Tech Support Forum - View Single Post - [SOLVED] Comp shutting down with BSOD and then restarting on its own

pmb116 · 06-06-2008, 12:52 AM

sorry for my slow response and thank you very much for your help ....here are my combofix log and hijack this log....again thank you

ComboFix 08-06-05.3 - Rob 2008-06-06 2:21:36.1 - NTFSx86

Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\#SharedObjects\Y72CLM6K\www.broadcaster.com
C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aHilRXyb.ini
C:\WINDOWS\system32\aHilRXyb.ini2
C:\WINDOWS\system32\awttttQi.dll
C:\WINDOWS\system32\byXRliHa.dll
C:\WINDOWS\system32\cbXNFvTk.dll
C:\WINDOWS\system32\dotkaggc.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\ghvbpexn.ini
C:\WINDOWS\system32\iQttttwa.ini
C:\WINDOWS\system32\iQttttwa.ini2
C:\WINDOWS\system32\kfhonnef.ini
C:\WINDOWS\system32\mssrv32.exe
C:\WINDOWS\system32\stvsqsto.ini
C:\WINDOWS\system32\tuvWoppO.dll
C:\WINDOWS\system32\vwjewsgv.ini
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\wtehmsst.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Legacy_NPF
-------\Service_msupdate
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 02:44 . 2008-06-06 02:44 294 ---hs---- C:\WINDOWS\system32\kfhonnef.ini
2008-06-05 17:44 . 2008-06-05 17:44 96,128 --a------ C:\WINDOWS\system32\fennohfk.dll
2008-06-04 23:54 . 2008-06-04 23:54 <DIR> d-------- C:\WINDOWS\Sun
2008-06-04 23:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 23:53 . 2008-06-04 23:54 <DIR> d-------- C:\Program Files\Java
2008-06-04 23:53 . 2008-06-04 23:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 20:06 . 2008-06-04 20:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-04 20:06 . 2008-06-04 20:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-04 20:04 . 2008-06-04 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 20:04 . 2008-06-06 02:46 1,336,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 20:04 . 2008-06-06 02:32 18,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-04 20:04 . 2008-06-06 02:44 1,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-04 20:04 . 2008-06-06 02:32 1,148 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-04 20:02 . 2008-06-04 20:02 <DIR> d-------- C:\kav
2008-06-04 19:33 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-04 18:08 . 2008-06-04 18:08 <DIR> d-------- C:\Deckard
2008-06-04 17:44 . 2008-06-04 17:44 95,232 --a------ C:\WINDOWS\system32\nxepbvhg.dll
2008-06-01 00:43 . 2008-06-01 00:43 <DIR> d-------- C:\ie-spyad_zo
2008-06-01 00:38 . 2008-06-01 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-01 00:38 . 2008-06-04 17:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 00:38 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-01 00:38 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-01 00:38 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-31 23:43 . 2008-05-31 23:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 03:21 . 2008-05-31 03:21 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer
2008-05-31 03:06 . 2008-06-04 19:20 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-30 23:51 . 2008-05-30 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-30 23:50 . 2008-05-30 23:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-30 23:30 . 2008-06-04 19:17 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-30 23:25 . 2008-05-31 03:06 <DIR> d-------- C:\Program Files\Google
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 23:25 . 2008-06-06 02:44 4,104 --a------ C:\logfile

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 00:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-04 23:33 --------- d-----w C:\Program Files\Lavasoft
2008-06-04 23:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 02:31 --------- d-----w C:\Program Files\World of Warcraft
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-10 16:37 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-09 04:47 --------- d-----w C:\Program Files\Kodak
2008-04-09 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-09 04:46 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}]
C:\WINDOWS\boqnrwdmfrp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 12:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"1455bd2b"="C:\WINDOWS\system32\fennohfk.dll" [2008-06-05 17:44 96128]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX04.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 04:43:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 02:44:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\kfhonnef.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\fennohfk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-06 2:48:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 06:48:24

Pre-Run: 2,251,739,136 bytes free
Post-Run: 2,477,133,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

185 --- E O F --- 2008-05-29 16:04:50

Logfile of HijackThis v1.99.1
Scan saved at 2:51:38 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aaim6.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Rob\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: QXK Olive - {CC7A758B-8CA3-4FB5-987D-F6147DAA28C6} - C:\WINDOWS\boqnrwdmfrp.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [1455bd2b] rundll32.exe "C:\WINDOWS\system32\fennohfk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

06-06-2008, 12:52 AM	#4 (permalink)
pmb116 Registered User Join Date: May 2008 Posts: 5 OS: xp	Re: Comp shutting down with BSOD and then restarting on its own sorry for my slow response and thank you very much for your help ....here are my combofix log and hijack this log....again thank you ComboFix 08-06-05.3 - Rob 2008-06-06 2:21:36.1 - NTFSx86 Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Rob\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\#SharedObjects\Y72CLM6K\www.broadcaster.com C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\Rob\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\WINDOWS\cookies.ini C:\WINDOWS\system32\aHilRXyb.ini C:\WINDOWS\system32\aHilRXyb.ini2 C:\WINDOWS\system32\awttttQi.dll C:\WINDOWS\system32\byXRliHa.dll C:\WINDOWS\system32\cbXNFvTk.dll C:\WINDOWS\system32\dotkaggc.ini C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\ghvbpexn.ini C:\WINDOWS\system32\iQttttwa.ini C:\WINDOWS\system32\iQttttwa.ini2 C:\WINDOWS\system32\kfhonnef.ini C:\WINDOWS\system32\mssrv32.exe C:\WINDOWS\system32\stvsqsto.ini C:\WINDOWS\system32\tuvWoppO.dll C:\WINDOWS\system32\vwjewsgv.ini C:\WINDOWS\system32\WinCtrl32.dl_ C:\WINDOWS\system32\WinCtrl32.dll C:\WINDOWS\system32\wtehmsst.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MSUPDATE -------\Legacy_NPF -------\Service_msupdate -------\Service_NPF ((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 ))))))))))))))))))))))))))))))) . 2008-06-06 02:44 . 2008-06-06 02:44 294 ---hs---- C:\WINDOWS\system32\kfhonnef.ini 2008-06-05 17:44 . 2008-06-05 17:44 96,128 --a------ C:\WINDOWS\system32\fennohfk.dll 2008-06-04 23:54 . 2008-06-04 23:54 <DIR> d-------- C:\WINDOWS\Sun 2008-06-04 23:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-06-04 23:53 . 2008-06-04 23:54 <DIR> d-------- C:\Program Files\Java 2008-06-04 23:53 . 2008-06-04 23:53 <DIR> d-------- C:\Program Files\Common Files\Java 2008-06-04 20:06 . 2008-06-04 20:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat 2008-06-04 20:06 . 2008-06-04 20:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat 2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Kaspersky Lab 2008-06-04 20:04 . 2008-06-04 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-06-04 20:04 . 2008-06-06 02:46 1,336,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-04 20:04 . 2008-06-06 02:32 18,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-04 20:04 . 2008-06-06 02:44 1,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-04 20:04 . 2008-06-06 02:32 1,148 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-04 20:02 . 2008-06-04 20:02 <DIR> d-------- C:\kav 2008-06-04 19:33 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-04 18:08 . 2008-06-04 18:08 <DIR> d-------- C:\Deckard 2008-06-04 17:44 . 2008-06-04 17:44 95,232 --a------ C:\WINDOWS\system32\nxepbvhg.dll 2008-06-01 00:43 . 2008-06-01 00:43 <DIR> d-------- C:\ie-spyad_zo 2008-06-01 00:38 . 2008-06-01 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-01 00:38 . 2008-06-04 17:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-01 00:38 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX 2008-06-01 00:38 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL 2008-06-01 00:38 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX 2008-05-31 23:43 . 2008-05-31 23:43 <DIR> d-------- C:\Program Files\Panda Security 2008-05-31 03:21 . 2008-05-31 03:21 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer 2008-05-31 03:06 . 2008-06-04 19:20 160,256 --a------ C:\WINDOWS\system32\blackster.scr 2008-05-30 23:51 . 2008-05-30 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft 2008-05-30 23:50 . 2008-05-30 23:50 <DIR> d-------- C:\Documents and Settings\Administrator 2008-05-30 23:30 . 2008-06-04 19:17 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp 2008-05-30 23:25 . 2008-05-31 03:06 <DIR> d-------- C:\Program Files\Google 2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe 2008-05-15 23:25 . 2008-06-06 02:44 4,104 --a------ C:\logfile . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-05 00:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys 2008-06-04 23:33 --------- d-----w C:\Program Files\Lavasoft 2008-06-04 23:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-01 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-05-15 02:31 --------- d-----w C:\Program Files\World of Warcraft 2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys 2008-04-10 16:37 --------- d-----w C:\Program Files\MSXML 4.0 2008-04-09 04:47 --------- d-----w C:\Program Files\Kodak 2008-04-09 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak 2008-04-09 04:46 --------- d-----w C:\Program Files\Common Files\Kodak 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC7A758B-8CA3-4FB5-987D-F6147DAA28C6}] C:\WINDOWS\boqnrwdmfrp.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432] "nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 12:43 81920] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784] "1455bd2b"="C:\WINDOWS\system32\fennohfk.dll" [2008-06-05 17:44 96128] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX04.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd26.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"= "C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\kav\\kav7\\setup.exe"= "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 . Contents of the 'Scheduled Tasks' folder "2008-05-21 04:43:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job" - C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-06 02:44:24 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\kfhonnef.ini 294 bytes scan completed successfully hidden files: 1 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\fennohfk.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\verclsid.exe . ************************************************************************ . Completion time: 2008-06-06 2:48:29 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-06 06:48:24 Pre-Run: 2,251,739,136 bytes free Post-Run: 2,477,133,824 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 185 --- E O F --- 2008-05-29 16:04:50 Logfile of HijackThis v1.99.1 Scan saved at 2:51:38 AM, on 6/6/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM6\aaim6.exe C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Rob\My Documents\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: QXK Olive - {CC7A758B-8CA3-4FB5-987D-F6147DAA28C6} - C:\WINDOWS\boqnrwdmfrp.dll (file missing) O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [1455bd2b] rundll32.exe "C:\WINDOWS\system32\fennohfk.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe