12-05-2007, 01:51 PM   #10
cjcasey
OS: xp home sp 2


Re: Help with Trojans

Sorry about that. I attached the old log. Here is the new one:

ComboFix 07-12-02.6 - Owner 2007-12-04 23:31:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.602 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\1074239785.dat
C:\WINDOWS\system32\apcupsx.exe
C:\WINDOWS\system32\hostwl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\7iFXbk8sWb.exe.bak
C:\WINDOWS\system32\1074239785.dat
C:\WINDOWS\system32\apcupsx.exe
C:\WINDOWS\system32\hostwl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_THEMESNETMAN
-------\ThemesNetman


((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-03 14:37 . 2007-12-03 14:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-03 14:12 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-03 14:12 . 2006-05-04 18:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-03 14:12 . 2006-05-04 18:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-03 13:49 . 2007-12-03 13:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-03 13:49 . 2007-12-03 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-03 13:46 . 2007-12-03 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 15:14 . 2007-11-28 15:14 <DIR> d-------- C:\Deckard
2007-11-28 15:08 . 2007-11-28 15:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-28 00:16 . 2007-11-28 15:06 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-28 00:16 . 2007-11-28 15:04 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-28 00:16 . 2007-11-28 15:04 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-28 00:16 . 2007-11-28 15:04 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-27 15:16 . 2007-11-27 15:16 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-27 15:15 . 2007-11-27 15:15 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-26 19:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-25 23:48 . 2007-11-27 15:15 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-25 21:46 . 2007-12-03 09:50 4,195,315 --a------ C:\WINDOWS\pfirewall.log.old
2007-11-25 21:21 . 2007-11-25 21:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 20:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\RipIt4Me
2007-11-27 20:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall
2007-11-27 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-11-26 05:53 --------- d-----w C:\Program Files\Google
2007-11-22 17:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2006-05-27 00:45 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Administrator\WINDOWS ----



((((((((((((((((((((((((((((( snapshot@2007-12-04_ 0.30.46.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 17:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 05:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 23:05]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 11:05]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 12:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 15:16]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 14:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-10 23:20]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 13:25]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 18:15]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-02 23:40:25]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-05-04 18:11:34]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 04:20:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:37:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 23:39:28 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 00:31
.
--- E O F ---