Trojan- Win32.conhook.D [CLOSED]


#1
abrhles01

    New Member

  • Member
  • 3 posts
I keep getting insane pop-ups and notices from Norton regarding this specific virus that it cannot remove. I tried following the "prerequisites" to post but honestly got confused as to which ones exactly applied to me. HELP! I need this off so I can get back to normal!

Edited by abrhles01, 07 April 2008 - 09:40 PM.

#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please read this topic and post your HijackThis log here when ready.

You may just go through the steps if you are unsure of the infection you have. Run through the other scans in that main page and post the HijackThis log when ready.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

#3
abrhles01

    New Member

  • Topic Starter
  • Member
  • 3 posts
I followed a lot of those instructions before you responded and I think I may have cleared up some of the problem. I'm still getting some messages when I first turn on the computer so I'll go ahead with this again to see if there is anything else I missed. I'm in the process of running the scans and will post the log in a few.

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. The two main logs I need are the HijackThis and ComboFix logs.

#5
abrhles01

    New Member

  • Topic Starter
  • Member
  • 3 posts
Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:56, on 2008-04-14
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\SBC\update\SST.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\CF13966.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\ComboFix\nircmd.cfexe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SBC_McciTrayApp] C:\Program Files\SBC\update\SST.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\RunOnce: [PCDrProfiler] C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe -r
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7343 bytes


Combo Fix Log

ComboFix 08-04-06.1 - Amber 2008-04-14 22:58:10.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.224 [GMT -5:00]
Running from: C:\Users\Amber\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\AutoRun.inf
C:\Windows\system32\jusched.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 22:53 . 2008-04-14 22:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 00:25 . 2008-04-14 00:25 <DIR> d-------- C:\Users\Amber\AppData\Roaming\Malwarebytes
2008-04-14 00:25 . 2008-04-14 00:25 <DIR> d-------- C:\Users\Amber\AppData\Roaming\Download Manager
2008-04-14 00:25 . 2008-04-14 00:25 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-14 00:25 . 2008-04-14 00:25 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-10 23:47 . 2008-04-10 23:47 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-10 23:45 . 2008-04-10 23:45 42 --a------ C:\END
2008-04-09 05:59 . 2008-02-14 18:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 05:59 . 2008-02-19 00:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 05:59 . 2008-02-29 01:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 05:59 . 2008-02-29 01:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 05:59 . 2008-02-29 01:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 05:59 . 2008-02-29 01:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 05:59 . 2008-02-29 01:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 05:59 . 2008-02-29 01:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 05:59 . 2008-02-29 01:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-06 21:54 . 2008-04-14 06:44 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 20:37 . 2008-04-14 06:45 <DIR> d-------- C:\Users\Amber\AppData\Roaming\SUPERAntiSpyware.com
2008-04-06 20:37 . 2008-04-06 20:37 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-06 20:37 . 2008-04-06 20:37 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-04-06 20:37 . 2008-04-14 06:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 20:07 . 2008-04-06 20:07 <DIR> d-------- C:\VundoFix Backups
2008-04-06 09:39 . 2008-04-06 09:39 <DIR> d-------- C:\Deckard
2008-04-04 23:39 . 2008-04-04 23:40 96,577 --a------ C:\Windows\hpqins16.dat
2008-04-03 22:50 . 2008-04-03 22:50 <DIR> d-------- C:\Users\All Users\Google
2008-04-03 22:44 . 2008-04-03 22:44 0 --a------ C:\Windows\nsreg.dat
2008-03-29 03:02 . 2008-03-29 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-28 21:23 . 2008-03-28 21:23 <DIR> d-------- C:\Users\All Users\WEBREG
2008-03-28 21:23 . 2008-03-28 21:23 <DIR> d-------- C:\ProgramData\WEBREG
2008-03-27 22:25 . 2008-03-27 22:25 <DIR> d-------- C:\Users\Amber\AppData\Roaming\HPAppData
2008-03-27 22:23 . 2008-04-06 09:18 <DIR> d-------- C:\Users\All Users\HP Product Assistant
2008-03-27 22:23 . 2008-04-06 09:18 <DIR> d-------- C:\ProgramData\HP Product Assistant
2008-03-27 22:22 . 2008-03-27 22:22 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-27 22:20 . 2007-03-07 23:20 364,544 --a------ C:\Windows\System32\hppldcoi.dll
2008-03-27 22:20 . 2007-03-30 10:07 267,864 --a------ C:\Windows\System32\hpzids01.dll
2008-03-27 22:20 . 2007-03-28 14:01 117,760 --a------ C:\Windows\System32\hpzll5ha.dll
2008-03-27 22:19 . 2007-03-17 11:11 675,840 --a------ C:\Windows\System32\hpowiax3.dll
2008-03-27 22:19 . 2007-03-17 11:11 569,344 --a------ C:\Windows\System32\hpotscl3.dll
2008-03-27 22:19 . 2007-03-07 23:20 309,760 --a------ C:\Windows\System32\difxapi.dll
2008-03-27 22:19 . 2007-03-17 11:11 303,104 --a------ C:\Windows\System32\hpovst10.dll
2008-03-27 22:18 . 2008-04-09 16:50 141,197 --a------ C:\Windows\hpoins14.dat
2008-03-27 22:18 . 2007-09-19 20:14 2,000 --------- C:\Windows\hpomdl14.dat
2008-03-21 14:24 . 2007-11-14 15:18 553 --a------ C:\Windows\USetup.iss
2008-03-21 14:22 . 2008-01-15 11:26 4,874,240 --a------ C:\Windows\RtHDVCpl.exe
2008-03-21 14:22 . 2008-01-07 19:30 2,156,544 --a------ C:\Windows\System32\RtkAPO.dll
2008-03-21 14:22 . 2008-01-15 19:19 2,047,576 --a------ C:\Windows\System32\drivers\RTKVHDA.sys
2008-03-21 14:22 . 2007-11-07 17:31 1,191,936 --a------ C:\Windows\RtlUpd.exe
2008-03-21 14:22 . 2008-01-09 18:52 636,416 --a------ C:\Windows\System32\RtkPgExt.dll
2008-03-21 14:22 . 2007-11-13 12:35 532,480 --a------ C:\Windows\System32\RTSndMgr.cpl
2008-03-21 14:22 . 2008-01-14 16:18 29,696 --a------ C:\Windows\System32\RtkCoInst.dll
2008-03-18 14:21 . 2008-03-18 14:21 <DIR> d-------- C:\Users\Amber\AppData\Roaming\Oberon Games
2008-03-17 23:50 . 2008-03-21 16:03 <DIR> d-a------ C:\Users\All Users\TEMP
2008-03-17 23:50 . 2008-03-21 16:03 <DIR> d-a------ C:\ProgramData\TEMP
2008-03-17 22:48 . 2008-03-18 13:40 <DIR> d-------- C:\Program Files\Sallys Salon
2008-03-17 22:47 . 2008-03-17 22:47 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-17 22:30 . 2008-03-17 22:30 <DIR> d-------- C:\Program Files\bfgclient
2008-03-17 17:43 . 2008-03-17 17:43 4,096 --a------ C:\Windows\d3dx.dat
2008-03-17 17:35 . 2008-03-17 17:35 <DIR> d-------- C:\Users\All Users\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
2008-03-17 17:35 . 2008-03-17 17:35 <DIR> d-------- C:\ProgramData\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
2008-03-17 17:34 . 2008-03-17 17:35 <DIR> d-------- C:\Program Files\Activation Assistant for the 2007 Microsoft Office suites
2008-03-17 17:33 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-03-17 17:32 . 2008-03-17 17:32 <DIR> d-------- C:\Windows\PCHEALTH
2008-03-17 17:32 . 2008-03-17 17:32 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-17 17:30 . 2008-04-09 23:50 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-17 17:30 . 2008-04-09 23:50 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-17 17:29 . 2008-03-17 17:29 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 03:52 --------- d-----w C:\Users\Amber\AppData\Roaming\LimeWire
2008-04-15 03:45 --------- d-----w C:\ProgramData\Symantec
2008-04-15 03:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 04:22 13,146 ----a-w C:\Users\Amber\AppData\Roaming\wklnhst.dat
2008-04-11 01:35 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 10:59 --------- d-----w C:\ProgramData\Yahoo!
2008-04-09 10:58 --------- d-----w C:\ProgramData\Yahoo! Companion
2008-04-09 10:58 --------- d-----w C:\Program Files\Yahoo!
2008-04-06 14:18 --------- d-----w C:\Program Files\Microsoft Works
2008-04-05 15:08 --------- d-----w C:\Program Files\HP
2008-03-29 02:22 --------- d-----w C:\ProgramData\HP
2008-03-29 02:21 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-03-24 11:04 --------- d-----w C:\Program Files\Yahoo! Games
2008-03-21 19:22 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-03-17 18:30 --------- d-----w C:\Users\Amber\AppData\Roaming\Yahoo!
2008-03-06 12:46 --------- d-----w C:\Program Files\LimeWire
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-28 06:10 --------- d-----w C:\Users\Amber\AppData\Roaming\CyberLink
2008-02-28 06:10 --------- d-----w C:\ProgramData\CyberLink
2008-02-27 11:40 --------- d-----w C:\Users\Amber\AppData\Roaming\WinBatch
2008-02-23 14:10 --------- d-----w C:\ProgramData\Motive
2008-02-21 05:40 --------- d-----w C:\ProgramData\Trymedia
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-20 12:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-20 05:32 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-02-20 05:32 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-02-20 05:32 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-02-20 05:32 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-02-20 05:32 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-02-20 05:32 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-02-20 05:32 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-02-20 05:32 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-02-20 05:32 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-02-20 05:32 2,923,520 ----a-w C:\Windows\explorer.exe
2008-02-20 05:31 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-20 05:31 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-20 05:29 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-20 05:29 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-20 05:29 3,505,720 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-20 05:29 3,471,928 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-20 05:29 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-20 05:29 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-20 05:29 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-20 05:29 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-20 05:29 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-20 05:29 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-20 05:29 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-20 05:29 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-20 05:29 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-20 05:28 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-02-20 05:28 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-20 05:28 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-20 05:28 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-20 05:28 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-02-20 05:28 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-20 05:28 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-20 05:28 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-02-20 05:28 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-20 05:28 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-02-20 05:27 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-02-20 05:27 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-02-20 05:27 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-02-20 05:27 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-02-20 05:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 03:24 --------- d-----w C:\Program Files\SBC
2008-02-20 03:24 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-18 05:30 --------- d-----w C:\ProgramData\WildTangent
2008-02-16 18:23 --------- d-----w C:\Users\Amber\AppData\Roaming\iWin
2007-11-17 17:20 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-02-20 00:28 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-17 12:01 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 10:01 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 11:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 06:59 118784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:45 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:45 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:45 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\Windows\RtHDVCpl.exe]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 05:56 54936]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"SBC_McciTrayApp"="C:\Program Files\SBC\update\SST.exe" [2007-02-28 14:35 1011200]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PCDrProfiler"="C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" [2007-06-25 16:21 73728]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Amber\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 16:32:57 147456]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4E6EB10C-9129-4722-ABC5-504FF37E78E5}"= c:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{B59D2511-570D-4BC7-BBA9-51E4C3856264}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87F132DE-963F-4EE7-9DED-89A8E7CB0848}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31233530-1281-462A-A069-0F5616F08BEC}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{79057CC4-F207-4E43-AAFA-CE7190643D59}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D27F30C2-E8F2-40FD-BE93-33E944E5F79D}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{434E872E-A4F0-457B-BF60-02AF1A3A6120}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{40EE711D-123C-4152-BE7D-5966AA5C64D1}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{332852AE-7DD4-4767-8935-4DFCEBA51D71}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{831D0BC9-8A31-47AD-B9C3-36333C120850}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{31A0C9F2-CA86-4144-9B56-AAF025F753C8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9FB67D20-CDBA-40E2-96B8-74E8FB6F96E4}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{267CFF98-097C-488D-AF87-6BA1D77CC259}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{73F44DC8-93D4-468E-9CBF-3B48ACF69985}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{39F5C62B-7608-440D-90D4-D515005A804A}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-08-07 15:26]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [2007-07-23 18:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 02:07:28 C:\Windows\Tasks\User_Feed_Synchronization-{316E0029-34AA-4674-B780-74B04A66D520}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-04-11 01:35:05 C:\Windows\Tasks\WebReg Deskjet F4100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 23:00:17
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 23:00:45
ComboFix-quarantined-files.txt 2008-04-15 04:00:43
Pre-Run: 401,102,729,216 bytes free
Post-Run: 401,079,422,976 bytes free
.
2008-04-11 02:01:14 --- E O F ---
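The HijackThis log in post #5 follows a fixed line format (an R or O section code, then a body whose layout depends on the code), which makes it straightforward to parse for triage. What follows is an added example, not code from this thread or from HijackThis or ComboFix: it parses a few lines copied from that log, lists the registrations HijackThis marked "(no file)", and resolves each O4 autostart to the program it actually launches, including the DLL behind a rundll32 entry. The section-code patterns are my reading of the log lines on this page, not an official grammar.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: nine lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

# Every HijackThis entry starts with a section code: R0-R3 (IE URLs), O1-O24 (hooks, autostarts, services, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# O4 registry autostart:        HKLM\..\Run: [Name] command line
O4_REG_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O4 startup-folder shortcut:   Startup: Name.lnk = command line
O4_LNK_RE = re.compile(r"^(?P<location>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$")
# COM registrations (R3, O2, O3, O9):  Kind: Name - {CLSID} - path   (path may be "(no file)")
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O23 services:                 Service: Name - Vendor - path
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.*)$")
# Program part of a command line, quoted or not, with its arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|scr|bat|cmd))"?(?=[\s,"]|$)', re.IGNORECASE)
# rundll32 just hosts a DLL export; the DLL, not rundll32 itself, is what to look at.
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+)", re.IGNORECASE)

@dataclass
class Entry:
    code: str                                   # HijackThis section code, e.g. "O4"
    raw: str                                    # the original log line
    fields: dict = field(default_factory=dict)  # parsed pieces; empty if the body layout is unknown

def parse_hijackthis(text):
    """Turn HijackThis log text into Entry records; unknown bodies keep only code and raw line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        parsed = None
        if code == "O4":
            parsed = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
        elif code in ("R3", "O2", "O3", "O9"):
            parsed = COM_RE.match(body)
        elif code == "O23":
            parsed = SERVICE_RE.match(body)
        entries.append(Entry(code, line, parsed.groupdict() if parsed else {}))
    return entries

def executable_of(command):
    """Return the program path from a command line, stripping quotes and arguments."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else command.strip().split(" ", 1)[0]

def orphaned_entries(entries):
    """Registrations whose file HijackThis could not find ('(no file)'): leftovers of an
    uninstall or a partial cleanup that still hold a CLSID in the registry."""
    return [e for e in entries if e.fields.get("path") == "(no file)"]

def autostart_report(entries):
    """(location, name, program actually launched) for every O4 entry, resolving rundll32 to its DLL."""
    rows = []
    for e in entries:
        if e.code != "O4" or "command" not in e.fields:
            continue
        command = e.fields["command"].strip()
        m = RUNDLL_RE.match(command)
        target = m.group("dll").strip() if m else executable_of(command)
        rows.append((e.fields["location"], e.fields["name"], target))
    return rows

if __name__ == "__main__":
    entries = parse_hijackthis(SAMPLE_LOG)
    for e in orphaned_entries(entries):
        print("orphaned:", e.raw)
    for row in autostart_report(entries):
        print("autostart: %s [%s] -> %s" % row)
```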

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is that trojan still detected now? If so, does Norton say exactly where it's located?

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.