Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Likely multiple infections [RESOLVED]


  • This topic is locked This topic is locked

#1
hhv100

hhv100

    New Member

  • Member
  • Pip
  • 4 posts
This should teach me. One of my co-workers has been running her home computers without any antivirus or antispyware protection. I successfully got the laptop clean, but the desktop has been tougher. I've completed the steps in the "...before posting a Hijackthis log" topic as well as running SDfix and a bunch of other antimalware/antivirus programs. Initially, the computer had insects eating the screen. I seem to have cured that, but I still don't think it's clean. Any help greatly appreciated. Log follows:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:23 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7056 bytes
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Looks good so far. Let's have a deeper look...

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
hhv100

hhv100

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Sorry it took awhile. Here goes:
Malwarebytes' Anti-Malware 1.20
Database version: 944
Windows 5.1.2600 Service Pack 2

5:52:35 PM 7/18/2008
mbam-log-7-18-2008 (17-52-35).txt

Scan type: Quick Scan
Objects scanned: 47326
Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ComboFix 08-07-17.4 - Compaq_Owner 2008-07-18 18:04:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\ASEMBL~1
C:\Documents and Settings\Compaq_Owner\Application Data\MCROSO~1.NET
C:\Documents and Settings\Compaq_Owner\Application Data\SKS~1
C:\Documents and Settings\Compaq_Owner\Application Data\SMANTE~1
C:\Documents and Settings\Compaq_Owner\Application Data\SSTEM~1
C:\Documents and Settings\Compaq_Owner\Application Data\STEM~1
C:\Documents and Settings\Compaq_Owner\Application Data\TSKS~1
C:\Documents and Settings\Compaq_Owner\Application Data\YSTEM~1
C:\Documents and Settings\Compaq_Owner\My Documents\CROSOF~1
C:\Documents and Settings\Compaq_Owner\My Documents\CROSOF~1.NET
C:\Documents and Settings\Compaq_Owner\My Documents\DOBE~1
C:\Documents and Settings\Compaq_Owner\My Documents\FNTS~1
C:\Documents and Settings\Compaq_Owner\My Documents\FNTS~1\F?nts\
C:\Documents and Settings\Compaq_Owner\My Documents\MCROSO~1
C:\Documents and Settings\Compaq_Owner\My Documents\SMBOLS~1
C:\Documents and Settings\Compaq_Owner\My Documents\STEM32~1
C:\Documents and Settings\Compaq_Owner\My Documents\YSTEM3~1
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\SFVBVFAT\www.broadcaster.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\SFVBVFAT\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\SFVBVFAT\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\install.exe
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\crosof~1.net
C:\Program Files\dobe~1
C:\Program Files\icroso~1
C:\Program Files\icroso~1.net
C:\Program Files\icroso~2
C:\Program Files\mbols~1
C:\Program Files\pppatc~1
C:\Program Files\stem~1
C:\Program Files\ymante~1
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\racle~2
C:\WINDOWS\scurit~1
C:\WINDOWS\sembly~1
C:\WINDOWS\smbols~1
C:\WINDOWS\sstem3~1
C:\WINDOWS\wnsxs~1
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-13 19:06 . 2008-07-13 19:06 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-13 19:06 . 2008-07-13 19:06 <DIR> d-------- C:\Program Files\Panda Security
2008-07-13 19:06 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-13 18:48 . 2008-07-13 18:48 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-13 18:45 . 2006-08-01 14:51 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ\WINDOWS
2008-07-13 18:45 . 2006-08-01 14:52 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ\Application Data\Intuit
2008-07-13 18:45 . 2008-07-13 18:45 <DIR> d-------- C:\Documents and Settings\Administrator.COMPAQ
2008-07-13 18:37 . 2008-07-13 18:37 <DIR> d-------- C:\sdfix
2008-07-12 21:40 . 2008-07-12 21:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-02 20:27 . 2008-07-02 20:27 <DIR> d-------- C:\Deckard
2008-07-02 19:04 . 2008-04-23 00:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-02 19:04 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-02 19:04 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-02 19:04 . 2008-04-23 00:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-02 19:04 . 2008-04-23 00:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-02 19:04 . 2008-04-23 00:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-02 19:04 . 2008-04-23 00:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-02 19:04 . 2008-04-23 00:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-02 19:04 . 2008-04-22 03:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-02 17:59 . 2008-07-12 21:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 17:59 . 2008-07-02 17:59 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-07-02 17:59 . 2008-07-02 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 17:59 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-02 17:59 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-02 16:32 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-02 16:32 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-02 16:29 . 2008-07-02 16:29 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-02 16:03 . 2008-07-02 16:04 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-02 16:02 . 2008-07-02 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-02 15:44 . 2008-07-02 15:44 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-07-02 15:43 . 2005-10-03 09:49 204,800 --a------ C:\WINDOWS\system32\UploadDLL.dll
2008-07-02 15:43 . 2005-11-20 04:31 192,512 --a------ C:\WINDOWS\system32\blkwcd.dll
2008-07-02 15:43 . 2005-10-03 09:50 167,936 --a------ C:\WINDOWS\system32\BelkinwcuiDLL.dll
2008-07-02 15:43 . 2005-10-03 09:50 101,888 --a------ C:\WINDOWS\system32\CrashRpt.dll
2008-07-02 15:43 . 2005-10-03 09:49 81,920 --a------ C:\WINDOWS\system32\brdcm2k.dll
2008-07-02 15:43 . 2005-10-03 09:49 61,440 --a------ C:\WINDOWS\system32\BelkinHWStatus.dll
2008-07-02 15:43 . 2004-10-29 12:09 53,248 --a------ C:\WINDOWS\system32\preflib.dll
2008-07-02 15:43 . 2003-07-24 12:10 17,149 --a------ C:\WINDOWS\system32\DNINDIS5.SYS
2008-07-02 00:32 . 2008-07-02 00:32 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\HPQ
2008-07-02 00:22 . 2008-07-02 00:27 8,192 --a------ C:\WINDOWS\system32\edb.chk
2008-07-02 00:22 . 2008-07-02 00:22 1,688 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RE467AA-ABA SR2010NX NA640_YC_0Pres_QCNH636_E64NAheREA2_48_INAOS_SASUSTek Computer INC._V1.05_B3.00_T060630_WXH2_L409_M447_J120_7AMD_8Sempron_91.8_#061226_N_Z14F12
F20_G10DE0241_OLITE-ON COMBO SOHC-4836K.MRK
2008-07-02 00:21 . 2006-08-01 14:51 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\WINDOWS
2008-07-02 00:21 . 2006-08-01 14:52 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Intuit
2008-07-02 00:21 . 2008-07-02 16:33 <DIR> d-------- C:\Documents and Settings\Compaq_Owner
2008-07-02 00:18 . 2006-08-01 14:51 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-07-02 00:18 . 2006-08-01 15:21 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-07-02 00:18 . 2006-08-01 14:52 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2008-07-01 23:45 . 2008-07-12 22:15 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-01 23:14 . 2008-07-01 23:14 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 19:01 --------- d-----w C:\Program Files\Dealio
2008-07-02 21:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-02 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-02 21:15 --------- d-----w C:\Program Files\music_now
2008-07-02 21:04 --------- d-----w C:\Program Files\filesubmit
2008-07-02 20:00 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-07-02 19:50 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-21 06:56 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 06:56 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 06:56 1,499,136 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 06:56 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 06:56 1,024,000 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-11 00:48 246 ----a-w C:\Program Files\Common Files\qufaq770
2008-02-15 02:17 452 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-10-13 12:32 128 ----a-w C:\Documents and Settings\Guest\psw.exe
2007-06-30 03:36 167 ----a-w C:\Documents and Settings\Guest\4352.bat
2007-06-29 14:39 167 ----a-w C:\Documents and Settings\Guest\3739.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 18:50 7311360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 01:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 01:34 249856]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 03:11 27136]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 05:23 663552]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 03:11 27136]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19 79224]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-05-09 18:50 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-08-01 14:08:00 27136]

C:\Documents and Settings\Administrator.COMPAQ\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-08-01 14:08:00 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe [2006-12-26 14:34:16 1523712]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-01 14:56:30 36903]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 16:10]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 18:06:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-18 18:08:54
ComboFix-quarantined-files.txt 2008-07-18 22:07:51

Pre-Run: 96,100,327,424 bytes free
Post-Run: 96,093,732,864 bytes free

188 --- E O F --- 2008-07-13 02:15:37



Thanks!
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Looks like that got rid of a bunch of junk :)

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#5
hhv100

hhv100

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks very much for your help!
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP