
Infected: Fake Antispyware in System Tray


10 replies to this topic

#1 ramapoguy

Posted 21 October 2009 - 11:01 AM

Hi! I seem to be having an issue with a bit of fake antispyware my computer has acquired. It placed an icon in the system tray (in the corner, next to the clock) that pops up a dialogue balloon every few minutes telling me that it wants to download more antispyware "to pervent file loss". Clearly it has ulterior motives. Any help you could offer would be appreciated.

------------------------------------------------------------

DDS (Ver_09-10-13.01) - NTFSx86
Run by Tim Riley at 11:36:28.34 on Wed 10/21/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_04
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.50 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\Temp\wpv831255703227.exe
C:\WINDOWS\system32\restorer64_a.exe
C:\WINDOWS\system32\qtplugin.exe
C:\Documents and Settings\Tim Riley\restorer64_a.exe
C:\Documents and Settings\Tim Riley\Application Data\seres.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\rundll22.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
svchost
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tim Riley\Application Data\svcst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Documents and Settings\Tim Riley\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {84938242-5C5B-4A55-B6B9-A1507543B418} - No File
uRun: [Aim6]
uRun: [restorer64_a] c:\documents and settings\tim riley\restorer64_a.exe
uRun: [mserv] c:\documents and settings\tim riley\application data\seres.exe
uRun: [svchost] c:\documents and settings\tim riley\application data\svcst.exe
uRun: [ttool] c:\windows\rundll22.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [sysgif32] c:\windows\temp\wpv831255703227.exe
mRun: [restorer64_a] c:\windows\system32\restorer64_a.exe
mRun: [RegistryMonitor1] c:\windows\system32\qtplugin.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [Rlinerul] rundll32.exe "c:\windows\obunamisunogewu.dll",Startup
StartupFolder: c:\documents and settings\tim riley\start menu\programs\startup\zavupd32.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-9600-000000000000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = scecli esdvgras.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timril~1\applic~1\mozilla\firefox\profiles\fqtbgok9.tim\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/my/?from=hat_gotomp&ref=/weather/local/07430
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25} - c:\documents and settings\tim riley\local settings\application data\{F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25}

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-10-11 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-22 200192]
S1 DW;DW; [x]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2002-5-24 10368]

=============== Created Last 30 ================

2009-10-21 11:25 0 a------- c:\windows\Pcuvibug.bin
2009-10-21 11:25 120 a------- c:\windows\Xjiqazob.dat
2009-10-21 11:23 59,904 a------- c:\windows\rundll22.exe
2009-10-21 11:23 292,352 a------- c:\windows\system32\qtplugin.exe
2009-10-21 11:22 27,136 a------- c:\windows\system32\cpcp.cpo
2009-10-21 11:22 159,856 a------- c:\docume~1\timril~1\applic~1\lizkavd.exe
2009-10-21 11:22 45,056 a------- c:\docume~1\timril~1\applic~1\svcst.exe
2009-10-21 11:22 45,056 a------- c:\docume~1\timril~1\applic~1\seres.exe
2009-10-21 11:21 58,729 a------- c:\documents and settings\tim riley\restorer64_a.exe
2009-10-21 11:21 58,729 a------- c:\windows\system32\restorer64_a.exe
2009-10-16 19:27 <DIR> --d----- c:\documents and settings\tim riley\.sbd
2009-10-12 17:52 <DIR> --d----- c:\docume~1\timril~1\applic~1\MozBackup
2009-10-11 18:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-10-11 18:02 <DIR> --d----- c:\program files\AIM6
2009-10-11 18:02 965 a---h--- C:\IPH.PH

==================== Find3M ====================

2009-10-21 09:31 38,590 a------- c:\docume~1\timril~1\applic~1\wklnhst.dat
2008-02-23 23:04 2,517,318 a------- c:\program files\AdwareAway.exe
2007-12-20 23:23 2,386,509 a------- c:\program files\dvdpeansetup38540.exe
2007-12-20 23:20 2,441,161 a------- c:\program files\dvdziplite38540.exe
2007-12-20 23:19 4,985,029 a------- c:\program files\iPodConv_r45520.exe
2007-12-20 23:06 3,414,763 a------- c:\program files\setup_yasamp4converter.exe
2007-12-20 17:19 2,518,239 a------- c:\program files\DVDFabHDDecrypter4012.exe
2006-10-26 15:52 164,056 ac------ c:\docume~1\timril~1\applic~1\FNTCACHE.BIN
2006-10-23 00:00 22,537 ac------ c:\docume~1\timril~1\applic~1\perfc012.dat
2005-08-19 12:09 8,715,352 ac------ c:\program files\AIM.exe
2005-08-19 09:48 10,958,640 ac------ c:\program files\GoogleEarth.exe
2005-08-18 15:26 42,524,211 ac------ c:\program files\Symantec_AntiVirus_Client.exe
2005-07-09 22:12 1,035,943 ac------ c:\program files\myTunesReduxInstaller.exe

============= FINISH: 11:37:34.65 ===============


#2 Blade81 (Malware Response Team)

Posted 30 October 2009 - 09:06 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 ramapoguy (Topic Starter)

Posted 30 October 2009 - 03:43 PM

Thanks. Here's the new DDS log, as requested.

--------------------------------------


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tim Riley at 16:40:07.73 on Fri 10/30/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_04
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.124 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\rundll22.exe
C:\WINDOWS\system32\restorer64_a.exe
C:\Documents and Settings\Tim Riley\restorer64_a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim Riley\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {84938242-5C5B-4A55-B6B9-A1507543B418} - No File
uRun: [Aim6]
uRun: [restorer64_a] c:\documents and settings\tim riley\restorer64_a.exe
uRun: [mserv] c:\documents and settings\tim riley\application data\seres.exe
uRun: [svchost] c:\documents and settings\tim riley\application data\svcst.exe
uRun: [ttool] c:\windows\rundll22.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [sysgif32] c:\windows\temp\wpv831255703227.exe
mRun: [restorer64_a] c:\windows\system32\restorer64_a.exe
mRun: [RegistryMonitor1] c:\windows\system32\qtplugin.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [Rlinerul] rundll32.exe "c:\windows\obunamisunogewu.dll",Startup
mRun: [17034520] c:\docume~1\alluse~1\applic~1\17034520\17034520.exe
mRun: [PromoReg] c:\windows\temp\_ex-08.exe
StartupFolder: c:\documents and settings\tim riley\start menu\programs\startup\zavupd32.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-9600-000000000000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = scecli esdvgras.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timril~1\applic~1\mozilla\firefox\profiles\fqtbgok9.tim\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/my/?from=hat_gotomp&ref=/weather/local/USNJ0365
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25} - c:\documents and settings\tim riley\local settings\application data\{F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25}

============= SERVICES / DRIVERS ===============

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-10-11 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-22 200192]
S1 DW;DW; [x]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2002-5-24 10368]

=============== Created Last 30 ================

2009-10-29 19:31:09 1 ----a-w- c:\documents and settings\tim riley\oashdihasidhasuidhiasdhiashdiuasdhasd
2009-10-24 01:05:48 0 d-----w- c:\program files\WinPcap
2009-10-24 00:47:22 0 d-----w- c:\docume~1\alluse~1\applic~1\17034520
2009-10-24 00:47:04 159856 ----a-w- c:\docume~1\timril~1\applic~1\lizkavd.exe
2009-10-24 00:32:24 0 d-----w- c:\windows\ServicePackFiles
2009-10-24 00:26:29 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-21 15:25:45 0 ----a-w- c:\windows\Pcuvibug.bin
2009-10-21 15:25:44 120 ----a-w- c:\windows\Xjiqazob.dat
2009-10-21 15:23:52 59904 ----a-w- c:\windows\rundll22.exe
2009-10-21 15:22:57 27136 ----a-w- c:\windows\system32\cpcp.cpo
2009-10-21 15:21:53 58729 ----a-w- c:\documents and settings\tim riley\restorer64_a.exe
2009-10-21 15:21:51 58729 ----a-w- c:\windows\system32\restorer64_a.exe
2009-10-16 23:27:16 0 d-----w- c:\documents and settings\tim riley\.sbd
2009-10-12 21:52:10 0 d-----w- c:\docume~1\timril~1\applic~1\MozBackup
2009-10-11 22:03:50 0 d-----w- c:\docume~1\alluse~1\applic~1\acccore
2009-10-11 22:02:59 0 d-----w- c:\program files\AIM6
2009-10-11 22:02:56 965 ---ha-w- C:\IPH.PH

==================== Find3M ====================

2009-10-26 22:00:16 38518 ----a-w- c:\docume~1\timril~1\applic~1\wklnhst.dat
2009-08-21 09:46:35 450560 ------w- c:\windows\system32\dllcache\jscript.dll
2009-08-06 23:24:18 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 23:24:18 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 23:24:06 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 23:24:04 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-08-06 23:23:54 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 23:23:46 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-08-04 14:00:46 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:00:46 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 13:58:28 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 13:13:35 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 13:13:32 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 13:13:32 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-02-24 03:04:31 2517318 ----a-w- c:\program files\AdwareAway.exe
2007-12-21 03:23:35 2386509 ----a-w- c:\program files\dvdpeansetup38540.exe
2007-12-21 03:20:41 2441161 ----a-w- c:\program files\dvdziplite38540.exe
2007-12-21 03:19:04 4985029 ----a-w- c:\program files\iPodConv_r45520.exe
2007-12-21 03:06:09 3414763 ----a-w- c:\program files\setup_yasamp4converter.exe
2007-12-20 21:19:50 2518239 ----a-w- c:\program files\DVDFabHDDecrypter4012.exe
2005-08-19 16:09:15 8715352 -c--a-w- c:\program files\AIM.exe
2005-08-19 13:48:15 10958640 -c--a-w- c:\program files\GoogleEarth.exe
2005-08-18 19:26:39 42524211 -c--a-w- c:\program files\Symantec_AntiVirus_Client.exe
2005-07-10 02:12:36 1035943 -c--a-w- c:\program files\myTunesReduxInstaller.exe

============= FINISH: 16:41:29.34 ===============

#4 Blade81 (Malware Response Team)

Posted 30 October 2009 - 04:20 PM

Ok. Let's see it then :(


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 ramapoguy (Topic Starter)

Posted 05 November 2009 - 11:34 AM

OK, here we are. Sorry for the delay; I was away from home for a few days because of work. Here's the ComboFix log, and the new DDS log.

-------------------------------------------

ComboFix 09-11-04.05 - Tim Riley 11/05/2009 11:11.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.211 [GMT -5:00]
Running from: c:\documents and settings\Tim Riley\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tim Riley\Application Data\lizkavd.exe
c:\documents and settings\Tim Riley\Application Data\wiaserva.log
c:\documents and settings\Tim Riley\Local Settings\Application Data\{F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25}
c:\documents and settings\Tim Riley\Local Settings\Application Data\{F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25}\chrome.manifest
c:\documents and settings\Tim Riley\Local Settings\Application Data\{F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25}\chrome\content\_cfg.js
c:\documents and settings\Tim Riley\Local Settings\Application Data\{F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25}\chrome\content\overlay.xul
c:\documents and settings\Tim Riley\Local Settings\Application Data\{F6A9ABF6-DB71-4FB4-B01F-D7BFB30DAC25}\install.rdf
c:\documents and settings\Tim Riley\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Tim Riley\restorer64_a.exe
c:\documents and settings\Tim Riley\Start Menu\Programs\Startup\zavupd32.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\recycler\S-1-5-21-2738528725-3377773627-2742169642-1003
c:\windows\adaway.lic
c:\windows\obunamisunogewu.dll
c:\windows\rundll22.exe
c:\windows\system32\cpcp.cpo
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\qtplugin.exe
c:\windows\system32\restorer64_a.exe
c:\windows\system32\tmp.reg
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-10-31 23:30 . 2009-10-31 23:30 167856 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.exe
2009-10-31 23:02 . 2009-10-31 23:02 300352 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.exe
2009-10-24 00:47 . 2009-10-24 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\17034520
2009-10-24 00:32 . 2009-10-24 00:32 -------- d-----w- c:\windows\ServicePackFiles
2009-10-24 00:26 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-21 15:25 . 2009-11-05 16:11 0 ----a-w- c:\windows\Pcuvibug.bin
2009-10-21 15:25 . 2009-11-05 16:11 120 ----a-w- c:\windows\Xjiqazob.dat
2009-10-16 23:27 . 2009-10-16 23:27 -------- d-----w- c:\documents and settings\Tim Riley\.sbd
2009-10-13 21:54 . 2009-10-13 21:54 -------- d-----w- c:\documents and settings\Tim Riley\Local Settings\Application Data\AIM
2009-10-12 21:52 . 2009-10-12 21:52 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\MozBackup
2009-10-11 22:07 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-10-11 22:04 . 2009-10-11 22:04 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\acccore
2009-10-11 22:04 . 2009-10-11 22:04 -------- d-----w- c:\documents and settings\Tim Riley\Local Settings\Application Data\AOL
2009-10-11 22:03 . 2009-10-11 22:03 -------- d-----w- c:\documents and settings\Tim Riley\Local Settings\Application Data\AOL OCP
2009-10-11 22:03 . 2009-10-11 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-10-11 22:03 . 2009-10-11 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-11 22:02 . 2009-10-11 22:04 -------- d-----w- c:\program files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 15:21 . 2006-10-26 16:57 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-26 22:00 . 2005-09-03 20:52 38518 ----a-w- c:\documents and settings\Tim Riley\Application Data\wklnhst.dat
2009-10-23 19:22 . 2007-05-09 21:46 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\U3
2009-10-23 18:51 . 2007-01-11 18:21 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\Viewpoint
2009-10-18 00:01 . 2005-07-17 19:31 -------- d-----w- c:\program files\Warcraft III
2009-10-11 22:03 . 2005-06-25 00:15 -------- d-----w- c:\program files\Viewpoint
2009-10-11 22:03 . 2005-06-25 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-11 22:03 . 2005-06-25 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-11 22:03 . 2005-06-25 00:12 -------- d-----w- c:\program files\Common Files\AOL
2009-10-11 22:01 . 2005-08-19 16:10 -------- d-----w- c:\program files\AIM
2008-02-24 03:04 . 2008-02-24 03:04 2517318 ----a-w- c:\program files\AdwareAway.exe
2007-12-21 03:23 . 2007-12-21 03:23 2386509 ----a-w- c:\program files\dvdpeansetup38540.exe
2007-12-21 03:20 . 2007-12-21 03:20 2441161 ----a-w- c:\program files\dvdziplite38540.exe
2007-12-21 03:19 . 2007-12-21 03:18 4985029 ----a-w- c:\program files\iPodConv_r45520.exe
2007-12-21 03:06 . 2007-12-21 03:06 3414763 ----a-w- c:\program files\setup_yasamp4converter.exe
2007-12-20 21:19 . 2007-12-20 21:19 2518239 ----a-w- c:\program files\DVDFabHDDecrypter4012.exe
2005-08-19 16:09 . 2005-08-19 16:08 8715352 -c--a-w- c:\program files\AIM.exe
2005-08-19 13:48 . 2005-08-19 13:48 10958640 -c--a-w- c:\program files\GoogleEarth.exe
2005-08-18 19:26 . 2005-08-18 19:26 42524211 -c--a-w- c:\program files\Symantec_AntiVirus_Client.exe
2005-07-10 02:12 . 2005-07-10 02:12 1035943 -c--a-w- c:\program files\myTunesReduxInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli esdvgras.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"47119:TCP"= 47119:TCP:*:Disabled:null
"113:TCP"= 113:TCP:*:Disabled:null

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/11/2009 5:03 PM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 9:39 AM 200192]
S1 DW;DW; [x]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [5/24/2002 10:52 AM 10368]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tim Riley\Application Data\Mozilla\Firefox\Profiles\fqtbgok9.Tim\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/my/?from=hat_gotomp&ref=/weather/local/USNJ0365
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-Rlinerul - c:\windows\obunamisunogewu.dll
HKLM-Run-17034520 - c:\docume~1\ALLUSE~1\APPLIC~1\17034520\17034520.exe
AddRemove-Xvid_is1 - c:\program files\Microsoft Games\Impossible Creatures\savegame\unfiled\Xvid\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 11:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?5?0?7??????? ???B?????????????hLC? ??????

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\esdvgras.dll

- - - - - - - > 'explorer.exe'(2388)
c:\windows\esdvgras.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\windows\system32\cba\pds.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\cba\xfr.exe
c:\windows\system32\MsgSys.EXE
c:\windows\system32\Ati2evxx.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 16:29

Pre-Run: 9,477,693,440 bytes free
Post-Run: 10,004,926,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

----------------------------------------


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tim Riley at 11:31:43.85 on Thu 11/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_04
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.130 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim Riley\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-9600-000000000000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = scecli esdvgras.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timril~1\applic~1\mozilla\firefox\profiles\fqtbgok9.tim\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/my/?from=hat_gotomp&ref=/weather/local/USNJ0365
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-10-11 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-22 200192]
S1 DW;DW; [x]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2002-5-24 10368]

=============== Created Last 30 ================

2009-11-05 16:08:06 0 d-sha-r- C:\cmdcons
2009-11-05 16:06:58 77312 ----a-w- c:\windows\MBR.exe
2009-11-05 16:06:57 98816 ----a-w- c:\windows\sed.exe
2009-11-05 16:06:57 267264 ----a-w- c:\windows\PEV.exe
2009-11-05 16:06:57 161792 ----a-w- c:\windows\SWREG.exe
2009-11-05 16:06:40 0 d-----w- C:\ComboFix
2009-10-24 00:47:22 0 d-----w- c:\docume~1\alluse~1\applic~1\17034520
2009-10-24 00:32:24 0 d-----w- c:\windows\ServicePackFiles
2009-10-24 00:26:29 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-21 15:25:45 0 ----a-w- c:\windows\Pcuvibug.bin
2009-10-21 15:25:44 120 ----a-w- c:\windows\Xjiqazob.dat
2009-10-16 23:27:16 0 d-----w- c:\documents and settings\tim riley\.sbd
2009-10-12 21:52:10 0 d-----w- c:\docume~1\timril~1\applic~1\MozBackup
2009-10-11 22:03:50 0 d-----w- c:\docume~1\alluse~1\applic~1\acccore
2009-10-11 22:02:59 0 d-----w- c:\program files\AIM6
2009-10-11 22:02:56 965 ---ha-w- C:\IPH.PH

==================== Find3M ====================

2009-10-26 22:00:16 38518 ----a-w- c:\docume~1\timril~1\applic~1\wklnhst.dat
2009-08-21 09:46:35 450560 ------w- c:\windows\system32\dllcache\jscript.dll
2008-02-24 03:04:31 2517318 ----a-w- c:\program files\AdwareAway.exe
2007-12-21 03:23:35 2386509 ----a-w- c:\program files\dvdpeansetup38540.exe
2007-12-21 03:20:41 2441161 ----a-w- c:\program files\dvdziplite38540.exe
2007-12-21 03:19:04 4985029 ----a-w- c:\program files\iPodConv_r45520.exe
2007-12-21 03:06:09 3414763 ----a-w- c:\program files\setup_yasamp4converter.exe
2007-12-20 21:19:50 2518239 ----a-w- c:\program files\DVDFabHDDecrypter4012.exe
2005-08-19 16:09:15 8715352 -c--a-w- c:\program files\AIM.exe
2005-08-19 13:48:15 10958640 -c--a-w- c:\program files\GoogleEarth.exe
2005-08-18 19:26:39 42524211 -c--a-w- c:\program files\Symantec_AntiVirus_Client.exe
2005-07-10 02:12:36 1035943 -c--a-w- c:\program files\myTunesReduxInstaller.exe

============= FINISH: 11:31:57.07 ===============

#6 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 05 November 2009 - 11:52 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

Collect::
c:\windows\esdvgras.dll
DDS::
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
Folder::
c:\docume~1\alluse~1\applic~1\17034520
File::
c:\windows\Pcuvibug.bin
c:\windows\Xjiqazob.dat
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. Have your internet connection enabled so that file samples can be submitted.
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
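
A defender-side check for the persistence mechanism Blade81's script undoes: the LSA "Notification Packages" value names DLLs that lsass.exe loads at boot (the logs above show esdvgras.dll loaded in lsass.exe and explorer.exe), and the Registry:: section of the CFScript restores the value to just scecli in .reg hex(7) form. The Python below is an added example, not code from ComboFix, DDS or Blade81: it decodes and re-encodes that hex(7) REG_MULTI_SZ value and flags any package not in a small allowlist (treating scecli as the only expected package on a stock XP box is an assumption); the sample lines are copied from the logs in this thread.

```python
"""Decode/encode REG_MULTI_SZ values in .reg hex(7) form and flag unexpected
LSA Notification Packages in DDS / ComboFix / .reg style lines.
Added example for this thread; not ComboFix, DDS or Blade81's code."""
import re

# Assumption: on a stock Windows XP box only scecli is expected here.
KNOWN_LSA_PACKAGES = {"scecli"}

# Line shapes seen in this thread: DDS pseudo-HJT, ComboFix "Reg Loading
# Points", and the CFScript / REGEDIT4 value line.
LINE_PATTERNS = [
    re.compile(r"^LSA:\s*Notification Packages\s*=\s*(.+)$"),
    re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(.+)$"),
    re.compile(r'^"Notification Packages"=(hex\(7\):.+)$'),
]


def decode_multi_sz_hex7(value, utf16=False):
    """Turn 'hex(7):73,63,...' into the list of strings it encodes.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL.
    A REGEDIT4 export (the format used in the CFScript above) stores one byte
    per character; a 'Windows Registry Editor Version 5.00' export stores
    UTF-16LE, selected here with utf16=True.
    """
    body = value.strip()
    if body.lower().startswith("hex(7):"):
        body = body[len("hex(7):"):]
    # Regedit wraps long values with a trailing backslash; drop those.
    raw = bytes(int(b, 16) for b in body.replace("\\", "").split(",") if b.strip())
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def encode_multi_sz_hex7(strings, utf16=False):
    """Inverse of decode_multi_sz_hex7: build the hex(7) value for a .reg file."""
    text = "".join(s + "\x00" for s in strings) + "\x00"
    raw = text.encode("utf-16-le") if utf16 else text.encode("latin-1")
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def notification_packages_from_line(line):
    """Return the package names on one log/reg line, or None if unrelated."""
    line = line.strip()
    for pat in LINE_PATTERNS:
        m = pat.match(line)
        if m:
            val = m.group(1).strip()
            if val.lower().startswith("hex(7):"):
                return decode_multi_sz_hex7(val)
            return val.split()
    return None


def unexpected_packages(lines, known=KNOWN_LSA_PACKAGES):
    """List (line_number, package) for every package not in the allowlist."""
    findings = []
    for n, line in enumerate(lines, 1):
        pkgs = notification_packages_from_line(line)
        if pkgs is None:
            continue
        for p in pkgs:
            if p.lower() not in known:
                findings.append((n, p))
    return findings


# Lines copied from the logs in this thread (registry key header, ComboFix
# dump, DDS line, and the CFScript fix value).
SAMPLE_LINES = [
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]",
    "Notification Packages REG_MULTI_SZ scecli esdvgras.dll",
    "LSA: Notification Packages = scecli esdvgras.dll",
    '"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00',
]

if __name__ == "__main__":
    for n, pkg in unexpected_packages(SAMPLE_LINES):
        print("line %d: unexpected LSA notification package %r" % (n, pkg))
    print("clean value:", encode_multi_sz_hex7(sorted(KNOWN_LSA_PACKAGES)))
```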


#7 ramapoguy
  • Topic Starter
  • Members
  • 17 posts

Posted 05 November 2009 - 02:18 PM

I followed your instructions. Specifically, I:

-Ran Combofix again, using the script you provided
-Uninstalled outdated Adobe Reader, and replaced it with the newest version
-Uninstalled outdated Shockwave player, and replaced it with the newest version
-Uninstalled outdated version of Flash, and replaced it with the newest version
-Uninstalled outdated versions of Java, and replaced it with the newest version
-Ran ATF Cleaner

I also attempted to run the online Kaspersky scan, but it got stuck downloading; it might be a temporary error with the site, and I will try again later if that is what you want me to do.

Additionally, Firefox seems to now be having difficulty rendering certain webpages, including this forum page. The formatting and links do not seem to be displaying correctly, mostly appearing as simple text. Can this be fixed?

Here are the newest Combofix and DDS logs.

-----------------------------------------

ComboFix 09-11-04.05 - Tim Riley 11/05/2009 12:48.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.237 [GMT -5:00]
Running from: c:\documents and settings\Tim Riley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim Riley\Desktop\CFScript.txt

FILE ::
"c:\windows\Pcuvibug.bin"
"c:\windows\Xjiqazob.dat"

file zipped: c:\windows\esdvgras.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\17034520
c:\windows\esdvgras.dll
c:\windows\Pcuvibug.bin
c:\windows\Xjiqazob.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-10-31 23:30 . 2009-10-31 23:30 167856 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.exe
2009-10-31 23:02 . 2009-10-31 23:02 300352 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.exe
2009-10-24 00:32 . 2009-10-24 00:32 -------- d-----w- c:\windows\ServicePackFiles
2009-10-24 00:26 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-16 23:27 . 2009-10-16 23:27 -------- d-----w- c:\documents and settings\Tim Riley\.sbd
2009-10-13 21:54 . 2009-10-13 21:54 -------- d-----w- c:\documents and settings\Tim Riley\Local Settings\Application Data\AIM
2009-10-12 21:52 . 2009-10-12 21:52 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\MozBackup
2009-10-11 22:07 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-10-11 22:04 . 2009-10-11 22:04 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\acccore
2009-10-11 22:04 . 2009-10-11 22:04 -------- d-----w- c:\documents and settings\Tim Riley\Local Settings\Application Data\AOL
2009-10-11 22:03 . 2009-10-11 22:03 -------- d-----w- c:\documents and settings\Tim Riley\Local Settings\Application Data\AOL OCP
2009-10-11 22:03 . 2009-10-11 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-10-11 22:03 . 2009-10-11 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-11 22:02 . 2009-10-11 22:04 -------- d-----w- c:\program files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 17:12 . 2006-10-26 16:57 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-26 22:00 . 2005-09-03 20:52 38518 ----a-w- c:\documents and settings\Tim Riley\Application Data\wklnhst.dat
2009-10-23 19:22 . 2007-05-09 21:46 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\U3
2009-10-23 18:51 . 2007-01-11 18:21 -------- d-----w- c:\documents and settings\Tim Riley\Application Data\Viewpoint
2009-10-18 00:01 . 2005-07-17 19:31 -------- d-----w- c:\program files\Warcraft III
2009-10-11 22:03 . 2005-06-25 00:15 -------- d-----w- c:\program files\Viewpoint
2009-10-11 22:03 . 2005-06-25 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-11 22:03 . 2005-06-25 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-11 22:03 . 2005-06-25 00:12 -------- d-----w- c:\program files\Common Files\AOL
2009-10-11 22:01 . 2005-08-19 16:10 -------- d-----w- c:\program files\AIM
2008-02-24 03:04 . 2008-02-24 03:04 2517318 ----a-w- c:\program files\AdwareAway.exe
2007-12-21 03:23 . 2007-12-21 03:23 2386509 ----a-w- c:\program files\dvdpeansetup38540.exe
2007-12-21 03:20 . 2007-12-21 03:20 2441161 ----a-w- c:\program files\dvdziplite38540.exe
2007-12-21 03:19 . 2007-12-21 03:18 4985029 ----a-w- c:\program files\iPodConv_r45520.exe
2007-12-21 03:06 . 2007-12-21 03:06 3414763 ----a-w- c:\program files\setup_yasamp4converter.exe
2007-12-20 21:19 . 2007-12-20 21:19 2518239 ----a-w- c:\program files\DVDFabHDDecrypter4012.exe
2005-08-19 16:09 . 2005-08-19 16:08 8715352 -c--a-w- c:\program files\AIM.exe
2005-08-19 13:48 . 2005-08-19 13:48 10958640 -c--a-w- c:\program files\GoogleEarth.exe
2005-08-18 19:26 . 2005-08-18 19:26 42524211 -c--a-w- c:\program files\Symantec_AntiVirus_Client.exe
2005-07-10 02:12 . 2005-07-10 02:12 1035943 -c--a-w- c:\program files\myTunesReduxInstaller.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-05_16.24.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-07 13:10 . 2009-11-05 16:25 63930 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2009-11-05 16:28 63930 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2009-11-05 16:28 406896 c:\windows\system32\perfh009.dat
- 2004-08-07 13:10 . 2009-11-05 16:25 406896 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"47119:TCP"= 47119:TCP:*:Disabled:null
"113:TCP"= 113:TCP:*:Disabled:null

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/11/2009 5:03 PM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 9:39 AM 200192]
S1 DW;DW; [x]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [5/24/2002 10:52 AM 10368]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tim Riley\Application Data\Mozilla\Firefox\Profiles\fqtbgok9.Tim\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/my/?from=hat_gotomp&ref=/weather/local/USNJ0365
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 12:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?5?0?7??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\windows\system32\cba\pds.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\cba\xfr.exe
c:\windows\system32\MsgSys.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 13:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 18:05
ComboFix2.txt 2009-11-05 16:29

Pre-Run: 10,014,965,760 bytes free
Post-Run: 9,973,383,168 bytes free

-----------------------------------------


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tim Riley at 13:59:37.34 on Thu 11/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.48 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim Riley\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-9600-000000000000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timril~1\applic~1\mozilla\firefox\profiles\fqtbgok9.tim\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/my/?from=hat_gotomp&ref=/weather/local/USNJ0365
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-22 200192]
S1 DW;DW; [x]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2002-5-24 10368]

=============== Created Last 30 ================

2009-11-05 18:41:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-05 18:41:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-05 17:47:00 0 d-----w- C:\ComboFix
2009-11-05 16:08:06 0 d-sha-r- C:\cmdcons
2009-11-05 16:06:58 77312 ----a-w- c:\windows\MBR.exe
2009-11-05 16:06:57 98816 ----a-w- c:\windows\sed.exe
2009-11-05 16:06:57 267264 ----a-w- c:\windows\PEV.exe
2009-11-05 16:06:57 161792 ----a-w- c:\windows\SWREG.exe
2009-10-24 00:32:24 0 d-----w- c:\windows\ServicePackFiles
2009-10-24 00:26:29 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-16 23:27:16 0 d-----w- c:\documents and settings\tim riley\.sbd
2009-10-12 21:52:10 0 d-----w- c:\docume~1\timril~1\applic~1\MozBackup
2009-10-11 22:03:50 0 d-----w- c:\docume~1\alluse~1\applic~1\acccore
2009-10-11 22:02:59 0 d-----w- c:\program files\AIM6
2009-10-11 22:02:56 965 ---ha-w- C:\IPH.PH

==================== Find3M ====================

2009-10-26 22:00:16 38518 ----a-w- c:\docume~1\timril~1\applic~1\wklnhst.dat
2009-08-21 09:46:35 450560 ------w- c:\windows\system32\dllcache\jscript.dll
2008-02-24 03:04:31 2517318 ----a-w- c:\program files\AdwareAway.exe
2007-12-21 03:23:35 2386509 ----a-w- c:\program files\dvdpeansetup38540.exe
2007-12-21 03:20:41 2441161 ----a-w- c:\program files\dvdziplite38540.exe
2007-12-21 03:19:04 4985029 ----a-w- c:\program files\iPodConv_r45520.exe
2007-12-21 03:06:09 3414763 ----a-w- c:\program files\setup_yasamp4converter.exe
2007-12-20 21:19:50 2518239 ----a-w- c:\program files\DVDFabHDDecrypter4012.exe
2005-08-19 16:09:15 8715352 -c--a-w- c:\program files\AIM.exe
2005-08-19 13:48:15 10958640 -c--a-w- c:\program files\GoogleEarth.exe
2005-08-18 19:26:39 42524211 -c--a-w- c:\program files\Symantec_AntiVirus_Client.exe
2005-07-10 02:12:36 1035943 -c--a-w- c:\program files\myTunesReduxInstaller.exe

============= FINISH: 14:01:39.98 ===============

#8 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 05 November 2009 - 04:20 PM

Hi,

Please look for the zip file whose name begins with [4]-Submit in the c:\qoobox\quarantine folder and upload it here. Kindly include a link to this topic.

I also attempted to run the online Kaspersky scan, but it got stuck downloading; it might be a temporary error with the site, and I will try again later if that is what you want me to do.

See if you're able to make that run.

Additionally, Firefox seems to now be having difficulty rendering certain webpages, including this forum page. The formatting and links do not seem to be displaying correctly, mostly appearing as simple text. Can this be fixed?

Cache cleaning should do the trick. Instructions here.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#9 ramapoguy

  • Topic Starter
  • Members
  • 17 posts

Posted 05 November 2009 - 04:29 PM

The zip file has been submitted, using the link provided. Clearing the cache solved the Firefox rendering problem. (Thank you!) I'm about to try to run the Kaspersky online scan again, and I'll post the log after I get it to work.

#10 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 06 November 2009 - 12:50 AM

Thanks for the submission. Let me know if the Kaspersky online scanner doesn't work and we'll try another way then :(


#11 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 11 November 2009 - 09:36 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
