Multiple System32 issues - I've been hacked but can't fix it


#1 jsticeto

I have found keyloggers, trojans, and worms on my computer which I recently removed. My other half is not very computer savvy and I think infected me. I thought I got the issue. I just recently reformatted my hard drive and reinstalled everything with hopes this would help me. No success. My computer is now being taken over again. I don't know what to do at this point. :)

Symptoms: Desktop items are changing. My MSN login page - names keep changing and moving positions. System crashes when online. Start menu keeps acting funny...new buttons appear or disappear. I have found multiple .txt log file information in my documents.

Programs Used: McAfee is my primary protection, AVG, Ad-Aware...I'm now trying Trend Micro.

I just ran HijackThis and I have attached the bottom log. Does anyone know a way to find the issue? :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:52 AM, on 5/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Home\Desktop\trend\sysclean.com
C:\Documents and Settings\Home\Desktop\trend\sysclean.exe
C:\Documents and Settings\Home\My Documents\My Downloads\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Home\Desktop\trend\VSCANTM.BIN
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1242166144020
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1242166580155
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...614/mcfscan.cab
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6580 bytes

Edited by jsticeto, 16 May 2009 - 11:53 AM.

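The log above is the kind of thing HijackThis users paste for a human to eyeball line by line. As an added example (not part of the original thread, and not HijackThis code), the script below parses HJT v2 result lines into (section, name, path) and flags the persistence points an analyst reads first: Winlogon Notify DLLs (O20), services with no publisher string (O23), entries whose target file no longer exists, and Run/Startup items that launch a system interpreter such as cmd.exe or sit in a user-writable folder. The heuristics and their wording are the example's own. A flag means "look at this", not "this is malware"; legitimate software, security suites included, trips several of them. The sample log is copied from the first post's HijackThis log except for two lines, the $McRebootA5E6DEAA56$.lnk and installb entries, which are constructed in HJT format from items mentioned later in the thread so that every heuristic fires once.

```python
"""Triage a HijackThis v2 log: parse each result line into (section, name,
path) and flag the persistence points an analyst checks first.  A flag is a
prompt to look, not a verdict.  Example code, not part of HijackThis."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Interpreters autostarts hide behind, and folders an unprivileged XP user can write to.
LOLBINS = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")

@dataclass
class Entry:
    kind: str              # HJT section code, e.g. "O4", "O23"
    name: str              # value name, service name, BHO name, ...
    path: str              # file the entry points at; "" if missing
    owner: str = ""        # O23 publisher string
    flags: List[str] = field(default_factory=list)

def _first_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: stop at the first file extension.
    m = re.match(r"(.*?\.(?:exe|dll|com|bin|sys|scr|bat|cmd|vbs|js))(?:\s|$)",
                 cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

# "HKLM\..\Run: [name] command"  or  "Global Startup: name.lnk = target"
_O4_RE = re.compile(
    r"^(?P<where>HK\w+\\\.\.\\Run\w*|Global Startup|Startup): "
    r"(?:\[(?P<n1>[^\]]*)\]\s*(?P<c1>.*)|(?P<n2>.+?) = (?P<c2>.*))$")

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT result line, None for anything else."""
    m = re.match(r"^(?P<kind>[ORF]\d+) - (?P<body>.*)$", line.rstrip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        m4 = _O4_RE.match(body)
        if not m4:
            return Entry(kind, "", "")
        name = m4.group("n1") if m4.group("n1") is not None else m4.group("n2")
        cmd = m4.group("c1") if m4.group("c1") is not None else m4.group("c2")
        return Entry(kind, name.strip(), _first_path(cmd))
    if kind in ("O2", "O3", "O18", "O20", "O23"):
        # "Label: name - {clsid or owner} - path": the path is the last field.
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0].split(": ", 1)[-1]
        path = parts[-1] if len(parts) > 1 else ""
        if path.lower().startswith("(no "):
            path = ""                      # "(no file)": orphaned key
        owner = parts[1] if kind == "O23" and len(parts) >= 3 else ""
        return Entry(kind, name, path, owner)
    return Entry(kind, "", "")

def triage(entry: Entry) -> Entry:
    """Attach review flags to one parsed entry (mutates and returns it)."""
    p = entry.path.lower()
    base = p.rsplit("\\", 1)[-1]
    if entry.kind == "O20":
        entry.flags.append("Winlogon Notify DLL loads into winlogon.exe; verify publisher")
    if entry.kind == "O23" and entry.owner.lower() == "unknown owner":
        entry.flags.append("service binary has no publisher string")
    if entry.kind in ("O2", "O3", "O18", "O20", "O23") and not entry.path:
        entry.flags.append("orphaned: registry entry points at a missing file")
    if entry.kind == "O4" and base in LOLBINS:
        entry.flags.append(f"autostart launches {base}; read its arguments")
    if entry.kind == "O4" and any(marker in p for marker in USER_WRITABLE):
        entry.flags.append("autostart binary sits in a user-writable folder")
    return entry

def triage_log(lines: Iterable[str]) -> List[Entry]:
    # Parse a whole log and return only the entries that raised a flag.
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged

# Sample input: lines copied from the HijackThis log in the first post, plus
# two CONSTRUCTED lines ($McReboot...lnk and installb) written in HJT format
# from items mentioned later in the thread so that every heuristic fires once.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
O4 - HKCU\..\Run: [installb] C:\Documents and Settings\Home\Local Settings\Temp\installb[1].com
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.kind, e.name, e.path, "|", "; ".join(e.flags))
```

Run it against a saved HijackThis log with `triage_log(open("hijackthis.log").read().splitlines())`. On the sample it reports five entries: the two constructed Startup/Run lines, the orphaned linkscanner protocol handler, the AVG Winlogon Notify DLL and the Adobe LM service; the AVG service itself and the Acrobat BHO pass. Every flagged path still has to be checked by hand (publisher, digital signature, hash lookup), and the McAfee and AVG hits show why: the heuristics single out the mechanism, not the intent.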
#2 jsticeto

Here is the ComboFix log as well. I just don't know where to go from here.

ComboFix 09-05-15.08 - Administrator 05/16/2009 13:39.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.813 [GMT -6:00]
Running from: c:\documents and settings\Business\My Documents\My Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1614895754-1547161642-725345543-1004\Dc1.doc
c:\recycler\S-1-5-21-1614895754-1547161642-725345543-1004\INFO2
c:\recycler\S-1-5-21-1614895754-1547161642-725345543-1005\Dc1.txt
c:\recycler\S-1-5-21-1614895754-1547161642-725345543-1005\Dc2.txt
c:\recycler\S-1-5-21-1614895754-1547161642-725345543-1005\INFO2
c:\windows\opuc.dll
c:\windows\system32\WINKRNME.DLL
G:\Autorun.inf
g:\recycler\S-1-5-21-527237240-2111687655-839522115-1005\Df1.jpg
g:\recycler\S-1-5-21-527237240-2111687655-839522115-1005\Df2.JPG
g:\recycler\S-1-5-21-527237240-2111687655-839522115-1005\INFO2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-16 19:23 . 2009-05-16 19:23 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-16 19:23 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-16 19:23 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 19:23 . 2009-05-16 19:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-16 19:23 . 2009-05-16 19:23 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 18:51 . 2009-05-16 18:51 -------- d-----w c:\windows\LastGood.Tmp
2009-05-16 18:18 . 2009-05-16 18:18 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-16 18:17 . 2009-05-16 18:17 -------- d-----w c:\windows\ERUNT
2009-05-16 18:13 . 2009-05-16 19:05 -------- d-----w C:\SDFix
2009-05-16 16:30 . 2009-05-16 16:30 -------- d-----w c:\documents and settings\Business\Local Settings\Application Data\WinZip
2009-05-16 06:04 . 2009-05-16 06:32 -------- d--h--w C:\$AVG8.VAULT$
2009-05-16 05:10 . 2009-05-16 05:10 -------- d-----w c:\program files\AVG
2009-05-16 05:10 . 2009-05-16 18:46 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-16 04:52 . 2009-05-16 04:52 -------- d-----w c:\documents and settings\Home\Application Data\AVG8
2009-05-16 04:03 . 2009-05-16 04:03 -------- d-----w c:\program files\MSN Messenger
2009-05-16 03:52 . 2009-05-16 04:27 -------- d-----w c:\documents and settings\Home\Application Data\MSNInstaller
2009-05-16 01:11 . 2009-05-16 01:13 -------- d-----w c:\program files\Microsoft Digital Image 2006
2009-05-15 01:33 . 2009-05-15 01:33 -------- d-----w c:\documents and settings\Home\Application Data\AdobeUM
2009-05-15 01:32 . 2009-05-15 01:32 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Adobe
2009-05-15 00:48 . 2009-05-15 00:48 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Help
2009-05-15 00:43 . 2009-05-15 00:43 -------- d-----w c:\program files\Avaya
2009-05-15 00:42 . 2009-05-15 00:42 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\WinZip
2009-05-14 23:35 . 2009-05-14 23:35 -------- d-----w c:\documents and settings\Home\Application Data\OfficeUpdate12
2009-05-14 22:27 . 2009-03-25 17:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-14 22:27 . 2009-03-25 17:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-14 22:27 . 2009-03-25 17:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-14 22:22 . 2009-03-25 17:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-05-14 19:16 . 2009-05-14 19:16 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-05-14 06:24 . 2009-05-14 06:24 -------- d-----w c:\windows\McAfee.com
2009-05-14 04:55 . 2009-05-16 01:11 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-14 04:52 . 2009-05-14 04:53 -------- d-----w c:\windows\system32\drivers\UMDF
2009-05-14 04:49 . 2009-05-16 01:29 -------- d-----w c:\documents and settings\Home\Tracing
2009-05-14 04:42 . 2009-05-14 04:43 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 04:42 . 2009-05-14 04:43 -------- d-----w c:\program files\iTunes
2009-05-14 04:40 . 2009-05-14 04:40 -------- d-----w c:\program files\Bonjour
2009-05-14 04:37 . 2009-05-14 04:37 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Apple
2009-05-14 04:37 . 2009-05-14 04:37 -------- d-----w c:\program files\Apple Software Update
2009-05-14 04:36 . 2009-05-14 04:42 -------- d-----w c:\program files\Common Files\Apple
2009-05-14 04:36 . 2009-05-14 04:36 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-05-14 04:24 . 2009-05-14 04:24 -------- d-----w c:\documents and settings\Home\Application Data\Apple Computer
2009-05-14 04:24 . 2009-05-14 04:35 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\Apple Computer
2009-05-14 04:18 . 2009-05-14 06:37 -------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
2009-05-14 04:18 . 2009-05-14 06:38 -------- d-----w c:\documents and settings\Home\Application Data\InterVideo
2009-05-14 01:52 . 2009-05-14 01:52 -------- d-----w c:\documents and settings\All Users\Application Data\Packages
2009-05-14 00:49 . 2003-09-11 05:36 21060 ------w c:\windows\system32\drivers\iviaspi.sys
2009-05-14 00:49 . 2003-09-11 05:36 21060 ----a-w c:\windows\system32\iviaspi.sys
2009-05-14 00:48 . 2009-05-14 00:48 -------- d-----w c:\program files\Common Files\InterVideo
2009-05-14 00:47 . 2003-09-19 07:47 10368 ------w c:\windows\system32\drivers\pfc.sys
2009-05-14 00:46 . 2001-12-10 23:42 204800 ----a-w c:\windows\system32\IVIresizeW7.dll
2009-05-14 00:46 . 2001-12-10 23:42 188416 ----a-w c:\windows\system32\IVIresizePX.dll
2009-05-14 00:46 . 2001-12-10 23:42 192512 ----a-w c:\windows\system32\IVIresizeP6.dll
2009-05-14 00:46 . 2001-12-10 23:42 192512 ----a-w c:\windows\system32\IVIresizeM6.dll
2009-05-14 00:46 . 2001-12-10 23:42 200704 ----a-w c:\windows\system32\IVIresizeA6.dll
2009-05-14 00:46 . 2001-12-10 23:42 20480 ----a-w c:\windows\system32\IVIresize.dll
2009-05-14 00:46 . 2009-05-14 00:49 -------- d-----w c:\program files\InterVideo
2009-05-14 00:42 . 2000-06-26 17:45 106496 ----a-w c:\windows\system32\TwnLib20.dll
2009-05-14 00:42 . 2001-06-26 14:15 38912 ------w c:\windows\system32\picn20.dll
2009-05-14 00:42 . 2001-07-06 18:44 544768 ------w c:\windows\system32\imagx5.dll
2009-05-14 00:42 . 2001-07-06 20:41 569344 ------w c:\windows\system32\imagr5.dll
2009-05-14 00:42 . 2001-07-07 00:24 283920 ------w c:\windows\system32\ImagXpr5.dll
2009-05-14 00:41 . 2009-05-14 00:42 -------- d-----w c:\program files\Common Files\Ahead
2009-05-14 00:41 . 2001-07-09 17:50 155648 ----a-w c:\windows\system32\NeroCheck.exe
2009-05-14 00:41 . 2009-05-14 00:42 -------- d-----w c:\program files\Ahead
2009-05-14 00:29 . 2009-05-14 04:52 -------- d-----w c:\windows\system32\LogFiles
2009-05-13 23:29 . 2009-05-13 23:29 -------- d-----w c:\documents and settings\All Users\Application Data\Macrovision
2009-05-13 23:29 . 2009-05-13 23:29 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-05-13 21:44 . 2008-12-16 12:30 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
2009-05-13 20:48 . 2009-05-13 20:48 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\IsolatedStorage
2009-05-13 20:48 . 2009-05-13 20:48 -------- d-----w c:\documents and settings\Home\Application Data\HP
2009-05-13 20:47 . 2009-05-13 20:47 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\HP
2009-05-13 20:47 . 2009-05-13 20:47 127 ----a-w c:\documents and settings\Home\Local Settings\Application Data\fusioncache.dat
2009-05-13 20:47 . 2009-05-16 16:02 -------- d-----w c:\documents and settings\Home\Local Settings\Application Data\ApplicationHistory
2009-05-13 19:52 . 2001-10-26 21:16 16384 ----a-w c:\windows\system32\FileOps.exe
2009-05-13 19:30 . 2009-05-13 19:30 -------- d-----w c:\documents and settings\Business\Application Data\Apple Computer
2009-05-13 19:30 . 2009-05-13 19:30 -------- d-----w c:\documents and settings\Business\Local Settings\Application Data\Apple Computer
2009-05-13 19:28 . 2009-05-14 04:40 -------- d-----w c:\program files\QuickTime
2009-05-13 19:26 . 2004-12-19 02:32 38229 ------w c:\windows\system32\drivers\StMp3Rec.sys
2009-05-13 19:26 . 2009-05-14 04:42 -------- d-----w c:\program files\iPod
2009-05-13 18:56 . 2009-05-13 18:56 -------- d-----w c:\program files\Microsoft.NET
2009-05-13 18:55 . 2009-05-13 18:55 -------- d--h--r C:\MSOCache
2009-05-13 17:48 . 2009-05-14 00:25 -------- d-----w c:\documents and settings\Business\Application Data\MSNInstaller
2009-05-13 17:28 . 2009-05-13 17:28 -------- d-----w c:\documents and settings\Business\Local Settings\Application Data\IsolatedStorage
2009-05-13 17:28 . 2009-05-13 17:28 -------- d-----w c:\documents and settings\Business\Application Data\HP
2009-05-13 17:27 . 2009-05-13 17:27 -------- d-----w c:\documents and settings\Business\Local Settings\Application Data\HP
2009-05-13 17:27 . 2009-05-13 17:27 131 ----a-w c:\documents and settings\Business\Local Settings\Application Data\fusioncache.dat
2009-05-13 17:26 . 2009-05-14 00:29 -------- d-----w c:\documents and settings\Business\Local Settings\Application Data\ApplicationHistory
2009-05-13 17:22 . 2009-05-13 17:22 70120 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 17:20 . 2009-05-13 17:20 -------- d-----w c:\documents and settings\LocalService\Application Data\HP
2009-05-13 17:20 . 2009-05-13 17:20 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-05-13 17:18 . 2009-05-16 18:46 -------- d-----w c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2009-05-13 17:17 . 2009-05-13 17:17 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-05-13 17:17 . 2009-05-13 17:17 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-05-13 17:15 . 2009-05-13 17:15 -------- d-----w c:\windows\system32\URTTEMP
2009-05-13 17:14 . 2009-05-13 17:17 -------- d-----w c:\program files\Common Files\HP
2009-05-13 17:12 . 2009-05-13 17:13 -------- d-----w c:\program files\Hewlett-Packard
2009-05-13 17:12 . 2009-05-13 17:12 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-05-13 17:09 . 2005-03-09 07:25 57344 ----a-w c:\windows\system32\HPZisn12.dll
2009-05-13 17:09 . 2005-03-09 07:25 94208 ----a-w c:\windows\system32\HPZipt12.dll
2009-05-13 17:09 . 2005-03-15 07:35 204800 ----a-w c:\windows\system32\HPZipr12.dll
2009-05-13 17:09 . 2005-11-23 03:58 69632 ----a-w c:\windows\system32\HPZipm12.exe
2009-05-13 17:09 . 2005-03-15 09:09 65536 ----a-w c:\windows\system32\HPZinw12.exe
2009-05-13 17:09 . 2005-03-15 07:33 278584 ----a-w c:\windows\system32\HPZidr12.dll
2009-05-13 17:06 . 2009-05-13 17:22 118667 ----a-w c:\windows\hpoins09.dat
2009-05-13 17:01 . 2008-10-16 20:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-13 16:37 . 2006-02-01 00:48 16496 ----a-r c:\windows\system32\drivers\HPZipr12.sys
2009-05-13 16:37 . 2006-02-01 00:48 49664 ----a-r c:\windows\system32\drivers\HPZid412.sys
2009-05-13 16:36 . 2006-01-04 08:12 77824 ----a-r c:\windows\system32\HPZIDS01.dll
2009-05-13 16:36 . 2006-02-09 21:45 38400 ----a-w c:\windows\system32\hpz3l054.dll
2009-05-13 16:36 . 2008-04-13 18:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-05-13 16:36 . 2008-04-13 18:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-05-13 14:41 . 2009-05-13 05:55 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-13 08:00 . 2007-08-14 00:54 33792 -c--a-w c:\windows\system32\dllcache\custsat.dll
2009-05-13 07:56 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-05-13 07:56 . 2009-02-20 18:09 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-05-13 07:56 . 2009-02-20 18:09 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-05-13 07:56 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-05-13 07:56 . 2009-02-20 18:09 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-05-13 07:56 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-05-13 07:56 . 2009-02-20 18:09 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-05-13 07:56 . 2009-02-20 18:09 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-05-13 06:32 . 2009-05-13 06:32 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-05-13 05:55 . 2009-05-16 07:46 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-13 05:51 . 2009-05-13 05:51 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-13 05:51 . 2009-05-13 05:51 -------- d-----w c:\program files\Lavasoft
2009-05-13 05:51 . 2009-05-13 05:55 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 01:43 . 2009-05-13 00:34 77624 ----a-w c:\documents and settings\Home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 00:49 . 2009-05-12 18:42 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-13 19:46 . 2009-05-12 18:42 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-13 05:09 . 2009-05-12 18:31 -------- d-----w c:\program files\microsoft frontpage
2009-05-12 18:56 . 2009-05-12 18:56 40960 ----a-w c:\windows\uneng.exe
2009-05-12 18:45 . 2009-05-12 18:45 -------- d-----w c:\program files\Intel
2009-05-12 18:44 . 2009-05-12 18:44 -------- d-----w c:\program files\Analog Devices
2009-05-12 18:29 . 2009-05-12 18:29 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-25 17:06 . 2009-03-25 17:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-19 22:32 . 2005-02-02 07:21 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-18 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-13 516440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"FastTVSync"="c:\program files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2004-03-11 245760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2009-5-12 389120]
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-5-13 229376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\nvdesk32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/12/2009 11:55 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 953168]
S4 Fecbfil;Fecbfil; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 05:54]

2009-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 13:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-05-16 13:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 19:48

Pre-Run: 61,539,069,952 bytes free
Post-Run: 62,030,184,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

245 --- E O F --- 2009-05-16 15:57

#3 jsticeto

Symptoms - I was just recently infected with Trojan Exploit Viruses and FakeAlert. McAfee caught them and removed them. I'm also running Spy Sweeper which blocked the installb file for FakeAlert-C.dr. My system did a reboot on its own when notified of infections removed. As soon as I got back on I went to startup on msconfig and disabled braviax.exe which was on my startup menu. Any assistance to help with extra removal as it did not catch everything is appreciated.

Thank you so much.

FakeAlert-C.dr = system32/figaro.sys file
Process: temp file named installb[1].com - blocked access by McAfee

Exploit-PDF.b = temp file
Process: C:\Program Files\MSN/MSNCoreFiles\msn.exe

JS/Exploit-BO = temp file
Process: C:\Program Files\MSN/MSNCoreFiles\msn.exe

Misc...startup item located - braviax.exe


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:17 PM, on 8/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1249084081090
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe