
Help please. Rootkit max++?


This topic is locked.
25 replies to this topic

#1 FrogmanMickey (Members, 45 posts)

Posted 06 November 2009 - 02:10 AM

I tried posting the log here with copy/paste, but in Word it is 195 pages and that is too much for the post. I don't know how many different posts it would take to accommodate the file (the error message just says it is too big; it doesn't advise the post size limit). So I have uploaded the text file generated by Win32Diag.exe. I hope that works for you. If not, I will try splitting up the file. How many pages will the post accept?
Frogman Mickey



#2 thcbytes (Malware Response Team, 14,790 posts)

Posted 06 November 2009 - 08:07 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

Please note..........
  • Use Notepad to copy and paste all your logs directly into your replies!!
  • Open Notepad and choose the Format tab.
  • Make certain Wordwrap is unchecked!
==========

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Log.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 FrogmanMickey (Topic Starter, Members, 45 posts)

Posted 07 November 2009 - 03:32 AM

Hi

Thanks so much for taking the time to help me with this.

I ran peek.bat and the black box appeared for an instant then disappeared. It generated a log, but this is all that was in it:

Volume in drive C has no label.
Volume Serial Number is 2FE0-E8DF

I was expecting more, so I tried running it a second time to see if the result was any different. The first time I had run it directly from the flash drive onto which I had downloaded it, so the second time I copied it onto the Desktop and ran it from there. The result was different, all right. This time I got the by now infamous error message:

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

I had used the "Run as Administrator" command, so that was not the problem.

I deleted that version of peek.bat and downloaded a fresh copy using my clean computer in case the virus had somehow corrupted it. I also fake named the fresh version in case the virus was on the lookout for its name. Didn't matter. It won't run again. I suspect the virus "knows" what it is and is blocking it.

You didn't say to run peek.bat with the computer in safe mode. Should I try that?

Thanks

#4 thcbytes (Malware Response Team, 14,790 posts)

Posted 07 November 2009 - 12:21 PM

Hang in there. It can be tricky but we will get it.

You have a critical system file that a rootkit has patched and renamed! I need to find out which one. As soon as we figure that out I can work on fixing it. Please stick to my instructions. Do nothing else! While this rootkit is active, the more you do the harder it will be for me to help you.

Do this......
  • Select the Start button
  • Select All Programs
  • Select Accessories
  • Right click Command Prompt and choose Run as administrator

  • If you have the User Account Control (UAC) enabled you will be asked for authorization prior to the command prompt opening.
  • You may simply need to press the Continue button if you are the administrator or insert the administrator password.

Copy-paste the following command into the "cmd" box, and press Enter.

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll %windir%\cngaudit.dll >Log.txt&log.txt

A log will be produced.

Please post that log for my review.
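The DIR /a/s command in the post above lists every copy of those four DLLs under %windir%, including the copies in the WinSxS component store, so an outlier by size or date stands out. As an added example (not code from the thread or from any of the tools it uses), the Python script below does that comparison by content hash: it walks a Windows directory, collects every copy of the watched names, and flags a name whose live system32 copy matches none of the WinSxS copies, which is what ComboFix later used as its restore source for cngaudit.dll. The demo tree, its file contents and the WinSxS directory names are constructed for the example; run it with C:\Windows as the argument for a read-only check of a real system.

```python
import hashlib
import os
import shutil
import sys
import tempfile
from collections import defaultdict

# The four names from the DIR command in the thread. A patched copy in
# system32 will hash differently from the untouched copies kept in WinSxS.
WATCHED = ("scecli.dll", "netlogon.dll", "eventlog.dll", "cngaudit.dll")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_copies(windir, names=WATCHED):
    """Map lower-cased file name -> [(path, size, sha256)] for every copy under windir."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(windir):
        for fn in files:
            if fn.lower() not in wanted:
                continue
            p = os.path.join(dirpath, fn)
            try:
                found[fn.lower()].append((p, os.path.getsize(p), sha256_of(p)))
            except OSError:
                # A copy that cannot even be read is itself a finding (see posts #3 and #5).
                found[fn.lower()].append((p, -1, "UNREADABLE"))
    return found


def _is_sxs(path):
    return os.sep + "winsxs" + os.sep in path.lower()


def _is_live(path):
    return os.sep + "system32" + os.sep in path.lower() and not _is_sxs(path)


def find_divergent(copies):
    """Names whose live system32 copy matches none of the WinSxS copies by hash."""
    suspects = {}
    for name, entries in copies.items():
        sxs_hashes = {digest for p, _size, digest in entries if _is_sxs(p)}
        if not sxs_hashes:
            continue  # nothing to compare against; fall back to manual DIR review
        for p, size, digest in entries:
            if _is_live(p) and digest not in sxs_hashes:
                suspects[name] = {"live": (p, size, digest), "winsxs": sorted(sxs_hashes)}
    return suspects


def build_demo_tree(base):
    """Constructed sample tree (not a real system): cngaudit.dll patched in system32."""
    layout = {
        ("system32", "scecli.dll"): b"MZ scecli clean build",
        ("winsxs", "x86_scecli_demo", "scecli.dll"): b"MZ scecli clean build",
        ("system32", "netlogon.dll"): b"MZ netlogon clean build",
        ("winsxs", "x86_netlogon_demo", "netlogon.dll"): b"MZ netlogon clean build",
        ("system32", "cngaudit.dll"): b"MZ cngaudit PATCHED",
        ("winsxs", "x86_cngaudit_demo", "cngaudit.dll"): b"MZ cngaudit clean build",
    }
    for parts, data in layout.items():
        full = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Run the comparison over the constructed tree; returns the flagged names."""
    base = tempfile.mkdtemp(prefix="windir_demo_")
    try:
        build_demo_tree(base)
        return sorted(find_divergent(collect_copies(base)))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Real use (read-only): python check_copies.py C:\Windows
    if len(sys.argv) > 1:
        for name, info in find_divergent(collect_copies(sys.argv[1])).items():
            print(name, info["live"][0], info["live"][1], "bytes")
    else:
        print("divergent in demo tree:", demo())
```

Two caveats a practitioner would want. WinSxS normally holds several versions of a component (RTM, SP1, hotfix), so the live copy only needs to match one of them, which is why the check is "matches none" rather than "matches the newest". And a kernel-mode rootkit that filters file reads, as this thread's symptoms suggest, can feed the script a clean-looking image; a mismatch is evidence, but a match is not a clean bill, so repeat the comparison from the Recovery Console or another boot environment before trusting a negative.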

#5 FrogmanMickey (Topic Starter, Members, 45 posts)

Posted 08 November 2009 - 12:09 AM

Sorry. No go. I followed the instructions, but when I right-clicked and selected "Run as Administrator", I got the error message

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

So I could not get to the "cmd" box. It looks like the steps you advised are a way to access and run C:\Windows\system32\cmd.exe. That file appears to be locked out too.

Would it do any good to try this in "safe" mode? You were clear in stating that I should only do exactly as you direct, so I haven't tried that yet.
Frogman Mickey

#6 thcbytes (Malware Response Team, 14,790 posts)

Posted 08 November 2009 - 08:52 AM

It is a permissions issue so it should not matter whether it is done in safe or normal mode. Don't worry. One way or another we will get it! :(

Let's see if we can get ComboFix to work. It might be able to tackle this. Regardless of the warning it throws at you, just keep on proceeding through the steps. You will probably receive prompts and warnings that differ from what I describe below!

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash, indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t

#7 FrogmanMickey (Topic Starter, Members, 45 posts)

Posted 09 November 2009 - 03:55 AM

Well, we seemed to have accomplished something this time. I hope this helps:

BTW: as to the notation that AVG was still active when the scan ran, I followed the instructions on your web site and disabled the AVG Resident Shield. That was the only instruction there was regarding AVG. I could not find a way to disable the entire program, so I guess some of it was still active during the scan. I hope that didn't mess things up. If it did, I can remove the entire program and try again.

One other note: Before contacting you I had attempted to eradicate this virus using RegRun Reanimator by Greatis Software. Now, every time the computer starts I see a message displayed before Windows starts, something like RegRun Partizan Bootwatch Anti Rootkit by Greatis Software. This is supposed to detect and remove any kernel/usermode rootkit. Maybe it is beneficial, or at least harmless, I don't know, but I also don't know how to shut it off. There is no listing for it in the Uninstall Programs list. I mention it because I see entries for Partizan in the log and wanted you to know where that came from. I hope it didn't interfere with what ComboFix was trying to do.

I ran rkill. The black box did open and a message displayed that said something like “Removing known malware. Please wait…” That lasted for about 30 seconds and then the box disappeared. Since that appeared to be what you had described, I ran ComboFix (renamed as thcbytes.exe). When it loaded, a message appeared saying that rootkit activity had been detected and it needed to reboot. After the reboot, a blue box appeared which displayed various messages. One said that the Combofix date had expired and it would run in “reduced functionality mode”. That was a bit worrisome, but the program did go ahead and run. I watched the screen as it performed a scan and noted the following:

Two folders and two files were deleted

Message displayed:
System file is infected. Attempting to restore. cngaudit.dll
Successfully restored.

Then the computer rebooted. When it returned, the ComboFix screen opened again and said it was preparing a log. When that completed, it displayed a log in Notepad. Here are the contents of the log ComboFix.txt:

ComboFix 09-10-28.08 - Cheryl 11/09/2009 0:12.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.2061 [GMT -8:00]
Running from: c:\users\Cheryl\Desktop\thcbytes.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1438956240-1906425865-3165537870-500
c:\$recycle.bin\S-1-5-21-1438956240-1906425865-3165537870-500\desktop.ini
c:\$recycle.bin\S-1-5-21-3592008421-2714273408-2601181930-500
c:\$recycle.bin\S-1-5-21-3592008421-2714273408-2601181930-500\desktop.ini

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 08:14 . 2009-11-09 08:18 -------- d-----w- c:\users\Cheryl\AppData\Local\temp
2009-11-09 08:14 . 2009-11-09 08:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-05 03:04 . 2009-11-05 03:04 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-11-05 02:55 . 2009-11-05 02:55 35040 ----a-w- c:\windows\system32\Partizan.exe
2009-11-05 02:55 . 2009-11-05 02:55 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-11-05 02:53 . 2009-11-05 02:53 2 --shatr- c:\windows\winstart.bat
2009-11-05 02:52 . 2009-11-05 02:52 -------- d-----w- c:\program files\Greatis
2009-11-05 01:06 . 2009-11-05 03:34 -------- d-----w- c:\program files\Sophos
2009-11-05 00:26 . 2009-11-05 00:26 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-11-05 00:15 . 2009-11-05 00:15 -------- d-----w- c:\program files\FileASSASSIN
2009-10-31 06:33 . 2009-10-31 06:33 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-10-30 09:08 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-30 09:08 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-30 09:08 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-30 09:08 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-30 09:08 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-30 09:08 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-30 09:08 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-30 09:08 . 2009-08-07 02:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-30 09:08 . 2009-08-07 01:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-30 06:26 . 2009-11-09 07:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 03:45 . 2009-10-30 03:45 -------- d-----w- c:\windows\system32\EventProviders
2009-10-30 03:38 . 2009-11-09 07:37 0 ----a-r- c:\windows\win32k.sys
2009-10-28 13:42 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 13:42 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-14 14:15 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 14:15 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 14:14 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 14:14 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 14:14 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 07:55 . 2008-12-26 21:45 -------- d-----w- c:\programdata\avg8
2009-11-08 20:54 . 2009-02-03 03:01 -------- d-----w- c:\programdata\Google Updater
2009-11-07 02:22 . 2008-12-26 20:47 10074 ----a-w- c:\users\Cheryl\AppData\Roaming\wklnhst.dat
2009-11-05 03:36 . 2008-12-26 21:42 -------- d-----w- c:\programdata\Lavasoft
2009-11-05 03:29 . 2008-12-26 21:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-05 03:28 . 2008-12-26 22:09 -------- d-----w- c:\program files\SpywareGuard
2009-11-05 03:26 . 2008-12-26 19:04 -------- d-----w- c:\programdata\Viewpoint
2009-11-05 03:26 . 2008-12-26 19:04 -------- d-----w- c:\program files\Viewpoint
2009-11-05 00:27 . 2009-04-29 04:03 -------- d-----w- c:\program files\livetvbar
2009-11-05 00:27 . 2009-04-29 04:03 -------- d-----w- c:\program files\Conduit
2009-11-03 04:42 . 2009-10-02 16:14 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 03:55 . 2009-10-30 03:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-10-15 10:19 . 2009-03-31 20:47 1356 ----a-w- c:\users\Cheryl\AppData\Local\d3d9caps.dat
2009-10-15 10:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-15 10:03 . 2008-07-01 08:23 -------- d-----w- c:\programdata\Microsoft Help
2009-10-10 03:04 . 2009-10-10 03:04 -------- d-----w- c:\program files\DivX
2009-10-10 03:04 . 2009-10-10 03:04 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-04 00:56 . 2008-12-27 06:43 -------- d-----w- c:\users\Cheryl\AppData\Roaming\CyberLink
2009-09-29 13:29 . 2009-06-29 05:34 -------- d-----w- c:\program files\Common Files\Real
2009-09-24 22:16 . 2008-07-01 08:48 -------- d-----w- c:\program files\Java
2009-09-24 15:39 . 2008-12-26 19:38 147904 ----a-w- c:\users\Cheryl\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-14 22:01 . 2009-09-14 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-09-14 22:01 . 2009-09-14 22:01 -------- d-----w- c:\program files\QuickTime
2009-09-14 22:01 . 2009-09-14 22:01 -------- d-----w- c:\programdata\Apple Computer
2009-09-10 17:30 . 2009-10-14 14:16 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 13:55 . 2009-10-14 14:16 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-14 14:16 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 15:39 . 2008-12-26 21:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 15:39 . 2008-12-26 21:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 15:39 . 2008-12-26 21:45 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 12:39 . 2009-09-02 21:06 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 21:06 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-14 14:16 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-14 14:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-14 14:16 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-08 22:23 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-08 22:23 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-08 22:23 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-08 22:23 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-08 22:23 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-08 22:23 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-08 22:23 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-08 22:23 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-08 22:23 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-08 22:23 10240 ----a-w- c:\windows\system32\finger.exe
2008-07-01 05:39 . 2008-07-01 05:39 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 145944]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-24 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-02 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-28 442467]

c:\users\Cheryl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [10/30/2009 10:33 PM 33920]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [12/26/2008 1:45 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/2/2009 9:45 AM 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\AEstSrv.exe [6/27/2008 8:53 PM 77824]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/26/2008 1:45 PM 297752]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [3/18/2008 4:24 PM 24880]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [7/1/2008 12:44 AM 341328]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/30/2008 11:33 PM 193840]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [1/24/2008 5:23 AM 52736]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [6/4/2008 9:54 AM 113664]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2009 7:51 AM 908056]
S2 gupdate1c985ac2b872cb0;Google Update Service (gupdate1c985ac2b872cb0);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:04 PM 133104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\users\Cheryl\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe --> c:\users\Cheryl\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe [?]
S3 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [11/4/2009 6:55 PM 34760]
S3 RegGuard;RegGuard;c:\windows\System32\drivers\regguard.sys [11/4/2009 7:04 PM 24416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:42]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 03:04]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 03:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{ad55c869-668e-457c-b270-0cfb2f61116f} - (no file)
HKCU-Run-PopRock - c:\users\Cheryl\AppData\Local\Temp\a.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 00:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000055954CB227CBEC3DA6 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7983.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
c:\windows\system32\WLANExt.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\vdsldr.exe
.
**************************************************************************
.
Completion time: 2009-11-09 0:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 08:22

Pre-Run: 79,700,275,200 bytes free
Post-Run: 79,832,641,536 bytes free

- - End Of File - - 84ED79F9357B9E48A916A6C7776956F3
Frogman Mickey
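The "Files Created" section of the ComboFix log above is the part a helper reads first, and the items thcbytes later targets (c:\windows\win32k.sys, winstart.bat) are visible there by their location, size and attribute flags. The Python below is an added example, not part of the thread or of ComboFix: it parses lines in that format into records and applies a few named triage heuristics over a constructed sample of six lines copied from the log. The heuristics and the SYSTEM32_ONLY list are my own and deliberately narrow; they are a reading aid, not a verdict.

```python
import re
from dataclasses import dataclass

# One "Files Created" line:  created . modified  size  attrs  path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr")

# Constructed, deliberately short list: kernel-side binaries whose only
# legitimate location is %windir%\system32. Extend it for real use.
SYSTEM32_ONLY = {"win32k.sys", "ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll"}

# Constructed sample: six lines copied from the ComboFix log in this thread.
SAMPLE = r"""
2009-11-05 03:04 . 2009-11-05 03:04 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-11-05 02:53 . 2009-11-05 02:53 2 --shatr- c:\windows\winstart.bat
2009-11-05 00:26 . 2009-11-05 00:26 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-10-30 03:38 . 2009-11-09 07:37 0 ----a-r- c:\windows\win32k.sys
2009-10-14 14:15 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-09 08:14 . 2009-11-09 08:18 -------- d-----w- c:\users\Cheryl\AppData\Local\temp
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: int      # -1 for a directory line ("--------")
    attrs: str
    path: str


def parse(lines):
    """Parse ComboFix 'Files Created' lines; anything that does not match is skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries):
    """Return {path: [reasons]} for files that hit any heuristic; directories are skipped."""
    flagged = {}
    for e in entries:
        if e.size < 0:
            continue
        low = e.path.lower()
        parent, _, name = low.rpartition("\\")
        is_exec = name.endswith(EXEC_EXT)
        reasons = []
        if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
            reasons.append("core system32 binary name outside system32")
        if is_exec and e.size == 0:
            reasons.append("zero-byte executable")
        # Attribute column read as the log prints it: 'h' hidden, 's' system, 'r' read-only.
        if is_exec and ("h" in e.attrs or "s" in e.attrs):
            reasons.append("hidden/system attribute on executable")
        if is_exec and "\\temp\\" in parent + "\\":
            reasons.append("executable under a temp directory")
        if reasons:
            flagged[e.path] = reasons
    return flagged


def triage_sample():
    return triage(parse(SAMPLE.splitlines()))


if __name__ == "__main__":
    for path, why in triage_sample().items():
        print(path, "->", "; ".join(why))
```

On the sample it flags win32k.sys (wrong directory, zero bytes) and winstart.bat (system and hidden attributes on a .bat), and leaves regguard.sys and _MSRSTRT.EXE alone even though the helper removed both: a file with no hits still needs the context the rest of the log supplies, such as the Greatis install time and the Partizan driver and BootExecute entries that explain regguard.sys.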

#8 thcbytes (Malware Response Team, 14,790 posts)

Posted 09 November 2009 - 08:03 AM

Well done. :(

I appreciate your detailed feedback!

==========

I can remove the entire program and try again.

Let's do that.
Use this AVG uninstaller please.
We will reinstall it later. Only use this computer for cleanup. Do not surf until we reinstall AVG.

==========

I also don't know how to shut it off.

I will nuke it for you.

==========

“reduced functionality mode”

Let it "update" if it asks permission.

==========

Message displayed:
System file is infected. Attempting to restore. cngaudit.dll
Successfully restored.

:(

==========

Uninstall Spybot via Add/remove. It might interfere with our fix.

==========

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

==========

Let's continue........

:) Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\regguard.sys
c:\windows\system32\Partizan.exe
c:\windows\system32\drivers\Partizan.sys
c:\windows\winstart.bat
c:\windows\_MSRSTRT.EXE
c:\windows\win32k.sys
c:\windows\System32\drivers\fsbts.sys
c:\users\Cheryl\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe
c:\windows\System32\drivers\Partizan.sys
c:\windows\System32\drivers\regguard.sys
c:\windows\TEMP\TMP00000055954CB227CBEC3DA6

Folder::
c:\program files\Greatis
c:\program files\SpywareGuard
c:\programdata\Viewpoint
c:\program files\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00

Driver::
fsbts
Viewpoint Manager Service
F-Secure BlackLight Sensor
Partizan
RegGuard

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

==========

Reinstall AVG free antivirus
  • Visit http://free.avg.com/download?prd=afe to download AVG 8 setup file to your desktop.
  • Double click the downloaded setup file to Install AVG 8 then update it.
  • On the left side click Computer scanner and select Scan whole computer.
  • When the scan has finished, under the Result Overview tab at the end of the scan result click Export overview to file
  • Select File Type: All files Name:scan.txt and save it on your desktop.
  • Under the Warnings tab press Remove all unhealed infections. Then close the application.
  • Copy/paste the content of scan.txt located on your desktop to your reply.
==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* Combofix.txt
* Junction log
* AVG log
* OTL.txt & Extra.txt
* How is your computer running?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 FrogmanMickey (Topic Starter)

Posted 09 November 2009 - 03:05 PM

Thank you for your continued assistance. I did the downloads, printed the instructions and began working my way through them. I ran into a couple of snags that I need assistance with before I can proceed further.

Before contacting you, based on a forum I read, I knew that antivirus software might interfere with the fix. So I uninstalled all the antivirus software on that computer except AVG. I thought. I looked on the Uninstall Programs listing and Spybot does not show up there, and the Teatimer icon that used to appear in the system tray is gone. So if the log I sent shows that Spybot is still active, I don't know how to get rid of it. Do you have a Spybot zapper similar to what you provided for AVG (which worked fine by the way)?

I also did not see any program with Viewpoint in the title on the Uninstall Programs list. I would like to get rid of any "foistware" my wife has acquired, but if Viewpoint is in the computer, I don't know how to delete it. (I wish I could get my wife to quit downloading things like that, but she sees things she thinks are interesting and "clicky-clicky". Then I end up having to deal with the fallout because she is technically challenged when it comes to computers. Maybe this experience with this intractable virus will cure her. LOL. Something I read somewhere indicated that this virus may have been propagated through Facebook, which personally I have no use for, but which she accesses constantly. Maybe you can tell me a way to prevent her computer from being able to go to Facebook :-) )

As to letting ComboFix update if it asks permission (which it did not do previously). I have shut off the wireless on my wife's computer so it can't connect to the internet during this fix since there is no antivirus protection of any kind running now. I am using my clean laptop to do the communications and a flash drive for the downloads. So if ComboFix asks to update, is it OK to connect the wireless and let it do so? (I read somewhere that, without virus protection, the Mean Time Before Infection is milliseconds due to the number of viruses constantly circulating on the net looking for an unprotected machine)

Thanks.

#10 thcbytes (Malware Response Team)

Posted 09 November 2009 - 04:29 PM

Good questions....

I looked on the Uninstall Programs listing and Spybot does not show up there, and the Teatimer icon that used to appear in the system tray is gone.

No worries. The rootkit stripped it of its permissions. It's useless for now. I will fix it later.

==========

I would like to get rid of any "foistware" my wife has acquired, but if Viewpoint is in the computer, I don't know how to delete it.

No worries. I got it set for removal in the script I wrote in my prior post.

==========

As to letting ComboFix update if it asks permission (which it did not do previously). I have shut off the wireless on my wife's computer so it can't connect to the internet during this fix since there is no antivirus protection of any kind running now. I am using my clean laptop to do the communications and a flash drive for the downloads. So if ComboFix asks to update, is it OK to connect the wireless and let it do so? (I read somewhere that, without virus protection, the Mean Time Before Infection is milliseconds due to the number of viruses constantly circulating on the net looking for an unprotected machine)

I want you reconnected but only visit the sites I direct you to. This is very important!!! It will be okay as long as you do as I instruct. :(

Thanks,
~t

#11 FrogmanMickey (Topic Starter)

Posted 09 November 2009 - 05:16 PM

Thanks. I thought I had previously identified all of the snags, but I found another. I went to download OTL.exe from the mirror site you posted and got this pop-up message:

Unsafe Download Security Warning.
This download has been reported as unsafe.
The file you are downloading has been reported to be unsafe.
The download website contains links to viruses or other software that can harm your computer
or reveal your personal information.
For your safety, we recommend you cancel this file download.

It had a line I could click to disregard the warning:

Disregard and download unsafe file (not recommended)

But I did not proceed. The warning sounded quite ominous so I wanted to get confirmation from you before ignoring it.

Thanks.
Frogman Mickey

#12 thcbytes (Malware Response Team)

Posted 09 November 2009 - 05:48 PM

You're still infected!! It is a bogus warning.

#13 FrogmanMickey (Topic Starter)

Posted 09 November 2009 - 06:51 PM

Um, I got that message on my laptop which is supposedly clean, not the infected computer. Maybe I had better scan the "clean" computer with something. What do you recommend?

In any case, I proceeded with the download of OTL despite the warning.

#14 thcbytes (Malware Response Team)

Posted 09 November 2009 - 08:10 PM

:(
You didn't tell me you downloaded it from a clean computer!! There are only 2 reasons that you might get that warning. Either your antivirus falsely tags it as malware or you're infected. With this new tidbit of info I suspect the former!

==========

I asked you to please reconnect and visit the sites I have recommended for direct download.

I want you reconnected but only visit the sites I direct you to. This is very important!!! It will be okay as long as you do as I instruct.

Since I presumed that you were actually following my instructions it necessarily rules out an AV falsely tagging the download as malware leaving infection as the only option.

But now that I know that you downloaded from another computer it might simply be a false alarm. We have been seeing that a lot lately with OTL.

Here is another link. Do it like I have directed please. :(
http://ottools.noahdfear.net/OTL.exe

We will deal with your other computer later if necessary. Keep them separated for now please.

Kind regards,
~t

#15 FrogmanMickey (Topic Starter)

Posted 09 November 2009 - 10:24 PM

Hi

Sorry about that. I didn’t think it mattered how the programs were acquired, as long as they ended up on the “infected” computer. I was trying to do as little as possible with the infected computer so as not to inadvertently disturb what we are trying to do. Anyway, I went back and did the downloads from the “infected” computer. I got no download warnings. Here is a record of what I was able to accomplish so far. But I was not able to fulfill all of your instructions yet, as explained below.

-----

I dragged the CFscript.txt onto ComboFix and watched it as it ran.

Even though I had applied the tool you gave me to uninstall AVG, ComboFix still advised that AVG anti-virus was active and asked me to disable it. But the AVG icon has disappeared from the Desktop and System Tray, so I still proceeded to let ComboFix run the script.

Here is what I saw it do:

Completed stage 1,2,3,4,5,6,6A,7,8,9,10,11,12,13,14,15,16,17,18,19,19B,20,21,22,23,24,25,26,27,28,29,30,31,32,32A,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,

Deleted a bunch of file and folders

Automatic reboot. [Note: I did not get the Greatis Software Partizan Bootwatch message this time.]

ComboFix message:
Could not find file: white[something] the message disappeared too fast to catch the full file name.

ComboFix generated a log

ComboFix message: Preparing log Report. Do not run any programs until ComboFix has finished.

BUT, it looks like the computer tried to run something on its own. I got a pop-up box that said:

Yahoo Widgets error
Create process failed: Illegal operation attempted on a registry key that has been marked for deletion.

I had to accept that message 3 times before it went away. I know my wife had some widgets she had downloaded, like a local weather report that resided on the desktop. That icon is gone now.

Also Windows Live messenger opened itself (I closed it).

I hope these auto start programs didn’t mess things up. The ComboFix log did complete.

ComboFix message: Log complete, wait for the report log to pop up

A pop-up message box appeared saying:

Submit files for further analysis
ComboFix needs to submit malware files for further analysis
Please ensure that you’re connected to the internet before clicking OK

I was, so I clicked OK

Uploaded files to server… 100%

Notepad opened with the ComboFix log

I downloaded junction.zip, unzipped it, and put junction.exe in C:/Windows.

[Note: the cursor froze up three times when I was doing this, but I managed to unstick it by logging off and back on again using CTRL-ALT-DEL]

I copied and pasted the command line you provided into Start/Run and clicked OK. A box flashed onto the screen for the briefest instant, then disappeared. It came and went too fast to see anything other than that it was a box. I waited for a log file to appear, but after an hour, during which time there was no indication the computer was doing anything other than the occasional blip of the hard drive light, nothing had popped up. I thought maybe it had generated the log and stashed it somewhere on the hard drive, but I did a search on “log” and “txt” and didn’t find anything. I also navigated to the C:\Windows directory and confirmed that junction.exe is, in fact, there. So I am contacting you again. Maybe I have just not waited long enough? I know a full scan with AVG can take hours. How long is the junction.exe scan supposed to take?

In any case I have not proceeded beyond that point of your instructions since it seems the order in which the steps are taken is important. I have provided the ComboFix log but that is all:


ComboFix 09-11-08.03 - Cheryl 11/09/2009 15:59.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.1814 [GMT -8:00]
Running from: c:\users\Cheryl\Desktop\thcbytes.exe
Command switches used :: c:\users\Cheryl\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Cheryl\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe"
"c:\windows\_MSRSTRT.EXE"
"c:\windows\System32\drivers\fsbts.sys"
"c:\windows\system32\drivers\Partizan.sys"
"c:\windows\system32\drivers\regguard.sys"
"c:\windows\system32\Partizan.exe"
"c:\windows\TEMP\TMP00000055954CB227CBEC3DA6"
"c:\windows\win32k.sys"
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Greatis
c:\program files\Greatis\Reanimator\database.rdb
c:\program files\SpywareGuard
c:\program files\SpywareGuard\dlbdata1backup.dtb
c:\program files\SpywareGuard\dlbdata2backup.dtb
c:\program files\SpywareGuard\dlprotect.dll
c:\program files\SpywareGuard\sglog.txt
c:\program files\SpywareGuard\spywareguard.dll
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\VIEWPOINTSERVICE.EXE.del
c:\programdata\Viewpoint
c:\windows\_MSRSTRT.EXE
c:\windows\System32\drivers\fsbts.sys
c:\windows\system32\drivers\Partizan.sys
c:\windows\system32\drivers\regguard.sys
c:\windows\system32\oem12.inf
c:\windows\system32\oem2.inf
c:\windows\system32\Partizan.exe
c:\windows\win32k.sys
c:\windows\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FSBTS
-------\Legacy_PARTIZAN
-------\Legacy_REGGUARD
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_F-Secure BlackLight Sensor
-------\Service_fsbts
-------\Service_Partizan
-------\Service_RegGuard
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-10 00:08 . 2009-11-10 00:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-10 00:08 . 2009-11-10 00:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-09 21:10 . 2009-11-09 21:10 -------- d-----w- c:\users\Cheryl\AppData\Local\Apple
2009-11-09 08:14 . 2009-11-10 00:12 4096 d-----w- c:\users\Cheryl\AppData\Local\temp
2009-11-05 01:06 . 2009-11-05 03:34 -------- d-----w- c:\program files\Sophos
2009-11-05 00:15 . 2009-11-05 00:15 4096 d-----w- c:\program files\FileASSASSIN
2009-10-30 09:08 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-30 09:08 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-30 09:08 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-30 09:08 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-30 09:08 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-30 09:08 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-30 09:08 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-30 09:08 . 2009-08-07 02:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-30 09:08 . 2009-08-07 01:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-30 06:26 . 2009-11-09 07:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 03:45 . 2009-10-30 03:45 4096 d-----w- c:\windows\system32\EventProviders
2009-10-28 13:42 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 13:42 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-14 14:15 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 14:15 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 14:14 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 14:14 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 14:14 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 21:55 . 2009-02-03 03:01 4096 d-----w- c:\programdata\Google Updater
2009-11-09 14:31 . 2008-12-26 20:47 10074 ----a-w- c:\users\Cheryl\AppData\Roaming\wklnhst.dat
2009-11-05 03:36 . 2008-12-26 21:42 -------- d-----w- c:\programdata\Lavasoft
2009-11-05 03:29 . 2008-12-26 21:53 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-05 00:27 . 2009-04-29 04:03 -------- d-----w- c:\program files\livetvbar
2009-11-05 00:27 . 2009-04-29 04:03 -------- d-----w- c:\program files\Conduit
2009-11-03 04:42 . 2009-10-02 16:14 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 04:07 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-30 03:55 . 2009-10-30 03:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-10-15 10:19 . 2009-03-31 20:47 1356 ----a-w- c:\users\Cheryl\AppData\Local\d3d9caps.dat
2009-10-15 10:13 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-15 10:03 . 2008-07-01 08:23 8192 d-----w- c:\programdata\Microsoft Help
2009-10-10 03:04 . 2009-10-10 03:04 4096 d-----w- c:\program files\DivX
2009-10-10 03:04 . 2009-10-10 03:04 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-04 00:56 . 2008-12-27 06:43 4096 d-----w- c:\users\Cheryl\AppData\Roaming\CyberLink
2009-09-29 13:29 . 2009-06-29 05:34 4096 d-----w- c:\program files\Common Files\Real
2009-09-29 13:27 . 2009-09-29 13:27 452104 ----a-w- c:\users\Cheryl\AppData\Roaming\Real\RealPlayer\setup\AU_setup9.exe
2009-09-24 22:16 . 2008-07-01 08:48 4096 d-----w- c:\program files\Java
2009-09-24 15:39 . 2008-12-26 19:38 147904 ----a-w- c:\users\Cheryl\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-14 22:01 . 2009-09-14 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-09-14 22:01 . 2009-09-14 22:01 4096 d-----w- c:\program files\QuickTime
2009-09-14 22:01 . 2009-09-14 22:01 -------- d-----w- c:\programdata\Apple Computer
2009-09-10 17:30 . 2009-10-14 14:16 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 13:55 . 2009-10-14 14:16 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-14 14:16 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-02 21:06 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 21:06 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-14 14:16 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-14 14:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-14 14:16 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-08 22:23 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-08 22:23 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-08 22:23 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-08 22:23 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-08 22:23 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-08 22:23 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-08 22:23 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-08 22:23 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-08 22:23 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-08 22:23 10240 ----a-w- c:\windows\system32\finger.exe
2008-07-01 05:39 . 2008-07-01 05:39 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-11-09_08.18.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-11-09 19:33 47670 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-10 00:11 96068 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-19 08:18 . 2009-11-09 07:37 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-19 08:18 . 2009-11-09 19:31 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-19 08:18 . 2009-11-09 19:31 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-19 08:18 . 2009-11-09 07:37 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-19 08:18 . 2009-11-09 19:31 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-19 08:18 . 2009-11-09 07:37 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-26 19:03 . 2009-11-10 00:11 5652 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3592008421-2714273408-2601181930-1000_UserData.bin
- 2009-11-09 08:15 . 2009-11-09 08:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-10 00:09 . 2009-11-10 00:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-09 08:15 . 2009-11-09 08:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-10 00:09 . 2009-11-10 00:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-27 00:50 . 2009-11-09 17:16 293058 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-11-09 08:13 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-11-09 19:38 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-09 08:13 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-11-09 19:38 101350 c:\windows\System32\perfc009.dat
+ 2009-05-18 10:00 . 2009-11-09 13:22 198091861 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 145944]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-24 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-02 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-28 442467]

c:\users\Cheryl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\AEstSrv.exe [6/27/2008 8:53 PM 77824]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [3/18/2008 4:24 PM 24880]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [7/1/2008 12:44 AM 341328]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/30/2008 11:33 PM 193840]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [1/24/2008 5:23 AM 52736]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [6/4/2008 9:54 AM 113664]
S2 gupdate1c985ac2b872cb0;Google Update Service (gupdate1c985ac2b872cb0);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:04 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:42]

2009-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 03:04]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 03:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 16:11
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7983.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
c:\windows\system32\WLANExt.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\System32\vdsldr.exe
.
**************************************************************************
.
Completion time: 2009-11-10 16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 00:17
ComboFix2.txt 2009-11-09 08:22

Pre-Run: 83,304,067,072 bytes free
Post-Run: 83,062,702,080 bytes free

- - End Of File - - 3B06519DE7CDA989F2109D056AA09358
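The junction scan in the instructions above (`junction -s c:\`) enumerates NTFS reparse points, that is junctions, mount points and symbolic links, under the whole drive, and the post above reports the command window vanishing with no log to show for it. As an added example, not part of this thread and not Sysinternals' Junction itself, here is a Python walker that does the same job from a script you can watch run: it lists every reparse point with its reparse tag, refuses to descend into one (a junction pointing at an ancestor directory would otherwise loop forever), and records unreadable directories instead of aborting, so an empty result and a permissions problem are distinguishable. On non-Windows systems it falls back to symbolic links, the closest equivalent; the tree built by demo() is constructed for the test and the tag formatting is my own choice.

```python
"""Walk a tree and report NTFS reparse points the way `junction -s` does."""
import os
import stat
import sys
import tempfile

# FILE_ATTRIBUTE_REPARSE_POINT; the stat module exposes it only on Windows.
REPARSE_ATTR = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path):
    """True for junctions, mount points and symlinks on Windows; elsewhere the
    fallback is a plain symlink check (assumption: closest equivalent)."""
    try:
        st = os.lstat(path)            # lstat: never follow the link itself
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:              # Windows build of Python
        return bool(attrs & REPARSE_ATTR)
    return stat.S_ISLNK(st.st_mode)


def reparse_tag(path):
    """Reparse tag as hex (Windows, Python 3.8+) or 'LINK' when unavailable."""
    tag = getattr(os.lstat(path), "st_reparse_tag", 0)
    return "0x%08x" % tag if tag else "LINK"


def find_reparse_points(root):
    """Return [(path, tag)] for every reparse point under root, plus
    (directory, 'ACCESS-ERROR') for directories that could not be listed."""
    found = []

    def on_error(err):                 # keep going on access-denied directories
        found.append((err.filename, "ACCESS-ERROR"))

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error,
                                                followlinks=False):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if is_reparse_point(p):
                found.append((p, reparse_tag(p)))
        # Prune in place so os.walk never enters a junction or link target.
        dirnames[:] = [d for d in dirnames
                       if not is_reparse_point(os.path.join(dirpath, d))]
    return found


def demo():
    """Constructed sample tree: one real directory and one link pointing at it.
    Returns the reparse points found, relative to the temporary root."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "real"))
    os.symlink(os.path.join(base, "real"), os.path.join(base, "link"))
    return [os.path.relpath(p, base) for p, _ in find_reparse_points(base)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for path, tag in find_reparse_points(target):
        print(tag, path)
```

Run it from an elevated prompt as `python reparse.py C:\ > log.txt` so the output lands in a file you can find, rather than in a console window that closes when the scan ends; the ACCESS-ERROR lines tell you which directories the scan could not see, which is the first thing to look at when the result is unexpectedly empty.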


