[Resolved] Smitfraud-C.CoreService and Virtumonde


16 replies to this topic

#1 nottageek (New Member, 9 posts)

Posted 17 May 2008 - 11:25 AM

I am trying to fix my friends computer.
He gets too frustrated.
He had no virus protection.
His Adaware disappeared.
All he had was Spybot that was not updated.
System restore has been shut off, and still is since I can't restore to a good point.
Each time Spybot runs Smitfraud-C.CoreService and Virtumonde take turns showing up.
Tried to uninstall Messenger, Firefox Beta, and Google toolbar, and they still show up when exploring Local Disk (C:) --> Program Files.
They do not show up Start --> All Programs
Also found some files my friend knows nothing about. These also do not show in Add/Remove or All Programs: DBAR, PeoplePC (empty folder), winvi, VideoLAN, ComPlus Applications (empty folder).
On the desktop there is an application --- vlc-0.8.6c-win32.

I turned Remote Assistance Off, it was On.
I installed Windows Defender and Trend Micro. Updated Spybot.
Tried to install SP3, but the computer hung, so it stopped in the middle of the install. Now Windows Update will no longer work in automatic mode even though it is turned on.
Because it won't work in auto, it also doesn't want to work in manual.
Had to download the Malicious Software Removal Tool from the downloads site. Didn't find anything when scanned with the MS tool.

Two issues in HJT.

1. Window opens reading:

For some reason your system denied write access to the Hosts file.
If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

notepad "C:\WINDOWS\System32\drivers\etc\hosts"

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts." (with quotes), and reboot.


2. A second window opens reading:

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


Here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:06 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\laptop\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CCBC343-5535-4DB7-BE9D-3CEB947A8524} - (no file)
O2 - BHO: (no name) - {39959152-F787-451B-B01B-6D55F4E2FDE1} - (no file)
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {7CC25709-ABEC-461F-9918-589B047F22C9} - (no file)
O2 - BHO: (no name) - {8181a2fb-b63a-4fcb-b664-c9e4f96066d2} - C:\WINDOWS\system32\rsfbmtex.dll
O2 - BHO: (no name) - {9D8B14D1-D963-D6B3-1197-AB8F002479CA} - (no file)
O2 - BHO: (no name) - {CC11617C-259E-429c-9063-7D70B8355EBD} - (no file)
O2 - BHO: (no name) - {EBB444AE-61B8-4813-B46B-0716B287AEDE} - (no file)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ACU_QSB] C:\Program Files\Atheros\ACU\Utility\ACU.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {E9537A56-89B8-400D-BF5D-2CC989771215} - http://qwest.live.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\
O20 - Winlogon Notify: nnnllJde - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

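The log above carries the three line types that matter most for a Vundo/Virtumonde infection: O2 BHO entries (one backed by a randomly named DLL in system32, several orphaned with "(no file)"), O20 Winlogon Notify packages (dimsntfy is a standard XP package, nnnllJde is not), and O23 services reported as "(file missing)". Below is an added Python triage script for a HijackThis 1.99.1-format log; it is not part of this thread and not HijackThis or vendor code. Assumptions, labelled in the code: the Winlogon Notify allowlist is a baseline from a clean XP SP2 install, the "8 lowercase letters + .dll in system32" rule is a heuristic for Vundo's generated DLL names (it matches the pattern, not a specific name), and the sample lines are constructed after the log in this post. The O23 rule is rated medium only, because HJT 1.99.1 splits a quoted ImagePath that carries arguments at the first quote (the TMBMServer line above shows the path it tested ending in `" /service`), so that "(file missing)" must be verified by hand rather than acted on.

```python
"""Triage a HijackThis 1.99.1-style log for Vundo/Virtumonde-type indicators.

Added example for this thread; not HijackThis code and not a vendor signature.
"""
import re
from dataclasses import dataclass
from typing import List

# Winlogon Notify packages present on a clean Windows XP SP2 install
# (assumption: allowlist taken from my own baseline; extend it for yours).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Heuristic (assumption): Vundo drops its BHO as a freshly generated 8-letter
# DLL in %SystemRoot%\system32 (cf. rsfbmtex.dll in the log); the pattern,
# not any specific name, is what is matched.
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def notify_name(line: str) -> str:
    # "O20 - Winlogon Notify: nnnllJde - C:\WINDOWS\"  ->  "nnnllJde"
    return line.split(":", 1)[1].split(" - ", 1)[0].strip()


def triage_hjt(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:"):
            if line.endswith("(no file)"):
                findings.append(Finding("low", "orphaned BHO CLSID, no DLL on disk", line))
            elif "(no name)" in line and RANDOM_DLL.search(line):
                findings.append(Finding("high", "unnamed BHO backed by random 8-letter DLL in system32", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            name = notify_name(line)
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding("high", f"unknown Winlogon Notify package {name}", line))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            # HJT 1.99.1 splits a quoted ImagePath with arguments at the first
            # quote, so this can be a false positive: verify the binary by hand.
            findings.append(Finding("medium", "service ImagePath not found; verify manually", line))
    return findings


# Constructed sample in HJT 1.99.1 format, modelled on the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CCBC343-5535-4DB7-BE9D-3CEB947A8524} - (no file)
O2 - BHO: (no name) - {8181a2fb-b63a-4fcb-b664-c9e4f96066d2} - C:\WINDOWS\system32\rsfbmtex.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\
O20 - Winlogon Notify: nnnllJde - C:\WINDOWS\
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it reports the orphaned BHO as low, rsfbmtex.dll and nnnllJde as high, and the TMBMServer line as medium; dimsntfy is not reported. The allowlist approach for O20 is deliberate: Vundo's notify package name is random, so there is nothing to blocklist, and anything outside a known-good baseline deserves a look.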

#2 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)

Posted 19 May 2008 - 07:23 AM

Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 nottageek (New Member, 9 posts)

Posted 19 May 2008 - 07:39 PM

Thank you for taking the time to help us in this.
Here are the logs:
ComboFix 08-05-19.4 - laptop 2008-05-19 18:14:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.115 [GMT -7:00]
Running from: C:\Documents and Settings\laptop\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\laptop\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\laptop\My Documents\YMBOLS~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cenyqtsm.exe
C:\WINDOWS\system32\cstpyled.ini
C:\WINDOWS\system32\DfPrCcfe.ini
C:\WINDOWS\system32\DfPrCcfe.ini2
C:\WINDOWS\system32\drivers\ptilinkk.sys
C:\WINDOWS\system32\fmpclanr.ini
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\icroso~1\?icrosoft\
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\PrrsCfhk.ini
C:\WINDOWS\system32\PrrsCfhk.ini2
C:\WINDOWS\system32\vdvgucnw.ini
C:\WINDOWS\system32\vyuqwovy.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PTILINKK
-------\Service_ptilinkk


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-17 09:54 . 2008-05-17 09:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-17 00:26 . 2008-05-17 00:26 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-16 21:07 . 2008-05-16 21:07 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-05-16 21:01 . 2008-05-16 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hpqwmi
2008-05-16 18:35 . 2008-05-16 18:35 294 --ahs---- C:\WINDOWS\system32\hxmhndsw.ini
2008-05-13 20:57 . 2008-05-13 20:57 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-05-13 20:57 . 2008-05-13 20:57 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-05-13 18:05 . 2008-05-13 19:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-13 17:03 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-05-13 16:55 . 2004-08-04 05:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-13 16:54 . 2007-04-18 09:12 2,854,400 --a------ C:\WINDOWS\system32\msi.dll
2008-05-13 16:52 . 2007-02-28 02:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-05-13 16:49 . 2008-05-13 16:49 <DIR> d-------- C:\WINDOWS\EHome
2008-05-13 08:57 . 2008-05-13 08:57 124,416 --a------ C:\WINDOWS\system32\eaxsteji.dll
2008-05-12 20:56 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-05-12 20:56 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-05-12 20:55 . 2008-05-12 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-12 20:54 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 19:55 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-12 19:23 . 2008-05-13 16:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-12 07:40 . 2008-05-12 07:40 132,608 --a------ C:\WINDOWS\system32\rsfbmtex.dll
2008-05-12 07:31 . 2008-05-12 07:31 124,416 --a------ C:\WINDOWS\system32\bmqrbiho.dll
2008-05-11 22:01 . 2008-05-11 22:01 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-11 21:22 . 2008-05-11 21:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-11 21:22 . 2008-05-19 18:11 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-11 17:42 . 2008-05-12 20:02 <DIR> d-------- C:\Documents and Settings\laptop\.housecall6.6
2008-05-11 17:39 . 2008-05-11 21:46 <DIR> d-------- C:\Program Files\dbar
2008-05-11 17:27 . 2008-05-17 07:49 1,395 --a------ C:\WINDOWS\wininit.ini
2008-05-11 16:56 . 2008-05-11 16:56 134,656 --a------ C:\WINDOWS\system32\xwwmcuvq.dll
2008-05-11 16:48 . 2008-05-11 16:48 125,440 --a------ C:\WINDOWS\system32\ohusisey.dll
2008-05-11 16:48 . 2008-05-16 18:05 109,803 --a------ C:\WINDOWS\BM4f27cce1.xml
2008-05-11 16:42 . 2008-05-12 07:43 <DIR> d-------- C:\WINDOWS\system32\vdTMP
2008-05-11 16:42 . 2008-05-11 16:42 <DIR> d-------- C:\WINDOWS\system32\hNF
2008-05-11 16:42 . 2008-05-12 21:48 <DIR> d-------- C:\WINDOWS\system32\din3
2008-05-11 16:42 . 2008-05-13 19:33 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-05-11 16:42 . 2008-05-12 07:43 <DIR> d-------- C:\WINDOWS\system32\2033b
2008-05-11 16:42 . 2008-05-13 12:47 <DIR> d-------- C:\TEMP\maxsv15
2008-05-11 16:42 . 2008-05-11 21:48 <DIR> d-------- C:\Program Files\winvi
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-13 19:18 --------- d-----w C:\Program Files\Google
2008-05-13 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-12 20:13 --------- d-----w C:\Program Files\PeoplePC
2008-03-31 06:17 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-31 02:08 --------- d-----w C:\Program Files\CCleaner
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 20:18 --------- d-----w C:\Program Files\Common Files\NSV
2008-03-29 23:47 --------- d-----w C:\Documents and Settings\laptop\Application Data\dvdcss
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CCBC343-5535-4DB7-BE9D-3CEB947A8524}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39959152-F787-451B-B01B-6D55F4E2FDE1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CC25709-ABEC-461F-9918-589B047F22C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8181a2fb-b63a-4fcb-b664-c9e4f96066d2}]
2008-05-12 07:40 132608 --a------ C:\WINDOWS\system32\rsfbmtex.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D8B14D1-D963-D6B3-1197-AB8F002479CA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBB444AE-61B8-4813-B46B-0716B287AEDE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 13:12 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 09:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 12:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 12:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 21:10 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05 200766]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 17:33 81920]
"ACU_QSB"="C:\Program Files\Atheros\ACU\Utility\ACU.exe" [2003-09-24 09:53 1716224]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19 290816]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-08-04 15:47 286720]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 19:15 198800]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 16:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnllJde]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f27cce1]
--a------ 2008-05-12 07:31 124416 C:\WINDOWS\system32\bmqrbiho.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 09:50]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 17:38]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 17:49]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 07:50]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 17:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 01:26:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 18:24:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?4?2?2??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\Cpqalert.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Cpqdmi.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-05-19 18:27:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 01:27:15

Pre-Run: 45,610,635,264 bytes free
Post-Run: 45,533,732,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

196 --- E O F --- 2008-04-13 15:06:45


And the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 18:32, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\laptop\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CCBC343-5535-4DB7-BE9D-3CEB947A8524} - (no file)
O2 - BHO: (no name) - {39959152-F787-451B-B01B-6D55F4E2FDE1} - (no file)
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {7CC25709-ABEC-461F-9918-589B047F22C9} - (no file)
O2 - BHO: (no name) - {8181a2fb-b63a-4fcb-b664-c9e4f96066d2} - C:\WINDOWS\system32\rsfbmtex.dll
O2 - BHO: (no name) - {9D8B14D1-D963-D6B3-1197-AB8F002479CA} - (no file)
O2 - BHO: (no name) - {CC11617C-259E-429c-9063-7D70B8355EBD} - (no file)
O2 - BHO: (no name) - {EBB444AE-61B8-4813-B46B-0716B287AEDE} - (no file)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ACU_QSB] C:\Program Files\Atheros\ACU\Utility\ACU.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {E9537A56-89B8-400D-BF5D-2CC989771215} - http://qwest.live.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\
O20 - Winlogon Notify: nnnllJde - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


When scanning Trend Micro interfered occasionally, I hope this wasn't a problem.

#4 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)

Posted 20 May 2008 - 08:35 AM

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\hxmhndsw.ini
C:\WINDOWS\system32\eaxsteji.dll
C:\WINDOWS\system32\rsfbmtex.dll
C:\WINDOWS\system32\bmqrbiho.dll
C:\WINDOWS\system32\xwwmcuvq.dll
C:\WINDOWS\system32\ohusisey.dll
C:\WINDOWS\system32\bmqrbiho.dll
C:\WINDOWS\BM4f27cce1.xml

Folder::
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\din3
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\2033b
C:\TEMP\maxsv15
C:\Program Files\winvi

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f27cce1]
Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log

#5 nottageek (New Member, 9 posts)

Posted 20 May 2008 - 02:07 PM

Still not sure if Trend Micro virus protection is causing problems with the fix or not.
It has been on, and it quarantines and blocks and warns about activity when fixing.
After the last HJT scan I was warned by MS Security Center that it is turned off.
Now I just received a Trend Micro report that a new security report is available.
Went to check it and TM is enabled.
Until it is fixed this computer is only used on this site. I turn off the wireless connection between fixes. Should I turn off Trend Micro?

Here is the ComboFix log:

ComboFix 08-05-19.4 - laptop 2008-05-20 12:35:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.155 [GMT -7:00]
Running from: C:\Documents and Settings\laptop\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\laptop\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\BM4f27cce1.xml
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\bmqrbiho.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\eaxsteji.dll
C:\WINDOWS\system32\hxmhndsw.ini
C:\WINDOWS\system32\ohusisey.dll
C:\WINDOWS\system32\rsfbmtex.dll
C:\WINDOWS\system32\xwwmcuvq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\winvi
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js
C:\Program Files\winvi\dsktp\desktop.html
C:\Program Files\winvi\dsktp\internetDetection.swf
C:\Program Files\winvi\dsktp\settings.sol
C:\Program Files\winvi\icons\bufferthis.ico
C:\Program Files\winvi\icons\flashfunpages.ico
C:\Program Files\winvi\icons\funnies.ico
C:\Program Files\winvi\icons\funnyfunpages.ico
C:\Program Files\winvi\icons\goodcleanvideos.ico
C:\Program Files\winvi\icons\newfunpages.ico
C:\Program Files\winvi\icons\positivethoughts.ico
C:\Program Files\winvi\icons\removespyware.ico
C:\Program Files\winvi\icons\thissiterocks.ico
C:\Program Files\winvi\icons\Thumbs.db
C:\Program Files\winvi\temp\version.ini
C:\Program Files\winvi\version.ini
C:\TEMP\maxsv15
C:\WINDOWS\BM4f27cce1.xml
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\2033b
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\bmqrbiho.dll
C:\WINDOWS\system32\din3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\eaxsteji.dll
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\hNF\srkawe3.exe
C:\WINDOWS\system32\hxmhndsw.ini
C:\WINDOWS\system32\ohusisey.dll
C:\WINDOWS\system32\rsfbmtex.dll
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\xwwmcuvq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-19 18:29 . 2008-05-19 18:29 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-17 09:54 . 2008-05-17 09:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-16 21:01 . 2008-05-16 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hpqwmi
2008-05-13 20:57 . 2008-05-13 20:57 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-05-13 20:57 . 2008-05-13 20:57 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-05-13 18:05 . 2008-05-13 19:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-13 17:03 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-05-13 16:55 . 2004-08-04 05:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-13 16:54 . 2007-04-18 09:12 2,854,400 --a------ C:\WINDOWS\system32\msi.dll
2008-05-13 16:52 . 2007-02-28 02:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-05-13 16:49 . 2008-05-13 16:49 <DIR> d-------- C:\WINDOWS\EHome
2008-05-12 20:56 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-05-12 20:56 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-05-12 20:55 . 2008-05-12 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-12 20:54 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 19:55 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-12 19:23 . 2008-05-13 16:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-11 22:01 . 2008-05-11 22:01 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-11 21:22 . 2008-05-11 21:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-11 21:22 . 2008-05-19 19:10 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-11 17:42 . 2008-05-12 20:02 <DIR> d-------- C:\Documents and Settings\laptop\.housecall6.6
2008-05-11 17:39 . 2008-05-11 21:46 <DIR> d-------- C:\Program Files\dbar
2008-05-11 17:27 . 2008-05-17 07:49 1,395 --a------ C:\WINDOWS\wininit.ini
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-13 19:18 --------- d-----w C:\Program Files\Google
2008-05-13 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-12 20:13 --------- d-----w C:\Program Files\PeoplePC
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-03-31 06:17 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-31 02:08 --------- d-----w C:\Program Files\CCleaner
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 20:18 --------- d-----w C:\Program Files\Common Files\NSV
2008-03-29 23:47 --------- d-----w C:\Documents and Settings\laptop\Application Data\dvdcss
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_18.26.52.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2004-08-04 12:00:00 561,179 ----a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 ----a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-04 12:00:00 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2004-08-04 12:00:00 831,519 ----a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2004-08-04 12:00:00 614,429 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-04 12:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 12:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 13:12 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 09:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 12:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 12:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 21:10 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05 200766]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 17:33 81920]
"ACU_QSB"="C:\Program Files\Atheros\ACU\Utility\ACU.exe" [2003-09-24 09:53 1716224]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19 290816]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-08-04 15:47 286720]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 19:15 198800]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 16:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnllJde]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 09:50]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 17:38]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 17:49]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 07:50]
S3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 17:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 01:45:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 12:41:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?4?2?2??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-20 12:44:18
ComboFix-quarantined-files.txt 2008-05-20 19:44:04
ComboFix2.txt 2008-05-20 01:27:26

Pre-Run: 45,388,042,240 bytes free
Post-Run: 45,381,570,560 bytes free

268 --- E O F --- 2008-05-20 19:30:48


Here is HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:51, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\laptop\Desktop\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ACU_QSB] C:\Program Files\Atheros\ACU\Utility\ACU.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {E9537A56-89B8-400D-BF5D-2CC989771215} - http://qwest.live.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\
O20 - Winlogon Notify: nnnllJde - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


We thank you for the time you are spending on this.

#6 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)

Posted 20 May 2008 - 02:25 PM

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\
O20 - Winlogon Notify: nnnllJde - C:\WINDOWS\

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Reboot and post a new HijackThis log and tell me how the PC is running
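
The two O20 lines singled out above share one tell: a Winlogon Notify package must be a DLL, yet HijackThis printed only the bare directory "C:\WINDOWS\" for both, meaning the registered DllName did not resolve to a file. The script below is an added example, not code from HijackThis, ComboFix or the helpers in this thread: it parses the O20, O23 and O9 line shapes seen in the posted logs and sorts them into "review" (needs a human decision, such as a Notify entry with no DLL or a service with no publisher) and "info" (a registered item whose file is gone). The sample log is constructed from the shapes on this page, and the triage heuristics are my own, not HijackThis's.

```python
"""Triage of HijackThis-style log lines.

Added example (not HijackThis or ComboFix code): the heuristics are mine.
It parses the "O20 - Winlogon Notify", "O23 - Service" and "O9 - Extra button"
line shapes from the thread and flags the ones a helper looks at first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: line shapes match a HijackThis v1.99 log; values are illustrative.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\
O20 - Winlogon Notify: nnnllJde - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str          # e.g. "O20"
    name: str             # item name after "Winlogon Notify:" / "Service:" / "Extra button:"
    path: str             # last " - " separated field, normally the file path
    file_missing: bool    # HijackThis appended "(file missing)"
    unknown_owner: bool   # O23 publisher field read "Unknown owner"


def parse_line(line: str) -> Optional[Entry]:
    """Split one O-line into its fields; returns None for lines that are not O-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    file_missing = "(file missing)" in rest
    # Drop trailing annotations so the path field is clean.
    rest = rest.replace("(file missing)", "").replace("(HKCU)", "").strip()
    parts = [p.strip() for p in rest.split(" - ")]
    head = parts[0]
    name = head.split(":", 1)[1].strip() if ":" in head else head
    return Entry(
        section=section,
        name=name,
        path=parts[-1],
        file_missing=file_missing,
        unknown_owner="Unknown owner" in parts[1:-1],
    )


Finding = Tuple[str, str, str]  # (name, severity, reason)


def triage(log_text: str) -> List[Finding]:
    """Return (name, severity, reason) for entries worth a second look.

    "review": needs a human decision (the kind of line a helper asks to be
    fixed or verified). "info": a registered item whose file no longer exists,
    harmless by itself but tidy to remove.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "O20" and not e.path.lower().endswith(".dll"):
            # A Winlogon Notify package must be a DLL; a bare directory such as
            # "C:\WINDOWS\" means the registered DllName did not resolve.
            findings.append((e.name, "review", "Winlogon Notify entry does not resolve to a DLL"))
        elif e.section == "O23" and e.unknown_owner:
            findings.append((e.name, "review", "service binary carries no publisher; verify it"))
        elif e.file_missing:
            findings.append((e.name, "info", "registered item whose file no longer exists"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {name}: {reason}")
```

Run against a full HijackThis log the script only narrows the list; a "review" hit says the entry deserves a look, not that it is malicious, so the stock entries a helper recognises (signed vendor services, known Notify DLLs) still need to be separated by hand or by an allow-list before anything is fixed.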

#7 nottageek (New Member, 9 posts)

Posted 20 May 2008 - 07:17 PM

Thanks for helping, here are the logs:

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 17:14
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788663
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 29762
Number of viruses found: 5
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 00:24:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05112008-220145.log Object is locked skipped
C:\Documents and Settings\laptop\.housecall6.6\Quarantine\yazzsnet.exe.bac_a02944/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\laptop\.housecall6.6\Quarantine\yazzsnet.exe.bac_a02944 NSIS: infected - 1 skipped
C:\Documents and Settings\laptop\.housecall6.6\Quarantine\yazzsnet.exe.bac_a02944 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\laptop\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{85F793D4-F161-4953-9262-7F2D6E3799CE} Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\History\History.IE5\MSHist012008052020080521\index.dat Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Temp\~DF6A2E.tmp Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Temp\~DF6A39.tmp Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\laptop\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\laptop\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\laptop\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\mifdb\errors.log Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\19.tmp Infected: not-virus:Hoax.Win32.Renos.cgu skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\9.tmp/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\9.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\9.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Av-test.txt Infected: EICAR-Test-File skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\Av-test_a98.VIR Infected: EICAR-Test-File skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\_bm1fcmlkbW03X21hX2t3MV9tYTRz_ZG93bmxvYWQ_bm1fMTUyMjE3XzkxZjgwYjFjMWZiNDExZGRhODBlMTUyMjE3Y2ZmZmZmXzhmM2U2NDIyNzhlNTQ4MGM5MjQ1NzQ3ODYxNzkzYTYx_[1].exe Infected: not-virus:Hoax.Win32.Renos.cgu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hNF\srkawe3.exe.vir/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hNF\srkawe3.exe.vir/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hNF\srkawe3.exe.vir/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hNF\srkawe3.exe.vir/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hNF\srkawe3.exe.vir NSIS: infected - 4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D7DFC5EC-7600-46B7-83C5-462BCE283F7E}\RP7\A0000148.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D7DFC5EC-7600-46B7-83C5-462BCE283F7E}\RP7\A0000148.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D7DFC5EC-7600-46B7-83C5-462BCE283F7E}\RP7\A0000148.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D7DFC5EC-7600-46B7-83C5-462BCE283F7E}\RP7\A0000148.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D7DFC5EC-7600-46B7-83C5-462BCE283F7E}\RP7\A0000148.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{D7DFC5EC-7600-46B7-83C5-462BCE283F7E}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A4B2297D-E722-4A84-A424-8A7CE7B16A9E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 17:34, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\laptop\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.whatth...alware_f97.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [ACU_QSB] C:\Program Files\Atheros\ACU\Utility\ACU.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {E9537A56-89B8-400D-BF5D-2CC989771215} - http://qwest.live.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

As far as how it is running:
It is not my computer, but it seems to run efficiently.
No longer getting Pop Ups just for being online.
Still have programs on the computer that do not show in the add/remove program list.
I think that at least one of these is an invader:

Folder: dbar
Application: dbaruninst
Location: C:\Program Files\dbar

It does not show up under Start/Programs. I only find it if I explore the C drive.

There are other programs I don't recognize, such as C:\Program Files\VideoLAN\VLC\http. Supposedly it has a file (30.5 KB (31,232 bytes)) in it, but it doesn't show.
I have hidden file and folders set to show.

Other programs no longer show in Add/Remove but are found under C:\Program Files.

Under C:\Documents and Settings he has 4 users.
Was the Administrator acct. created by the Malware?

created May 11, 2008:
Administrator

created June 13, 2007:
All Users
Default User
laptop

I doubt it is significant, as I know how to change it back: the clock is on a 24-hour setting (18:13).

I haven't noticed anything else of note at this time.

Thanks for all your help.
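
A note on reading the Kaspersky report above, with an added example that is not part of the original post or of any tool named in this thread: every "Infected:" line in that report sits either under another scanner's quarantine folder (.housecall6.6\Quarantine, Trend Micro\Internet Security\Quarantine, QooBox\Quarantine) or under a System Restore snapshot (System Volume Information\_restore...), which is to say files that had already been taken out of service, while "Object is locked" lines are files the scanner could not open, not detections. The Python below makes that distinction mechanically. The embedded report is constructed from a few lines copied from the report above plus one made-up live hit (sample_live_hit.exe) so both branches run; the list of "contained" path markers is an assumption you would extend for whatever tools are on the machine.

```python
"""Triage an AV scan report: which hits are live, which are already contained?"""
import re

# One report line is "<path> <status> skipped". The status is either a
# detection ("Infected: <name>" or "<archive>: infected - <n>") or
# "Object is locked", which only means the scanner could not open the file.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)"
    r"|(?P<archive>\S+): infected - (?P<count>\d+)"
    r"|Object is locked)"
    r"\s+skipped$"
)

# Path fragments that mean another tool already took the file out of service.
# Assumption for this example: extend it for whatever tools are installed.
CONTAINED_MARKERS = (
    "\\quarantine\\",                         # HouseCall, Trend Micro, QooBox (ComboFix)
    "\\system volume information\\_restore",  # System Restore snapshots
)

# Constructed sample: four lines copied from the report above plus one
# made-up live hit (sample_live_hit.exe) so that both branches are exercised.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\laptop\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\laptop\\.housecall6.6\\Quarantine\\yazzsnet.exe.bac_a02944/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\\Program Files\\Trend Micro\\Internet Security\\Quarantine\\Av-test.txt Infected: EICAR-Test-File skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\hNF\\srkawe3.exe.vir NSIS: infected - 4 skipped
C:\\System Volume Information\\_restore{D7DFC5EC-7600-46B7-83C5-462BCE283F7E}\\RP7\\A0000148.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\\WINDOWS\\system32\\sample_live_hit.exe Infected: Trojan.Win32.Sample skipped
"""


def parse_report(text):
    """Return (path, detection) for every detected object; locked objects are not detections."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or (m.group("name") is None and m.group("archive") is None):
            continue
        detection = m.group("name") or f"{m.group('archive')} archive ({m.group('count')} inside)"
        hits.append((m.group("path"), detection))
    return hits


def is_contained(path):
    """True when the path sits inside a quarantine folder or a restore point."""
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def triage(text):
    """Split the report's detections into 'contained' and 'live' lists."""
    result = {"contained": [], "live": []}
    for path, detection in parse_report(text):
        result["contained" if is_contained(path) else "live"].append((path, detection))
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for bucket in ("contained", "live"):
        print(f"{bucket}: {len(summary[bucket])}")
        for path, detection in summary[bucket]:
            print(f"  {detection:40} {path}")
```

Run against the full report above, the "live" list comes out empty, which is the property the helper is checking when he calls the logs clean; contained hits only matter if you want to empty the quarantines and purge old restore points afterwards.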

#8 nottageek
New Member, 9 posts

Posted 20 May 2008 - 07:36 PM

ADD: Under the new Administrator acct. I noticed a "Recent" folder; it only has a shortcut to dbar in it.

#9 Rorschach112
Teacher Emeritus (Authentic Member, 3,651 posts)

Posted 21 May 2008 - 04:35 AM

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
C:\Program Files\dbar

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.




VLC is legit

The admin account is legit as well

#10 nottageek
New Member, 9 posts

Posted 21 May 2008 - 03:18 PM

As far as I can tell all Malware is gone.
Thank you very much.
The Administrator Account still bothers me since it was created after the attack and is the only acct. to have a shortcut to dbar in it.
My computer doesn't have such an acct.
I created one by going into safe mode then clicking on the Administrator choice.
When I restarted I found a new account created as Administrator.
I deleted it with no problems.
Since this computer is also a home computer and the owner has full Administration privileges, I believe I should be able to do the same.
But what do you think?

Also there is still the question about the leftover program files.
Many are empty folders:
Xerox - 0 bytes
PeoplePC - 0 bytes
ComPlus Applications - 0 bytes

I'm sure I can delete these.

I wonder about the Google toolbar:
601 KB 4 files 4 folders
All 4 files are TMP files.
I should just be able to delete this also, or should I reinstall and remove it again, hoping to clean up everything?

I know I can uninstall HJT.
Do I just delete ComboFix?
Will that also remove QooBox?
Can I delete the items in Quarantine?

I would like to leave my friend with his computer more secure.
I don't have problems on my computer; I have installed:
NOD32
Spy Bot
AdAware
Windows Defender
Spyware Blaster
Spyware Guard
Fire Fox

I would like to do the same for him, unless you see some problem with the set up.
The Spybot TeaTimer confuses him (and irritates me, because I can never be sure what the full name of the questionable threat is in the tiny window), and he isn't sure what to do.
Once NOD32 is installed I will remove Trend Micro.

Once again I can't thank you enough for helping me clean up this mess. :thumbup:


Here is the Combo Fix Log:

ComboFix 08-05-19.4 - laptop 2008-05-21 13:10:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.91 [GMT -7:00]
Running from: C:\Documents and Settings\laptop\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\laptop\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\dbar
C:\Program Files\dbar\dbaruninst.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 13:09 . 2008-05-21 13:09 <DIR> d-------- C:\327882R2FWJFW
2008-05-20 13:44 . 2008-05-20 13:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 13:44 . 2008-05-20 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 09:54 . 2008-05-17 09:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-16 21:01 . 2008-05-16 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hpqwmi
2008-05-13 20:57 . 2008-05-13 20:57 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-05-13 20:57 . 2008-05-13 20:57 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-05-13 18:05 . 2008-05-13 19:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-13 17:28 . 2008-05-13 20:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-13 17:03 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-05-13 16:55 . 2004-08-04 05:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-13 16:54 . 2007-04-18 09:12 2,854,400 --a------ C:\WINDOWS\system32\msi.dll
2008-05-13 16:52 . 2007-02-28 02:10 2,180,352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-05-13 16:49 . 2008-05-13 16:49 <DIR> d-------- C:\WINDOWS\EHome
2008-05-12 20:56 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-05-12 20:56 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-05-12 20:55 . 2008-05-12 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-12 20:54 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 19:55 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-12 19:23 . 2008-05-13 16:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-11 22:01 . 2008-05-11 22:01 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-11 21:22 . 2008-05-11 21:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-11 21:22 . 2008-05-21 12:42 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-11 17:42 . 2008-05-12 20:02 <DIR> d-------- C:\Documents and Settings\laptop\.housecall6.6
2008-05-11 17:27 . 2008-05-17 07:49 1,395 --a------ C:\WINDOWS\wininit.ini
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-13 19:18 --------- d-----w C:\Program Files\Google
2008-05-13 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-12 20:13 --------- d-----w C:\Program Files\PeoplePC
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-03-31 06:17 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-31 02:08 --------- d-----w C:\Program Files\CCleaner
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 20:18 --------- d-----w C:\Program Files\Common Files\NSV
2008-03-29 23:47 --------- d-----w C:\Documents and Settings\laptop\Application Data\dvdcss
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-20_12.43.32.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 01:23:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 19:12:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 13:12 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 09:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 12:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 12:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 21:10 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05 200766]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 17:33 81920]
"ACU_QSB"="C:\Program Files\Atheros\ACU\Utility\ACU.exe" [2003-09-24 09:53 1716224]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19 290816]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-08-04 15:47 286720]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 19:15 198800]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 16:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 17:48:22 565309]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 09:50]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 17:38]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 17:49]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 07:50]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 17:06]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 19:15:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 13:12:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?4?2?2??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 13:13:42
ComboFix-quarantined-files.txt 2008-05-21 20:13:37
ComboFix2.txt 2008-05-20 19:44:24
ComboFix3.txt 2008-05-20 01:27:26

Pre-Run: 45,320,790,016 bytes free
Post-Run: 45,318,897,664 bytes free

141 --- E O F --- 2008-05-20 19:30:48



#11 Rorschach112
Teacher Emeritus (Authentic Member, 3,651 posts)

Posted 21 May 2008 - 04:37 PM

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.
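
The HOSTS-file recommendation above in code, as an added example that is neither the MVPS list nor anything posted in this thread: a Windows HOSTS file (on XP, C:\WINDOWS\system32\drivers\etc\hosts) is just `address hostname` lines, so a blocklist is every unwanted name mapped to 127.0.0.1 (0.0.0.0 works as a sink as well). Because malware also edits this file to send update and security-vendor sites somewhere else, the same parser doubles as a check that nothing in the file points off-host. The hostnames, the 192.0.2.10 address and the `windowsupdate.example` name are constructed placeholders, not real entries.

```python
"""Build a blocklist HOSTS file and check an existing one for hijacked entries."""
import ipaddress

# Constructed stand-in for the MVPS list (example hostnames only).
BLOCKLIST = ["ads.example.com", "tracker.example.net", "bad.example.org"]

# Addresses that legitimately appear as the target of a blocklist or localhost entry.
SINK_ADDRESSES = ("127.0.0.1", "0.0.0.0", "::1")


def build_hosts(hostnames, sink="127.0.0.1"):
    """Return HOSTS-file text: the localhost line plus one sink line per unique name."""
    lines = ["127.0.0.1 localhost"]
    seen = {"localhost"}
    for name in hostnames:
        name = name.strip().lower()
        if name and name not in seen:
            seen.add(name)
            lines.append(f"{sink} {name}")
    return "\r\n".join(lines) + "\r\n"   # Windows line endings


def parse_hosts(text):
    """Return (address, hostname) pairs; '#' comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        address, names = parts[0], parts[1:]
        entries.extend((address, name.lower()) for name in names)
    return entries


def suspicious_entries(text, sinks=SINK_ADDRESSES):
    """Entries that send a name anywhere other than a sink address are hijack candidates."""
    flagged = []
    for address, name in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, name, "not an IP address"))
            continue
        if address not in sinks:
            flagged.append((address, name, "redirected off-host"))
    return flagged


# Constructed sample of a tampered file: the last line redirects a placeholder
# name (a real hijack would use an update or AV vendor host) to 192.0.2.10.
HIJACKED_SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 ads.example.com   # legitimate blocklist entry
192.0.2.10 windowsupdate.example
"""

if __name__ == "__main__":
    print(build_hosts(BLOCKLIST))
    for address, name, why in suspicious_entries(HIJACKED_SAMPLE):
        print(f"SUSPICIOUS {name} -> {address} ({why})")
```

Before replacing the file on a machine you are cleaning, run `suspicious_entries` over the existing one first: a redirected entry there is evidence worth keeping, and it is the kind of line HijackThis would otherwise report as an O1 item.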

#12 nottageek
New Member, 9 posts

Posted 21 May 2008 - 06:34 PM

Thanks for your help.

I did the ComboFix uninstall but I still find ComboFix on the computer.

Computer/C:/ComboFix/CF10774

CF10774 is an application, a Windows Command Processor.

There is also a Notepad document named "Bug" that mentions ComboFix:


pushd "C:\327882R2FWJFW\"

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\laptop\Application Data
cfldr=327882R2FWJFW
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOOP-1D975B6
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\laptop
kmd=CF10774.exe
LOGONSERVER=\\LAPTOOP-1D975B6
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\Bin;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
sfxname=C:\Documents and Settings\laptop\Desktop\ComboFix.exe
system=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\laptop\LOCALS~1\Temp
TMP=C:\DOCUME~1\laptop\LOCALS~1\Temp
USERDOMAIN=LAPTOOP-1D975B6
USERNAME=laptop
USERPROFILE=C:\Documents and Settings\laptop
WIN32DMIPATH=C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32
windir=C:\WINDOWS

=============================================


if not defined sfxname goto END

Nircmd win close ititle "ComboFix"

If [/u] == [] Set "SfxCmd="

if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort

if exist "C:\DOCUME~1\laptop\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\DOCUME~1\laptop\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
Ownerchange for "C:\WINDOWS\system32\cmd.exe" to Administrators group was successful

copy /y "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF10774.exe"
1 file(s) copied.

if not exist "C:\WINDOWS\system32\CF10774.exe" catchme -l nul -c "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF10774.exe"

For /F "tokens=*" %g in ("C:\Documents and Settings\laptop\Desktop\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

Set FileName 2>nul | GREP -Gisqx "FileName=[-[:alnum:]@.]*" || (
nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)

DIR /AD/B C:\* | FindStr.exe -IVX ComboFix 1>dirname00

FindStr.exe -LIXC:"ComboFix" dirname00 1>nul && call :NameChk

If exist dirname0? del /Q dirname0?

If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
rd /s/q "\ComboFix"
If exist "\ComboFix" (
PV -kf findstr.exe *.cfexe
rd /s/q "\ComboFix"
)
If exist "\ComboFix" (
handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h
del /q temp00
rd /s/q "\ComboFix"
)
)

If exist "\ComboFix" rd /s/q "\ComboFix"

If exist "\ComboFix" goto :eof

VER | Findstr.exe -ic:"[Version 6.0" && (Call :Vista ) ||

CD ..

Set "comspec=C:\WINDOWS\system32\CF10774.exe"

(
echo.md "\ComboFix"
echo.Move /y "\327882R2FWJFW\*" "\ComboFix"
echo.RD /S/Q "\327882R2FWJFW"
echo.Start "." /d"C:\ComboFix" "C:\WINDOWS\system32\CF10774.exe" /k c.bat
echo.pv -kf cmd.exe
) 1>Start_.cmd

NirCmd exec hide "C:\WINDOWS\system32\CF10774.exe" /f:off /d /c call Start_.cmd

NirCmd execmd del "\327882R2FWJFW\prep.cmd"

EXIT

Can I delete these?

I told him everything was clean but I would like to Clean out the unnecessary remnants before I give his computer back to him.

#13 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 22 May 2008 - 07:07 AM

Yes, you can delete those. Anything else?

#14 nottageek

nottageek

    New Member

  • New Member
  • 9 posts

Posted 22 May 2008 - 08:15 AM

Anything else?

I'm sorry, yes.
I hope this is the last one.
Is there some way to remove the Recovery Console?
I gave his computer back to him last night and forgot to see if it was in ADD/REMOVE.
He knows zero about computers and I'm wondering what would happen if he explored it.

I know twice as much as he does, I'm sure you can do the math.

You have been very helpful, and I'm sure you're very busy, sorry to keep buggin' you. :blush:

#15 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 22 May 2008 - 08:49 AM

I am not sure how you would remove it. I imagine it would take quite a bit of work. You should leave that on, as it is a safety net if the PC has trouble. Just tell him not to use it.
