I ran the script and attached the log.
ComboFix 08-12-05.01 - Owner 2008-12-08 10:50:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.729 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\CFix.exe.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\pqggin.exe
C:\sydp.exe
c:\windows\system32\bb
c:\windows\system32\ceg.sdr
c:\windows\system32\def.help
c:\windows\system32\ert
c:\windows\system32\ert\VEM8O23.exe
c:\windows\system32\fe.sp
c:\windows\system32\fes.ra
c:\windows\system32\QI19
c:\windows\system32\rgv.xl
c:\windows\system32\vm
c:\windows\system32\vm\ben2tali.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 14:06 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-28 14:06 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 14:04 . 2008-11-28 14:04 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 10:19 . 2008-11-28 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 10:10 . 2008-11-28 10:11 <DIR> d-------- C:\095656869fa05163197b
2008-11-24 18:48 . 2008-11-24 18:48 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 14:31 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 14:31 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 17:28 . 2008-11-28 10:47 <DIR> d-------- c:\program files\AdwarePro
2008-11-09 10:37 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-09 10:36 . 2008-04-13 17:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-09 10:36 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-09 10:36 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 22:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 18:54 --------- d-----w c:\program files\Google
2008-11-28 18:53 --------- d--h--r c:\documents and settings\Owner\Application Data\yahoo!
2008-11-28 18:53 --------- d-----w c:\program files\Yahoo!
2008-11-28 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-28 18:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 18:52 --------- d-----w c:\program files\epson
2008-11-25 06:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-25 02:48 --------- d-----w c:\program files\Java
2008-11-09 20:58 --------- d-----w c:\program files\support.com
2008-11-07 06:31 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo!
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 04:26 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-10-09 02:15 --------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2006-04-18 04:30 9,583,368 ----a-w c:\documents and settings\Owner\DesktopDoctor1.5.1.exe
2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2005-01-29 03:20 0 --sha-w c:\windows\SMINST\HPCD.sys
2007-07-02 23:13 5 --sha-w c:\windows\system32\cafbdbbee_s.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- c:\windows\system32\dllcache\user32.dll ----
Company: Microsoft Corporation
File Description: Windows XP USER API Client DLL
File Version: 5.1.2600.5512 (xpsp.080413-2105)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: user32
MD5: b26b135ff1b9f60c9388b4a7d16f600b
---- Directory of C:\095656869fa05163197b ----
2008-11-28 10:11 35 --a------ c:\095656869fa05163197b\update\update.log
((((((((((((((((((((((((((((( snapshot@2008-12-05_12.10.08.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-08 18:52:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-24 136600]
"SoundMan"="SOUNDMAN.EXE" [2004-08-24 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-24 c:\windows\ALCWZRD.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2005-01-28 172032]
Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2005-01-28 217088]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 15:18 135168 c:\program files\eMachines Bay Reader\shwiconEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Automatic LiveUpdate Scheduler"=2 (0x2)
"gusvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"PrismXL"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2005-01-28 12964]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2007-11-11 9344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
2005-01-29 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 16:12]
2008-12-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://webmail.peacehealth.org/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
- c:\windows\Downloaded Program Files\RhapX.inf
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vemimigj.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-08 10:53:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Wireless Device\Wireless Keyboard\OSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-08 10:54:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 18:54:36
ComboFix2.txt 2008-12-05 20:10:34
Pre-Run: 143,369,195,520 bytes free
Post-Run: 143,355,146,240 bytes free
179 --- E O F --- 2008-11-28 18:11:18