
TR/Crypt trojan.gen2


This topic is locked. 15 replies to this topic.

#1 Heavenlyp (Members, 36 posts)

Posted 19 June 2010 - 01:56 AM

Hi,
I have a TR/Crypt.XPACK.gen2 Trojan virus.
I have Avira, and when I boot up, over 20 Avira warning pop-ups occur with Deny already checked.
After I OK them all, a small window that states "Error C:/Windows/m7132tA.dll" pops up once every 2 seconds.
I ran Malwarebytes; it found nothing. An Avira scan found nothing.
Free Windows Registry Repair found a problem in m7132tA.dll but did not correct it.
The computer freezes; I have been forced to unplug the computer if booted in normal mode.
I am in safe mode with networking, and I did all the prepping, e.g. GMER, DDS, and Defogger, in safe mode.
TIA
Leona DeJean

DDS

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 20:04:12.85 on Fri 06/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.195 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Bqewuriz] rundll32.exe "c:\windows\m7132tA.dll",Startup
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Pxufoyatup] rundll32.exe "c:\windows\ozicumiru.dll",Startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\album_a\view\plugin\HPODPCFC.CAB
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\p4l7tjec.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {A798FE08-73D2-41F1-99B7-F8A449C042F0} - c:\documents and settings\owner\local settings\application data\{A798FE08-73D2-41F1-99B7-F8A449C042F0}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-6-3 270888]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-6-3 65576]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-21 11608]
S1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-21 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-21 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-21 56816]
S2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-3-17 15944]

=============== Created Last 30 ================

2010-06-17 19:05:56 44544 ----a-w- c:\docume~1\owner\applic~1\f658eabb.exe
2010-06-10 06:21:06 0 d-----w- c:\program files\Free Window Registry Repair
2010-06-03 17:10:57 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-06-03 17:10:57 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-06-01 18:34:10 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-06-01 18:34:09 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-06-01 18:34:07 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-06-01 18:34:03 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-06-01 18:34:03 294912 ----a-w- c:\windows\system32\hpovst11.dll
2010-06-01 18:34:02 729088 ----a-w- c:\windows\system32\hpwwiax4.dll
2010-06-01 18:34:02 593920 ----a-w- c:\windows\system32\hpwtscl3.dll
2010-06-01 18:34:02 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-06-01 18:31:36 176574 ----a-w- c:\windows\hpwins19.dat
2010-06-01 18:31:35 997 ----a-w- c:\windows\hpwmdl19.dat
2010-05-23 22:49:42 120 ----a-w- c:\windows\Wxavew.dat
2010-05-23 22:49:42 0 ----a-w- c:\windows\Fzovuwafon.bin
2010-05-23 22:45:50 741376 ----a-w- c:\windows\system32\drivers\wbpekiqk.sys
2010-05-23 22:45:01 40960 ---ha-w- c:\windows\system32\lodcices.dll
2010-05-23 22:45:01 116 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-05-23 22:44:36 4 ----a-w- c:\docume~1\owner\applic~1\avdrn.dat

==================== Find3M ====================

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-03-21 23:21:14 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 20:04:55.43 ===============

Edited by Heavenlyp, 19 June 2010 - 02:11 AM.



#2 Farbar (Security Developer, The Netherlands)

Posted 24 June 2010 - 01:24 PM

Hi Heavenlyp,

Welcome to the Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on, as it might interfere with our fixes. If you make changes, I shall assume my assistance is no longer needed.

If the issue is not resolved, please update me on the current condition of your computer.

#3 Heavenlyp (Topic Starter)

Posted 24 June 2010 - 01:49 PM

Hi Farbar,
Glad you responded.
I think I have things under control. I uninstalled Avira, installed cloud panda and upgraded to IE8; the TR/Crypt.XPACK.gen2 threat did not manifest itself again. Sunbelt is running fine. The error message still appears, but only once at startup: "Error C:/windows/m7132tA.dll Cannot be found." It causes no visible problems; no more freezing in normal mode at this time. If things go awry, I will seek you out.
Thank you Farbar


#4 Farbar (Security Developer, The Netherlands)

Posted 24 June 2010 - 01:56 PM

This will take care of the error at startup.

Go to Start > Run, copy and paste the following line into the Run box and click OK:

cmd /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Bqewuriz /f

A window flashes; this is normal.

I understand you want to close the topic?

#5 Heavenlyp (Topic Starter)

Posted 24 June 2010 - 03:07 PM

It worked; the startup problem is cleared.

As we speak, a Panda pop-up states that the ozicumiru file is infected and I have to follow the steps to eliminate the virus completely.
Should I trust Panda's steps?

Too anxious to wait for a response, I followed the step, which was to restart the computer to eradicate the virus.
At startup the error message appeared with a different file: "C:/windows/ozicumiru.dll Cannot be found". Is the virus jumping from one DLL file to another?
I still need your help.

Edited by Heavenlyp, 24 June 2010 - 03:37 PM.
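Added example, not part of the thread and not code from DDS or from Farbar's tools: a small Python triage script that reads the uRun/mRun lines from the DDS logs posted above, flags rundll32-loaded DLLs that were dropped directly in the Windows root (m7132tA.dll in #4, ozicumiru.dll in #5), records whether the DLL still exists on disk (an orphaned Run value is exactly what produces the "... Cannot be found" dialog at every logon), and prints the reg.exe line that removes the value. It generalises the one-off command in #4 to the machine-wide HKLM entry (Pxufoyatup) that surfaced in #5. The file listing FILES_ON_DISK is constructed for the example; the key paths are the standard per-user and per-machine Run keys; the "Windows root is suspicious" rule is this example's heuristic, not a claim made in the thread.

```python
import ntpath
import re

# DDS labels the per-user Run key "uRun" and the machine-wide one "mRun".
# These are the standard autostart keys; the HKCU one is the key Farbar
# deletes from in post #4.
RUN_KEYS = {
    "uRun": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "mRun": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# DDS line shape:  uRun: [ValueName] command line
RUN_LINE = re.compile(r"^(?P<key>uRun|mRun):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
# rundll32[.exe] "<dll>",<export>  (quotes optional, any letter case)
RUNDLL = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)',
    re.IGNORECASE,
)

# Heuristic (this example's assumption): legitimate software keeps its DLLs in
# system32 or a vendor directory, so a DLL sitting directly in the Windows
# root is treated as suspicious.
WINDOWS_ROOTS = {r"c:\windows", "%systemroot%", "%windir%"}


def parse_run_entries(log_text):
    """Return [(dds_key, value_name, command), ...] for every uRun/mRun line."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name"), m.group("cmd")))
    return entries


def assess_entry(key, name, cmd, files_on_disk):
    """Classify one Run value; returns None for commands that are not rundll32.

    'suspicious' : DLL lives directly in the Windows root.
    'orphaned'   : DLL is no longer on disk, which is what raises the
                   "... Cannot be found" dialog at logon.
    """
    m = RUNDLL.match(cmd)
    if m is None:
        return None
    dll = ntpath.normpath(m.group("dll")).lower()
    return {
        "key": RUN_KEYS[key],
        "name": name,
        "dll": dll,
        "export": m.group("export"),
        "suspicious": ntpath.dirname(dll) in WINDOWS_ROOTS,
        "orphaned": dll not in files_on_disk,
    }


def triage(log_text, files_on_disk):
    """Return the suspicious entries, each with the reg.exe command that removes it."""
    findings = []
    for key, name, cmd in parse_run_entries(log_text):
        info = assess_entry(key, name, cmd, files_on_disk)
        if info and info["suspicious"]:
            value = '"%s"' % name if " " in name else name  # quote only when needed
            info["fix"] = 'reg delete "%s" /v %s /f' % (info["key"], value)
            findings.append(info)
    return findings


# Run-key lines copied from the two DDS logs in the thread.
SAMPLE_LOG = """\
uRun: [swg] "c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [Bqewuriz] rundll32.exe "c:\\windows\\m7132tA.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [Pxufoyatup] rundll32.exe "c:\\windows\\ozicumiru.dll",Startup
"""

# Constructed stand-in for a directory listing: m7132tA.dll is gone (hence the
# start-up error in #3), ozicumiru.dll is assumed to still be present.
FILES_ON_DISK = {
    r"c:\windows\system32\nvcpl.dll",
    r"c:\windows\ozicumiru.dll",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, FILES_ON_DISK):
        state = "orphaned" if f["orphaned"] else "present"
        print("%-12s %s (%s)\n    %s" % (f["name"], f["dll"], state, f["fix"]))
```

Deleting the Run value only stops the loader from being invoked at logon; the DLL itself (and the other files of the same date in the "Created Last 30" section) still need to be dealt with separately, which is why the helper asks for a fresh DDS log rather than closing the topic.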


#6 Farbar (Security Developer, The Netherlands)

Posted 24 June 2010 - 04:00 PM

Please make no changes from now on.

Please run DDS, copy and paste DDS.txt into your reply, attach Attach.txt, and we will take it from there.


#7 Heavenlyp (Topic Starter)

Posted 25 June 2010 - 11:18 AM

Hi Farbar,
Sorry I took so long. The system kept freezing during boot-up,
so I tried the Windows Recovery Console this morning and it worked.

Here is DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 9:05:05.65 on Fri 06/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.178 [GMT -7:00]

AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Pxufoyatup] rundll32.exe "c:\windows\ozicumiru.dll",Startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\album_a\view\plugin\HPODPCFC.CAB
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\p4l7tjec.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {A798FE08-73D2-41F1-99B7-F8A449C042F0} - c:\documents and settings\owner\local settings\application data\{A798FE08-73D2-41F1-99B7-F8A449C042F0}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R? hitmanpro35;Hitman Pro 3.5 Support Driver
S? NanoServiceMain;Panda Cloud Antivirus Service
S? PSINAflt;PSINAflt
S? PSINFile;PSINFile
S? PSINKNC;PSINKNC
S? PSINProc;PSINProc
S? PSINProt;PSINProt
S? SbFw;SbFw
S? SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport
S? sbhips;Sunbelt HIPS Driver
S? SbPF.Launcher;SbPF.Launcher
S? SPF4;Sunbelt Personal Firewall 4

=============== Created Last 30 ================

2010-06-24 03:36:45 0 d-----w- c:\windows\ie8updates
2010-06-24 03:12:28 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-24 03:11:26 0 d-----w- c:\program files\Panda Security
2010-06-24 03:02:15 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 03:02:05 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 03:02:03 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 01:36:17 77350 ----a-w- c:\windows\hpqins05.dat
2010-06-24 00:40:37 937 ----a-w- C:\imageTable.bak
2010-06-24 00:40:37 786 ----a-w- C:\administrativeInfo.bak
2010-06-24 00:40:37 585 ----a-w- C:\albumTable.bak
2010-06-24 00:40:37 512 ----a-w- C:\imageTable.fpk
2010-06-24 00:40:37 489 ----a-w- C:\EXIFTable.bak
2010-06-24 00:40:37 457 ----a-w- C:\keywordTable.bak
2010-06-24 00:40:37 425 ----a-w- C:\pathnameTable.bak
2010-06-24 00:40:37 425 ----a-w- C:\albumImagesTable.bak
2010-06-24 00:40:37 393 ----a-w- C:\ROFTable.bak
2010-06-24 00:40:37 361 ----a-w- C:\ROFImagesTable.bak
2010-06-24 00:40:37 361 ----a-w- C:\managedFolderTable.bak
2010-06-24 00:40:37 361 ----a-w- C:\keywordImagesTable.bak
2010-06-21 17:34:42 0 d-sh--w- c:\documents and settings\owner\PrivacIE
2010-06-21 17:28:42 0 d-sh--w- c:\documents and settings\owner\IETldCache
2010-06-20 16:33:18 0 dc-h--w- c:\windows\ie8
2010-06-20 16:32:59 0 d--h--w- c:\windows\msdownld.tmp
2010-06-19 18:56:29 178 ----a-w- C:\handle.dat
2010-06-17 19:05:56 50176 ----a-w- c:\docume~1\owner\applic~1\f658eabb.exe
2010-06-10 06:21:06 0 d-----w- c:\program files\Free Window Registry Repair
2010-06-03 17:10:57 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-06-03 17:10:57 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-06-01 18:34:10 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-06-01 18:34:09 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-06-01 18:34:07 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-06-01 18:34:03 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-06-01 18:34:03 294912 ----a-w- c:\windows\system32\hpovst11.dll
2010-06-01 18:34:02 729088 ----a-w- c:\windows\system32\hpwwiax4.dll
2010-06-01 18:34:02 593920 ----a-w- c:\windows\system32\hpwtscl3.dll
2010-06-01 18:34:02 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-06-01 18:31:36 176574 ----a-w- c:\windows\hpwins19.dat
2010-06-01 18:31:35 997 ----a-w- c:\windows\hpwmdl19.dat
2010-05-28 01:39:30 141384 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

==================== Find3M ====================

2010-06-25 16:05:35 741376 ----a-w- c:\windows\system32\drivers\wbpekiqk.sys
2010-05-23 22:44:36 4 ----a-w- c:\docume~1\owner\applic~1\avdrn.dat
2010-05-12 17:58:11 110920 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 15:36:53 129928 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 20:46:51 111624 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2010-04-30 20:46:50 97032 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-31 07:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe

============= FINISH: 9:07:37.70 ===============



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:27 PM

Posted 25 June 2010 - 12:37 PM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#9 Heavenlyp

Heavenlyp
  • Topic Starter

  • Members
  • 36 posts
  • Local time:04:27 AM

Posted 25 June 2010 - 02:34 PM

Here is the log.

ComboFix 10-06-25.01 - Owner 06/25/2010 12:02:44.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.143 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\avdrn.dat
c:\documents and settings\Owner\Local Settings\Application Data\{A798FE08-73D2-41F1-99B7-F8A449C042F0}
c:\documents and settings\Owner\Local Settings\Application Data\{A798FE08-73D2-41F1-99B7-F8A449C042F0}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{A798FE08-73D2-41F1-99B7-F8A449C042F0}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{A798FE08-73D2-41F1-99B7-F8A449C042F0}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{A798FE08-73D2-41F1-99B7-F8A449C042F0}\install.rdf
c:\windows\system32\CBUTTON.OCX
c:\windows\system32\fjhdyfhsn.bat
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))
.

2010-06-24 03:36 . 2010-06-24 04:03 -------- d-----w- c:\windows\ie8updates
2010-06-24 03:13 . 2010-06-24 03:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-24 03:12 . 2010-06-24 03:12 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-24 03:11 . 2010-06-24 03:11 -------- d-----w- c:\program files\Panda Security
2010-06-24 03:02 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 03:02 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 03:02 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 01:44 . 2010-06-24 01:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-24 01:40 . 2010-06-24 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-06-24 01:36 . 2010-06-24 02:58 77350 ----a-w- c:\windows\hpqins05.dat
2010-06-21 17:34 . 2010-06-21 17:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-06-21 17:34 . 2010-06-21 17:34 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-06-21 17:33 . 2010-06-21 17:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-21 17:28 . 2010-06-21 17:28 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-06-20 16:35 . 2010-06-20 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-20 16:35 . 2010-06-20 16:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-06-20 16:33 . 2010-06-20 16:34 -------- dc-h--w- c:\windows\ie8
2010-06-20 16:32 . 2010-06-20 16:35 -------- d--h--w- c:\windows\msdownld.tmp
2010-06-19 18:56 . 2010-06-24 00:40 178 ----a-w- C:\handle.dat
2010-06-10 06:21 . 2010-06-10 06:33 -------- d-----w- c:\program files\Free Window Registry Repair
2010-06-03 17:10 . 2008-10-31 14:09 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-06-03 17:10 . 2008-06-21 11:54 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-06-01 18:34 . 2007-01-17 08:37 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-06-01 18:34 . 2007-01-17 08:37 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-06-01 18:34 . 2007-11-06 18:10 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-06-01 18:34 . 2007-01-17 08:37 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-06-01 18:34 . 2007-01-17 08:31 294912 ----a-w- c:\windows\system32\hpovst11.dll
2010-06-01 18:34 . 2007-10-31 02:35 729088 ----a-w- c:\windows\system32\hpwwiax4.dll
2010-06-01 18:34 . 2007-10-31 02:35 593920 ----a-w- c:\windows\system32\hpwtscl3.dll
2010-06-01 18:34 . 2007-01-17 08:37 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-06-01 18:31 . 2010-06-01 18:50 176574 ----a-w- c:\windows\hpwins19.dat
2010-06-01 18:31 . 2008-01-22 03:20 997 ----a-w- c:\windows\hpwmdl19.dat
2010-05-28 01:39 . 2010-05-28 01:39 141384 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 19:45 . 2010-05-23 22:49 0 ----a-w- c:\windows\Fzovuwafon.bin
2010-06-24 15:56 . 2006-08-08 22:57 63320 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 03:13 . 2010-03-17 04:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2010-06-24 03:11 . 2010-03-17 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-06-24 03:03 . 2006-08-10 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-24 03:00 . 2008-04-05 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-06-23 18:42 . 2010-03-17 09:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 16:21 . 2010-06-17 19:05 50176 ----a-w- c:\documents and settings\Owner\Application Data\f658eabb.exe
2010-06-22 16:21 . 2010-06-17 19:05 50176 ----a-w- c:\documents and settings\Owner\Application Data\f658eabb.exe
2010-06-20 16:35 . 2006-08-10 21:23 -------- d-----w- c:\program files\Yahoo!
2010-06-14 04:14 . 2010-02-14 07:29 -------- d-----w- c:\program files\Diablo II
2010-06-06 16:23 . 2009-01-12 22:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 18:33 . 2006-08-08 14:04 -------- d-----w- c:\program files\HP
2010-05-25 00:10 . 2010-05-25 00:10 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c347a2-n\msvcp71.dll
2010-05-25 00:10 . 2010-05-25 00:10 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c347a2-n\jmc.dll
2010-05-25 00:10 . 2010-05-25 00:10 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c347a2-n\msvcr71.dll
2010-05-25 00:10 . 2010-05-25 00:10 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-79ffb9e3-n\decora-sse.dll
2010-05-25 00:10 . 2010-05-25 00:10 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-79ffb9e3-n\decora-d3d.dll
2010-05-24 22:38 . 2010-05-23 22:49 120 ----a-w- c:\windows\Wxavew.dat
2010-05-23 22:44 . 2010-05-23 22:44 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\khiteb.dat
2010-05-12 17:58 . 2010-05-12 17:58 110920 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2010-05-06 10:41 . 2006-08-07 05:36 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 15:36 . 2010-05-04 15:36 129928 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2010-05-02 05:22 . 2006-08-07 05:36 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 20:46 . 2010-04-30 20:46 111624 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2010-04-30 20:46 . 2010-04-30 20:46 97032 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2010-04-20 05:30 . 2006-08-07 05:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2004-11-03 21:03 . 2004-11-03 21:03 125528 c:\program files\Common Files\AOL\1154931251\EE\bak\AOLHostManager.exe

2006-08-07 06:04 . 2005-01-12 10:01 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2005-08-27 12:09 . 2005-08-27 12:09 139264 c:\program files\Digital Media Reader\bak\readericon45G.exe

2004-02-12 20:38 . 2004-02-12 20:38 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2007-10-15 04:17 . 2007-10-15 04:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-08-07 06:15 . 2006-08-07 06:15 98304 c:\program files\QuickTime\bak\qttask.exe
2009-05-27 00:18 . 2009-05-27 00:18 413696 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 22:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 22:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]
"Pxufoyatup"="c:\windows\ozicumiru.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure]
2009-08-07 19:36 3993368 -c--a-w- c:\program files\ParetoLogic\DriverCure\DriverCure.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [5/4/2010 8:36 AM 129928]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [6/3/2010 10:10 AM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/30/2010 1:47 PM 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/30/2010 1:46 PM 97032]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [5/12/2010 10:58 AM 110920]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [6/3/2010 10:10 AM 65576]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [3/17/2010 11:41 AM 15944]

--- Other Services/Drivers In Memory ---

*Deregistered* - wbpekiqk

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4l7tjec.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-25 12:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RkPavproc1]


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wbpekiqk]

.
Completion time: 2010-06-25 12:29:22
ComboFix-quarantined-files.txt 2010-06-25 19:29
ComboFix2.txt 2010-03-21 03:35

Pre-Run: 90,210,246,656 bytes free
Post-Run: 90,806,808,576 bytes free

- - End Of File - - E7BC98FF39BDFA337F47CBEE2BF2C3EF


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:27 PM

Posted 25 June 2010 - 03:15 PM

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
Driver::
wbpekiqk
RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RkPavproc1]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wbpekiqk]
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pxufoyatup"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RkPavproc1]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wbpekiqk]
DDS::
uInternet Connection Wizard,ShellNext = iexplore


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

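The CFScript in the post above is built from three things the ComboFix log in post #9 showed: a Run value whose target file no longer exists ("[N/A]"), a driver listed as *Deregistered*, and two service keys printed after the catchme rootkit scan. The following Python helper is an added example (my code, not code from the thread, from ComboFix or from Farbar) that pulls those same three indicators out of a ComboFix log and renders them in the Driver::, RegLockDel:: and Registry:: layout used in the post. The sample log is constructed from lines quoted in the thread, and the function names (`triage`, `build_cfscript`) are my own.

```python
"""Triage a ComboFix log for the indicators acted on in the thread above.

Added example: this is not code from the thread, from ComboFix or from
Farbar. It scans the "Reg Loading Points" block for Run values whose
target file is reported missing ("[N/A]"), picks up drivers that ComboFix
lists as *Deregistered*, and collects the service keys printed after the
catchme rootkit scan, then renders them as CFScript directives in the
layout shown in post #10. The sample log is constructed from lines quoted
in the thread.
"""
import re

# Constructed sample: a trimmed ComboFix log built from lines in the thread.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"QuickTime Task"="c:\\program files\\QuickTime\\qttask.exe" [2009-05-27 413696]
"PSUNMain"="c:\\program files\\Panda Security\\Panda Cloud Antivirus\\PSUNMain.exe" [2010-05-14 406848]
"Pxufoyatup"="c:\\windows\\ozicumiru.dll" [N/A]

R1 SbFw;SbFw;c:\\windows\\system32\\drivers\\SbFw.sys [6/3/2010 10:10 AM 270888]

--- Other Services/Drivers In Memory ---

*Deregistered* - wbpekiqk

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\RkPavproc1]

[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\wbpekiqk]

.
Completion time: 2010-06-25 12:29:22
"""

# "Name"="target" [date size], or "Name"="target" [N/A] when the file is gone.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]')
DEREG_RE = re.compile(r'^\*Deregistered\*\s*-\s*(?P<driver>\S+)')
SERVICE_KEY_RE = re.compile(
    r'^\[(?P<key>HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\[^\]]+)\]', re.IGNORECASE)


def triage(log_text):
    """Return the three indicator lists found in a ComboFix log."""
    findings = {"missing_run_targets": [], "deregistered_drivers": [], "leftover_service_keys": []}
    current_run_key = None  # the [...\CurrentVersion\Run] key we are inside, if any
    after_catchme = False   # past the catchme banner, where stray service keys are printed
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("catchme "):
            after_catchme = True
        if after_catchme:
            m = SERVICE_KEY_RE.match(line)
            if m:
                findings["leftover_service_keys"].append(m.group("key"))
            continue
        m = DEREG_RE.match(line)
        if m:
            findings["deregistered_drivers"].append(m.group("driver"))
            continue
        if line.startswith("[") and line.lower().endswith("\\run]"):
            current_run_key = line
            continue
        if not line or line.startswith("["):
            current_run_key = None  # a blank line or a new key ends the Run block
        if current_run_key:
            m = RUN_VALUE_RE.match(line)
            if m and m.group("info").strip().upper() == "N/A":
                findings["missing_run_targets"].append((current_run_key, m.group("name"), m.group("target")))
    return findings


def build_cfscript(findings):
    """Render findings as CFScript directives in the layout the thread uses."""
    out = []
    if findings["deregistered_drivers"]:
        out.append("Driver::")
        out.extend(findings["deregistered_drivers"])
    keys = findings["leftover_service_keys"]
    if keys:
        out.append("RegLockDel::")
        out.extend("[%s]" % k for k in keys)
    if findings["missing_run_targets"] or keys:
        out.append("Registry::")
        last_key = None
        for key, name, _target in findings["missing_run_targets"]:
            if key != last_key:  # emit each Run key once, then its values to delete
                out.append(key)
                last_key = key
            out.append('"%s"=-' % name)
        out.extend("[-%s]" % k for k in keys)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the constructed sample it prints the Driver::, RegLockDel:: and Registry:: blocks of the script in the post; the DDS:: line is not derived from the log and is left to the helper. A "[N/A]" Run value is flagged because the loader entry survived while the file it points at was already removed, which is the usual leftover after a partial cleanup.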

#11 Heavenlyp

Heavenlyp
  • Topic Starter

  • Members
  • 36 posts
  • Local time:04:27 AM

Posted 25 June 2010 - 06:49 PM

Here's the log



ComboFix 10-06-25.01 - Owner 06/25/2010 13:42:09.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.169 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WBPEKIQK
-------\Service_wbpekiqk


((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))
.

2010-06-24 03:36 . 2010-06-24 04:03 -------- d-----w- c:\windows\ie8updates
2010-06-24 03:13 . 2010-06-24 03:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-24 03:12 . 2010-06-24 03:12 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-24 03:11 . 2010-06-24 03:11 -------- d-----w- c:\program files\Panda Security
2010-06-24 03:02 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 03:02 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 03:02 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 01:44 . 2010-06-24 01:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-24 01:40 . 2010-06-24 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-06-24 01:36 . 2010-06-24 02:58 77350 ----a-w- c:\windows\hpqins05.dat
2010-06-21 17:34 . 2010-06-21 17:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-06-21 17:34 . 2010-06-21 17:34 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-06-21 17:33 . 2010-06-21 17:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-21 17:28 . 2010-06-21 17:28 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-06-20 16:35 . 2010-06-20 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-20 16:35 . 2010-06-20 16:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-06-20 16:33 . 2010-06-20 16:34 -------- dc-h--w- c:\windows\ie8
2010-06-20 16:32 . 2010-06-20 16:35 -------- d--h--w- c:\windows\msdownld.tmp
2010-06-19 18:56 . 2010-06-24 00:40 178 ----a-w- C:\handle.dat
2010-06-10 06:21 . 2010-06-10 06:33 -------- d-----w- c:\program files\Free Window Registry Repair
2010-06-03 17:10 . 2008-10-31 14:09 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-06-03 17:10 . 2008-06-21 11:54 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-06-01 18:34 . 2007-01-17 08:37 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-06-01 18:34 . 2007-01-17 08:37 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-06-01 18:34 . 2007-11-06 18:10 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-06-01 18:34 . 2007-01-17 08:37 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-06-01 18:34 . 2007-01-17 08:31 294912 ----a-w- c:\windows\system32\hpovst11.dll
2010-06-01 18:34 . 2007-10-31 02:35 729088 ----a-w- c:\windows\system32\hpwwiax4.dll
2010-06-01 18:34 . 2007-10-31 02:35 593920 ----a-w- c:\windows\system32\hpwtscl3.dll
2010-06-01 18:34 . 2007-01-17 08:37 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-06-01 18:31 . 2010-06-01 18:50 176574 ----a-w- c:\windows\hpwins19.dat
2010-06-01 18:31 . 2008-01-22 03:20 997 ----a-w- c:\windows\hpwmdl19.dat
2010-05-28 01:39 . 2010-05-28 01:39 141384 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 20:57 . 2010-05-23 22:45 741376 ----a-w- c:\windows\system32\drivers\wbpekiqk.sys
2010-06-24 19:45 . 2010-05-23 22:49 0 ----a-w- c:\windows\Fzovuwafon.bin
2010-06-24 15:56 . 2006-08-08 22:57 63320 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 03:13 . 2010-03-17 04:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2010-06-24 03:11 . 2010-03-17 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-06-24 03:03 . 2006-08-10 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-24 03:00 . 2008-04-05 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-06-23 18:42 . 2010-03-17 09:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 16:21 . 2010-06-17 19:05 50176 ----a-w- c:\documents and settings\Owner\Application Data\f658eabb.exe
2010-06-20 16:35 . 2006-08-10 21:23 -------- d-----w- c:\program files\Yahoo!
2010-06-14 04:14 . 2010-02-14 07:29 -------- d-----w- c:\program files\Diablo II
2010-06-06 16:23 . 2009-01-12 22:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 18:33 . 2006-08-08 14:04 -------- d-----w- c:\program files\HP
2010-05-24 22:38 . 2010-05-23 22:49 120 ----a-w- c:\windows\Wxavew.dat
2010-05-23 22:44 . 2010-05-23 22:44 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\khiteb.dat
2010-05-12 17:58 . 2010-05-12 17:58 110920 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2010-05-06 10:41 . 2006-08-07 05:36 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 15:36 . 2010-05-04 15:36 129928 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2010-05-02 05:22 . 2006-08-07 05:36 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 20:46 . 2010-04-30 20:46 111624 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2010-04-30 20:46 . 2010-04-30 20:46 97032 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2010-04-20 05:30 . 2006-08-07 05:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2004-11-03 21:03 . 2004-11-03 21:03 125528 c:\program files\Common Files\AOL\1154931251\EE\bak\AOLHostManager.exe

2006-08-07 06:04 . 2005-01-12 10:01 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2005-08-27 12:09 . 2005-08-27 12:09 139264 c:\program files\Digital Media Reader\bak\readericon45G.exe

2004-02-12 20:38 . 2004-02-12 20:38 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2007-10-15 04:17 . 2007-10-15 04:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-08-07 06:15 . 2006-08-07 06:15 98304 c:\program files\QuickTime\bak\qttask.exe
2009-05-27 00:18 . 2009-05-27 00:18 413696 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 22:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 22:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure]
2009-08-07 19:36 3993368 -c--a-w- c:\program files\ParetoLogic\DriverCure\DriverCure.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [5/4/2010 8:36 AM 129928]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [6/3/2010 10:10 AM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/30/2010 1:47 PM 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/30/2010 1:46 PM 97032]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [5/12/2010 10:58 AM 110920]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [6/3/2010 10:10 AM 65576]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [3/17/2010 11:41 AM 15944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4l7tjec.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-25 14:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3544)
c:\windows\system32\WININET.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-06-25 14:17:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-25 21:17
ComboFix2.txt 2010-06-25 19:29
ComboFix3.txt 2010-03-21 03:35

Pre-Run: 90,779,164,672 bytes free
Post-Run: 90,721,300,480 bytes free

- - End Of File - - 949DF141BC836D8B8A5652E971860BA3


#12 Farbar (Security Developer)

Posted 25 June 2010 - 07:41 PM

We'll just run ComboFix once more to upload a file and remove it from your system.

Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/325521/trcrypt-trojangen2/

Collect::[4]
c:\windows\system32\drivers\wbpekiqk.sys


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

**Important Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

#13 Heavenlyp (Topic Starter)

Posted 25 June 2010 - 08:41 PM


Next log:

ComboFix 10-06-25.01 - Owner 06/25/2010 18:18:36.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.162 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

file zipped: c:\windows\system32\drivers\wbpekiqk.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\wbpekiqk.sys

.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-24 03:36 . 2010-06-24 04:03 -------- d-----w- c:\windows\ie8updates
2010-06-24 03:13 . 2010-06-24 03:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-24 03:11 . 2010-06-24 03:11 -------- d-----w- c:\program files\Panda Security
2010-06-24 03:02 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 03:02 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 03:02 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 01:44 . 2010-06-24 01:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-24 01:40 . 2010-06-24 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-06-24 01:36 . 2010-06-24 02:58 77350 ----a-w- c:\windows\hpqins05.dat
2010-06-21 17:34 . 2010-06-21 17:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-06-21 17:34 . 2010-06-21 17:34 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-06-21 17:33 . 2010-06-21 17:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-21 17:28 . 2010-06-21 17:28 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-06-20 16:35 . 2010-06-20 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-20 16:35 . 2010-06-20 16:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-06-20 16:33 . 2010-06-20 16:34 -------- dc-h--w- c:\windows\ie8
2010-06-20 16:32 . 2010-06-20 16:35 -------- d--h--w- c:\windows\msdownld.tmp
2010-06-19 18:56 . 2010-06-24 00:40 178 ----a-w- C:\handle.dat
2010-06-10 06:21 . 2010-06-10 06:33 -------- d-----w- c:\program files\Free Window Registry Repair
2010-06-03 17:10 . 2008-10-31 14:09 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-06-03 17:10 . 2008-06-21 11:54 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-06-01 18:34 . 2007-01-17 08:37 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-06-01 18:34 . 2007-01-17 08:37 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-06-01 18:34 . 2007-11-06 18:10 271704 ----a-w- c:\windows\system32\hpzids01.dll
2010-06-01 18:34 . 2007-01-17 08:37 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-06-01 18:34 . 2007-01-17 08:31 294912 ----a-w- c:\windows\system32\hpovst11.dll
2010-06-01 18:34 . 2007-10-31 02:35 729088 ----a-w- c:\windows\system32\hpwwiax4.dll
2010-06-01 18:34 . 2007-10-31 02:35 593920 ----a-w- c:\windows\system32\hpwtscl3.dll
2010-06-01 18:34 . 2007-01-17 08:37 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-06-01 18:31 . 2010-06-01 18:50 176574 ----a-w- c:\windows\hpwins19.dat
2010-06-01 18:31 . 2008-01-22 03:20 997 ----a-w- c:\windows\hpwmdl19.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 01:13 . 2010-06-26 01:13 70 ----a-w- c:\windows\RAVTC.TMP
2010-06-24 19:45 . 2010-05-23 22:49 0 ----a-w- c:\windows\Fzovuwafon.bin
2010-06-24 15:56 . 2006-08-08 22:57 63320 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 03:13 . 2010-03-17 04:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2010-06-24 03:11 . 2010-03-17 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-06-24 03:03 . 2006-08-10 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-24 03:00 . 2008-04-05 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-06-23 18:42 . 2010-03-17 09:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 16:21 . 2010-06-17 19:05 50176 ----a-w- c:\documents and settings\Owner\Application Data\f658eabb.exe
2010-06-22 16:21 . 2010-06-17 19:05 50176 ----a-w- c:\documents and settings\Owner\Application Data\f658eabb.exe
2010-06-20 16:35 . 2006-08-10 21:23 -------- d-----w- c:\program files\Yahoo!
2010-06-14 04:14 . 2010-02-14 07:29 -------- d-----w- c:\program files\Diablo II
2010-06-06 16:23 . 2009-01-12 22:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 18:33 . 2006-08-08 14:04 -------- d-----w- c:\program files\HP
2010-05-25 00:10 . 2010-05-25 00:10 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c347a2-n\msvcp71.dll
2010-05-25 00:10 . 2010-05-25 00:10 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c347a2-n\jmc.dll
2010-05-25 00:10 . 2010-05-25 00:10 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c347a2-n\msvcr71.dll
2010-05-25 00:10 . 2010-05-25 00:10 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-79ffb9e3-n\decora-sse.dll
2010-05-25 00:10 . 2010-05-25 00:10 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-79ffb9e3-n\decora-d3d.dll
2010-05-24 22:38 . 2010-05-23 22:49 120 ----a-w- c:\windows\Wxavew.dat
2010-05-23 22:44 . 2010-05-23 22:44 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\khiteb.dat
2010-05-06 10:41 . 2006-08-07 05:36 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-08-07 05:36 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-08-07 05:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2004-11-03 21:03 . 2004-11-03 21:03 125528 c:\program files\Common Files\AOL\1154931251\EE\bak\AOLHostManager.exe

2006-08-07 06:04 . 2005-01-12 10:01 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2005-08-27 12:09 . 2005-08-27 12:09 139264 c:\program files\Digital Media Reader\bak\readericon45G.exe

2004-02-12 20:38 . 2004-02-12 20:38 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2007-10-15 04:17 . 2007-10-15 04:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-08-07 06:15 . 2006-08-07 06:15 98304 c:\program files\QuickTime\bak\qttask.exe
2009-05-27 00:18 . 2009-05-27 00:18 413696 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure]
2009-08-07 19:36 3993368 -c--a-w- c:\program files\ParetoLogic\DriverCure\DriverCure.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [6/3/2010 10:10 AM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [6/3/2010 10:10 AM 65576]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [3/17/2010 11:41 AM 15944]

--- Other Services/Drivers In Memory ---

*Deregistered* - PSINAflt
*Deregistered* - PSINKNC
*Deregistered* - PSINProt

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4l7tjec.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-25 18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-25 18:37:43
ComboFix-quarantined-files.txt 2010-06-26 01:37
ComboFix2.txt 2010-06-25 21:17
ComboFix3.txt 2010-06-25 19:29
ComboFix4.txt 2010-03-21 03:35

Pre-Run: 90,866,106,368 bytes free
Post-Run: 90,853,711,872 bytes free

- - End Of File - - C50E81AC0152763C33A688A20ECA2DBF
Upload was successful

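The run above ends with ComboFix zipping wbpekiqk.sys for upload and deleting it; the earlier logs in this thread carry the other indicators that led there (an eight-letter driver with no vendor display name, a hex-named executable under Application Data, the Windows Firewall standard profile switched off, drivers listed as *Deregistered*). As an added example, not part of this thread and not ComboFix's, Farbar's or BleepingComputer's code, here is a small Python triage script that scans a ComboFix log for exactly those patterns and lists candidate paths for a Collect:: line. The log excerpt embedded in it is constructed to mirror the layout of the logs posted above; the date/size bracket on the wbpekiqk line and the two name heuristics (eight random lowercase letters, eight hex digits plus .exe) are my assumptions, not anything ComboFix defines.

```python
"""Triage a ComboFix log for the indicator patterns seen in this thread.

Added example for this thread; it is not ComboFix's, Farbar's or
BleepingComputer's code. The name-pattern heuristics are assumptions.
"""
import re

# Constructed sample in ComboFix's own layout, modelled on the logs posted
# above. The date/size bracket on the wbpekiqk line is made up: the thread
# never shows that driver's service entry, only its path.
SAMPLE_LOG = r"""
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [6/3/2010 10:10 AM 270888]
R1 wbpekiqk;wbpekiqk;c:\windows\system32\drivers\wbpekiqk.sys [5/23/2010 3:49 PM 40960]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [3/17/2010 11:41 AM 15944]
2010-06-22 16:21 . 2010-06-17 19:05 50176 ----a-w- c:\documents and settings\Owner\Application Data\f658eabb.exe
2010-05-06 10:41 . 2006-08-07 05:36 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 03:36 . 2010-06-24 04:03 -------- d-----w- c:\windows\ie8updates
"EnableFirewall"= 0 (0x0)
*Deregistered* - PSINKNC
"""

# "R1 name;display;path [date size]" driver lines.
DRIVER_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?\.sys)\s*(\[.*\])?\s*$", re.I)
# "created . modified size attrs path" lines from Files Created / Find3M.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(-+|\d+)\s+(\S{8})\s+(.+)$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
DEREGISTERED = re.compile(r"^\*Deregistered\*\s*-\s*(\S+)")

# Heuristics (assumptions): eight random lowercase letters is a common
# dropper/rootkit file-naming pattern; eight hex digits plus .exe likewise.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
HEX_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return (category, subject, reason) tuples for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_LINE.match(line)
        if m:
            _state, svc, display, path = m.group(1, 2, 3, 4)
            stem = basename(path)[:-4]
            # Vendor drivers normally carry a descriptive display name; a random
            # stem that doubles as service name and display name stands out.
            if RANDOM_STEM.match(stem) and display.strip().lower() in ("", svc.strip().lower()):
                findings.append(("driver", path, "random eight-letter name, no vendor display name"))
            continue
        m = FILE_LINE.match(line)
        if m:
            size, _attrs, path = m.group(1, 2, 3)
            if HEX_EXE.match(basename(path)) and "\\application data\\" in path.lower():
                findings.append(("file", path, f"hex-named executable ({size} bytes) under Application Data"))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("config", "EnableFirewall", "Windows Firewall standard profile is disabled"))
            continue
        m = DEREGISTERED.match(line)
        if m:
            findings.append(("driver", m.group(1), "driver in memory but its service entry is deregistered"))
    return findings


def collect_paths(findings):
    """Candidate .sys paths for a Collect:: line like the one in this thread's CFScript."""
    return [s for cat, s, _ in findings if cat == "driver" and s.lower().endswith(".sys")]


if __name__ == "__main__":
    for cat, subject, reason in triage(SAMPLE_LOG):
        print(f"[{cat}] {subject}: {reason}")
```

The output is a list of candidates, not verdicts: the *Deregistered* entries in the log above are Panda's own drivers, and a random-looking stem is only a prompt to pull the file and submit it, which is what the Collect:: script in this thread does.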

#14 Farbar (Security Developer)

Posted 25 June 2010 - 09:26 PM

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You may delete any tool or log we used from your computer.

Happy surfing, Heavenlyp.

#15 Heavenlyp (Topic Starter)

Posted 26 June 2010 - 12:55 AM

ComboFix uninstall is complete. Everything is A-OK.

Thanks again Farbar

Couldn't surf without you.
