Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

d1odlfesx [RESOLVED]

Started by xtr33m3b0rdn3ss , Aug 08 2008 01:39 PM

This topic is locked

#1
xtr33m3b0rdn3ss

Posted 08 August 2008 - 01:39 PM

Member

Member
31 posts

Hi

I don't know what's going on with my computer. I can't download anything so I'm not able to get Hijackthis or any of the other software provided on this site.

The following is what happened. I hope it will help since I can't provide a log.

This morning (around midnight) I think my computer downloaded something bad. It automatically restarted, and when I looked in the applications running, i found something by the name of "d1odlfesx" which I had never seen before.
I shut it down, went to bed, then around 11:00am I tried again.
This time, if my firewall was down and I was connected to the computer, the computer would automatically restart.
I went into Safe-mode and deleted anything created today, since it happened today. The only thing I couldn't delete was "mmchost.dll"
I ran CleanUp! and Ad-aware 2007 (last updated march 2008). There were around 77 tracking cookies that had to be deleted.

If there's anything else I could provide to help, please tell me.

Thank you so much, and I'm sorry for the lack of information.

#2
greyknight17

Posted 09 August 2008 - 11:49 AM

Malware Expert

Visiting Consultant
16,560 posts

Get HijackThis from another computer in that case and transfer it over to this one.

#3
xtr33m3b0rdn3ss

Posted 09 August 2008 - 01:55 PM

Member

Topic Starter
Member
31 posts

Hi,

thanks for the reply
fortunately, just now, I was able to update my spybot during a period where my computer didn't shut down, and that let me delete a whole bunch of malware.
i think that solved the problem.

so case closed.

thanks!

#4
xtr33m3b0rdn3ss

Posted 09 August 2008 - 04:43 PM

Member

Topic Starter
Member
31 posts

I'm sorry. I was wrong.
It happened again.

But I downloaded on another computer and transferred.
here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:42 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AFinding.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\sobicyt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Winzy Assistant - {039AF219-4B6F-4AC6-8763-7BF5BBD481B3} - C:\Program Files\Winzy\Winzy IE Toolbar\winzyietoolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Winzy Toolbar - {5B327C15-C1B7-4d1f-A5B7-A2F5FFDF2881} - C:\Program Files\Winzy\Winzy IE Toolbar\winzyietoolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmp] C:\WINDOWS\System32\pmp.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MSHNetSetup] C:\WINDOWS\msbn\_setup.exe STATE_COPY_FILES (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MSHNetSetup] C:\WINDOWS\msbn\_setup.exe STATE_COPY_FILES (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.goo...2/uploader2.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O20 - AppInit_DLLs: dbi102.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe

--
End of file - 11607 bytes

#5
greyknight17

Posted 09 August 2008 - 05:25 PM

Malware Expert

Visiting Consultant
16,560 posts

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Check the box that says I know what I'm doing. Click on c:\windows\system32\mmchost.dll on the left window and then click on the arrow pointing to the right. Click Finish and follow the prompts.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Winzy

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
O2 - BHO: Winzy Assistant - {039AF219-4B6F-4AC6-8763-7BF5BBD481B3} - C:\Program Files\Winzy\Winzy IE Toolbar\winzyietoolbar.dll
O3 - Toolbar: Winzy Toolbar - {5B327C15-C1B7-4d1f-A5B7-A2F5FFDF2881} - C:\Program Files\Winzy\Winzy IE Toolbar\winzyietoolbar.dll
O4 - HKLM\..\Policies\Explorer\Run: [pmp] C:\WINDOWS\System32\pmp.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [MSHNetSetup] C:\WINDOWS\msbn\_setup.exe STATE_COPY_FILES (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [MSHNetSetup] C:\WINDOWS\msbn\_setup.exe STATE_COPY_FILES (User 'Default user')
O20 - AppInit_DLLs: dbi102.dll
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\Winzy\
C:\WINDOWS\System32\pmp.exe
C:\WINDOWS\msbn\
c:\windows\system32\dbi102.dll
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\WServing.exe

Don't worry if you can't delete some of the above files....

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

#6
xtr33m3b0rdn3ss

Posted 10 August 2008 - 12:47 AM

Member

Topic Starter
Member
31 posts

Hi

Here's the log from pandasoftware:

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-08-09 23:03:17
PROTECTIONS: 3
MALWARE: 19
SUSPECTS: 6
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Norton Antivirus 2004 10.00.10 No No
Norton Antivirus 2007 10.00.10 No No
Windows Defender 1.1.1904.0 No No
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip
00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
00029457 adware/toprebates Adware No 0 Yes No c:\windows\downloaded program files\winadx.inf
00032724 adware/portalscan Adware No 0 Yes No hkey_current_user\software\aun
00034463 adware/wupd Adware No 0 Yes No hkey_local_machine\software\preview adservice
00035328 Application/KillApp.A HackTools No 0 Yes No C:\hp\bin\Terminator.exe
00047660 adware/sqwire Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa
00047660 adware/sqwire Adware No 0 Yes No hkey_current_user\software\tsl2
00064455 Adware/SAHAgent Adware No 0 Yes No C:\WINDOWS\inf\bi1.inf
00065260 adware/ipinsight Adware No 0 Yes No c:\windows\inf\polall1r.inf
00117113 adware/neededware Adware No 0 Yes No hkey_classes_root\clsid\{41aa3336-2d3f-4bc6-a06e-f8dcccd1a40a}
00117113 adware/neededware Adware No 0 Yes No hkey_classes_root\clsid\{55d798f7-ada2-4be4-afb6-3277f884b60d}
00117113 adware/neededware Adware No 0 Yes No hkey_classes_root\clsid\{84564147-251a-4f06-8fc5-8ae36b3a55ab}
00117113 adware/neededware Adware No 0 Yes No hkey_classes_root\clsid\{bf2d741d-6f32-4885-a96a-76725b64a8ce}
00117113 adware/neededware Adware No 0 Yes No hkey_local_machine\software\ndwserv030106
00117113 adware/neededware Adware No 0 Yes No hkey_classes_root\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}
00117113 adware/neededware Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{17B8B110-FD82-4A50-9A46-328BB50C6CA4}
00117113 adware/neededware Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{41AA3336-2D3F-4BC6-A06E-F8DCCCD1A40A}
00117113 adware/neededware Adware No 0 Yes No hkey_classes_root\epxactivex.epxactivexctrl.1
00117113 adware/neededware Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{84564147-251A-4F06-8FC5-8AE36B3A55AB}
00117113 adware/neededware Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{55D798F7-ADA2-4BE4-AFB6-3277F884B60D}
00117113 adware/neededware Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{BF2D741D-6F32-4885-A96A-76725B64A8CE}
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\VundoFix\VundoFix\process.exe
00195751 Adware/Ndware Adware No 0 Yes No C:\Program Files\Microsoft AntiSpyware\Quarantine\79341867-A8BB-4D1A-8041-762417\FD7DC470-5DED-4BFD-9E87-B558D7
00265932 Adware/CWS.Yexe Adware No 0 Yes No C:\WINDOWS\system32\pylxmyut.exe
00271268 application/sysprotect HackTools No 0 Yes No hkey_local_machine\software\classes\checkprod.checkproduct
00271268 application/sysprotect HackTools No 0 Yes No c:\program files\common files\sysprotect
00271268 application/sysprotect HackTools No 0 Yes No hkey_current_user\software\sysprotect
00271268 application/sysprotect HackTools No 0 Yes No c:\windows\system32\drivers\sscan.sys
00271268 application/sysprotect HackTools No 0 Yes No hkey_local_machine\software\classes\appid\checkproduct2_1.dll
00299194 Application/WinAntispyware2006 HackTools No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP886\A0120414.sys
02908731 Rootkit/Agent.IJW Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP882\A0115245.sys
03018689 W32/Lineage.IND.worm Virus/Trojan No 1 Yes No K:\AUTORUN.INF
03032254 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\0E93239D
03471249 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP883\A0119295.dll
03471249 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP883\A0117278.dll
03471249 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP882\A0116275.dll
03471249 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP882\A0114238.dll
03471249 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP883\A0119277.dll
03471249 Generic Trojan Virus/Trojan Yes 0 Yes No C:\WINDOWS\system32\dbi102.dll
03471249 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP883\A0118277.dll
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location Q
;===============================================================================
=================================================================================
===================
No C:\DOCUME~1\Owner\LOCALS~1\Temp\WowInitcode.dll Q
No C:\WINDOWS\system32\mmchost.dll Q
No C:\Documents and Settings\Owner\Local Settings\Temp\WowInitcode.dll Q
No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YHI123DW\sl[1].exe
No C:\hp\bin\KillIt.exe Q
No C:\WINDOWS\system32\mmchost.dll Q
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description Q
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================

and here is the log from ComboFix:

ComboFix 08-08-09.03 - Owner 2008-08-09 23:28:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT -7:00]
Running from: K:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\XDNEQEEG\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\XDNEQEEG\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\6to4ex.dll
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\c.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\fhpatch.dll
C:\WINDOWS\system32\IPHACTION.dll
C:\WINDOWS\system32\IPHOST.dll
C:\WINDOWS\system32\iphy.dll
C:\WINDOWS\system32\IpSvchostF.dll
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\mmchost.dll
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\riphy.dll
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\server.exe
C:\WINDOWS\system32\sss.exe
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\WServing.exe
D:\Autorun.inf
K:\autorun.inf

Infected copy of C:\WINDOWS\system32\svchost.exe was found & disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\svchost.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_SEICTRL
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_afinding
-------\Service_macidwe
-------\Service_perfs
-------\Service_routing
-------\Service_seictrl
-------\Service_tdxdowkc
-------\Service_wserving
-------\Legacy_nobicyt
-------\Service_nobicyt

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 21:05 . 2008-08-09 21:05 <DIR> d-------- C:\Program Files\Panda Security
2008-08-09 21:05 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-09 15:41 . 2008-08-09 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-17 18:14 . 2008-08-08 11:43 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Program Files\CU Services
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cornell University

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 06:31 --------- d-----w C:\Program Files\Winzy
2008-08-09 22:36 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-09 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 19:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-09 07:09 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 07:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 18:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 06:36 --------- d-----w C:\Program Files\AIM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2004-07-12 02:35 2,500,776 ----a-w C:\Program Files\pn30lous.exe
2004-05-18 02:38 5,245,352 ----a-w C:\Program Files\SetupDl.EXE
2004-04-18 05:31 3,598,600 ----a-w C:\Program Files\ssfsetup1_12382497.exe
2004-03-21 01:35 3,616,400 ----a-w C:\Program Files\Install_AIM.exe
2004-02-26 04:09 32 --sha-w C:\WINDOWS\{4CA3B33B-C6C1-492D-8229-17E0E69878E7}.dat
2005-01-01 17:34 32 --sha-w C:\WINDOWS\{8421E372-02FC-410C-9A86-85314D38762E}.dat
2004-03-22 04:05 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2000-02-02 00:01 40,960 --sh--r C:\WINDOWS\system32\KarnaDrv.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\Proxy.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\_reproxy.dll
2005-01-01 17:34 32 --sha-w C:\WINDOWS\system32\{3BA19FA7-6CCA-4BDA-B74B-B9ED6BDC1724}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 12:53 665088]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NVIEW"="nview.dll" [2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 23:36 45056]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 02:56 4841472]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 19:56 188416]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-21 22:16 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-11 17:49 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"nwiz"="nwiz.exe" [2003-08-19 02:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 22:24:52 557056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40 45056]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [2004-02-25 21:31:53 25214]
Post-itR Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 15:26:54 2080768]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 15:26:54 2080768]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6838:TCP"= 6838:TCP:Microsoft standard protector

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 sobicyt;sobicyt Service;C:\WINDOWS\system32\sobicyt.exe [2002-08-29 05:00]
S1 tdidrv32.sys;tdidrv32.sys;C:\WINDOWS\system32\tdidrv32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - 6TO4
*Newly Created Service* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder

2008-05-23 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-04-03 18:12]

2008-08-02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2003-12-04 19:22]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM-Run-ccApp - c:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-ccRegVfy - c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
HKLM-Run-ISUSPM - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-Run-VTTimer - VTTimer.exe
HKLM-Run-RegistryMechanic - (no file)
ShellExecuteHooks-{E60A0B68-2F3C-A1D2-A901-9381E036D21A} - (no file)
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Settings,ProxyOverride = localhost;*.local
O8 -: &AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 23:32:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
.
**************************************************************************
.
Completion time: 2008-08-09 23:40:26 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-10 06:40:22

Pre-Run: 106,286,952,448 bytes free
Post-Run: 106,189,852,672 bytes free

224 --- E O F --- 2008-08-09 19:16:05

#7
greyknight17

Posted 10 August 2008 - 10:55 AM

Malware Expert

Visiting Consultant
16,560 posts

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
tdidrv32
6TO4
File::
C:\WINDOWS\system32\pylxmyut.exe
c:\windows\system32\drivers\sscan.sys
C:\WINDOWS\inf\bi1.inf
c:\windows\inf\polall1r.inf
c:\windows\downloaded program files\winadx.inf
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip
Folder::
C:\Program Files\Winzy
c:\program files\common files\sysprotect
C:\Program Files\Microsoft AntiSpyware\Quarantine\79341867-A8BB-4D1A-8041-762417\FD7DC470-5DED-4BFD-9E87-B558D7
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}]
[-hkey_current_user\software\aun]
[-hkey_local_machine\software\preview adservice]
[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa]
[-hkey_current_user\software\tsl2]
[-hkey_classes_root\clsid\{41aa3336-2d3f-4bc6-a06e-f8dcccd1a40a}]
[-hkey_classes_root\clsid\{55d798f7-ada2-4be4-afb6-3277f884b60d}]
[-hkey_classes_root\clsid\{84564147-251a-4f06-8fc5-8ae36b3a55ab}]
[-hkey_classes_root\clsid\{bf2d741d-6f32-4885-a96a-76725b64a8ce}]
[-hkey_local_machine\software\ndwserv030106]
[-hkey_classes_root\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{17B8B110-FD82-4A50-9A46-328BB50C6CA4}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{41AA3336-2D3F-4BC6-A06E-F8DCCCD1A40A}]
[-hkey_classes_root\epxactivex.epxactivexctrl.1]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{84564147-251A-4F06-8FC5-8AE36B3A55AB}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{55D798F7-ADA2-4BE4-AFB6-3277F884B60D}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{BF2D741D-6F32-4885-A96A-76725B64A8CE}]
[-hkey_local_machine\software\classes\checkprod.checkproduct]
[-hkey_current_user\software\sysprotect]
[-hkey_local_machine\software\classes\appid\checkproduct2_1.dll]

#8
xtr33m3b0rdn3ss

Posted 10 August 2008 - 12:44 PM

Member

Topic Starter
Member
31 posts

Here's what I got:

ComboFix 08-08-09.03 - Owner 2008-08-10 11:23:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT -7:00]
Running from: K:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip
c:\windows\downloaded program files\WinadX.inf
c:\windows\downloaded program files\winadx.inf
C:\WINDOWS\inf\bi1.inf
c:\windows\inf\polall1r.inf
c:\windows\system32\drivers\sscan.sys
C:\WINDOWS\system32\pylxmyut.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip
c:\program files\common files\sysprotect
c:\program files\common files\sysprotect\PCheck.dll
C:\Program Files\Winzy
c:\windows\downloaded program files\WinadX.inf
C:\WINDOWS\inf\bi1.inf
c:\windows\inf\polall1r.inf
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\dbi102.dll
c:\windows\system32\drivers\sscan.sys
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\pylxmyut.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\WServing.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_6to4
-------\Service_afinding
-------\Service_macidwe
-------\Service_perfs
-------\Service_routing
-------\Service_tdxdowkc
-------\Service_wserving
-------\Legacy_nobicyt
-------\Service_nobicyt

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 21:05 . 2008-08-09 21:05 <DIR> d-------- C:\Program Files\Panda Security
2008-08-09 21:05 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-09 15:41 . 2008-08-09 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-17 18:14 . 2008-08-08 11:43 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Program Files\CU Services
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cornell University

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 22:36 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-09 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 19:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-09 07:09 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 07:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 18:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 06:36 --------- d-----w C:\Program Files\AIM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2004-07-12 02:35 2,500,776 ----a-w C:\Program Files\pn30lous.exe
2004-05-18 02:38 5,245,352 ----a-w C:\Program Files\SetupDl.EXE
2004-04-18 05:31 3,598,600 ----a-w C:\Program Files\ssfsetup1_12382497.exe
2004-03-21 01:35 3,616,400 ----a-w C:\Program Files\Install_AIM.exe
2004-02-26 04:09 32 --sha-w C:\WINDOWS\{4CA3B33B-C6C1-492D-8229-17E0E69878E7}.dat
2005-01-01 17:34 32 --sha-w C:\WINDOWS\{8421E372-02FC-410C-9A86-85314D38762E}.dat
2004-03-22 04:05 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2000-02-02 00:01 40,960 --sh--r C:\WINDOWS\system32\KarnaDrv.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\Proxy.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\_reproxy.dll
2005-01-01 17:34 32 --sha-w C:\WINDOWS\system32\{3BA19FA7-6CCA-4BDA-B74B-B9ED6BDC1724}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-09_23.40.02.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-21 06:56:58 618,496 ----a-w C:\WINDOWS\Temp\mta36214.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 12:53 665088]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NVIEW"="nview.dll" [2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 23:36 45056]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 02:56 4841472]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 19:56 188416]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-21 22:16 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-11 17:49 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"nwiz"="nwiz.exe" [2003-08-19 02:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 22:24:52 557056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40 45056]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [2004-02-25 21:31:53 25214]
Post-itR Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 15:26:54 2080768]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 15:26:54 2080768]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6838:TCP"= 6838:TCP:Microsoft standard protector

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 sobicyt;sobicyt Service;C:\WINDOWS\system32\sobicyt.exe [2002-08-29 05:00]
S1 tdidrv32.sys;tdidrv32.sys;C:\WINDOWS\system32\tdidrv32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-05-23 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-04-03 18:12]

2008-08-02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2003-12-04 19:22]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 11:32:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
.
**************************************************************************
.
Completion time: 2008-08-10 11:39:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 18:39:11
ComboFix2.txt 2008-08-10 06:40:27

Pre-Run: 106,155,212,800 bytes free
Post-Run: 106,149,552,128 bytes free

204 --- E O F --- 2008-08-09 19:16:05

#9
greyknight17

Posted 10 August 2008 - 02:03 PM

Malware Expert

Visiting Consultant
16,560 posts

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
tdidrv32.sys
File::
C:\WINDOWS\Temp\mta36214.dll

#10
xtr33m3b0rdn3ss

Posted 10 August 2008 - 03:07 PM

Member

Topic Starter
Member
31 posts

YAY! I just tried downloading Hijackthis and the other software and this time it let me do it!
So far there's been no more sudden shutdowns anymore.
As far as I can tell, everything is normal again. THANK YOU!!

Here is the log:

ComboFix 08-08-09.03 - Owner 2008-08-10 13:47:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.231 [GMT -7:00]
Running from: K:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Temp\mta36214.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Temp\mta36214.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDIDRV32.SYS
-------\Service_tdidrv32.sys

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 21:05 . 2008-08-09 21:05 <DIR> d-------- C:\Program Files\Panda Security
2008-08-09 21:05 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-09 15:41 . 2008-08-09 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-17 18:14 . 2008-08-08 11:43 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Program Files\CU Services
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cornell University

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 22:36 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-09 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 19:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-09 07:09 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 07:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 18:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 06:36 --------- d-----w C:\Program Files\AIM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2004-07-12 02:35 2,500,776 ----a-w C:\Program Files\pn30lous.exe
2004-05-18 02:38 5,245,352 ----a-w C:\Program Files\SetupDl.EXE
2004-04-18 05:31 3,598,600 ----a-w C:\Program Files\ssfsetup1_12382497.exe
2004-03-21 01:35 3,616,400 ----a-w C:\Program Files\Install_AIM.exe
2004-02-26 04:09 32 --sha-w C:\WINDOWS\{4CA3B33B-C6C1-492D-8229-17E0E69878E7}.dat
2005-01-01 17:34 32 --sha-w C:\WINDOWS\{8421E372-02FC-410C-9A86-85314D38762E}.dat
2004-03-22 04:05 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2000-02-02 00:01 40,960 --sh--r C:\WINDOWS\system32\KarnaDrv.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\Proxy.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\_reproxy.dll
2005-01-01 17:34 32 --sha-w C:\WINDOWS\system32\{3BA19FA7-6CCA-4BDA-B74B-B9ED6BDC1724}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-09_23.40.02.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-21 06:56:58 618,496 ----a-w C:\WINDOWS\temp\mta59624.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 12:53 665088]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NVIEW"="nview.dll" [2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 23:36 45056]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 02:56 4841472]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 19:56 188416]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-21 22:16 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-11 17:49 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"nwiz"="nwiz.exe" [2003-08-19 02:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 22:24:52 557056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40 45056]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [2004-02-25 21:31:53 25214]
Post-itR Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 15:26:54 2080768]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 15:26:54 2080768]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6838:TCP"= 6838:TCP:Microsoft standard protector

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 sobicyt;sobicyt Service;C:\WINDOWS\system32\sobicyt.exe [2002-08-29 05:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-05-23 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-04-03 18:12]

2008-08-02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2003-12-04 19:22]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 13:51:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
.
**************************************************************************
.
Completion time: 2008-08-10 13:59:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 20:59:05
ComboFix2.txt 2008-08-10 18:39:15
ComboFix3.txt 2008-08-10 06:40:27

Pre-Run: 106,135,678,976 bytes free
Post-Run: 106,123,767,808 bytes free

165 --- E O F --- 2008-08-09 19:16:05

#11
greyknight17

Posted 10 August 2008 - 05:48 PM

Malware Expert

Visiting Consultant
16,560 posts

We're not done yet. Something is creating more of these files. Run ATF Cleaner again and then do the following:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
sobicyt
File::
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\temp\mta59624.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Download SDFix at http://downloads.and...Tools/SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computerAfter hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

#12
xtr33m3b0rdn3ss

Posted 10 August 2008 - 08:17 PM

Member

Topic Starter
Member
31 posts

er.. this time I ran into a slight complication
I ran ComboFix and after it restarted the computer, it never came back up, although the computer time was still funky. so I had to run it again
i hope that didn't interfere with anything

here's the combofix log:

ComboFix 08-08-10.02 - Owner 2008-08-10 18:00:51.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.215 [GMT -7:00]
Running from: K:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\temp\mta59624.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\XDNEQEEG\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\XDNEQEEG\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\KarnaDrv.dll
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\temp\mta59624.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SOBICYT
-------\Service_sobicyt

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-09 21:05 . 2008-08-09 21:05 <DIR> d-------- C:\Program Files\Panda Security
2008-08-09 21:05 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-09 15:41 . 2008-08-09 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-17 18:14 . 2008-08-08 11:43 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Program Files\CU Services
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cornell University

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 22:36 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-09 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 19:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-09 07:09 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 07:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-09 07:05 117,615 ----a-w C:\WINDOWS\system32\new2.exe
2008-08-08 18:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 06:36 --------- d-----w C:\Program Files\AIM
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2004-07-12 02:35 2,500,776 ----a-w C:\Program Files\pn30lous.exe
2004-05-18 02:38 5,245,352 ----a-w C:\Program Files\SetupDl.EXE
2004-04-18 05:31 3,598,600 ----a-w C:\Program Files\ssfsetup1_12382497.exe
2004-03-21 01:35 3,616,400 ----a-w C:\Program Files\Install_AIM.exe
2004-02-26 04:09 32 --sha-w C:\WINDOWS\{4CA3B33B-C6C1-492D-8229-17E0E69878E7}.dat
2005-01-01 17:34 32 --sha-w C:\WINDOWS\{8421E372-02FC-410C-9A86-85314D38762E}.dat
2004-03-22 04:05 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\Proxy.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\_reproxy.dll
2005-01-01 17:34 32 --sha-w C:\WINDOWS\system32\{3BA19FA7-6CCA-4BDA-B74B-B9ED6BDC1724}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 12:53 665088]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NVIEW"="nview.dll" [2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 23:36 45056]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 02:56 4841472]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 19:56 188416]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-21 22:16 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-11 17:49 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"nwiz"="nwiz.exe" [2003-08-19 02:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 22:24:52 557056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40 45056]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [2004-02-25 21:31:53 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6838:TCP"= 6838:TCP:Microsoft standard protector

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2003-12-04 19:22]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 18:03:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-08-10 18:06:49
ComboFix-quarantined-files.txt 2008-08-11 01:05:47
ComboFix2.txt 2008-08-10 20:59:09
ComboFix3.txt 2008-08-10 18:39:15
ComboFix4.txt 2008-08-10 06:40:27

Pre-Run: 106,065,219,584 bytes free
Post-Run: 106,051,641,344 bytes free

154 --- E O F --- 2008-08-09 19:16:05

and here's the SDFix report:

SDFix: Version 1.215
Run by Owner on Sun 08/10/2008 at 06:50 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\FDSA.EXE - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 19:07:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 10 Feb 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 30 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 30 Jul 2008 1,829,712 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 21 Mar 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 8 Dec 2003 10,752 A.SH. --- "C:\WINDOWS\system32\Proxy.dll"
Mon 8 Dec 2003 10,752 A.SH. --- "C:\WINDOWS\system32\_reproxy.dll"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Thu 29 Nov 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Mon 3 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Mon 3 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Mon 3 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"

Finished!

and here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:21 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.goo...2/uploader2.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

--
End of file - 9470 bytes

#13
greyknight17

Posted 11 August 2008 - 07:03 PM

Malware Expert

Visiting Consultant
16,560 posts

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\new2.exe

#14
xtr33m3b0rdn3ss

Posted 11 August 2008 - 07:53 PM

Member

Topic Starter
Member
31 posts

ComboFix 08-08-10.06 - Owner 2008-08-11 18:17:36.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.214 [GMT -7:00]
Running from: K:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\new2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\XDNEQEEG\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\XDNEQEEG\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\new2.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-10 18:45 . 2008-08-10 18:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-10 18:41 . 2008-08-10 19:12 <DIR> d-------- C:\SDFix
2008-08-09 21:05 . 2008-08-09 21:05 <DIR> d-------- C:\Program Files\Panda Security
2008-08-09 21:05 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-09 15:41 . 2008-08-09 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-20 15:27 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-20 15:27 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-20 15:27 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-17 18:14 . 2008-08-08 11:43 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-07-17 18:14 . 2008-07-17 18:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Program Files\CU Services
2008-07-17 18:12 . 2008-07-17 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cornell University

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 22:36 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-09 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 19:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-09 07:09 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 07:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 18:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 06:36 --------- d-----w C:\Program Files\AIM
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2004-07-12 02:35 2,500,776 ----a-w C:\Program Files\pn30lous.exe
2004-05-18 02:38 5,245,352 ----a-w C:\Program Files\SetupDl.EXE
2004-04-18 05:31 3,598,600 ----a-w C:\Program Files\ssfsetup1_12382497.exe
2004-03-21 01:35 3,616,400 ----a-w C:\Program Files\Install_AIM.exe
2004-02-26 04:09 32 --sha-w C:\WINDOWS\{4CA3B33B-C6C1-492D-8229-17E0E69878E7}.dat
2005-01-01 17:34 32 --sha-w C:\WINDOWS\{8421E372-02FC-410C-9A86-85314D38762E}.dat
2004-03-22 04:05 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\Proxy.dll
2003-12-08 20:38 10,752 --sha-w C:\WINDOWS\system32\_reproxy.dll
2005-01-01 17:34 32 --sha-w C:\WINDOWS\system32\{3BA19FA7-6CCA-4BDA-B74B-B9ED6BDC1724}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-09_23.40.02.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-11 01:45:49 9,973,760 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-08-11 01:45:50 2,920,448 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-11 01:45:31 9,973,760 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-08-11 01:45:32 2,920,448 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2002-08-29 12:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
+ 2001-08-18 20:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 12:53 665088]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"NVIEW"="nview.dll" [2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 23:36 45056]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 02:56 4841472]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 19:56 188416]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-21 22:16 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-11 17:49 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"nwiz"="nwiz.exe" [2003-08-19 02:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 22:24:52 557056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40 45056]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [2004-02-25 21:31:53 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6838:TCP"= 6838:TCP:Microsoft standard protector

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2003-12-04 19:22]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 18:21:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-08-11 18:24:03
ComboFix-quarantined-files.txt 2008-08-12 01:23:00
ComboFix2.txt 2008-08-11 01:06:50
ComboFix3.txt 2008-08-10 20:59:09
ComboFix4.txt 2008-08-10 18:39:15
ComboFix5.txt 2008-08-12 01:16:51

Pre-Run: 105,739,567,104 bytes free
Post-Run: 105,916,100,608 bytes free

151 --- E O F --- 2008-08-09 19:16:05

#15
greyknight17

Posted 12 August 2008 - 07:30 PM

Malware Expert

Visiting Consultant
16,560 posts

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.