[Closed] getting unhijacked


  • This topic is locked
36 replies to this topic

#31 Pundah (Authentic Member, 19 posts)

Posted 03 July 2008 - 10:14 AM

Happy 4th of July! Here are the logs from 7/3. Thanks!

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:06, on 2008-07-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WinService32] svchost
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...asp/tgctlsr.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish...tlookImport.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119564746437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1119570358859
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehous...mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://real.gamehous...outLauncher.cab
O16 - DPF: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} (VUploader Control) - http://photofiddle.c...loaderProj1.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

Combofix:

ComboFix 08-07-02.5 - Owner 2008-07-03 11:44:26.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.RESTOREFEB05\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.RESTOREFEB05\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\76.tmp
C:\WINDOWS\system32\blphc3bmj0eg6r.scr
C:\WINDOWS\system32\lphc3bmj0eg6r.exe
C:\WINDOWS\system32\phc3bmj0eg6r.bmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\76.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-06-19 19:19 . 2008-07-03 11:32 <DIR> d-------- C:\Program Files\CleanUp!
2008-06-14 19:05 . 2008-06-14 18:55 52,736 --a------ C:\WINDOWS\system32\A3.tmp
2008-06-14 18:55 . 2008-06-14 18:45 52,736 --a------ C:\WINDOWS\system32\A0.tmp
2008-06-14 17:55 . 2008-06-14 17:45 52,736 --a------ C:\WINDOWS\system32\8E.tmp
2008-06-14 17:45 . 2008-06-14 17:34 52,736 --a------ C:\WINDOWS\system32\8B.tmp
2008-06-14 17:34 . 2008-06-14 17:24 52,736 --a------ C:\WINDOWS\system32\86.tmp
2008-06-14 17:24 . 2008-06-14 17:14 52,736 --a------ C:\WINDOWS\system32\81.tmp
2008-06-14 17:14 . 2008-06-14 17:04 52,736 --a------ C:\WINDOWS\system32\7D.tmp
2008-06-14 17:04 . 2008-06-14 16:54 52,736 --a------ C:\WINDOWS\system32\78.tmp
2008-06-14 16:54 . 2008-06-14 16:44 52,736 --a------ C:\WINDOWS\system32\75.tmp
2008-06-14 08:11 . 2008-06-14 08:01 52,736 --a------ C:\WINDOWS\system32\3AC.tmp
2008-06-14 08:01 . 2008-06-14 07:50 52,736 --a------ C:\WINDOWS\system32\3A9.tmp
2008-06-14 07:50 . 2008-06-14 07:40 52,736 --a------ C:\WINDOWS\system32\3A6.tmp
2008-06-14 07:40 . 2008-06-14 07:30 52,736 --a------ C:\WINDOWS\system32\3A3.tmp
2008-06-14 07:30 . 2008-06-14 07:19 52,736 --a------ C:\WINDOWS\system32\3A0.tmp
2008-06-14 07:19 . 2008-06-14 07:09 52,736 --a------ C:\WINDOWS\system32\39D.tmp
2008-06-14 07:09 . 2008-06-14 06:59 52,736 --a------ C:\WINDOWS\system32\39A.tmp
2008-06-14 06:58 . 2008-06-14 06:48 52,736 --a------ C:\WINDOWS\system32\397.tmp
2008-06-14 06:48 . 2008-06-14 06:38 52,736 --a------ C:\WINDOWS\system32\394.tmp
2008-06-14 06:38 . 2008-06-14 06:28 52,736 --a------ C:\WINDOWS\system32\391.tmp
2008-06-14 06:28 . 2008-06-14 06:17 52,736 --a------ C:\WINDOWS\system32\38E.tmp
2008-06-14 06:17 . 2008-06-14 06:07 52,736 --a------ C:\WINDOWS\system32\38B.tmp
2008-06-14 06:07 . 2008-06-14 05:56 52,736 --a------ C:\WINDOWS\system32\388.tmp
2008-06-14 05:56 . 2008-06-14 05:46 52,736 --a------ C:\WINDOWS\system32\385.tmp
2008-06-14 05:46 . 2008-06-14 05:36 52,736 --a------ C:\WINDOWS\system32\382.tmp
2008-06-14 05:36 . 2008-06-14 05:26 52,736 --a------ C:\WINDOWS\system32\37F.tmp
2008-06-14 05:26 . 2008-06-14 05:15 52,736 --a------ C:\WINDOWS\system32\37C.tmp
2008-06-14 05:15 . 2008-06-14 05:05 52,736 --a------ C:\WINDOWS\system32\379.tmp
2008-06-14 05:05 . 2008-06-14 04:55 52,736 --a------ C:\WINDOWS\system32\376.tmp
2008-06-14 04:55 . 2008-06-14 04:44 52,736 --a------ C:\WINDOWS\system32\373.tmp
2008-06-14 04:44 . 2008-06-14 04:34 52,736 --a------ C:\WINDOWS\system32\370.tmp
2008-06-14 04:34 . 2008-06-14 04:24 52,736 --a------ C:\WINDOWS\system32\36D.tmp
2008-06-14 04:24 . 2008-06-14 04:14 52,736 --a------ C:\WINDOWS\system32\36A.tmp
2008-06-14 04:14 . 2008-06-14 04:03 52,736 --a------ C:\WINDOWS\system32\367.tmp
2008-06-14 04:03 . 2008-06-14 03:53 52,736 --a------ C:\WINDOWS\system32\364.tmp
2008-06-14 03:53 . 2008-06-14 03:43 52,736 --a------ C:\WINDOWS\system32\361.tmp
2008-06-14 03:43 . 2008-06-14 03:33 52,736 --a------ C:\WINDOWS\system32\35E.tmp
2008-06-14 03:33 . 2008-06-14 03:22 52,736 --a------ C:\WINDOWS\system32\35B.tmp
2008-06-14 03:22 . 2008-06-14 03:12 52,736 --a------ C:\WINDOWS\system32\358.tmp
2008-06-14 03:12 . 2008-06-14 03:02 52,736 --a------ C:\WINDOWS\system32\355.tmp
2008-06-14 03:02 . 2008-06-14 02:52 52,736 --a------ C:\WINDOWS\system32\352.tmp
2008-06-14 02:52 . 2008-06-14 02:41 52,736 --a------ C:\WINDOWS\system32\34F.tmp
2008-06-14 02:41 . 2008-06-14 02:30 52,736 --a------ C:\WINDOWS\system32\34C.tmp
2008-06-14 02:30 . 2008-06-14 02:20 52,736 --a------ C:\WINDOWS\system32\348.tmp
2008-06-14 02:20 . 2008-06-14 02:09 52,736 --a------ C:\WINDOWS\system32\345.tmp
2008-06-14 02:09 . 2008-06-14 01:59 52,736 --a------ C:\WINDOWS\system32\342.tmp
2008-06-14 01:59 . 2008-06-14 01:49 52,736 --a------ C:\WINDOWS\system32\33F.tmp
2008-06-14 01:49 . 2008-06-14 01:39 52,736 --a------ C:\WINDOWS\system32\33C.tmp
2008-06-14 01:39 . 2008-06-14 01:29 52,736 --a------ C:\WINDOWS\system32\339.tmp
2008-06-14 01:29 . 2008-06-14 01:18 52,736 --a------ C:\WINDOWS\system32\336.tmp
2008-06-14 01:18 . 2008-06-14 01:08 52,736 --a------ C:\WINDOWS\system32\333.tmp
2008-06-14 01:08 . 2008-06-14 00:58 52,736 --a------ C:\WINDOWS\system32\330.tmp
2008-06-14 00:58 . 2008-06-14 00:48 52,736 --a------ C:\WINDOWS\system32\32D.tmp
2008-06-14 00:48 . 2008-06-14 00:38 52,736 --a------ C:\WINDOWS\system32\32A.tmp
2008-06-14 00:38 . 2008-06-14 00:27 52,736 --a------ C:\WINDOWS\system32\327.tmp
2008-06-14 00:27 . 2008-06-14 00:17 52,736 --a------ C:\WINDOWS\system32\324.tmp
2008-06-14 00:17 . 2008-06-14 00:04 52,736 --a------ C:\WINDOWS\system32\321.tmp
2008-06-14 00:04 . 2008-06-13 23:44 52,736 --a------ C:\WINDOWS\system32\31E.tmp
2008-06-13 23:44 . 2008-06-13 23:23 52,736 --a------ C:\WINDOWS\system32\31B.tmp
2008-06-13 23:23 . 2008-06-13 23:02 52,736 --a------ C:\WINDOWS\system32\318.tmp
2008-06-13 23:02 . 2008-06-13 22:42 52,736 --a------ C:\WINDOWS\system32\315.tmp
2008-06-13 22:41 . 2008-06-13 22:21 52,736 --a------ C:\WINDOWS\system32\312.tmp
2008-06-13 17:58 . 2008-06-13 17:58 <DIR> d-------- C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AXPFixer
2008-06-12 16:06 . 2008-06-12 15:56 52,736 --a------ C:\WINDOWS\system32\2A.tmp
2008-06-12 15:56 . 2008-06-12 15:46 52,736 --a------ C:\WINDOWS\system32\25.tmp
2008-06-12 15:46 . 2008-06-12 15:36 52,736 --a------ C:\WINDOWS\system32\21.tmp
2008-06-12 05:40 . 2008-06-12 05:29 52,736 --a------ C:\WINDOWS\system32\A1.tmp
2008-06-12 05:29 . 2008-06-12 05:19 52,736 --a------ C:\WINDOWS\system32\9E.tmp
2008-06-12 05:19 . 2008-06-12 05:08 52,736 --a------ C:\WINDOWS\system32\9B.tmp
2008-06-12 05:08 . 2008-06-12 04:58 52,736 --a------ C:\WINDOWS\system32\98.tmp
2008-06-12 04:58 . 2008-06-12 04:47 52,736 --a------ C:\WINDOWS\system32\95.tmp
2008-06-12 04:47 . 2008-06-12 04:36 52,736 --a------ C:\WINDOWS\system32\92.tmp
2008-06-12 04:36 . 2008-06-12 04:26 52,736 --a------ C:\WINDOWS\system32\8F.tmp
2008-06-12 04:26 . 2008-06-12 04:16 52,736 --a------ C:\WINDOWS\system32\8C.tmp
2008-06-12 04:16 . 2008-06-12 04:05 52,736 --a------ C:\WINDOWS\system32\89.tmp
2008-06-12 04:05 . 2008-06-12 03:55 52,736 --a------ C:\WINDOWS\system32\85.tmp
2008-06-12 03:55 . 2008-06-12 03:45 52,736 --a------ C:\WINDOWS\system32\82.tmp
2008-06-12 03:45 . 2008-06-12 03:34 52,736 --a------ C:\WINDOWS\system32\7F.tmp
2008-06-12 03:34 . 2008-06-12 03:24 52,736 --a------ C:\WINDOWS\system32\7C.tmp
2008-06-12 03:24 . 2008-06-12 03:14 52,736 --a------ C:\WINDOWS\system32\79.tmp
2008-06-12 03:04 . 2008-06-12 02:54 52,736 --a------ C:\WINDOWS\system32\73.tmp
2008-06-12 02:54 . 2008-06-12 02:43 52,736 --a------ C:\WINDOWS\system32\70.tmp
2008-06-12 02:43 . 2008-06-12 02:33 52,736 --a------ C:\WINDOWS\system32\6D.tmp
2008-06-12 02:33 . 2008-06-12 02:23 52,736 --a------ C:\WINDOWS\system32\6A.tmp
2008-06-12 02:23 . 2008-06-12 02:13 52,736 --a------ C:\WINDOWS\system32\67.tmp
2008-06-12 02:13 . 2008-06-12 02:01 52,736 --a------ C:\WINDOWS\system32\64.tmp
2008-06-12 02:01 . 2008-06-12 01:51 52,736 --a------ C:\WINDOWS\system32\61.tmp
2008-06-12 01:51 . 2008-06-12 01:41 52,736 --a------ C:\WINDOWS\system32\5D.tmp
2008-06-12 01:41 . 2008-06-12 01:31 52,736 --a------ C:\WINDOWS\system32\5A.tmp
2008-06-12 01:31 . 2008-06-12 01:21 52,736 --a------ C:\WINDOWS\system32\57.tmp
2008-06-12 01:21 . 2008-06-12 01:10 52,736 --a------ C:\WINDOWS\system32\54.tmp
2008-06-12 01:10 . 2008-06-12 01:00 52,736 --a------ C:\WINDOWS\system32\51.tmp
2008-06-12 01:00 . 2008-06-12 00:50 52,736 --a------ C:\WINDOWS\system32\4E.tmp
2008-06-12 00:50 . 2008-06-12 00:40 52,736 --a------ C:\WINDOWS\system32\4A.tmp
2008-06-12 00:40 . 2008-06-12 00:30 52,736 --a------ C:\WINDOWS\system32\47.tmp
2008-06-11 21:14 . 2008-06-11 21:04 52,736 --a------ C:\WINDOWS\system32\32.tmp
2008-06-11 21:04 . 2008-06-11 20:54 52,736 --a------ C:\WINDOWS\system32\2F.tmp
2008-06-11 20:54 . 2008-06-11 20:44 52,736 --a------ C:\WINDOWS\system32\2C.tmp
2008-06-11 20:44 . 2008-06-11 20:34 52,736 --a------ C:\WINDOWS\system32\29.tmp
2008-06-11 20:34 . 2008-06-11 20:24 52,736 --a------ C:\WINDOWS\system32\26.tmp
2008-06-11 20:24 . 2008-06-11 20:14 52,736 --a------ C:\WINDOWS\system32\23.tmp
2008-06-11 20:14 . 2008-06-11 20:04 52,736 --a------ C:\WINDOWS\system32\20.tmp
2008-06-11 20:04 . 2008-06-11 19:48 52,736 --a------ C:\WINDOWS\system32\1B.tmp
2008-06-11 19:48 . 2008-06-11 19:38 52,736 --a------ C:\WINDOWS\system32\17.tmp
2008-06-11 19:38 . 2008-06-11 19:28 52,736 --a------ C:\WINDOWS\system32\13.tmp
2008-06-11 19:28 . 2008-06-11 19:18 52,736 --a------ C:\WINDOWS\system32\10.tmp
2008-06-11 09:02 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 15:23 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-03 07:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 04:53 --------- d-----w C:\Program Files\AIM
2008-06-19 12:38 --------- d-----w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AdobeUM
2008-06-17 22:22 --------- d-----w C:\Program Files\Java
2008-06-13 22:12 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-13 22:12 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-13 22:12 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-13 22:12 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-13 22:12 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:36 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 22:37 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 22:37 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-31 22:27 --------- d-----w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\Malwarebytes
2008-05-31 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 21:40 --------- d-----w C:\Program Files\Furcadia
2008-05-31 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-12 22:47 0 ----a-w C:\Program Files\temp01
2007-06-22 23:15 512 ---ha-w C:\Documents and Settings\Owner.VIGGO.000\hpothb07.dat
2007-06-22 23:15 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2007-06-22 23:15 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2007-06-22 23:14 529 ---ha-w C:\Program Files\hpothb07.tif
2007-06-22 23:14 318 -c-ha-w C:\Program Files\hpothb07.dat
2007-06-22 23:14 185 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-11-18 21:50 524 ---ha-w C:\Documents and Settings\Owner.RESTOREFEB05\hpothb07.dat
2006-11-18 21:50 157 ---ha-w C:\Documents and Settings\Owner.VIGGO\hpothb07.dat
2006-01-22 16:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-26 01:33 167 ---ha-w C:\Documents and Settings\OWNERV~1~000\hpothb07.dat
2005-11-26 01:33 0 -c-ha-w C:\Documents and Settings\Royster\hpothb07.dat
2005-08-18 00:48 956 ---ha-w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\hpothb07.dat
2005-06-21 22:56 158 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
2005-06-21 22:56 158 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-06-21 22:56 0 -c-ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2004-06-09 15:54 390 ----a-w C:\Program Files\Shortcut to Program Files.lnk
2004-05-24 16:34 166,887 ----a-w C:\WINDOWS\system32\config\systemprofile\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Owner.VIGGO.000\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\tvmknwrd.dll
2004-05-24 16:34 166,887 ----a-w C:\Documents and Settings\Guest\Application Data\tvmknwrd.dll
2003-11-01 15:34 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-29_19.57.52.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 21:53:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-03 15:35:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 21:00 200767]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinService32"="svchost" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 23:28 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-01 20:03 77824]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 21:37 1544192]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2008-06-13 18:12 234736]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-11 15:44 185896]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2008-05-21 18:13 181512]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe" [2005-06-17 13:37 636416]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Owner.VIGGO.000\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-06-15 21:13:40 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-22 21:37:11 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-01-27 15:54:31 1078]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S4 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-01-03 14:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6a8777a-827f-11d9-9dc7-806d6172696f}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 22:31:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN37Q2B178I3.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7200#CN37Q2B178I3
"2008-07-03 11:22:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-07-03 00:23:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-AXPFixer - C:\Program Files\AXPFixer\AXPFixer.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 11:55:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-03 12:00:04
ComboFix-quarantined-files.txt 2008-07-03 15:58:55
ComboFix2.txt 2008-06-30 00:17:17
ComboFix3.txt 2008-06-29 23:59:15

Pre-Run: 41,190,322,176 bytes free
Post-Run: 41,177,804,800 bytes free

262 --- E O F --- 2008-06-20 13:56:39
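Two of the O4 entries in the log above are the ones a helper would circle: `[WinService32] svchost`, a core-process name with no path at all (ComboFix lists the same value as `"WinService32"="svchost" [X]`, meaning it found no such file where it looked), and `[WinLiveUpdate]`, which loads a file named svchost.exe from under Common Files\Microsoft Shared\DAO instead of from System32. The script below is an added example, not part of HijackThis, ComboFix or the original post. It parses O4 Run-key lines and applies those two checks, plus a weaker one for any image given without a path. The sample lines are copied from the posted log; the list of core-process names and the trusted system directories are assumptions made for the example, and a hit still means "get a copy of the file", not "confirmed malware".

```python
"""Flag look-alike system binaries in HijackThis O4 (Run key) entries.

Added example for this thread; not part of HijackThis or the original
post. Sample lines are copied from the log above. The core-process name
list and the trusted system directories are assumptions for the example.
"""
import re

# Names of Windows core processes that malware borrows (assumed list).
CORE_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services",
              "smss", "spoolsv", "explorer"}
# Where the genuine copies live on a Windows XP host (assumed, lower-case).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# O4 - HKLM\..\Run: [ValueName] command line
RUN_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: "
                      r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Either a quoted image, or an unquoted one ending at the first .exe/.scr/...
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|scr|com|bat|pif))(?=\s|$)',
                      re.IGNORECASE)


def image_of(cmd):
    """Return the executable path from a Run-key command line."""
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("q") or m.group("u")
    return cmd.split()[0]          # bare name with no extension, e.g. "svchost"


def classify(image):
    """Rate one image path: ('HIGH' | 'MEDIUM' | 'OK', reason)."""
    directory, _, filename = image.rpartition("\\")
    stem = filename.lower().rsplit(".", 1)[0]
    if stem in CORE_NAMES:
        if not directory:
            return "HIGH", "core process name with no path; resolved by search order at logon"
        if directory.lower() not in SYSTEM_DIRS:
            return "HIGH", f"core process name loaded from {directory}"
        return "OK", ""
    if not directory:
        return "MEDIUM", "no path given; first match on the search path wins"
    return "OK", ""


def triage(lines):
    """Parse HijackThis O4 Run lines and return the suspicious ones."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        image = image_of(m["cmd"])
        severity, reason = classify(image)
        if severity != "OK":
            findings.append({"severity": severity, "hive": m["hive"],
                             "name": m["name"], "image": image, "reason": reason})
    return findings


# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [WinService32] svchost",
    r"O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe",
    r"O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe",
    r"O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['hive']} [{f['name']}] {f['image']}: {f['reason']}")
```

Run as-is it prints three findings: WinService32 and WinLiveUpdate at HIGH, Logitech Utility at MEDIUM (a bare `Logi_MwX.Exe` is resolved through the search path, which is a hijack opportunity even when the program is legitimate). To use it on a real log, read the file and pass its lines to `triage()`.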



#32 little eagle (spyware hawk, Visiting Fellow, 8,968 posts; interests: spyware)

Posted 03 July 2008 - 02:56 PM

C:\WINDOWS\system32\8B.tmp

I would like to see a copy of the file in bold.

Click Start, then My Computer, then Local Disk, then follow the process tree.
Or, using Windows Explorer, locate the first file you want to zip.
Right-click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy; it does not delete it.
Please zip the file and upload it here
Or email it here

Please include a link to this thread.
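little eagle singles out one of the .tmp files, and the reason is visible in the ComboFix listing above: dozens of 52,736-byte files landing in System32 roughly every ten minutes on 11, 12 and 14 June. The script below is an added example, not part of ComboFix or the original thread, that parses "Files Created" lines and reports any group of files sharing a directory, extension and size, together with the median spacing between them, so a series like this stands out without reading a hundred lines by eye. It treats the first of the two timestamps ComboFix prints as the write time; that is an assumption. The sample lines are copied from the listing above, with two directory entries and an unrelated driver mixed in to show they are ignored.

```python
"""Surface periodic same-size file drops in a ComboFix "Files Created" listing.

Added example for this thread, not part of ComboFix. Sample lines are
copied from the listing posted above. ComboFix prints two timestamps per
file; this example uses the first one as the write time (an assumption).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# 2008-06-14 19:05 . 2008-06-14 18:55 52,736 --a------ C:\WINDOWS\system32\A3.tmp
ENTRY = re.compile(r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
                   r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
                   r"(?P<size>[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$")


def parse(lines):
    """Return file entries; directory lines (<DIR>) have no size and are skipped."""
    entries = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        entries.append({"time": datetime.strptime(m["t1"], "%Y-%m-%d %H:%M"),
                        "size": int(m["size"].replace(",", "")),
                        "path": m["path"]})
    return entries


def find_series(entries, min_count=4):
    """Group files by (directory, extension, size) and measure their spacing."""
    groups = defaultdict(list)
    for e in entries:
        directory, _, filename = e["path"].rpartition("\\")
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        groups[(directory.lower(), ext, e["size"])].append(e["time"])
    series = []
    for (directory, ext, size), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        series.append({"dir": directory, "ext": ext, "size": size,
                       "count": len(times), "median_gap_min": median(gaps),
                       "first": times[0], "last": times[-1]})
    return sorted(series, key=lambda s: -s["count"])


# Lines copied from the ComboFix "Files Created" section posted above.
SAMPLE_LISTING = [
    r"2008-06-19 19:19 . 2008-07-03 11:32 <DIR> d-------- C:\Program Files\CleanUp!",
    r"2008-06-14 19:05 . 2008-06-14 18:55 52,736 --a------ C:\WINDOWS\system32\A3.tmp",
    r"2008-06-14 18:55 . 2008-06-14 18:45 52,736 --a------ C:\WINDOWS\system32\A0.tmp",
    r"2008-06-14 17:55 . 2008-06-14 17:45 52,736 --a------ C:\WINDOWS\system32\8E.tmp",
    r"2008-06-14 17:45 . 2008-06-14 17:34 52,736 --a------ C:\WINDOWS\system32\8B.tmp",
    r"2008-06-14 17:34 . 2008-06-14 17:24 52,736 --a------ C:\WINDOWS\system32\86.tmp",
    r"2008-06-14 17:24 . 2008-06-14 17:14 52,736 --a------ C:\WINDOWS\system32\81.tmp",
    r"2008-06-14 17:14 . 2008-06-14 17:04 52,736 --a------ C:\WINDOWS\system32\7D.tmp",
    r"2008-06-14 17:04 . 2008-06-14 16:54 52,736 --a------ C:\WINDOWS\system32\78.tmp",
    r"2008-06-13 17:58 . 2008-06-13 17:58 <DIR> d-------- C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AXPFixer",
    r"2008-06-11 09:02 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys",
]

if __name__ == "__main__":
    for s in find_series(parse(SAMPLE_LISTING)):
        print(f"{s['count']} x {s['size']} bytes *.{s['ext']} in {s['dir']}: "
              f"median gap {s['median_gap_min']:.0f} min, {s['first']} .. {s['last']}")
```

On the sample it reports one series: eight 52,736-byte .tmp files in C:\WINDOWS\system32 with a median gap of 10 minutes (one 60-minute hole in the sample does not move the median, which is why the median rather than the mean is used). To run it against a full ComboFix.txt, read the file and pass the lines between the "Files Created" and "Find3M Report" banners to `parse()`.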

#33 little eagle (spyware hawk, Visiting Fellow, 8,968 posts; interests: spyware)

Posted 13 July 2008 - 04:54 PM

You still with me Pundah?

#34 little eagle (spyware hawk, Visiting Fellow, 8,968 posts; interests: spyware)

Posted 18 July 2008 - 07:19 PM

Let's try running this program:

http://stevengould.o.../CleanUp452.exe

Reboot and run ComboFix. You may have to download it again from Here or Here to your Desktop, as the older version may not work.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.

#35 Pundah (Authentic Member, 19 posts)

Posted 22 July 2008 - 05:55 PM

Uh-oh. I'm not sure what happened! I am getting version 5.0 of AIM popping up and a very, very old start-up screen that was passworded and I haven't used in ages. I ran CleanUp!, but when the log was starting, that SCVHOST box popped up and I guess did something. I was hoping the CleanUp! log would come back after I ran ComboFix. I went into CleanUp! again and couldn't find any logs, so I ran it again. That might have been a mistake. It was after that 2nd run that I got the old passworded start-up screen. I do have the log for ComboFix, below. I hope I didn't screw up too badly! Does it mean I've lost all the photographs that have been added in the interim? Thanks as always for the tremendous time and patience you've given me!

ComboFix 08-07-21.2 - Owner 2008-07-22 19:23:17.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.202 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.RESTOREFEB05\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\AXPFixer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\Advanced XP Fixer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\How to Register Advanced XP Fixer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\Register Advanced XP Fixer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Fixer\Uninstall.lnk
C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AXPFixer
C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPFixer.lnk

.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-16 20:37 . 2008-07-16 20:37 42,174 --a------ C:\WINDOWS\system32\8B.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 23:19 --------- d-----w C:\Program Files\CleanUp!
2008-07-22 05:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 00:57 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-27 04:53 --------- d-----w C:\Program Files\AIM
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 12:38 --------- d-----w C:\Documents and Settings\Owner.RESTOREFEB05\Application Data\AdobeUM
2008-06-17 22:22 --------- d-----w C:\Program Files\Java
2008-06-14 22:55 52,736 ----a-w C:\WINDOWS\system32\A3.tmp
2008-06-14 22:45 52,736 ----a-w C:\WINDOWS\system32\A0.tmp
2008-06-14 21:45 52,736 ----a-w C:\WINDOWS\system32\8E.tmp
2008-06-14 21:34 52,736 ----a-w C:\WINDOWS\system32\8B.tmp
2008-06-14 21:24 52,736 ----a-w C:\WINDOWS\system32\86.tmp
2008-06-14 21:14 52,736 ----a-w C:\WINDOWS\system32\81.tmp
2008-06-14 21:04 52,736 ----a-w C:\WINDOWS\system32\7D.tmp
2008-06-14 20:54 52,736 ----a-w C:\WINDOWS\system32\78.tmp
2008-06-14 20:44 52,736 ----a-w C:\WINDOWS\system32\75.tmp
2008-06-14 12:01 52,736 ----a-w C:\WINDOWS\system32\3AC.tmp
2008-06-14 11:50 52,736 ----a-w C:\WINDOWS\system32\3A9.tmp
2008-06-14 11:40 52,736 ----a-w C:\WINDOWS\system32\3A6.tmp
2008-06-14 11:30 52,736 ----a-w C:\WINDOWS\system32\3A3.tmp
2008-06-14 11:19 52,736 ----a-w C:\WINDOWS\system32\3A0.tmp
2008-06-14 11:09 52,736 ----a-w C:\WINDOWS\system32\39D.tmp
2008-06-14 10:59 52,736 ----a-w C:\WINDOWS\system32\39A.tmp
2008-06-14 10:48 52,736 ----a-w C:\WINDOWS\system32\397.tmp
2008-06-14 10:38 52,736 ----a-w C:\WINDOWS\system32\394.tmp
2008-06-14 10:28 52,736 ----a-w C:\WINDOWS\system32\391.tmp
2008-06-14 10:17 52,736 ----a-w C:\WINDOWS\system32\38E.tmp
2008-06-14 10:07 52,736 ----a-w C:\WINDOWS\system32\38B.tmp
2008-06-14 09:56 52,736 ----a-w C:\WINDOWS\system32\388.tmp
2008-06-14 09:46 52,736 ----a-w C:\WINDOWS\system32\385.tmp
2008-06-14 09:36 52,736 ----a-w C:\WINDOWS\system32\382.tmp
2008-06-14 09:26 52,736 ----a-w C:\WINDOWS\system32\37F.tmp
2008-06-14 09:15 52,736 ----a-w C:\WINDOWS\system32\37C.tmp
2008-06-14 09:05 52,736 ----a-w C:\WINDOWS\system32\379.tmp
2008-06-14 08:55 52,736 ----a-w C:\WINDOWS\system32\376.tmp
2008-06-14 08:44 52,736 ----a-w C:\WINDOWS\system32\373.tmp
2008-06-14 08:34 52,736 ----a-w C:\WINDOWS\system32\370.tmp
2008-06-14 08:24 52,736 ----a-w C:\WINDOWS\system32\36D.tmp
2008-06-14 08:14 52,736 ----a-w C:\WINDOWS\system32\36A.tmp
2008-06-14 08:03 52,736 ----a-w C:\WINDOWS\system32\367.tmp
2008-06-14 07:53 52,736 ----a-w C:\WINDOWS\system32\364.tmp
2008-06-14 07:43 52,736 ----a-w C:\WINDOWS\system32\361.tmp
2008-06-14 07:33 52,736 ----a-w C:\WINDOWS\system32\35E.tmp
2008-06-14 07:22 52,736 ----a-w C:\WINDOWS\system32\35B.tmp
2008-06-14 07:12 52,736 ----a-w C:\WINDOWS\system32\358.tmp
2008-06-14 07:02 52,736 ----a-w C:\WINDOWS\system32\355.tmp
2008-06-14 06:52 52,736 ----a-w C:\WINDOWS\system32\352.tmp
2008-06-14 06:41 52,736 ----a-w C:\WINDOWS\system32\34F.tmp
2008-06-14 06:30 52,736 ----a-w C:\WINDOWS\system32\34C.tmp
2008-06-14 06:20 52,736 ----a-w C:\WINDOWS\system32\348.tmp
2008-06-14 06:09 52,736 ----a-w C:\WINDOWS\system32\345.tmp
2008-06-14 05:59 52,736 ----a-w C:\WINDOWS\system32\342.tmp
2008-06-14 05:49 52,736 ----a-w C:\WINDOWS\system32\33F.tmp
2008-06-14 05:39 52,736 ----a-w C:\WINDOWS\system32\33C.tmp
2008-06-14 05:29 52,736 ----a-w C:\WINDOWS\system32\339.tmp
2008-06-14 05:18 52,736 ----a-w C:\WINDOWS\system32\336.tmp
2008-06-14 05:08 52,736 ----a-w C:\WINDOWS\system32\333.tmp
2008-06-14 04:58 52,736 ----a-w C:\WINDOWS\system32\330.tmp
2008-06-14 04:48 52,736 ----a-w C:\WINDOWS\system32\32D.tmp
2008-06-14 04:38 52,736 ----a-w C:\WINDOWS\system32\32A.tmp
2008-06-14 04:27 52,736 ----a-w C:\WINDOWS\system32\327.tmp
2008-06-14 04:17 52,736 ----a-w C:\WINDOWS\system32\324.tmp
2008-06-14 04:04 52,736 ----a-w C:\WINDOWS\system32\321.tmp
2008-06-14 03:44 52,736 ----a-w C:\WINDOWS\system32\31E.tmp
2008-06-14 03:23 52,736 ----a-w C:\WINDOWS\system32\31B.tmp
2008-06-14 03:02 52,736 ----a-w C:\WINDOWS\system32\318.tmp
2008-06-14 02:42 52,736 ----a-w C:\WINDOWS\system32\315.tmp
2008-06-14 02:21 52,736 ----a-w C:\WINDOWS\system32\312.tmp
2008-06-13 22:12 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-13 22:12 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-13 22:12 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-13 22:12 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-13 22:12 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:36 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 19:56 52,736 ----a-w C:\WINDOWS\system32\2A.tmp
2008-06-12 19:46 52,736 ----a-w C:\WINDOWS\system32\25.tmp
2008-06-12 19:36 52,736 ----a-w C:\WINDOWS\system32\21.tmp
2008-06-12 09:29 52,736 ----a-w C:\WINDOWS\system32\A1.tmp
2008-06-12 09:19 52,736 ----a-w C:\WINDOWS\system32\9E.tmp
2008-06-12 09:08 52,736 ----a-w C:\WINDOWS\system32\9B.tmp
2008-06-12 08:58 52,736 ----a-w C:\WINDOWS\system32\98.tmp
2008-06-12 08:47 52,736 ----a-w C:\WINDOWS\system32\95.tmp
2008-06-12 08:36 52,736 ----a-w C:\WINDOWS\system32\92.tmp
2008-06-12 08:26 52,736 ----a-w C:\WINDOWS\system32\8F.tmp
2008-06-12 08:16 52,736 ----a-w C:\WINDOWS\system32\8C.tmp
2008-06-12 08:05 52,736 ----a-w C:\WINDOWS\system32\89.tmp
2008-06-12 07:55 52,736 ----a-w C:\WINDOWS\system32\85.tmp
2008-06-12 07:45 52,736 ----a-w C:\WINDOWS\system32\82.tmp
2008-06-12 07:34 52,736 ----a-w C:\WINDOWS\system32\7F.tmp
2008-06-12 07:24 52,736 ----a-w C:\WINDOWS\system32\7C.tmp
2008-06-12 07:14 52,736 ----a-w C:\WINDOWS\system32\79.tmp
2008-06-12 06:54 52,736 ----a-w C:\WINDOWS\system32\73.tmp
2008-06-12 06:43 52,736 ----a-w C:\WINDOWS\system32\70.tmp
2008-06-12 06:33 52,736 ----a-w C:\WINDOWS\system32\6D.tmp
2008-06-12 06:23 52,736 ----a-w C:\WINDOWS\system32\6A.tmp
2008-06-12 06:13 52,736 ----a-w C:\WINDOWS\system32\67.tmp
2003-11-01 15:34 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-29_19.57.52.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-20 10:44:38 138,368 -c----w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 245,248 -c----w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 21:00 200767]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinService32"="svchost" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 23:28 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-01 20:03 77824]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 21:37 1544192]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2008-06-13 18:12 234736]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-11 15:44 185896]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2008-05-21 18:13 181512]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe" [2005-06-17 13:37 636416]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\Owner.VIGGO.000\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-06-15 21:13:40 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-22 21:37:11 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-01-27 15:54:31 1078]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S4 Boonty Games;Boonty Games;C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe [2006-01-03 14:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6a8777a-827f-11d9-9dc7-806d6172696f}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 22:31:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN37Q2B178I3.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7200#CN37Q2B178I3
"2008-07-22 23:22:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-07-21 16:24:28 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 -: HKCU-Internet Settings,ProxyOverride = localhost
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &eBay Search - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 -: &Search
O9 -: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
O9 -: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
O9 -: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {E6182DB0-BE70-4EA3-A8FB-D402C6D951D5} - hxxp://photofiddle.com/ocx/VUploaderProj1.cab
C:\WINDOWS\Downloaded Program Files\VUploaderProj1.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 19:27:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-22 19:30:38
ComboFix-quarantined-files.txt 2008-07-22 23:29:35
ComboFix2.txt 2008-07-03 16:00:13
ComboFix3.txt 2008-06-30 00:17:17
ComboFix4.txt 2008-06-29 23:59:15

Pre-Run: 40,778,772,480 bytes free
Post-Run: 40,773,599,232 bytes free

244 --- E O F --- 2008-07-08 22:24:32

#36 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 22 July 2008 - 10:03 PM

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\A3.tmp
C:\WINDOWS\system32\A0.tmp
C:\WINDOWS\system32\8E.tmp
C:\WINDOWS\system32\8B.tmp
C:\WINDOWS\system32\86.tmp
C:\WINDOWS\system32\81.tmp
C:\WINDOWS\system32\7D.tmp
C:\WINDOWS\system32\78.tmp
C:\WINDOWS\system32\75.tmp
C:\WINDOWS\system32\3AC.tmp
C:\WINDOWS\system32\3A9.tmp
C:\WINDOWS\system32\3A6.tmp
C:\WINDOWS\system32\3A3.tmp
C:\WINDOWS\system32\3A0.tmp
C:\WINDOWS\system32\39D.tmp
C:\WINDOWS\system32\39A.tmp
C:\WINDOWS\system32\397.tmp
C:\WINDOWS\system32\394.tmp
C:\WINDOWS\system32\391.tmp
C:\WINDOWS\system32\38E.tmp
C:\WINDOWS\system32\38B.tmp
C:\WINDOWS\system32\388.tmp
C:\WINDOWS\system32\385.tmp
C:\WINDOWS\system32\382.tmp
C:\WINDOWS\system32\37F.tmp
C:\WINDOWS\system32\37C.tmp
C:\WINDOWS\system32\379.tmp
C:\WINDOWS\system32\376.tmp
C:\WINDOWS\system32\373.tmp
C:\WINDOWS\system32\370.tmp
C:\WINDOWS\system32\36D.tmp
C:\WINDOWS\system32\36A.tmp
C:\WINDOWS\system32\367.tmp
C:\WINDOWS\system32\364.tmp
C:\WINDOWS\system32\361.tmp
C:\WINDOWS\system32\35E.tmp
C:\WINDOWS\system32\35B.tmp
C:\WINDOWS\system32\358.tmp
C:\WINDOWS\system32\355.tmp
C:\WINDOWS\system32\352.tmp
C:\WINDOWS\system32\34F.tmp
C:\WINDOWS\system32\34C.tmp
C:\WINDOWS\system32\348.tmp
C:\WINDOWS\system32\345.tmp
C:\WINDOWS\system32\342.tmp

Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.
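A small log-triage script, added here as an illustration and not part of this thread, of ComboFix or of the helper's instructions. It reads the two line formats ComboFix prints that matter in this thread (Find3M file lines and Run-key lines), groups the system32 *.tmp files by size, which is the run of identical 52,736-byte files the CFScript above targets, and flags Run values that launch something named svchost with no path, with the file missing ([X]) or from any directory other than %SystemRoot%\system32. The sample lines are constructed to match the log format shown above; the single-legitimate-location check for svchost.exe is an assumption that holds for a 32-bit XP install like this one.

```python
"""Triage a ComboFix-style log for two patterns seen in this thread.

Added example; not part of the thread or of ComboFix. The sample log lines
below are constructed to match the format ComboFix prints.
"""
import re
from collections import defaultdict

# Find3M-style line: "2008-06-14 22:55 52,736 ----a-w C:\WINDOWS\system32\A3.tmp"
# Directories show "---------" in the size column.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Run-key line: "Name"="command" [date time size]  or  "Name"="command" [X]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<info>[^\]]*)\]$')

# Assumption: on a 32-bit XP install the only legitimate svchost.exe is this one.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$")

# Constructed sample in ComboFix's format (a subset of what the thread shows).
SAMPLE_LOG = r"""
2008-06-14 22:55 52,736 ----a-w C:\WINDOWS\system32\A3.tmp
2008-06-14 22:45 52,736 ----a-w C:\WINDOWS\system32\A0.tmp
2008-06-14 21:45 52,736 ----a-w C:\WINDOWS\system32\8E.tmp
2008-06-13 22:12 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-12 22:36 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"WinService32"="svchost" [X]
"WinLiveUpdate"="C:\Program Files\Common Files\Microsoft Shared\DAO\system32\svchost.exe" [2005-06-17 13:37 636416]
"""


def parse_file_lines(log):
    """Return one dict per file line; directory lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m or m.group("size").startswith("-"):
            continue
        entries.append({
            "date": m.group("date"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return entries


def find_tmp_clusters(entries, min_count=3):
    """Map size -> paths for *.tmp files under system32 that share a size.

    Many same-sized .tmp files dropped minutes apart into system32 is the
    pattern the CFScript in this thread targets; a lone temp file is not.
    """
    by_size = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if p.endswith(".tmp") and "\\system32\\" in p:
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def find_suspicious_svchost(log):
    """Return (name, command, info) for Run values that launch an svchost
    lookalike: a bare name with no path, a missing file ([X]), or a copy
    living outside %SystemRoot%\\system32."""
    hits = []
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        base = cmd.rsplit("\\", 1)[-1].lower()
        if base not in ("svchost", "svchost.exe"):
            continue
        if m.group("info") == "X" or not LEGIT_SVCHOST.match(cmd.lower()):
            hits.append((m.group("name"), cmd, m.group("info")))
    return hits


if __name__ == "__main__":
    for size, paths in find_tmp_clusters(parse_file_lines(SAMPLE_LOG)).items():
        print(f"{len(paths)} system32 .tmp files of {size} bytes:", *paths, sep="\n  ")
    for name, cmd, info in find_suspicious_svchost(SAMPLE_LOG):
        print(f"suspicious Run value {name!r}: {cmd} [{info}]")
```

Run it against a full ComboFix.txt by reading the file into `SAMPLE_LOG`'s place; the two checks are independent, so either can be dropped if only one pattern is of interest. Size clustering alone is a weak signal, which is why the threshold defaults to three files rather than one.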

#37 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 06 August 2008 - 03:42 AM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
