Alright... that seemed to do something good. The computer is looking like it used to before this infection; however, I still can't get online with it. There are the usual icons in the Network Connections folder, but I can't seem to connect to my wireless network connection. I get the following message:
Windows cannot configure this wireless connection.
If you have enabled another program to manage this wireless connection, use that software.
If you want Windows to configure this wireless connection, start the Wireless Zero Configuration (WZC) service.
Here's the log:
ComboFix 08-08-08.08 - THOMAS DEMENTI 2008-08-11 12:17:23.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.617 [GMT -4:00]
Running from: C:\Documents and Settings\THOMAS DEMENTI\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.
2008-08-09 11:57 . 2008-08-09 11:57 <DIR> d-------- C:\Deckard
2008-08-08 15:09 . 2008-08-08 15:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Program Files\ESET
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 12:52 . 2008-08-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 17:25 . 2008-08-07 17:25 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-07 16:52 . 2008-08-07 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-07 10:17 . 2008-08-07 16:43 <DIR> d-------- C:\Program Files\Foxit Software
2008-08-06 16:16 . 2008-08-06 16:16 <DIR> d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Sarm Software
2008-08-06 16:15 . 2008-08-07 10:23 607 --a------ C:\WINDOWS\Omega.INI
2008-08-06 16:14 . 2008-08-06 16:14 <DIR> d-------- C:\Program Files\Sarm Software
2008-08-05 09:45 . 2008-08-05 09:46 <DIR> d-------- C:\Program Files\RamBooster 2.0
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iTunes
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iPod
2008-07-21 17:44 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-07-21 17:43 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\QuickTime
2008-07-21 14:03 . 2008-07-21 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-21 14:01 . 2008-07-21 14:05 <DIR> d-------- C:\Program Files\Canon
2008-07-21 13:59 . 2008-07-21 13:59 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-07-21 10:05 . 2008-07-21 10:05 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-16 09:33 . 2008-07-16 09:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 17:48 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-08 17:48 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-08 17:48 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-08 17:48 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec
2008-08-08 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-08 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-08 16:46 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\uTorrent
2008-08-07 20:44 6,262 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\wklnhst.dat
2008-08-04 22:02 --------- d-----w C:\Program Files\Apple Software Update
2008-07-27 22:41 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-26 17:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-21 14:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 12:24 --------- d-----w C:\Program Files\IrfanView
2008-07-08 19:45 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\Logitech
2008-07-08 19:44 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-07-08 19:43 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-08 19:42 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-08 19:40 --------- d-----w C:\Program Files\Logitech
2008-07-08 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-08 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-10-15 12:47 66,824 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-08-09_17.34.44.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3120\_PerfCounter.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" [2005-11-17 07:32 561664]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 13:45 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-08 15:40:53 789008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS DEMENTI^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\THOMAS DEMENTI\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2005-05-31 05:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-02-15 16:02 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-19 18:30 26112 C:\Program Files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-27 13:45 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 12:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 17:06]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-08-11 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []
2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-08-11 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Reg - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\Firefox\Profiles\mulixzw9.Default User\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.google.com/mail/
FF -: plugin - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\plugins\npPxPlay.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-11 12:20:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\TMP0000006C8A26D9AF790FABC1 524288 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-08-11 12:22:21
ComboFix-quarantined-files.txt 2008-08-11 16:22:05
ComboFix2.txt 2008-08-11 15:30:47
ComboFix3.txt 2008-08-11 00:24:28
ComboFix4.txt 2008-08-10 18:46:56
ComboFix5.txt 2008-08-11 16:17:08
Pre-Run: 23,789,318,144 bytes free
Post-Run: 23,774,072,832 bytes free
223 --- E O F --- 2008-08-11 16:16:09
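Added example (my own script, not part of this post and not ComboFix's or the forum's code): a small Python triage helper that parses the sections of a pasted ComboFix log the way a helper reads one by hand. It pulls the "Other Deletions" list, the HKCU/HKLM Run entries, the Security Center flags, the firewall AuthorizedApplications list and the catchme hidden-file lines, then emits review notes: an Autorun.inf deletion (removable-media autorun), AntiVirusDisableNotify set to 1, any hidden file catchme reported, and Run entries whose executable lives outside Program Files or system32. The embedded SAMPLE_LOG is a constructed excerpt of the log above; the TRUSTED_DIRS list and the wording of the findings are my assumptions for illustration, not anything ComboFix itself decides.

```python
"""Triage a pasted ComboFix log: pull out the parts worth a second look.

Added example, not ComboFix's own code. TRUSTED_DIRS and the finding texts
are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the log in this thread, trimmed to the lines the parser uses.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
**************************************************************************
scanning hidden files ...
C:\WINDOWS\TEMP\TMP0000006C8A26D9AF790FABC1 524288 bytes
scan completed successfully
hidden files: 1
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")            # ((( Section Name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...\Run]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})')
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes$")

# Assumed heuristic: autostarts outside these trees get a manual look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


@dataclass
class Triage:
    deletions: list = field(default_factory=list)
    run_entries: list = field(default_factory=list)      # (key, value name, exe path)
    firewall_apps: list = field(default_factory=list)
    security_center: dict = field(default_factory=dict)
    hidden_files: list = field(default_factory=list)     # (path, size)


def parse_combofix(text):
    """Walk the log once, tracking the current section and registry key."""
    t = Triage()
    section = key = None
    in_catchme = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if line.startswith("scanning hidden files"):
            in_catchme = True
            continue
        if line.startswith("scan completed"):
            in_catchme = False
            continue
        if in_catchme:
            m = HIDDEN_RE.match(line)
            if m:
                t.hidden_files.append((m.group("path"), int(m.group("size"))))
            continue
        if section == "Other Deletions":
            t.deletions.append(line)
            continue
        if key is None:
            continue
        if key.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                # meta is "date time size" plus, when the value is a bare name, the resolved path
                meta = m.group("meta").split(maxsplit=3)
                exe = meta[3] if len(meta) == 4 else m.group("target")
                t.run_entries.append((key, m.group("name"), exe))
        elif key.endswith("\\authorizedapplications\\list"):
            m = FW_APP_RE.match(line)
            if m:
                t.firewall_apps.append(m.group("path").replace("\\\\", "\\"))
        elif key.endswith("\\security center"):
            m = DWORD_RE.match(line)
            if m:
                t.security_center[m.group("name")] = int(m.group("hex"), 16)
    return t


def assess(t):
    """Turn the parsed log into review notes (assumed heuristics)."""
    notes = []
    for path in t.deletions:
        if path.lower().endswith("autorun.inf"):
            notes.append(f"autorun.inf removed from {path[:3]} - check every removable drive that touched this machine")
    if t.security_center.get("AntiVirusDisableNotify") == 1:
        notes.append("Security Center AV alerts are suppressed (AntiVirusDisableNotify=1) - re-enable unless you set it")
    for path, size in t.hidden_files:
        notes.append(f"catchme reported hidden file {path} ({size} bytes) - have it scanned before deleting")
    for _key, name, exe in t.run_entries:
        if not exe.lower().startswith(TRUSTED_DIRS):
            notes.append(f"Run entry '{name}' starts {exe} from outside Program Files/system32 - verify the publisher")
    for app in t.firewall_apps:
        if not app.lower().startswith(("%windir%", "c:\\program files\\")):
            notes.append(f"firewall exception for {app} lives outside the usual trees - confirm it is wanted")
    return notes


if __name__ == "__main__":
    for note in assess(parse_combofix(SAMPLE_LOG)):
        print("-", note)
```

Paste the full log into SAMPLE_LOG (or read it from a file) and the same code runs over it; the interesting output for this thread is the four notes on the Autorun.inf deletion, the suppressed AV notifications, the hidden file in C:\WINDOWS\TEMP and the KHALMNPR.Exe autostart in C:\WINDOWS, which is where a helper would want the poster to look next.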