#6 Farbar

Posted 04 September 2009 - 11:17 AM

No worries about the name. :(

I see your computer is infected with this nasty rootkit.

What is your Service Pack version?

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.


#7 rum2runner

Posted 04 September 2009 - 11:30 AM

Attached is the peek log...

Here is the text....


Volume in drive C has no label.
Volume Serial Number is 442B-B0D3

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 62,464 eventlog.dll
3 File(s) 650,752 bytes

Total Files Listed:
12 File(s) 2,583,040 bytes


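The comparison Farbar's peek.bat log is read for, written out as an added example (this is not peek.bat, ComboFix, or any tool from the thread): parse the `dir` listing, compare each system32 DLL by size with the pristine copy Windows keeps in ServicePackFiles\i386, and flag files whose size changed while the timestamp stayed put. The sample listing is constructed from the sizes and dates pasted in post #7; it also shows why the baseline has to match the installed service pack (the $NtServicePackUninstall$ copies are older and would produce a false positive on scecli.dll).

```python
"""Spot a patched system DLL from `dir` output: the live file in system32 is
compared, by size, against the reference copy in ServicePackFiles\\i386.
A changed size with an unchanged timestamp is the classic sign of an in-place
patch of a system file."""
import re
from collections import defaultdict

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# "04/13/2008 08:11 PM 56,320 eventlog.dll" -> date, time, size, name
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)

# Constructed sample: the peek.bat listing from post #7, trimmed to the three
# directories that matter (sizes and dates are the ones in the post).
SAMPLE_LOG = r"""
 Volume in drive C has no label.
 Volume Serial Number is 442B-B0D3

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 180,224 scecli.dll
08/04/2004 08:00 AM 407,040 netlogon.dll
08/04/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

 Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 62,464 eventlog.dll
3 File(s) 650,752 bytes
"""

SYSTEM32 = r"C:\WINDOWS\system32"
SP3_REFERENCE = r"C:\WINDOWS\ServicePackFiles\i386"    # matches the installed SP
PRE_SP_BACKUP = r"C:\WINDOWS\$NtServicePackUninstall$"  # older SP: wrong baseline


def parse_dir_listing(text):
    """Return {directory: {filename: (size_bytes, timestamp)}} from `dir` output.

    Directory and file names are lower-cased because NTFS is case-insensitive.
    """
    listing = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, time, size, name = m.groups()
            listing[current][name.lower()] = (int(size.replace(",", "")),
                                              f"{date} {time}")
    return dict(listing)


def find_size_mismatches(listing, live_dir, reference_dir):
    """Files present in both directories whose sizes differ.

    Returns sorted (name, live_size, reference_size, timestamp_preserved)
    tuples. A size change with timestamp_preserved=True is the suspicious
    combination: the file was altered but its date was left untouched.
    """
    live = listing.get(live_dir.lower(), {})
    ref = listing.get(reference_dir.lower(), {})
    findings = []
    for name in sorted(live.keys() & ref.keys()):
        live_size, live_stamp = live[name]
        ref_size, ref_stamp = ref[name]
        if live_size != ref_size:
            findings.append((name, live_size, ref_size, live_stamp == ref_stamp))
    return findings


def analyse(text, reference_dir=SP3_REFERENCE):
    """Parse a peek-style listing and report system32 files that differ."""
    return find_size_mismatches(parse_dir_listing(text), SYSTEM32, reference_dir)


if __name__ == "__main__":
    for name, live, ref, kept in analyse(SAMPLE_LOG):
        print(f"{name}: system32 {live:,} bytes vs reference {ref:,} bytes"
              f" (timestamp preserved: {kept})")
    # The pre-SP3 backup as baseline adds a false positive on scecli.dll,
    # which is why the reference must match the installed service pack.
    print(analyse(SAMPLE_LOG, PRE_SP_BACKUP))
```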

#8 Farbar

Posted 04 September 2009 - 11:35 AM

No need to attach the logs, thanks.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#9 rum2runner

Posted 04 September 2009 - 12:30 PM

here is the combofix log....

ComboFix 09-09-03.02 - HSM 09/04/2009 13:13.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.550 [GMT -4:00]
Running from: c:\documents and settings\HSM\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\atazo.dl
c:\documents and settings\All Users\Documents\ygowalo.bat
c:\documents and settings\HSM\Application Data\inst.exe
c:\documents and settings\HSM\Application Data\tisa.bat
c:\documents and settings\HSM\Cookies\dorox.vbs
c:\documents and settings\HSM\Cookies\zogawaki.dat
c:\documents and settings\HSM\Local Settings\Application Data\zaqi.pif
c:\program files\Common Files\dazid.reg
c:\program files\Common Files\gihe.exe
c:\program files\Common Files\nilusufy.vbs
c:\program files\Common Files\ufetexu.inf
c:\recycler\S-1-5-21-1868661091-1880482221-3482501127-500
c:\windows\AegisP.inf
c:\windows\dajezigeja.scr
c:\windows\ikuzycizan.dl
c:\windows\system32\cookie1.dat
c:\windows\system32\fequfabulu.exe
c:\windows\system32\rajefiwyk.exe
c:\windows\system32\SYIllnmp.ini
c:\windows\system32\SYIllnmp.ini2
c:\windows\system32\tb.dr
c:\windows\system32\wisdstr.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 13:44 . 2009-09-04 13:44 -------- d-----w- c:\temp\Trend Micro
2009-09-03 20:35 . 2009-09-03 20:35 -------- d-----w- c:\program files\ACW
2009-09-03 15:53 . 2009-09-03 15:53 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-09-03 15:52 . 2009-09-03 15:52 -------- d-----w- c:\program files\Cobian Backup 9
2009-09-03 15:51 . 2009-09-03 15:51 -------- d-----w- c:\program files\Enigma Software Group
2009-09-03 02:59 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 02:59 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 02:59 . 2009-09-03 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 02:49 . 2009-09-03 02:49 -------- d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-09-03 02:27 . 2009-09-03 02:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 00:02 . 2009-09-03 00:11 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-02 21:50 . 2009-09-02 21:50 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-02 19:31 . 2009-09-04 17:13 -------- d-----w- c:\windows\system32\1033
2009-09-02 17:28 . 2009-09-02 17:28 -------- d-----w- c:\program files\Trend Micro
2009-09-02 14:48 . 2009-09-02 14:48 19968 ------w- C:\xvhu.exe
2009-09-02 14:48 . 2009-09-02 14:48 48640 ------w- C:\blyuwrjl.exe
2009-09-02 14:48 . 2009-09-02 14:48 17920 ------w- C:\osps.exe
2009-09-02 14:48 . 2009-09-02 14:48 21504 ------w- C:\emxtqjit.exe
2009-08-26 20:01 . 2009-09-04 13:35 -------- d-----w- c:\temp\New Folder
2009-08-16 23:36 . 2009-08-16 23:36 -------- d-----w- c:\program files\iPod
2009-08-16 23:36 . 2009-08-16 23:36 -------- d-----w- c:\program files\iTunes
2009-08-16 23:36 . 2009-08-16 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-16 23:33 . 2009-08-16 23:34 -------- d-----w- c:\program files\QuickTime
2009-08-16 23:30 . 2009-08-16 23:30 -------- d-----w- c:\program files\Bonjour
2009-08-12 08:30 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-09 08:48 . 2009-08-09 08:48 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 08:47 . 2009-08-09 08:47 -------- d-----w- c:\program files\MSBuild
2009-08-09 08:47 . 2009-08-09 08:47 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 08:43 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 08:43 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 08:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 08:43 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 08:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-09 08:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 08:43 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 17:15 . 2008-10-03 18:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-04 17:15 . 2006-07-27 17:03 -------- d-----w- c:\documents and settings\HSM\Application Data\Onfolio
2009-09-04 17:13 . 2006-07-21 00:17 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-03 20:28 . 2006-07-26 14:50 -------- d-----w- c:\documents and settings\HSM\Application Data\EndNote
2009-09-03 03:00 . 2006-07-24 16:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-02 19:36 . 2006-06-25 23:55 -------- d-----w- c:\program files\BigFix
2009-09-02 19:02 . 2008-10-03 18:57 -------- d-----w- c:\documents and settings\HSM\Application Data\SUPERAntiSpyware.com
2009-09-02 15:18 . 2009-09-02 15:18 17751 ------w- c:\program files\Common Files\suzel._sy
2009-08-26 19:58 . 2007-01-03 04:48 -------- d-----w- c:\documents and settings\HSM\Application Data\U3
2009-08-16 23:36 . 2009-01-05 02:41 -------- d-----w- c:\program files\Common Files\Apple
2009-08-14 10:58 . 2009-09-03 02:28 7396 ------w- c:\windows\system32\drivers\pctcore.cat
2009-08-10 13:02 . 2006-07-21 03:41 52816 ------w- c:\documents and settings\HSM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 13:09 . 2009-07-22 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-06 13:09 . 2009-06-26 16:54 -------- d-----w- c:\program files\Norton Security Scan
2009-08-05 22:03 . 2008-11-17 15:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 21:47 . 2006-06-25 23:56 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-06-22 10:11 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-26 02:33 . 2006-08-04 15:31 -------- d-----w- c:\program files\DivX
2009-07-26 02:32 . 2009-07-26 00:52 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-26 02:24 . 2009-06-12 19:20 -------- d-----w- c:\documents and settings\HSM\Application Data\Vso
2009-07-26 01:17 . 2008-02-19 16:44 664 ------w- c:\windows\system32\d3d9caps.dat
2009-07-25 09:23 . 2009-06-09 21:44 411368 ------w- c:\windows\system32\deploytk.dll
2009-07-22 22:01 . 2006-07-27 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-22 22:00 . 2009-07-22 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-17 19:01 . 2005-06-22 10:11 58880 ------w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-06-22 10:12 286720 ------w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2005-06-22 10:11 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-06-22 10:11 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2005-06-22 10:11 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-06-22 10:11 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-12 19:20 . 2009-06-12 19:20 47360 ------w- c:\windows\system32\drivers\pcouffin.sys
2009-06-12 19:20 . 2009-06-12 19:20 47360 ------w- c:\documents and settings\HSM\Application Data\pcouffin.sys
2009-06-12 12:31 . 2005-06-22 10:11 80896 ------w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-06-22 10:11 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-06-22 10:11 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-06-22 10:26 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-06-22 10:11 132096 ------w- c:\windows\system32\wkssvc.dll
2008-08-15 23:00 . 2008-08-15 23:00 0 ------w- c:\program files\New InterActual Skin.iti
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-27 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"OnfolioStorage"="c:\programs\Onfolio\onfserv.exe" [2005-10-11 45056]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 1101824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"Cobian Backup 9 interface"="c:\program files\Cobian Backup 9\cbInterface.exe" [2009-01-22 2749952]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-13 282624]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-01-20 544768]
"Multi-function Keyboard"="GWHotKey.exe" - c:\windows\GWHotKey.exe [2001-08-28 98361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\HSM\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ------w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ------w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ------w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Gateway\\HPA\\gwmenu.exe"=
"c:\\Programs\\BitTornado\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\McAfee\\VirusScan Enterprise\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\tabtip.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\keyboardsurrogate.exe"=
"c:\\Program Files\\Xi\\NetTransport 2\\NetTransport.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [9/3/2009 11:52 AM 583168]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [6/25/2006 7:40 PM 24736]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [6/25/2006 7:40 PM 10496]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [6/22/2005 6:11 AM 14336]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/21/2005 11:25 PM 69692]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-DW4 - (no file)
HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe
HKLM-Run-sewizawego - c:\windows\system32\hukepoge.dll
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX2724
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Capture Page to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
IE: Capt&ure Target to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
IE: Capture &Snippet to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
IE: Capture Ima&ge to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
IE: Capture Page and Selected &Links to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
IE: Capture Selected Ite&ms to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
IE: Capture Site to &Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{2fc2f9a4-c43e-42c0-9490-19d6be8b1726} - {2fc2f9a4-c43e-42c0-9490-19d6be8b1726} - mscoree.dll
IE: {{30e2a68b-20f5-419d-bbb9-dce92edc4e67} - {30e2a68b-20f5-419d-bbb9-dce92edc4e67} - mscoree.dll
FF - ProfilePath - c:\documents and settings\HSM\Application Data\Mozilla\Firefox\Profiles\f1dtr28x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\programs\Firefox\plugins\nponf2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 13:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2168)
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Qualcomm\Eudora\EuShlExt.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\McAfee\VirusScan Enterprise\Scriptcl.dll
c:\windows\system32\netprovcredman.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-04 13:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 17:25

Pre-Run: 14,731,206,656 bytes free
Post-Run: 17,057,308,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

328 --- E O F --- 2009-09-02 07:00

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 September 2009 - 01:01 PM

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    File::
    C:\xvhu.exe
    C:\blyuwrjl.exe
    C:\osps.exe
    C:\emxtqjit.exe
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"=-
    Driver::
    USBDriver
    NetSvc::
    USBDriver

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Go to Start > Run, copy/paste the following text into the Run box and click OK.

    cmd /c (dir /o:d /a "C:\" & dir /a /s C:\WINDOWS\tasks) >log.txt&log.txt&del log.txt

    A text file will be created on your desktop. Please post the content to your reply.

  • We need to run the tool with the following command to fix some malware-related changes.
    Click on Start->Run, copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

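The check behind the Driver::/NetSvc:: stanzas above, as an added Python example that is not part of this thread or of ComboFix: it parses the R*/S* service lines and the "Svchost - NetSvcs" section of a ComboFix log (the constructed sample copies those lines from the log posted earlier), flags a non-default service whose image is the shared netsvcs svchost.exe, and renders the matching CFScript stanzas so the helper's fix can be checked against the log. The regex, the section delimiters and all function names are my own reading of the log layout, not ComboFix's documented format.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the service lines and the "Svchost - NetSvcs" section are
# copied from the ComboFix log posted earlier in this thread; everything else is omitted.
SAMPLE_LOG = r"""
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [9/3/2009 11:52 AM 583168]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [6/22/2005 6:11 AM 14336]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/21/2005 11:25 PM 69692]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver
.
Contents of the 'Scheduled Tasks' folder
"""

# ComboFix prints each non-default service as:  <R|S><start> name;display;image path [stamp]
# (this regex is my reading of the layout in the log above, not ComboFix's own code)
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[[^\]]*\]\s*$")
NETSVCS_HEADER = "\\Svchost - NetSvcs"


@dataclass
class Service:
    state: str    # R = running, S = stopped
    start: str    # start-type digit as printed by ComboFix
    name: str
    display: str
    path: str


@dataclass
class Finding:
    service: str
    reasons: List[str] = field(default_factory=list)


def parse_services(log: str) -> List[Service]:
    """Collect every R*/S* service line from a ComboFix log."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(Service(*m.groups()))
    return services


def parse_netsvcs_additions(log: str) -> List[str]:
    """Names ComboFix lists under 'Svchost - NetSvcs', i.e. entries that were
    appended to the netsvcs group value beyond the Windows defaults it filters out.
    The section ends at the first blank line or '.' separator."""
    names, in_section = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.endswith(NETSVCS_HEADER):
            in_section = True
            continue
        if in_section:
            if not s or s == ".":
                break
            names.append(s)
    return names


def find_netsvcs_hijacks(log: str) -> List[Finding]:
    """Flag non-default services whose image is the shared 'svchost.exe -k netsvcs'.
    ComboFix already hides legitimate default entries (see its *Note*), so a
    leftover service riding the netsvcs host, especially one whose name was also
    appended to the netsvcs group, is the pattern the Driver::/NetSvc:: fix targets."""
    additions = set(parse_netsvcs_additions(log))
    findings = []
    for svc in parse_services(log):
        path = svc.path.lower()
        if "svchost.exe" not in path or "-k netsvcs" not in path:
            continue
        f = Finding(svc.name, ["non-default service hosted by svchost.exe -k netsvcs"])
        if svc.name in additions:
            f.reasons.append("name was appended to the Svchost NetSvcs group value")
        if svc.name == svc.display:
            f.reasons.append("display name merely repeats the service name")
        findings.append(f)
    return findings


def cfscript_for(findings: List[Finding]) -> str:
    """Render the Driver::/NetSvc:: stanzas in the CFScript form used in the fix above,
    so the parser's result can be checked against what the helper asked to remove."""
    names = [f.service for f in findings]
    return "\n".join(["Driver::", *names, "NetSvc::", *names]) + "\n"


if __name__ == "__main__":
    hits = find_netsvcs_hijacks(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.service}: {'; '.join(hit.reasons)}")
    print(cfscript_for(hits), end="")
```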

#11 rum2runner

rum2runner
  • Topic Starter

  • Members
  • 28 posts

Posted 04 September 2009 - 01:55 PM

Here is the ComboFix....

ComboFix 09-09-03.02 - HSM 09/04/2009 14:29.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.542 [GMT -4:00]
Running from: c:\documents and settings\HSM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HSM\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"C:\blyuwrjl.exe"
"C:\emxtqjit.exe"
"C:\osps.exe"
"C:\xvhu.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\blyuwrjl.exe
C:\emxtqjit.exe
C:\osps.exe
C:\xvhu.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USBDRIVER
-------\Service_USBDriver


((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 13:44 . 2009-09-04 13:44 -------- d-----w- c:\temp\Trend Micro
2009-09-03 20:35 . 2009-09-03 20:35 -------- d-----w- c:\program files\ACW
2009-09-03 15:53 . 2009-09-03 15:53 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-09-03 15:52 . 2009-09-03 15:52 -------- d-----w- c:\program files\Cobian Backup 9
2009-09-03 15:51 . 2009-09-03 15:51 -------- d-----w- c:\program files\Enigma Software Group
2009-09-03 02:59 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 02:59 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 02:59 . 2009-09-03 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 02:49 . 2009-09-03 02:49 -------- d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2009-09-03 02:27 . 2009-09-03 02:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 00:02 . 2009-09-03 00:11 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-02 21:50 . 2009-09-02 21:50 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-02 19:31 . 2009-09-04 17:13 -------- d-----w- c:\windows\system32\1033
2009-09-02 17:28 . 2009-09-02 17:28 -------- d-----w- c:\program files\Trend Micro
2009-08-26 20:01 . 2009-09-04 13:35 -------- d-----w- c:\temp\New Folder
2009-08-16 23:36 . 2009-08-16 23:36 -------- d-----w- c:\program files\iPod
2009-08-16 23:36 . 2009-08-16 23:36 -------- d-----w- c:\program files\iTunes
2009-08-16 23:36 . 2009-08-16 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-16 23:33 . 2009-08-16 23:34 -------- d-----w- c:\program files\QuickTime
2009-08-16 23:30 . 2009-08-16 23:30 -------- d-----w- c:\program files\Bonjour
2009-08-12 08:30 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-09 08:48 . 2009-08-09 08:48 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 08:47 . 2009-08-09 08:47 -------- d-----w- c:\program files\MSBuild
2009-08-09 08:47 . 2009-08-09 08:47 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 08:43 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 08:43 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 08:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 08:43 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 08:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-09 08:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 08:43 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 18:32 . 2008-10-03 18:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-04 18:22 . 2006-07-27 17:03 -------- d-----w- c:\documents and settings\HSM\Application Data\Onfolio
2009-09-03 20:28 . 2006-07-26 14:50 -------- d-----w- c:\documents and settings\HSM\Application Data\EndNote
2009-09-03 03:00 . 2006-07-24 16:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-02 19:36 . 2006-06-25 23:55 -------- d-----w- c:\program files\BigFix
2009-09-02 19:02 . 2008-10-03 18:57 -------- d-----w- c:\documents and settings\HSM\Application Data\SUPERAntiSpyware.com
2009-09-02 15:18 . 2009-09-02 15:18 17751 ------w- c:\program files\Common Files\suzel._sy
2009-08-26 19:58 . 2007-01-03 04:48 -------- d-----w- c:\documents and settings\HSM\Application Data\U3
2009-08-16 23:36 . 2009-01-05 02:41 -------- d-----w- c:\program files\Common Files\Apple
2009-08-14 10:58 . 2009-09-03 02:28 7396 ------w- c:\windows\system32\drivers\pctcore.cat
2009-08-10 13:02 . 2006-07-21 03:41 52816 ------w- c:\documents and settings\HSM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 13:09 . 2009-07-22 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-06 13:09 . 2009-06-26 16:54 -------- d-----w- c:\program files\Norton Security Scan
2009-08-05 22:03 . 2008-11-17 15:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 21:47 . 2006-06-25 23:56 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-06-22 10:11 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-26 02:33 . 2006-08-04 15:31 -------- d-----w- c:\program files\DivX
2009-07-26 02:32 . 2009-07-26 00:52 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-26 02:24 . 2009-06-12 19:20 -------- d-----w- c:\documents and settings\HSM\Application Data\Vso
2009-07-26 01:17 . 2008-02-19 16:44 664 ------w- c:\windows\system32\d3d9caps.dat
2009-07-25 09:23 . 2009-06-09 21:44 411368 ------w- c:\windows\system32\deploytk.dll
2009-07-22 22:01 . 2006-07-27 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-22 22:00 . 2009-07-22 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-17 19:01 . 2005-06-22 10:11 58880 ------w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-06-22 10:12 286720 ------w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2005-06-22 10:11 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-06-22 10:11 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2005-06-22 10:11 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-06-22 10:11 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-12 19:20 . 2009-06-12 19:20 47360 ------w- c:\windows\system32\drivers\pcouffin.sys
2009-06-12 19:20 . 2009-06-12 19:20 47360 ------w- c:\documents and settings\HSM\Application Data\pcouffin.sys
2009-06-12 12:31 . 2005-06-22 10:11 80896 ------w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-06-22 10:11 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-06-22 10:11 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-06-22 10:26 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-06-22 10:11 132096 ------w- c:\windows\system32\wkssvc.dll
2008-08-15 23:00 . 2008-08-15 23:00 0 ------w- c:\program files\New InterActual Skin.iti
.

((((((((((((((((((((((((((((( SnapShot@2009-09-04_17.21.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-04 18:35 . 2009-09-04 18:35 16384 c:\windows\temp\Perflib_Perfdata_c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-27 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"OnfolioStorage"="c:\programs\Onfolio\onfserv.exe" [2005-10-11 45056]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 1101824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"Cobian Backup 9 interface"="c:\program files\Cobian Backup 9\cbInterface.exe" [2009-01-22 2749952]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-13 282624]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-01-20 544768]
"Multi-function Keyboard"="GWHotKey.exe" - c:\windows\GWHotKey.exe [2001-08-28 98361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\HSM\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ------w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ------w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ------w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Gateway\\HPA\\gwmenu.exe"=
"c:\\Programs\\BitTornado\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\McAfee\\VirusScan Enterprise\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\tabtip.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\keyboardsurrogate.exe"=
"c:\\Program Files\\Xi\\NetTransport 2\\NetTransport.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [9/3/2009 11:52 AM 583168]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [6/25/2006 7:40 PM 24736]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [6/25/2006 7:40 PM 10496]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/21/2005 11:25 PM 69692]
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX2724
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Capture Page to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
IE: Capt&ure Target to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
IE: Capture &Snippet to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
IE: Capture Ima&ge to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
IE: Capture Page and Selected &Links to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
IE: Capture Selected Ite&ms to Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
IE: Capture Site to &Onfolio... - c:\programs\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{2fc2f9a4-c43e-42c0-9490-19d6be8b1726} - {2fc2f9a4-c43e-42c0-9490-19d6be8b1726} - mscoree.dll
IE: {{30e2a68b-20f5-419d-bbb9-dce92edc4e67} - {30e2a68b-20f5-419d-bbb9-dce92edc4e67} - mscoree.dll
FF - ProfilePath - c:\documents and settings\HSM\Application Data\Mozilla\Firefox\Profiles\f1dtr28x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 14:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2808)
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-04 14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 18:40
ComboFix2.txt 2009-09-04 17:25

Pre-Run: 17,051,406,336 bytes free
Post-Run: 16,987,602,944 bytes free

284 --- E O F --- 2009-09-02 07:00

#12 rum2runner


Posted 04 September 2009 - 01:56 PM

Here is the info (log file) from step 2.....

Step 3 is running ....

Volume in drive C has no label.
Volume Serial Number is 442B-B0D3

Directory of C:\

08/03/2004 11:00 PM 260,272 cmldr
08/04/2004 08:00 AM 47,564 NTDETECT.COM
06/22/2005 06:32 AM 0 AUTOEXEC.BAT
06/22/2005 06:32 AM 0 IO.SYS
06/22/2005 06:32 AM 0 CONFIG.SYS
06/22/2005 06:32 AM 0 MSDOS.SYS
06/25/2006 07:39 PM <DIR> CMPNENTS
06/25/2006 07:55 PM 2 AUDIT_INSTALL_IN_PROGRESS
06/25/2006 07:56 PM 191 touchpad.log
06/25/2006 07:57 PM <DIR> ses2_client_bin_2_8_13g
06/25/2006 08:00 PM 1,095 IPH.PH
06/25/2006 08:03 PM 186 RaidApp.log
07/20/2006 11:28 PM <DIR> Documents and Settings
07/27/2006 12:41 PM <DIR> Drivers
11/28/2006 09:00 PM <DIR> c749631cc5735ce1eb19872cb02f0fce
04/13/2007 10:23 PM 1,140 drmHeader.bin
01/05/2008 09:45 PM <DIR> MSOCache
09/30/2008 09:28 AM 250,048 ntldr
10/10/2008 04:03 PM 10,383 CLDMA.LOG
10/22/2008 12:39 PM <DIR> cabs
12/16/2008 07:16 PM 211 boot.ini.save
12/30/2008 05:51 PM <DIR> MRecord
01/17/2009 10:47 PM <DIR> My Music
02/05/2009 09:09 PM <DIR> backup
06/12/2009 06:11 PM <DIR> downloads
07/20/2009 10:02 AM <DIR> New Folder
08/24/2009 04:52 PM <DIR> sm
09/02/2009 10:50 AM 2 1143714003
09/02/2009 06:00 PM <DIR> QUARANTINE
09/03/2009 10:09 AM 12 SyncToyDirectoryId.txt
09/03/2009 11:27 AM 211 Boot.bak
09/03/2009 11:37 AM <DIR> Config.Msi
09/03/2009 04:29 PM <DIR> Programs
09/04/2009 09:44 AM <DIR> temp
09/04/2009 11:30 AM <DIR> Program Files
09/04/2009 11:30 AM 1,608 avenger.txt
09/04/2009 01:11 PM <DIR> cmdcons
09/04/2009 01:11 PM 281 boot.ini
09/04/2009 02:26 PM <DIR> System Volume Information
09/04/2009 02:35 PM 1,598,029,824 pagefile.sys
09/04/2009 02:35 PM 1,063,374,848 hiberfil.sys
09/04/2009 02:36 PM <DIR> WINDOWS
09/04/2009 02:40 PM 19,528 ComboFix.txt
09/04/2009 02:41 PM <DIR> Qoobox
22 File(s) 2,661,997,406 bytes
22 Dir(s) 17,024,610,304 bytes free
Volume in drive C has no label.
Volume Serial Number is 442B-B0D3

Directory of C:\WINDOWS\tasks

08/06/2009 09:09 AM <DIR> .
08/06/2009 09:09 AM <DIR> ..
08/29/2009 06:41 PM 284 AppleSoftwareUpdate.job
08/04/2004 08:00 AM 65 desktop.ini
09/04/2009 02:35 PM 6 SA.DAT
3 File(s) 355 bytes

Total Files Listed:
3 File(s) 355 bytes
2 Dir(s) 17,024,610,304 bytes free

#13 rum2runner


Posted 04 September 2009 - 02:07 PM

Here is the win32diag file....

Log file is located at: C:\Documents and Settings\HSM\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

[1] 2008-12-09 15:24:38 17593280 C:\WINDOWS\system32\MRT.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\ntbackup.exe

Attempting to restore permissions of : C:\WINDOWS\system32\ntbackup.exe

[1] 2004-08-04 08:00:00 1200128 C:\WINDOWS\$NtServicePackUninstall$\ntbackup.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:30 1200640 C:\WINDOWS\ServicePackFiles\i386\ntbackup.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:30 1200640 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntbackup.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:30 1200640 C:\WINDOWS\system32\ntbackup.exe (Microsoft Corporation)





Finished!

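The Win32kDiag output above lists directory reparse points ("mount points") and files the tool could not open. As an added example (not Win32kDiag's code and not anything the posters ran), the Python below parses that log format, flags any mount point whose target is a raw \Device\ object rather than a normal directory, and compares each locked file's size with the copy under ServicePackFiles\i386; the sample log is constructed from the lines above, and treating ServicePackFiles\i386 as the service-pack file cache is an assumption.

```python
import re
# Constructed sample in the format of the Win32kDiag log posted above, not the poster's full log.
SAMPLE_LOG = r"""
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2008-12-09 15:24:38 17593280 C:\WINDOWS\system32\MRT.exe (Microsoft Corporation)
Finished!
"""
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.+)\)$")   # [n] date time size path (vendor)

def parse_win32kdiag(text):
    """Return the mount points, locked files and file copies listed in a Win32kDiag log."""
    mount_points, locked, copies, pending = [], [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := MOUNT_RE.match(line):
            pending = m.group(1)                    # destination is on the following line
        elif (m := DEST_RE.match(line)) and pending:
            mount_points.append({"path": pending, "destination": m.group(1)})
            pending = None
        elif m := LOCKED_RE.match(line):
            locked.append(m.group(1))
        elif m := COPY_RE.match(line):
            size, path, vendor = m.groups()
            copies.append({"size": int(size), "path": path, "vendor": vendor})
    return {"mount_points": mount_points, "locked": locked, "copies": copies}

def suspicious_mount_points(report):
    """Directory reparse points aimed at a raw \\Device\\ object, as in the log above."""
    return [mp["path"] for mp in report["mount_points"]
            if mp["destination"].lower().startswith("\\device\\")]

def cache_check(report, sysroot=r"C:\WINDOWS"):
    """Compare each locked file's size with the copy in ServicePackFiles\\i386 (assumed SP cache)."""
    by_path = {c["path"].lower(): c["size"] for c in report["copies"]}
    result = {}
    for path in report["locked"]:
        name = path.rsplit("\\", 1)[-1]
        cache = by_path.get(f"{sysroot}\\servicepackfiles\\i386\\{name}".lower())
        size = by_path.get(path.lower())
        result[path] = ("no cache copy" if cache is None or size is None else
                        "matches cache" if size == cache else "size differs from cache")
    return result
```

A size match against the cache only says the locked file is the expected build; it is the reparse point into \Device\ that is the real finding here, which is why the cleanup above removes it first.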
#14 Farbar


Posted 04 September 2009 - 02:20 PM

Well done rum2runner. :(

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


#15 rum2runner


Posted 04 September 2009 - 02:27 PM

Thanks -- I was wondering if I was making progress but didn't want to rush things....

Thanks so much for your help... Junction is running....
