
Infected with trojans and worm, vundo for sure [RESOLVED]

This topic is locked.

#1 my_computer_is_screwed (New Member, 8 posts)

I've lost count of what all has come up to be quite honest. And I don't really know what I'm doing to remove any of this, but I do know that after following the directions for removing this in your forum, when I perform a virus scan online, I'm still infected. Vundo is one that comes up consistently. I just really need help because I am really clueless when it comes to computers. :) Here's my DSS log; I finally got it to run. Please help! Thanks in advance.

Deckard's System Scanner v20071014.68
Run by libc1 on 2008-05-20 09:46:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as libc1.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:31 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\libc1\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\libc1.exe
C:\WINDOWS\system32\HPZinw12.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O1 - Hosts: hp973f8e HP0018FE973F8E
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [INPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\libc1\Application Data\Deskbar_{380C73FA-F65D-49d1-95D5-C938579255FE}\starter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191525831828
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ahsstud.ahs.mcnairy.org
O17 - HKLM\Software\..\Telephony: DomainName = ahsstud.ahs.mcnairy.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ahsstud.ahs.mcnairy.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ahsstud.ahs.mcnairy.org
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9127 bytes

-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2008-05-19 22:32:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-19 22:32:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-19 21:28:01 0 d-------- C:\Program Files\Panda Security
2008-05-19 17:58:00 0 d-------- C:\Documents and Settings\libc1\Application Data\Malwarebytes
2008-05-19 17:57:55 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 17:57:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 17:57:10 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-19 06:41:42 0 d-------- C:\Documents and Settings\libc1\DoctorWeb
2008-05-19 06:39:48 0 d-------- C:\Program Files\Trend Micro
2008-05-19 06:12:23 0 d-------- C:\Documents and Settings\libc1\Application Data\Symantec
2008-05-19 02:16:12 0 d-------- C:\Program Files\Norton 360
2008-05-19 02:13:18 0 d-------- C:\Program Files\Symantec
2008-05-19 02:13:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-19 02:13:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-18 21:21:52 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-18 20:18:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 20:17:55 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 20:17:55 0 d-------- C:\Documents and Settings\libc1\Application Data\SUPERAntiSpyware.com
2008-05-18 20:17:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 19:47:22 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-18 19:07:26 0 d-------- C:\WINDOWS\system32\appmgmt
2008-05-18 18:56:21 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-18 18:55:25 0 d-------- C:\Program Files\SpywareBlaster
2008-05-18 18:32:50 25558 --ahs---- C:\WINDOWS\system32\CfggNXyb.ini2
2008-05-18 18:31:33 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-05-18 18:30:24 0 d-------- C:\WINDOWS\Sun
2008-05-18 18:30:24 0 d-------- C:\Documents and Settings\libc1\Application Data\Sun
2008-05-18 18:28:05 0 d--hs---- C:\WINDOWS\QUhT
2008-05-18 18:27:52 0 d-------- C:\WINDOWS\system32\polX
2008-05-18 18:27:52 0 d-------- C:\WINDOWS\system32\GUI2
2008-05-18 18:27:52 0 d-------- C:\WINDOWS\system32\binR
2008-05-18 18:27:52 0 d-------- C:\WINDOWS\system32\3036a
2008-05-18 18:27:46 0 d-------- C:\WINDOWS\system32\logXv18
2008-05-18 18:25:08 0 d-------- C:\Program Files\SurfingProgram
2008-05-18 18:21:25 0 d-------- C:\Documents and Settings\libc1\Application Data\LimeWire
2008-05-18 18:15:47 0 d-------- C:\Program Files\LimeWire
2008-05-10 08:28:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-09 13:36:13 2550 --a------ C:\WINDOWS\mozver.dat
2008-05-01 08:36:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Amazon
2008-05-01 08:36:27 0 d-------- C:\Program Files\Amazon
2008-05-01 08:35:20 0 d-------- C:\WINDOWS\RegisteredPackages
2008-05-01 08:30:04 0 d-------- C:\WINDOWS\Downloaded Installations


-- Find3M Report ---------------------------------------------------------------

2008-05-20 09:25:48 2812 --a------ C:\Documents and Settings\libc1\Application Data\evpro32.prf
2008-05-19 17:57:10 0 d-------- C:\Program Files\Common Files
2008-05-01 08:37:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-25 15:33:15 0 d-------- C:\Documents and Settings\libc1\Application Data\U3
2008-04-09 14:54:24 0 d-------- C:\Program Files\Hewlett-Packard
2008-04-09 14:54:22 0 d--h----- C:\Program Files\Zenographics
2008-04-04 21:57:55 0 d-------- C:\Documents and Settings\libc1\Application Data\Adobe
2008-04-04 20:57:02 0 d-------- C:\Documents and Settings\libc1\Application Data\Real
2008-04-04 20:51:51 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-04 20:51:49 0 d-------- C:\Program Files\Common Files\Real
2008-04-04 20:51:42 0 d-------- C:\Program Files\Real
2008-04-04 20:43:00 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-04 20:42:58 0 d-------- C:\Documents and Settings\libc1\Application Data\Mozilla
2008-04-04 08:27:21 94123 --a------ C:\WINDOWS\hppins05.dat
2008-04-04 08:24:42 0 d-------- C:\Program Files\HP
2008-04-04 08:16:30 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-03-03 22:50:28 61678 --a------ C:\Documents and Settings\libc1\Application Data\PFP100JPR.{PB
2008-03-03 22:50:28 12358 --a------ C:\Documents and Settings\libc1\Application Data\PFP100JCM.{PB
2008-02-26 17:57:32 117089 --a------ C:\WINDOWS\hpoins11.dat
2008-02-20 14:21:43 28672 --a------ C:\WINDOWS\system32\qttask.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [07/19/2006 09:42 AM C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [12/21/2005 03:02 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [06/13/2006 09:57 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [06/13/2006 09:57 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [06/13/2006 09:57 AM]
"RTHDCPL"="RTHDCPL.EXE" [03/14/2006 05:01 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\Alcmtr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/29/2006 06:13 AM]
"AGRSMMSG"="AGRSMMSG.exe" [03/16/2006 05:24 PM C:\WINDOWS\AGRSMMSG.exe]
"INPROCOMMWireless"="C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
"hpbdfawep"="C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [12/23/2007 09:47 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/04/2008 08:51 PM]
"dbar_starter"="C:\Documents and Settings\libc1\Application Data\Deskbar_{380C73FA-F65D-49d1-95D5-C938579255FE}\starter.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 08:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 07:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [10/20/2007 8:17:26 PM]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [7/11/2007 5:25:20 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 5:21:22 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 8:56:20 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXNggfC

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb53831a-066e-11dd-a6a6-00197e72468e}]
AutoRun\command- D:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-05-20 09:46:55 ------------
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Please do not create duplicate topics for the same issue. Your other topic is now closed.

1. Download ComboFix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe. Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3 my_computer_is_screwed (Topic Starter, New Member, 8 posts)

ComboFix 08-05-20.4 - libc1 2008-05-21 0:49:50.1 - NTFSx86
Running from: C:\Documents and Settings\libc1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\CfggNXyb.ini
C:\WINDOWS\system32\CfggNXyb.ini2
C:\WINDOWS\system32\Desktop_.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\uubnully.ini
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-19 22:32 . 2008-05-19 22:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-19 22:32 . 2008-05-19 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-19 21:28 . 2008-05-19 21:29 <DIR> d-------- C:\Program Files\Panda Security
2008-05-19 17:58 . 2008-05-19 17:58 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\Malwarebytes
2008-05-19 17:57 . 2008-05-19 19:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 17:57 . 2008-05-19 17:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-19 17:57 . 2008-05-19 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 17:57 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-19 17:57 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-19 14:26 . 2008-05-19 14:26 <DIR> d-------- C:\Deckard
2008-05-19 06:41 . 2008-05-19 06:41 <DIR> d-------- C:\Documents and Settings\libc1\DoctorWeb
2008-05-19 06:39 . 2008-05-19 06:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 06:26 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-19 06:26 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-19 06:26 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-19 06:12 . 2008-05-19 06:12 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\Symantec
2008-05-19 02:43 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DL1
2008-05-19 02:16 . 2008-05-19 10:03 <DIR> d-------- C:\Program Files\Norton 360
2008-05-19 02:15 . 2008-05-19 02:40 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-19 02:15 . 2008-05-19 02:40 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-19 02:15 . 2008-05-19 02:40 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-19 02:15 . 2008-05-19 02:40 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-19 02:13 . 2008-05-19 02:40 <DIR> d-------- C:\Program Files\Symantec
2008-05-19 02:13 . 2008-05-20 12:56 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-19 02:13 . 2008-05-20 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-18 21:21 . 2008-05-18 21:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-18 20:18 . 2008-05-18 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 20:17 . 2008-05-18 20:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 20:17 . 2008-05-18 20:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 20:17 . 2008-05-18 20:17 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\SUPERAntiSpyware.com
2008-05-18 19:47 . 2008-05-18 22:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-18 18:56 . 2008-05-18 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-18 18:55 . 2008-05-18 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-18 18:31 . 2008-05-18 18:31 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-18 18:30 . 2008-05-18 18:30 <DIR> d-------- C:\WINDOWS\Sun
2008-05-18 18:28 . 2008-05-18 20:33 <DIR> d--hs---- C:\WINDOWS\QUhT
2008-05-18 18:27 . 2008-05-19 19:01 <DIR> d-------- C:\WINDOWS\system32\polX
2008-05-18 18:27 . 2008-05-19 07:54 <DIR> d-------- C:\WINDOWS\system32\logXv18
2008-05-18 18:27 . 2008-05-18 20:31 <DIR> d-------- C:\WINDOWS\system32\GUI2
2008-05-18 18:27 . 2008-05-18 20:31 <DIR> d-------- C:\WINDOWS\system32\binR
2008-05-18 18:27 . 2008-05-18 20:31 <DIR> d-------- C:\WINDOWS\system32\3036a
2008-05-18 18:27 . 2008-05-18 18:27 <DIR> d-------- C:\TEMP\dmpxp32
2008-05-18 18:25 . 2008-05-18 20:33 <DIR> d-------- C:\Program Files\SurfingProgram
2008-05-18 18:21 . 2008-05-18 19:09 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\LimeWire
2008-05-18 18:15 . 2008-05-18 18:34 <DIR> d-------- C:\Program Files\LimeWire
2008-05-10 08:28 . 2008-05-19 06:03 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-09 13:36 . 2008-05-19 21:28 2,550 --a------ C:\WINDOWS\mozver.dat
2008-05-01 08:38 . 2008-05-01 08:38 934 --a------ C:\Amazon Unbox.lnk
2008-05-01 08:36 . 2008-05-01 08:36 <DIR> d-------- C:\Program Files\Amazon
2008-05-01 08:36 . 2008-05-01 08:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Amazon
2008-05-01 08:30 . 2008-05-01 08:30 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-28 10:47 . 2008-05-18 00:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 10:47 . 2008-04-28 10:47 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 13:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 20:33 --------- d-----w C:\Documents and Settings\libc1\Application Data\U3
2008-04-09 19:54 --------- d--h--w C:\Program Files\Zenographics
2008-04-09 19:54 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-05 01:51 --------- d-----w C:\Program Files\Real
2008-04-05 01:51 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-05 01:51 --------- d-----w C:\Program Files\Common Files\Real
2008-04-04 13:24 --------- d-----w C:\Program Files\HP
2008-04-04 13:16 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-04-01 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 17:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 17:24 88204 C:\WINDOWS\AGRSMMSG.exe]
"INPROCOMMWireless"="C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"hpbdfawep"="C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 21:47 618496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 20:51 185896]
"dbar_starter"="C:\Documents and Settings\libc1\Application Data\Deskbar_{380C73FA-F65D-49d1-95D5-C938579255FE}\starter.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2007-10-20 20:17:26 45056]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
S1 nikedrvv;nikedrvv;C:\WINDOWS\system32\drivers\nikedrvv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb53831a-066e-11dd-a6a6-00197e72468e}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 01:01:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2008-05-21 1:04:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 06:04:23

Pre-Run: 50,490,429,440 bytes free
Post-Run: 53,616,091,136 bytes free

201 --- E O F --- 2008-05-18 13:49:37
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I don't recommend using file sharing programs like Limewire as they can help contribute to malware infections.

Uninstall Deskbar and SurfingProgram via the Add/Remove Programs panel if found.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
nikedrvv
Folder::
C:\WINDOWS\QUhT
C:\WINDOWS\system32\polX
C:\WINDOWS\system32\logXv18
C:\WINDOWS\system32\GUI2
C:\WINDOWS\system32\binR
C:\WINDOWS\system32\3036a
C:\TEMP\dmpxp32
C:\Program Files\SurfingProgram
C:\Documents and Settings\libc1\Application Data\Deskbar_{380C73FA-F65D-49d1-95D5-C938579255FE}\
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dbar_starter"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0
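The fix script above targets three things the helper picked out of the ComboFix log: a driver entry the tool recorded with no file date (nikedrvv), a set of unexpected folders, and a Run key value. Below is an added example, written for this thread and not part of ComboFix, greyknight17's instructions, or any tool the posters used, that parses the log format seen here and lists the lines a reviewer would look at first. The sample log is constructed to match the format of the logs in this thread; the regular expressions, function names and the wording of each finding are my own. It reports review items, not verdicts: the Security Center override and firewall values it flags are also set legitimately by a third-party security suite, so each one needs to be matched against the products installed.

```python
"""Triage helper for ComboFix-style logs (added example; not part of the thread).

Parses the driver/service lines and the REGEDIT4 "Reg Loading Points" block of a
ComboFix log and lists the entries a reviewer would check first. The sample below
is constructed in the format the logs in this thread use.
"""
import re

# Constructed sample. The nikedrvv line mirrors the thread's: empty brackets mean
# the tool recorded no file timestamp for that driver.
SAMPLE_LOG = r"""
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
S1 nikedrvv;nikedrvv;C:\WINDOWS\system32\drivers\nikedrvv.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb53831a-066e-11dd-a6a6-00197e72468e}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
"""

# "<status><start> name;description;path [file date]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?(\S+)')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")


def parse_drivers(text):
    """Return (status, name, path, date) for every driver/service line."""
    found = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(4), m.group(5)))
    return found


def parse_registry(text):
    """Return ({key: {name: value}}, [(key, autorun_command)])."""
    values, autoruns, key = {}, [], None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            values.setdefault(key, {})
            continue
        if key is None:          # still in the driver section
            continue
        a = AUTORUN_RE.match(line)
        if a:
            autoruns.append((key, a.group(1)))
            continue
        v = VALUE_RE.match(line)
        if v:
            values[key][v.group(1)] = v.group(2)
    return values, autoruns


def triage(text):
    """List review items; each is a hint for a human, not a malware verdict."""
    findings = []
    for _status, name, path, date in parse_drivers(text):
        if not date.strip():
            findings.append(f"driver {name} ({path}): no file timestamp recorded; "
                            "check whether the file exists and what it is")
    values, autoruns = parse_registry(text)
    for key, vals in values.items():
        lk = key.lower()
        if lk.endswith("security center"):
            for n in ("AntiVirusOverride", "FirewallOverride"):
                if int(vals.get(n, "0"), 16) == 1:
                    findings.append(f"{n}=1: Security Center alerts suppressed for this "
                                    "component; confirm a known security product set it")
        if "firewallpolicy\\standardprofile" in lk and int(vals.get("EnableFirewall", "1"), 16) == 0:
            findings.append("EnableFirewall=0: Windows Firewall off for the standard "
                            "profile; confirm a third-party firewall covers it")
    for key, cmd in autoruns:
        guid = key.rsplit("\\", 1)[-1]
        findings.append(f"AutoRun command on mountpoint {guid}: {cmd}")
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print("-", item)
```

Run against a real log by reading the file into `triage()` in place of `SAMPLE_LOG`. The helper deliberately stops at "look here": the decision to write a `Driver::` or `Folder::` line into a CFScript stays with the person reading the log, as it did in this thread.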

#5
my_computer_is_screwed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I removed SurfingProgram; could not find Deskbar.

Thank you so much for helping me. You don't know how much I appreciate your knowledge.

Here is my log:

ComboFix 08-05-20.4 - libc1 2008-05-22 9:57:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.369 [GMT -5:00]
Running from: C:\Documents and Settings\libc1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\libc1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\TEMP\dmpxp32
C:\TEMP\dmpxp32\sakldsr.log
C:\WINDOWS\QUhT
C:\WINDOWS\system32\3036a
C:\WINDOWS\system32\binR
C:\WINDOWS\system32\GUI2
C:\WINDOWS\system32\logXv18
C:\WINDOWS\system32\polX

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NIKEDRVV
-------\Service_nikedrvv


((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-19 22:32 . 2008-05-19 22:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-19 22:32 . 2008-05-19 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-19 21:28 . 2008-05-19 21:29 <DIR> d-------- C:\Program Files\Panda Security
2008-05-19 17:58 . 2008-05-19 17:58 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\Malwarebytes
2008-05-19 17:57 . 2008-05-19 19:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 17:57 . 2008-05-19 17:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-19 17:57 . 2008-05-19 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 17:57 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-19 17:57 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-19 14:26 . 2008-05-19 14:26 <DIR> d-------- C:\Deckard
2008-05-19 06:41 . 2008-05-19 06:41 <DIR> d-------- C:\Documents and Settings\libc1\DoctorWeb
2008-05-19 06:39 . 2008-05-19 06:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 06:26 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-19 06:26 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-19 06:26 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-19 06:12 . 2008-05-19 06:12 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\Symantec
2008-05-19 02:43 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DL1
2008-05-19 02:16 . 2008-05-19 10:03 <DIR> d-------- C:\Program Files\Norton 360
2008-05-19 02:15 . 2008-05-19 02:40 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-19 02:15 . 2008-05-19 02:40 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-19 02:15 . 2008-05-19 02:40 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-19 02:15 . 2008-05-19 02:40 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-19 02:13 . 2008-05-19 02:40 <DIR> d-------- C:\Program Files\Symantec
2008-05-19 02:13 . 2008-05-22 10:04 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-19 02:13 . 2008-05-21 07:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-18 21:21 . 2008-05-18 21:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-18 20:18 . 2008-05-18 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 20:17 . 2008-05-18 20:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 20:17 . 2008-05-18 20:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 20:17 . 2008-05-18 20:17 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\SUPERAntiSpyware.com
2008-05-18 19:47 . 2008-05-18 22:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-18 18:56 . 2008-05-18 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-18 18:55 . 2008-05-18 18:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-18 18:31 . 2008-05-18 18:31 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-18 18:30 . 2008-05-18 18:30 <DIR> d-------- C:\WINDOWS\Sun
2008-05-18 18:21 . 2008-05-18 19:09 <DIR> d-------- C:\Documents and Settings\libc1\Application Data\LimeWire
2008-05-18 18:15 . 2008-05-18 18:34 <DIR> d-------- C:\Program Files\LimeWire
2008-05-10 08:28 . 2008-05-19 06:03 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-09 13:36 . 2008-05-19 21:28 2,550 --a------ C:\WINDOWS\mozver.dat
2008-05-01 08:38 . 2008-05-01 08:38 934 --a------ C:\Amazon Unbox.lnk
2008-05-01 08:36 . 2008-05-01 08:36 <DIR> d-------- C:\Program Files\Amazon
2008-05-01 08:36 . 2008-05-01 08:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Amazon
2008-05-01 08:30 . 2008-05-01 08:30 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-28 10:47 . 2008-05-18 00:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 10:47 . 2008-04-28 10:47 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 13:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 20:33 --------- d-----w C:\Documents and Settings\libc1\Application Data\U3
2008-04-09 19:54 --------- d--h--w C:\Program Files\Zenographics
2008-04-09 19:54 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-05 01:51 --------- d-----w C:\Program Files\Real
2008-04-05 01:51 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-05 01:51 --------- d-----w C:\Program Files\Common Files\Real
2008-04-04 13:24 --------- d-----w C:\Program Files\HP
2008-04-04 13:16 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-04-01 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_ 1.04.09.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 05:55:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-22 15:01:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-22 15:02:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 17:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 17:24 88204 C:\WINDOWS\AGRSMMSG.exe]
"INPROCOMMWireless"="C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"hpbdfawep"="C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 21:47 618496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 20:51 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2007-10-20 20:17:26 45056]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb53831a-066e-11dd-a6a6-00197e72468e}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 10:03:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2008-05-22 10:07:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 15:07:07
ComboFix2.txt 2008-05-21 06:04:29

Pre-Run: 53,612,666,880 bytes free
Post-Run: 53,601,226,752 bytes free

192 --- E O F --- 2008-05-18 13:49:37
  • 0

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. Glad to help out :)

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#7
my_computer_is_screwed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Everything seems to be fine. Thank you so much!

I don't quite understand what you mean by "go to Start->Run, copy/paste in combofix /u and hit OK to remove it".
  • 0

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go to your Start button and click on it. Then click on Run. Copy and paste (or just manually type in) combofix /u (notice the space there) and hit OK to remove Combofix.
  • 0

#9
my_computer_is_screwed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Got it. Thanks! :)
  • 0

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
