06-14-2008, 02:26 PM   #3
mrskoz
Registered User
Join Date: May 2005
Posts: 35
OS: XP

Re: 2nd thread, malware: blue screen, bugs & more

Thank you for the quick response. I really appreciate that you all volunteer your time to help us all.

I had to run both programs twice... the first time ComboFix tried to reboot & create a log, I kept getting a pop-up for SVCHOST that a jpg dll was missing, and I needed to reinstall the program. The 2nd time I ran it, it went through okay.

HijackThis hung the first time through on something sounding like 015 enumeration? It ran through the 2nd time.

Below are the logs.

&&&&&&&&&&&&&&&&&&&&&&&&
ComboFix 08-06-12.2 - CHRISTOPHER 2008-06-14 16:10:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1551 [GMT -4:00]
Running from: C:\Documents and Settings\CHRISTOPHER\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\winhelp.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\_004266_.tmp.dll
C:\WINDOWS\system32\_004267_.tmp.dll
C:\WINDOWS\system32\_004268_.tmp.dll
C:\WINDOWS\system32\_004269_.tmp.dll
C:\WINDOWS\system32\_004276_.tmp.dll
C:\WINDOWS\system32\_004277_.tmp.dll
C:\WINDOWS\system32\_004278_.tmp.dll
C:\WINDOWS\system32\_004279_.tmp.dll
C:\WINDOWS\system32\_004281_.tmp.dll
C:\WINDOWS\system32\_004282_.tmp.dll
C:\WINDOWS\system32\_004285_.tmp.dll
C:\WINDOWS\system32\_004286_.tmp.dll
C:\WINDOWS\system32\_004288_.tmp.dll
C:\WINDOWS\system32\_004289_.tmp.dll
C:\WINDOWS\system32\_004290_.tmp.dll
C:\WINDOWS\system32\_004292_.tmp.dll
C:\WINDOWS\system32\_004295_.tmp.dll
C:\WINDOWS\system32\_004296_.tmp.dll
C:\WINDOWS\system32\_004300_.tmp.dll
C:\WINDOWS\system32\_004301_.tmp.dll
C:\WINDOWS\system32\_004303_.tmp.dll
C:\WINDOWS\system32\_004306_.tmp.dll
C:\WINDOWS\system32\_004308_.tmp.dll
C:\WINDOWS\system32\_004309_.tmp.dll
C:\WINDOWS\system32\_004310_.tmp.dll
C:\WINDOWS\system32\_004311_.tmp.dll
C:\WINDOWS\system32\_004312_.tmp.dll
C:\WINDOWS\system32\_004315_.tmp.dll
C:\WINDOWS\system32\_004316_.tmp.dll
C:\WINDOWS\system32\_004317_.tmp.dll
C:\WINDOWS\system32\_004318_.tmp.dll
C:\WINDOWS\system32\_004319_.tmp.dll
C:\WINDOWS\system32\_004324_.tmp.dll
C:\WINDOWS\system32\_004326_.tmp.dll
C:\WINDOWS\system32\_004327_.tmp.dll
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ijl11pro.dll
C:\WINDOWS\winhelp.ini
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 11:37 . 2008-06-14 11:37 <DIR> d-------- C:\Deckard
2008-06-13 07:06 . 2008-06-13 07:06 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Vso
2008-06-13 07:06 . 2008-06-13 07:06 87,608 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\ezpinst.exe
2008-06-13 07:06 . 2008-06-13 07:06 47,360 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.sys
2008-06-12 03:02 . 2008-06-12 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 22:50 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:50 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 05:38 . 2008-06-06 17:27 52,736 --a------ C:\WINDOWS\system32\71.tmp
2008-06-05 14:50 . 2008-06-05 14:50 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\ESET
2008-06-05 14:39 . 2008-06-05 14:39 <DIR> d-------- C:\Documents and Settings\LAURYN\Application Data\ESET
2008-06-05 06:39 . 2008-06-05 06:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-05 06:22 . 2008-06-05 06:22 <DIR> d-------- C:\Documents and Settings\BRITTNEY\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Program Files\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 17:39 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iPod
2008-06-04 17:39 . 2008-06-14 16:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-04 17:39 . 2008-06-04 17:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 17:38 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-06-04 15:20 . 2008-06-04 15:20 392 --a------ C:\sslist.sss
2008-06-04 15:19 . 2008-06-04 15:20 21,976 --a------ C:\ssave0.sss
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-04 14:46 . 2008-06-04 15:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-04 14:45 . 2008-06-04 14:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-04 14:39 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-06-04 14:38 . 2008-06-04 14:38 <DIR> d-------- C:\WINDOWS\EHome
2008-06-04 14:38 . 2004-08-04 02:58 2,012,670 --------- C:\WINDOWS\nt5.cat
2008-06-04 14:38 . 2001-03-02 20:52 15,360 --a------ C:\WINDOWS\system32\asfsipc.dll
2008-06-04 14:32 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET278.tmp
2008-06-04 14:23 . 2008-06-04 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 10:20 . 2008-06-04 10:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 23:25 . 2008-06-03 23:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\SUPERAntiSpyware.com
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 22:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-18 12:31 . 2008-05-18 12:31 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\HPAppData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 04:34 --------- d-----w C:\Program Files\D-Link Media Server
2008-06-13 11:11 --------- d-----w C:\Program Files\Qualcomm
2008-06-12 21:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 16:39 --------- d-----w C:\Program Files\BitLord
2008-06-10 23:41 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\.purple
2008-06-05 10:21 --------- d-----w C:\Program Files\Apple Software Update
2008-06-04 21:37 --------- d-----w C:\Program Files\QuickTime
2008-06-04 21:36 --------- d-----w C:\Program Files\Java
2008-06-04 03:35 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 00:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:33 3,168 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-04 00:13 --------- d-----w C:\Program Files\The Learning Company
2008-06-04 00:07 --------- d-----w C:\Program Files\GameHouse
2008-06-04 00:03 --------- d-----w C:\Program Files\PopCap Games
2008-06-01 20:24 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\.purple
2008-05-27 22:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\uTorrent
2008-05-26 22:18 --------- d-----w C:\Program Files\dl_Cats
2008-05-20 10:41 --------- d-----w C:\Program Files\Picasa2
2008-05-18 18:42 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent
2008-05-15 13:16 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\HPAppData
2008-05-12 17:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\.purple
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 10:35 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\HPAppData
2008-04-29 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-29 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-29 16:29 --------- d-----w C:\Program Files\HP
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-29 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-29 16:26 --------- d-----w C:\Program Files\Common Files\HP
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-15 04:04 --------- d-----w C:\Program Files\ItsDeductible2006
2008-04-14 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-14 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-14 00:15 218,134 ----a-w C:\WINDOWS\AppPatch\SET5B0.tmp
2008-04-14 00:15 204,396 ----a-w C:\WINDOWS\AppPatch\SET5AF.tmp
2008-04-14 00:15 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET5AE.tmp
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\SET35C.tmp
2008-04-14 00:09 16,896 ----a-w C:\WINDOWS\system32\SET498.tmp
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\SET29D.tmp
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\SET41A.tmp
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\SET2EF.tmp
2008-04-13 17:26 90,112 ----a-w C:\WINDOWS\system32\SET25B.tmp
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\SET36A.tmp
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\SET2EC.tmp
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\SET345.tmp
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\SET4A8.tmp
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\SET27A.tmp
2008-04-13 16:26 1,351,168 ----a-w C:\WINDOWS\system32\SET357.tmp
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\SET341.tmp
2008-04-13 15:42 16,896 ----a-w C:\WINDOWS\system32\SET24A.tmp
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\SET34D.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 21:16 25,840 ----a-w C:\Documents and Settings\BRITTNEY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-18 23:36 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-07-16 15:20 27,016 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\GDIPFONTCACHEV1.DAT
2007-04-17 01:39 87,608 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\ezpinst.exe
2007-04-17 01:39 47,360 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\pcouffin.sys
2007-11-29 15:54 56 --sh--r C:\WINDOWS\system32\8F26DE8530.sys
2007-11-29 15:54 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 00:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2006-12-19 10:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB929338_0$\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"User Themes"="C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-18 19:59 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-12-12 04:22 312200]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 13:21 292336]
"CmPCIaudio"="CMICNFG3.CPL" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 18:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"=
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\dlcqcoms.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys []
S3 RTIUSB;RTI USB Driver;C:\WINDOWS\system32\Drivers\RTIusb.sys [2005-09-30 16:04]
S4 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3b6ae5-416c-11dc-a119-0016e665bbdc}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 12:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 16:12:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-06-14 16:13:34
ComboFix-quarantined-files.txt 2008-06-14 20:13:20

Pre-Run: 38,149,578,752 bytes free
Post-Run: 38,136,213,504 bytes free

284 --- E O F --- 2008-06-12 07:02:45
**********************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:31 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [User Themes] C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 4865 bytes
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.