Old 12-05-2008, 08:17 PM   #3 (permalink)
Joody
OS: Windows XP


Re: System start-up change detected

Thank you for your reply; I understand how busy you must be. I would like to update you on my computer. Last night it was almost unusable, so I ran SUPERAntiSpyware (I did not realize you didn't want any other tools run). This program deleted a LOT of files including, I think, 11 Trojans....yikes.

On boot I now get three "Error loading" messages for files in windows\system32. The files are

vatotosa.dll
wobupubu.dll
wefakuve.dll

Here is the Combofix log file

ComboFix 08-12-05.02 - Compaq_Owner 2008-12-05 18:51:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.191 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\hizavara.dll
c:\windows\system32\kafufigu.dll
c:\windows\system32\kulufegi.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\pimenuda.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RUNTIME


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-04 19:24 . 2008-12-04 19:24 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-04 19:24 . 2008-12-04 19:24 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-12-04 19:24 . 2008-12-04 19:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-04 19:23 . 2008-12-04 19:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 18:34 . 2008-12-04 18:34 1,432,270 ---hs---- c:\windows\system32\evukafew.ini
2008-12-04 06:39 . 2008-12-04 06:40 1,432,267 ---hs---- c:\windows\system32\ohunotep.ini
2008-12-02 19:38 . 2008-12-02 19:38 250 --a------ c:\windows\gmer.ini
2008-12-02 18:57 . 2008-12-02 18:57 153 --a------ c:\windows\wininit.ini
2008-12-01 19:25 . 2008-08-31 18:41 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-29 19:15 . 2008-11-29 19:16 1,298,668 ---hs---- c:\windows\system32\uhefowij.ini
2008-11-28 20:23 . 2008-11-29 06:22 1,298,677 ---hs---- c:\windows\system32\isofopig.ini
2008-11-28 06:54 . 2008-11-28 07:53 1,298,695 ---hs---- c:\windows\system32\ezoteyiy.ini
2008-11-27 17:04 . 2008-11-27 17:04 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-11 19:29 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:28 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 02:57 --------- d-----w c:\program files\Microsoft AntiSpyware
2008-12-05 03:19 --------- d-----w c:\program files\iTunes
2008-12-03 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 00:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 13:50 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-11-06 01:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Printer Info Cache
2008-11-06 01:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Image Zone Express
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-09 02:48 --------- d-----w c:\program files\BingoLiner
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2007-07-13 01:06 56,912 ----a-w c:\documents and settings\Compaq_Owner\g2mdlhlpx.exe
2005-03-22 03:16 10,240 -csha-w c:\windows\rnapxs\rnapxs.dat
2005-02-16 04:19 0 -csha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSGTAG"="c:\program files\MSGTAG\MSGTAG.exe" [2003-09-16 1320448]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-10 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-10 98304]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2005-10-25 122929]
"F-Secure TNB"="c:\program files\Shaw Secure\TNB\TNBUtil.exe" [2005-07-18 700416]
"F-Secure Startup Wizard"="c:\program files\Shaw Secure\FSGUI\FSSW.EXE" [2005-10-18 372736]
"News Service"="c:\program files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 356352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-10 16423]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Shaw Secure.lnk - c:\program files\Shaw Secure\backweb\3875767\Program\fspex.exe [2006-03-21 32807]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yoe16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Conference\\Conference.dll"=
"c:\\Program Files\\Shaw Secure\\backweb\\3875767\\Program\\fspex.exe"=
"c:\\Program Files\\MSGTAG\\MSGTAG.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\TalkShoe\\pjsua_win.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Shaw Secure\\Anti-Virus\\fsgk32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16966:TCP"= 16966:TCP:BitComet 16966 TCP
"16966:UDP"= 16966:UDP:BitComet 16966 UDP

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2005-03-21 70896]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 BackWeb Plug-in - 3875767;Shaw Secure;c:\progra~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE [2006-03-21 32807]
R2 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2005-03-21 48720]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSgk.sys [2005-03-21 55424]
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2005-03-21 16816]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\PPSCAN.sys [2005-06-08 91520]
S3 Yoe16;Yoe16;\??\c:\windows\System32\drivers\Yoe16.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\SHAWSE~1\ANTI-V~1\fsav.exe [2005-06-15 11:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9726f3bd-b039-43ef-b38b-7b1a89fb5a6f} - c:\windows\system32\zeyoheko.dll
HKLM-Run-yowibivofi - c:\windows\system32\wobupobu.dll
HKLM-Run-442d93c0 - c:\windows\system32\wefakuve.dll
HKLM-Run-CPM471ea05c - c:\windows\system32\vatotosa.dll
HKLM-Run-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: &Add animation to IncrediMail Style Box - c:\progra~1\INCRED~1\bin\resources\WebMenuImg.htm
IE: &Block this popup - c:\program files\Shaw Secure\Anti-Spyware\blockpopups.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\orq4y9p9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 18:56:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Shaw Secure\FWES\Program\fsdc.dll

- - - - - - - > 'lsass.exe'(584)
c:\program files\Shaw Secure\FWES\Program\fsdc.dll

- - - - - - - > 'csrss.exe'(504)
c:\program files\Shaw Secure\FWES\Program\fsdc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ewido anti-malware\ewidoctrl.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32.exe
c:\program files\Shaw Secure\backweb\3875767\Program\fsbwsys.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\Common\FSMB32.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Shaw Secure\Common\FCH32.EXE
c:\program files\Shaw Secure\Common\FAMEH32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsqh.exe
c:\program files\Shaw Secure\Anti-Virus\FSRW.exe
c:\program files\Shaw Secure\FSPC\fspc.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\Shaw Secure\Anti-Virus\FSAV32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Shaw Secure\FSPC\fshttps\fshttps.exe
c:\program files\Shaw Secure\FWES\program\fsdfwd.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\SHAWSE~1\ANTI-S~1\FSAW.exe
c:\program files\Shaw Secure\FSGUI\fsguidll.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-12-05 19:02:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 03:02:40

Pre-Run: 64,236,314,624 bytes free
Post-Run: 64,192,974,848 bytes free

215 --- E O F --- 2008-11-12 05:40:28