[Closed] "55 critical system errors" popup...


22 replies to this topic

#16 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)
Posted 01 May 2008 - 06:07 PM

The infection is getting respawned

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


#17 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)
Posted 06 May 2008 - 05:04 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.

#18 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)
Posted 06 May 2008 - 05:38 PM

Post the log

#19 dozinslosh (Authentic Member, 36 posts)
Posted 06 May 2008 - 05:41 PM

ComboFix 08-05-01.3 - Owner 2008-05-06 18:06:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.267 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\ActiveDesktop\bin\ActiveDesktopExe.exe
C:\Program Files\screensavers.com\SSSInstaller\bin\screensavers.exe
C:\Program Files\screensavers.com\SSSInstaller\bin\sinstaller3.exe
C:\Program Files\screensavers.com\SSSInstaller\bin\SSSInstaller.dll
C:\Program Files\screensavers.com\SSSUninst.exe
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\hgGywxUk.dll
C:\WINDOWS\system32\kUxwyGgh.ini
C:\WINDOWS\system32\kUxwyGgh.ini2
C:\WINDOWS\system32\pibqvwme.dll
C:\WINDOWS\system32\vtUomjJB.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 11:12 . 2008-05-06 11:12 2,112 --a------ C:\WINDOWS\system32\leoxscbo.exe
2008-05-06 10:02 . 2008-05-06 10:02 1,635 --a------ C:\WINDOWS\system32\ycklj.exe
2008-05-06 10:01 . 2008-05-06 10:02 55,808 --a------ C:\WINDOWS\system32\clrgym.exe
2008-05-06 10:01 . 2008-05-06 10:01 1,635 --a------ C:\WINDOWS\system32\wljdpvn.exe
2008-05-06 09:58 . 2008-05-06 09:59 12,288 --a------ C:\WINDOWS\system32\ukcdiems.exe
2008-05-06 09:58 . 2008-05-06 09:59 8,192 --a------ C:\WINDOWS\system32\vkwk.exe
2008-05-06 09:58 . 2008-05-06 09:59 8,192 --a------ C:\WINDOWS\system32\ctvhb.exe
2008-05-06 09:58 . 2008-05-06 09:58 1,635 --a------ C:\WINDOWS\system32\xwgmaxg.exe
2008-05-06 09:58 . 2008-05-06 09:58 1,635 --a------ C:\WINDOWS\system32\qbrkq.exe
2008-05-05 19:55 . 2008-05-05 19:55 41,984 --a------ C:\WINDOWS\system32\xhcjktpu.exe
2008-05-05 19:55 . 2008-05-05 19:55 1,635 --a------ C:\WINDOWS\system32\okhx.exe
2008-05-05 19:55 . 2008-05-05 19:55 1,635 --a------ C:\WINDOWS\system32\aztsizh.exe
2008-05-05 18:29 . 2008-05-05 18:29 41,984 --a------ C:\WINDOWS\system32\mxsbcz.exe
2008-05-05 07:49 . 2008-05-05 07:50 41,984 --a------ C:\WINDOWS\system32\kpngg.exe
2008-05-05 07:49 . 2008-05-05 07:49 1,635 --a------ C:\WINDOWS\system32\vtjgwh.exe
2008-05-05 07:49 . 2008-05-05 07:49 1,635 --a------ C:\WINDOWS\system32\ssudcnbf.exe
2008-05-04 21:53 . 2008-05-04 21:54 53,248 --a------ C:\WINDOWS\system32\zycxc.exe
2008-05-04 21:53 . 2008-05-04 21:54 41,984 --a------ C:\WINDOWS\system32\ubqq.exe
2008-05-04 20:23 . 2008-05-04 20:24 55,808 --a------ C:\WINDOWS\system32\vnznf.exe
2008-05-04 20:23 . 2008-05-04 20:24 53,248 --a------ C:\WINDOWS\system32\ngih.exe
2008-05-04 20:23 . 2008-05-04 20:24 41,984 --a------ C:\WINDOWS\system32\ptvrrtog.exe
2008-05-04 20:23 . 2008-05-04 20:23 1,635 --a------ C:\WINDOWS\system32\ubtnt.exe
2008-05-04 20:23 . 2008-05-04 20:23 1,635 --a------ C:\WINDOWS\system32\bzuwjr.exe
2008-05-04 20:19 . 2008-05-04 20:20 55,808 --a------ C:\WINDOWS\system32\zcdrwby.exe
2008-05-04 20:19 . 2008-05-04 20:20 41,984 --a------ C:\WINDOWS\system32\wxsnca.exe
2008-05-04 20:19 . 2008-05-04 20:19 1,635 --a------ C:\WINDOWS\system32\qjcziixa.exe
2008-05-04 20:19 . 2008-05-04 20:19 1,635 --a------ C:\WINDOWS\system32\pasq.exe
2008-05-04 20:18 . 2008-05-04 20:19 41,984 --a------ C:\WINDOWS\system32\vkaxph.exe
2008-05-03 22:16 . 2008-05-03 22:17 55,808 --a------ C:\WINDOWS\system32\kztnphe.exe
2008-05-03 22:16 . 2008-05-03 22:17 41,984 --a------ C:\WINDOWS\system32\ghadyjo.exe
2008-05-03 22:16 . 2008-05-03 22:16 1,635 --a------ C:\WINDOWS\system32\slpxsf.exe
2008-05-03 22:16 . 2008-05-03 22:16 1,635 --a------ C:\WINDOWS\system32\agttiz.exe
2008-05-03 19:46 . 2008-05-03 19:47 41,984 --a------ C:\WINDOWS\system32\kioltsqg.exe
2008-05-03 19:46 . 2008-05-03 19:47 41,984 --a------ C:\WINDOWS\system32\iwttd.exe
2008-05-03 19:46 . 2008-05-03 19:46 1,635 --a------ C:\WINDOWS\system32\ngpjsrdp.exe
2008-05-03 19:26 . 2008-05-03 19:27 55,808 --a------ C:\WINDOWS\system32\azlgh.exe
2008-05-03 19:26 . 2008-05-03 19:26 41,984 --a------ C:\WINDOWS\system32\ndhsbu.exe
2008-05-03 19:26 . 2008-05-03 19:26 1,635 --a------ C:\WINDOWS\system32\wsvuat.exe
2008-05-03 19:26 . 2008-05-03 19:26 1,635 --a------ C:\WINDOWS\system32\kemqo.exe
2008-05-03 19:24 . 2008-05-03 19:25 41,984 --a------ C:\WINDOWS\system32\gxgug.exe
2008-05-02 22:06 . 2008-05-02 22:07 64,840 --a------ C:\WINDOWS\system32\dhaqaffd.exe
2008-05-02 22:06 . 2008-05-02 22:07 53,248 --a------ C:\WINDOWS\system32\tjkwpj.exe
2008-05-02 22:06 . 2008-05-02 22:06 27,409 --a------ C:\WINDOWS\system32\aibfysz.exe
2008-05-02 08:56 . 2008-05-02 08:56 64,840 --a------ C:\WINDOWS\system32\tfppuly.exe
2008-04-27 21:48 . 2008-04-27 21:49 53,248 --a------ C:\WINDOWS\system32\diwdwdw.exe
2008-04-27 20:02 . 2008-04-29 09:41 104 --a------ C:\WINDOWS\system32\o
2008-04-26 15:40 . 2008-04-26 15:40 0 -ra------ C:\WINDOWS\system32\TFTP876
2008-04-24 17:34 . 2008-04-24 17:34 <DIR> d-------- C:\_OTMoveIt
2008-04-19 11:55 . 2008-04-19 11:56 <DIR> d-------- C:\Program Files\Google
2008-04-15 17:47 . 2002-10-28 14:21 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-15 17:47 . 2008-04-15 17:47 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-15 17:47 . 2008-04-15 17:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-15 17:47 . 2008-05-06 18:06 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-10 17:53 . 2008-04-10 17:53 <DIR> d-------- C:\Deckard
2008-04-10 13:53 . 2008-04-10 13:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-10 13:53 . 2008-04-10 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 14:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-04-04 01:19 --------- d-----w C:\Program Files\AWS
2008-04-04 01:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-04 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-04 00:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-04 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-30 01:57 4,214 --sha-r C:\WINDOWS\system32\drivers\HP_D7218H-ABA 774Y_YC_Pavi_QMX312S_E31NAheBLU4_4_IMS-6577_SMICRO-STAR INTERNATIONAL CO., LTD_V020_B3.15_T030226_WXH1_L409_M512_J80_7Intel_8Pentium 4_92.53_1103300F2_N10EC8139_P_Z11C1044E_K_A11020002_U808624C2_G10DE0172.MRK
2008-03-30 01:51 --------- d-----w C:\Program Files\Creative
2008-03-30 00:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-30 00:29 --------- d-----w C:\Program Files\ReadIris
2008-03-29 23:22 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-29 23:20 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-03-29 23:16 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-29 00:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-03-20 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 16:02 1343488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 01:08 1511453]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-04 21:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 20:42 69632]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 11:01 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 19:39 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-28 09:31 579584]
"Spooler SubSystem App"="C:\WINDOWS\System32\spooIsv.exe" [2002-08-29 07:00 101888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-28 07:48 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-12-03 19:55 49152 C:\WINDOWS\mididef.exe]
"PlayCenter2"="C:\Program Files\Creative\SBLive\PlayCenter2\MDEntry.exe" [2001-07-20 12:00 131072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 02:20:58 323646]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 02:21:30 147456]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 22:20:02 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUomjJB]
vtUomjJB.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHELPER]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]


.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 03:06:04 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe
"2008-05-01 23:53:03 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1206837060.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 18:11:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2008-05-06 18:15:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 23:15:23

Pre-Run: 59,634,524,160 bytes free
Post-Run: 59,701,952,512 bytes free

180
Logfile of HijackThis v1.99.1
Scan saved at 6:37:50 PM, on 5/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spooIsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...ast?query=39648
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{636C9EED-136E-4ABE-9FBC-ECFC341E31BF}: NameServer = 208.137.128.8 208.137.128.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtUomjJB - vtUomjJB.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#20 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)
Posted 06 May 2008 - 06:18 PM

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\leoxscbo.exe
C:\WINDOWS\system32\ycklj.exe
C:\WINDOWS\system32\clrgym.exe
C:\WINDOWS\system32\wljdpvn.exe
C:\WINDOWS\system32\ukcdiems.exe
C:\WINDOWS\system32\vkwk.exe
C:\WINDOWS\system32\ctvhb.exe
C:\WINDOWS\system32\xwgmaxg.exe
C:\WINDOWS\system32\qbrkq.exe
C:\WINDOWS\system32\xhcjktpu.exe
C:\WINDOWS\system32\okhx.exe
C:\WINDOWS\system32\aztsizh.exe
C:\WINDOWS\system32\mxsbcz.exe
C:\WINDOWS\system32\kpngg.exe
C:\WINDOWS\system32\vtjgwh.exe
C:\WINDOWS\system32\ssudcnbf.exe
C:\WINDOWS\system32\zycxc.exe
C:\WINDOWS\system32\ubqq.exe
C:\WINDOWS\system32\vnznf.exe
C:\WINDOWS\system32\ngih.exe
C:\WINDOWS\system32\ptvrrtog.exe
C:\WINDOWS\system32\ubtnt.exe
C:\WINDOWS\system32\bzuwjr.exe
C:\WINDOWS\system32\zcdrwby.exe
C:\WINDOWS\system32\wxsnca.exe
C:\WINDOWS\system32\qjcziixa.exe
C:\WINDOWS\system32\pasq.exe
C:\WINDOWS\system32\vkaxph.exe
C:\WINDOWS\system32\kztnphe.exe
C:\WINDOWS\system32\ghadyjo.exe
C:\WINDOWS\system32\slpxsf.exe
C:\WINDOWS\system32\agttiz.exe
C:\WINDOWS\system32\kioltsqg.exe
C:\WINDOWS\system32\iwttd.exe
C:\WINDOWS\system32\ngpjsrdp.exe
C:\WINDOWS\system32\azlgh.exe
C:\WINDOWS\system32\ndhsbu.exe
C:\WINDOWS\system32\wsvuat.exe
C:\WINDOWS\system32\kemqo.exe
C:\WINDOWS\system32\gxgug.exe
C:\WINDOWS\system32\dhaqaffd.exe
C:\WINDOWS\system32\tjkwpj.exe
C:\WINDOWS\system32\aibfysz.exe
C:\WINDOWS\system32\tfppuly.exe
C:\WINDOWS\system32\diwdwdw.exe
C:\WINDOWS\system32\o
C:\WINDOWS\system32\TFTP876

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log
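The logs in #19 and the CFScript in #20 lend themselves to a small triage script. What follows is an added example written for this page, not a tool the thread's helpers used and not part of ComboFix or HijackThis. It parses a handful of lines copied from the logs above (embedded as constructed test input) and flags the things a responder would pull out of them by eye: a Run entry whose image name only matches a Windows binary once confusable glyphs are normalised (the log's spooIsv.exe, with a capital I, sitting beside the real spoolsv.exe; the print spooler is a service, so a Run value named "Spooler SubSystem App" is itself odd), a Winlogon Notify hook whose DLL is gone but whose registration remains ("(file missing)"), new system32 executables that share an exact byte size or a creation minute (the 1,635-byte and 41,984-byte files dropped in batches), and the zero-byte TFTPnnn staging files. It then drafts the four CFScript sections shown in #20. The size and same-minute heuristics are this example's own, and the REGEDIT4 deletion syntax it emits under Registry:: ("value"=- and [-key]) is assumed, not documented ComboFix behaviour, so the draft is for review rather than blind use.

```python
"""Triage HijackThis / ComboFix log lines and draft a CFScript (added example)."""
import re
from collections import defaultdict

# Constructed input: a subset of the HijackThis lines posted in #19.
HJT_LINES = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtUomjJB - vtUomjJB.dll (file missing)
""".strip().splitlines()

# Constructed input: a subset of the ComboFix 'Files Created' lines from #19.
COMBOFIX_LINES = r"""
2008-05-06 09:58 . 2008-05-06 09:59 8,192 --a------ C:\WINDOWS\system32\vkwk.exe
2008-05-06 09:58 . 2008-05-06 09:58 1,635 --a------ C:\WINDOWS\system32\xwgmaxg.exe
2008-05-05 19:55 . 2008-05-05 19:55 1,635 --a------ C:\WINDOWS\system32\okhx.exe
2008-05-03 22:16 . 2008-05-03 22:16 1,635 --a------ C:\WINDOWS\system32\agttiz.exe
2008-04-26 15:40 . 2008-04-26 15:40 0 -ra------ C:\WINDOWS\system32\TFTP876
2008-04-19 11:55 . 2008-04-19 11:56 <DIR> d-------- C:\Program Files\Google
""".strip().splitlines()

# Process names malware imitates; "spooIsv" (capital I) mimics spoolsv.exe.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"}
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})
RUN_KEYS = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
            "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
HJT_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
CF_CREATED = re.compile(r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+ "
                        r"(?P<size>[\d,]+|<DIR>) \S+ (?P<path>.+)$")


def lookalike_of(filename):
    """Return the system binary a name imitates via confusable glyphs, else None."""
    normalised = filename.translate(CONFUSABLES).lower()
    if normalised in SYSTEM_BINARIES and filename.lower() not in SYSTEM_BINARIES:
        return normalised
    return None


def triage_hjt(lines):
    """Flag Run entries whose image is a lookalike and orphaned Winlogon Notify hooks."""
    findings = []
    for line in lines:
        m = HJT_O4.match(line)
        if m:
            exe = re.match(r'"?(?P<path>[^"]+?\.exe)', m["cmd"], re.I)
            target = lookalike_of(exe["path"].rsplit("\\", 1)[-1]) if exe else None
            if target:
                findings.append({"kind": "lookalike", "path": exe["path"], "target": target,
                                 "key": RUN_KEYS[m["hive"]] + "\\" + m["key"], "value": m["value"]})
            continue
        m = HJT_O20.match(line)
        if m and m["missing"]:  # DLL deleted, registration left behind
            findings.append({"kind": "orphan_notify", "path": None,
                             "key": NOTIFY_KEY + "\\" + m["name"]})
    return findings


def triage_created(lines):
    """Flag new system32 files showing the dropper patterns in the thread's logs:
    .exe files sharing one exact size, .exe files dropped in the same minute,
    and zero-byte TFTPnnn staging files (heuristics of this example, not ComboFix's)."""
    entries = []
    for line in lines:
        m = CF_CREATED.match(line)
        if m and m["size"] != "<DIR>" and m["path"].lower().startswith("c:\\windows\\system32\\"):
            entries.append((m["created"], int(m["size"].replace(",", "")), m["path"]))
    by_size, by_minute = defaultdict(set), defaultdict(set)
    for created, size, path in entries:
        if path.lower().endswith(".exe"):
            by_size[size].add(path)
            by_minute[created].add(path)
    findings = []
    for created, size, path in entries:
        name = path.rsplit("\\", 1)[-1]
        if re.fullmatch(r"TFTP\d+", name, re.I):
            findings.append({"kind": "tftp_staging", "path": path})
        elif len(by_size[size]) >= 2:
            findings.append({"kind": "size_cluster", "path": path})
        elif len(by_minute[created]) >= 2:
            findings.append({"kind": "drop_burst", "path": path})
    return findings


def build_cfscript(hjt_findings, created_findings):
    """Draft the CFScript sections shown in #20 (File::, Folder::, Registry::, Driver::).
    Registry:: uses REGEDIT4 deletion syntax ("value"=- and [-key]); that ComboFix
    accepts it here is an assumption of this example, so review before use."""
    files = sorted({f["path"] for f in hjt_findings + created_findings if f["path"]})
    registry = []
    for f in hjt_findings:
        if f["kind"] == "lookalike":
            registry += ["[" + f["key"] + "]", '"' + f["value"] + '"=-']
        elif f["kind"] == "orphan_notify":
            registry.append("[-" + f["key"] + "]")
    return "\n".join(["File::", *files, "", "Folder::", "", "Registry::", *registry, "", "Driver::", ""])


if __name__ == "__main__":
    print(build_cfscript(triage_hjt(HJT_LINES), triage_created(COMBOFIX_LINES)))
```

Running it prints a File:: list containing spooIsv.exe, TFTP876 and the four clustered or burst-dropped executables, followed by a Registry:: block that removes the "Spooler SubSystem App" value and the vtUomjJB Notify key. Re-running triage_created over the 'Files Created' section of the second log in #21 is the respawn check: anything stamped after the first run's completion time (the 05-06 log finished at 18:15, and the 05-09 log lists files created at 18:18 the same day) means the dropper was still resident when ComboFix rebooted.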

#21 dozinslosh (Authentic Member, 36 posts)
Posted 10 May 2008 - 04:13 PM

Hello,
I'm still getting the same popup and the computer is still barely functional online. Is it so badly infected that it just can't be cleaned up? Here are the combofix and hjt logs:
Thanks!


ComboFix 08-05-01.3 - Owner 2008-05-09 17:36:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.234 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point


FILE ::
C:\WINDOWS\system32\agttiz.exe
C:\WINDOWS\system32\aibfysz.exe
C:\WINDOWS\system32\azlgh.exe
C:\WINDOWS\system32\aztsizh.exe
C:\WINDOWS\system32\bzuwjr.exe
C:\WINDOWS\system32\clrgym.exe
C:\WINDOWS\system32\ctvhb.exe
C:\WINDOWS\system32\dhaqaffd.exe
C:\WINDOWS\system32\diwdwdw.exe
C:\WINDOWS\system32\ghadyjo.exe
C:\WINDOWS\system32\gxgug.exe
C:\WINDOWS\system32\iwttd.exe
C:\WINDOWS\system32\kemqo.exe
C:\WINDOWS\system32\kioltsqg.exe
C:\WINDOWS\system32\kpngg.exe
C:\WINDOWS\system32\kztnphe.exe
C:\WINDOWS\system32\leoxscbo.exe
C:\WINDOWS\system32\mxsbcz.exe
C:\WINDOWS\system32\ndhsbu.exe
C:\WINDOWS\system32\ngih.exe
C:\WINDOWS\system32\ngpjsrdp.exe
C:\WINDOWS\system32\o
C:\WINDOWS\system32\okhx.exe
C:\WINDOWS\system32\pasq.exe
C:\WINDOWS\system32\ptvrrtog.exe
C:\WINDOWS\system32\qbrkq.exe
C:\WINDOWS\system32\qjcziixa.exe
C:\WINDOWS\system32\slpxsf.exe
C:\WINDOWS\system32\ssudcnbf.exe
C:\WINDOWS\system32\tfppuly.exe
C:\WINDOWS\system32\TFTP876
C:\WINDOWS\system32\tjkwpj.exe
C:\WINDOWS\system32\ubqq.exe
C:\WINDOWS\system32\ubtnt.exe
C:\WINDOWS\system32\ukcdiems.exe
C:\WINDOWS\system32\vkaxph.exe
C:\WINDOWS\system32\vkwk.exe
C:\WINDOWS\system32\vnznf.exe
C:\WINDOWS\system32\vtjgwh.exe
C:\WINDOWS\system32\wljdpvn.exe
C:\WINDOWS\system32\wsvuat.exe
C:\WINDOWS\system32\wxsnca.exe
C:\WINDOWS\system32\xhcjktpu.exe
C:\WINDOWS\system32\xwgmaxg.exe
C:\WINDOWS\system32\ycklj.exe
C:\WINDOWS\system32\zcdrwby.exe
C:\WINDOWS\system32\zycxc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\agttiz.exe
C:\WINDOWS\system32\aibfysz.exe
C:\WINDOWS\system32\azlgh.exe
C:\WINDOWS\system32\aztsizh.exe
C:\WINDOWS\system32\bzuwjr.exe
C:\WINDOWS\system32\cibdvfgb.dll
C:\WINDOWS\system32\clrgym.exe
C:\WINDOWS\system32\ctvhb.exe
C:\WINDOWS\system32\dhaqaffd.exe
C:\WINDOWS\system32\diwdwdw.exe
C:\WINDOWS\system32\ffilqtsx.dll
C:\WINDOWS\system32\firewall.exe
C:\WINDOWS\system32\geBuSIba.dll
C:\WINDOWS\system32\ghadyjo.exe
C:\WINDOWS\system32\gxgug.exe
C:\WINDOWS\system32\iifghedE.dll
C:\WINDOWS\system32\iwttd.exe
C:\WINDOWS\system32\jTtDNqss.ini
C:\WINDOWS\system32\jTtDNqss.ini2
C:\WINDOWS\system32\kemqo.exe
C:\WINDOWS\system32\kioltsqg.exe
C:\WINDOWS\system32\kpngg.exe
C:\WINDOWS\system32\kztnphe.exe
C:\WINDOWS\system32\leoxscbo.exe
C:\WINDOWS\system32\lmcjtils.dll
C:\WINDOWS\system32\mbbmgrgp.ini
C:\WINDOWS\system32\mxsbcz.exe
C:\WINDOWS\system32\ndhsbu.exe
C:\WINDOWS\system32\ngih.exe
C:\WINDOWS\system32\ngpjsrdp.exe
C:\WINDOWS\system32\o
C:\WINDOWS\system32\okhx.exe
C:\WINDOWS\system32\pasq.exe
C:\WINDOWS\system32\ptvrrtog.exe
C:\WINDOWS\system32\qbrkq.exe
C:\WINDOWS\system32\qjcziixa.exe
C:\WINDOWS\system32\slitjcml.ini
C:\WINDOWS\system32\slpxsf.exe
C:\WINDOWS\system32\ssqRlmJa.dll
C:\WINDOWS\system32\ssudcnbf.exe
C:\WINDOWS\system32\tfppuly.exe
C:\WINDOWS\system32\TFTP876
C:\WINDOWS\system32\tjkwpj.exe
C:\WINDOWS\system32\tqdeilqf.dll
C:\WINDOWS\system32\ubqq.exe
C:\WINDOWS\system32\ubtnt.exe
C:\WINDOWS\system32\ukcdiems.exe
C:\WINDOWS\system32\vkaxph.exe
C:\WINDOWS\system32\vkwk.exe
C:\WINDOWS\system32\vnznf.exe
C:\WINDOWS\system32\vtjgwh.exe
C:\WINDOWS\system32\wljdpvn.exe
C:\WINDOWS\system32\wsvuat.exe
C:\WINDOWS\system32\wxsnca.exe
C:\WINDOWS\system32\xhcjktpu.exe
C:\WINDOWS\system32\xwgmaxg.exe
C:\WINDOWS\system32\ycklj.exe
C:\WINDOWS\system32\zcdrwby.exe
C:\WINDOWS\system32\zycxc.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 10:49 . 2008-05-09 10:50 30,720 --a------ C:\WINDOWS\system32\bzhpijq.exe
2008-05-09 10:49 . 2008-05-09 10:49 1,635 --a------ C:\WINDOWS\system32\vblzeft.exe
2008-05-09 10:49 . 2008-05-09 10:49 1,635 --a------ C:\WINDOWS\system32\bfhq.exe
2008-05-08 21:51 . 2008-05-08 21:51 24,576 --a------ C:\WINDOWS\system32\aof.exe
2008-05-08 21:40 . 2008-05-08 21:41 55,808 --a------ C:\WINDOWS\system32\abdatee.exe
2008-05-08 21:40 . 2008-05-08 21:40 1,635 --a------ C:\WINDOWS\system32\yjwrvw.exe
2008-05-08 21:40 . 2008-05-08 21:40 1,635 --a------ C:\WINDOWS\system32\aemv.exe
2008-05-08 18:08 . 2008-05-08 18:08 1,635 --a------ C:\WINDOWS\system32\zkzhc.exe
2008-05-08 17:33 . 2008-05-08 17:33 83,968 --a------ C:\WINDOWS\system32\iwqwzy.exe
2008-05-08 17:10 . 2008-05-08 17:10 2,048 --a------ C:\WINDOWS\system32\ditwmsmo.exe
2008-05-08 17:09 . 2008-05-08 17:09 1,635 --a------ C:\WINDOWS\system32\odjnd.exe
2008-05-07 21:34 . 2008-05-07 21:34 0 -ra------ C:\WINDOWS\system32\TFTP3144
2008-05-07 21:32 . 2008-05-07 21:33 55,808 --a------ C:\WINDOWS\system32\tifdxk.exe
2008-05-07 21:32 . 2008-05-07 21:32 41,984 --a------ C:\WINDOWS\system32\xbmmws.exe
2008-05-07 16:59 . 2008-05-07 16:59 2,048 --a------ C:\WINDOWS\system32\fvkqjfnh.exe
2008-05-07 16:58 . 2008-05-07 16:58 55,808 --a------ C:\WINDOWS\system32\vfuwqemj.exe
2008-05-07 16:58 . 2008-05-07 16:58 41,984 --a------ C:\WINDOWS\system32\kbnog.exe
2008-05-07 16:58 . 2008-05-07 16:58 1,635 --a------ C:\WINDOWS\system32\wqjbvgan.exe
2008-05-07 16:58 . 2008-05-07 16:58 1,635 --a------ C:\WINDOWS\system32\brjptj.exe
2008-05-07 16:48 . 2008-05-07 16:49 41,984 --a------ C:\WINDOWS\system32\ngayk.exe
2008-05-07 16:48 . 2008-05-07 16:48 1,635 --a------ C:\WINDOWS\system32\xbprzyy.exe
2008-05-07 16:48 . 2008-05-07 16:48 1,635 --a------ C:\WINDOWS\system32\tueqvw.exe
2008-05-07 07:19 . 2008-05-07 07:23 316,096 --a------ C:\WINDOWS\system32\ssqNDtTj.dll
2008-05-07 07:13 . 2008-05-07 07:14 41,984 --a------ C:\WINDOWS\system32\koxd.exe
2008-05-07 07:13 . 2008-05-07 07:13 1,635 --a------ C:\WINDOWS\system32\xhxusgey.exe
2008-05-07 07:13 . 2008-05-07 07:13 1,635 --a------ C:\WINDOWS\system32\cwudac.exe
2008-05-06 18:18 . 2008-05-06 18:18 1,635 --a------ C:\WINDOWS\system32\ccuqkfhs.exe
2008-05-06 18:18 . 2008-05-06 18:18 1,635 --a------ C:\WINDOWS\system32\aecaqror.exe
2008-04-24 17:34 . 2008-04-24 17:34 <DIR> d-------- C:\_OTMoveIt
2008-04-19 11:55 . 2008-04-19 11:56 <DIR> d-------- C:\Program Files\Google
2008-04-15 17:47 . 2002-10-28 14:21 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-15 17:47 . 2008-04-15 17:47 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-15 17:47 . 2008-04-15 17:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-15 17:47 . 2008-05-06 18:06 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-10 17:53 . 2008-04-10 17:53 <DIR> d-------- C:\Deckard
2008-04-10 13:53 . 2008-04-10 13:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-10 13:53 . 2008-04-10 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 14:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-04-04 01:19 --------- d-----w C:\Program Files\AWS
2008-04-04 01:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-04 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-04 00:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-04 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-30 01:57 4,214 --sha-r C:\WINDOWS\system32\drivers\HP_D7218H-ABA 774Y_YC_Pavi_QMX312S_E31NAheBLU4_4_IMS-6577_SMICRO-STAR INTERNATIONAL CO., LTD_V020_B3.15_T030226_WXH1_L409_M512_J80_7Intel_8Pentium 4_92.53_1103300F2_N10EC8139_P_Z11C1044E_K_A11020002_U808624C2_G10DE0172.MRK
2008-03-30 01:51 --------- d-----w C:\Program Files\Creative
2008-03-30 00:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-30 00:29 --------- d-----w C:\Program Files\ReadIris
2008-03-29 23:22 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-29 23:20 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-03-29 23:16 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-29 00:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-03-20 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-06_18.15.11.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 23:10:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 22:40:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-24 17:16:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-09 22:34:53 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-24 17:16:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-09 22:34:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-24 17:16:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-09 22:34:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F5E8FC3-F64F-48FB-B2D5-E777A0298D9F}]
2008-05-07 07:23 316096 --a------ C:\WINDOWS\System32\ssqNDtTj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 16:02 1343488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-21 01:08 1511453]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-04 21:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 20:42 69632]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 11:01 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 19:39 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-28 09:31 579584]
"Spooler SubSystem App"="C:\WINDOWS\System32\spooIsv.exe" [2002-08-29 07:00 101888]
"Windows Network Firewall"="C:\WINDOWS\System32\firewall.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-28 07:48 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-12-03 19:55 49152 C:\WINDOWS\mididef.exe]
"PlayCenter2"="C:\Program Files\Creative\SBLive\PlayCenter2\MDEntry.exe" [2001-07-20 12:00 131072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 02:20:58 323646]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 02:21:30 147456]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 22:20:02 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuSIba]
geBuSIba.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUomjJB]
vtUomjJB.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\ssqNDtTj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHELPER]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]


.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 03:06:04 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe
"2008-05-01 23:53:03 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1206837060.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 17:40:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2008-05-09 17:44:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 22:44:29
ComboFix2.txt 2008-05-06 23:15:27

Pre-Run: 59,668,176,896 bytes free
Post-Run: 59,654,160,384 bytes free

275

*********************************************
*********************************************
Logfile of HijackThis v1.99.1
Scan saved at 6:11:56 PM, on 5/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wundergro...ast?query=39648
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\System32\firewall.exe
O4 - HKLM\..\Run: [58eb1514] rundll32.exe "C:\WINDOWS\System32\tmnnmnxm.dll",b
O4 - HKLM\..\Run: [BM5bd82688] Rundll32.exe "C:\WINDOWS\System32\qwcoyxuu.dll",s
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

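Added triage example (editor's code, not from the thread and not part of ComboFix or HijackThis): the two logs above contain several autostart patterns that a reviewer would want flagged mechanically before deciding what to run next. A Run value whose binary name differs from the print spooler's spoolsv.exe only by a capital I in place of a lowercase l (spooIsv.exe); an entry whose file ComboFix could not find on disk (`[ ]`); Winlogon Notify DLLs and an LSA Authentication Packages value beyond the stock msv1_0, both of which load into privileged processes at boot; and rundll32 loading a System32 DLL by a one-letter export. The script applies those checks to lines copied from the logs. The system-binary list, the confusable-glyph table and the random-name heuristic are assumptions, and the last is deliberately low confidence.

```python
"""Autostart triage over ComboFix 'Reg Loading Points' and HijackThis O4 lines.

Editor's example, not code from the forum thread, ComboFix or HijackThis.
SYSTEM_BINARIES, CONFUSABLE and looks_random() are assumptions chosen for
this illustration.
"""
import re
from typing import List, Tuple

# Windows XP binaries that malware commonly imitates by name (assumed, not exhaustive).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"}
# Glyphs that are hard to tell apart in the default Windows UI font (assumed table).
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})
# The only value in LSA 'Authentication Packages' on a stock XP install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

_FILE = re.compile(r"[\w.~-]+\.(?:exe|dll)\b", re.IGNORECASE)
_NOTIFY = re.compile(r"\\winlogon\\notify\\(\w+)\]", re.IGNORECASE)
_RUNDLL = re.compile(r'rundll32\.exe\s+"?([^"]+\.dll)"?\s*,\s*(\w{1,2})\b', re.IGNORECASE)
_STEM8 = re.compile(r"^[A-Za-z]{8}$")

Finding = Tuple[str, str]


def canonical(filename: str) -> str:
    """Fold confusable glyphs before lower-casing, so 'spooIsv.exe' -> 'spoolsv.exe'."""
    return filename.translate(CONFUSABLE).lower()


def looks_random(filename: str) -> bool:
    """Weak heuristic for generated DLL names: an 8-letter stem with an upper-case
    letter following a lower-case one (ssqNDtTj) or with no vowels at all (tmnnmnxm).
    It will misfire on some vendor names; use it for prioritisation only."""
    stem = filename.rsplit(".", 1)[0]
    if not _STEM8.match(stem):
        return False
    mixed_case = any(stem[i].isupper() and stem[i - 1].islower() for i in range(1, len(stem)))
    vowels = sum(c in "aeiouyAEIOUY" for c in stem)
    return mixed_case or vowels == 0


def triage(lines: List[str]) -> List[Finding]:
    """Return (rule, evidence) pairs, in log order, for lines that deserve a closer look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for name in _FILE.findall(line):
            # 1. Name that matches a system binary only after glyph folding.
            if canonical(name) in SYSTEM_BINARIES and name.lower() not in SYSTEM_BINARIES:
                findings.append(("lookalike", name))
            # 2. Generated-looking DLL name (low confidence).
            if name.lower().endswith(".dll") and looks_random(name):
                findings.append(("random_name", name))
        # 3. ComboFix prints '[ ]' when the referenced file is not on disk.
        if line.endswith("[ ]"):
            findings.append(("missing_file", line))
        # 4. Any Winlogon Notify subkey ComboFix lists is non-default by construction
        #    (its header says legitimate default entries are suppressed).
        m = _NOTIFY.search(line)
        if m:
            findings.append(("winlogon_notify", m.group(1)))
        # 5. Extra LSA authentication packages are loaded by lsass.exe at boot.
        if line.startswith("Authentication Packages"):
            for token in line.split()[3:]:
                if token.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", token))
        # 6. rundll32 invoking a DLL through a one- or two-letter export name.
        m = _RUNDLL.search(line)
        if m:
            findings.append(("rundll32_export", f"{m.group(1)} export {m.group(2)}"))
    return findings


# Sample lines copied from the ComboFix and HijackThis logs above; no other input is used.
SAMPLE = [
    r'"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-28 09:31 579584]',
    r'"Spooler SubSystem App"="C:\WINDOWS\System32\spooIsv.exe" [2002-08-29 07:00 101888]',
    r'"Windows Network Firewall"="C:\WINDOWS\System32\firewall.exe" [ ]',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuSIba]",
    r"geBuSIba.dll",
    r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\ssqNDtTj.dll",
    r'O4 - HKLM\..\Run: [58eb1514] rundll32.exe "C:\WINDOWS\System32\tmnnmnxm.dll",b',
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE):
        print(f"{rule:17} {evidence}")
```

Run it as-is to list the findings, or pass the full text of a ComboFix and HijackThis log to `triage()` to work through a whole report. The look-alike, missing-file, Notify and LSA rules are deterministic; the random-name rule will misfire on some vendor DLLs, so treat it as a hint about where to look first rather than a verdict.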
#22 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 11 May 2008 - 04:39 AM

Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Then delete ComboFix.exe and the folders C:\ComboFix and C:\qoobox then do this

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#23 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 15 May 2008 - 06:12 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
