HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Closed Thread
 
Old 01-18-2008, 12:07 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: vista


Reply to thread 'Win32/Fotomoto malware'

As per instruction from Jacee

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:59:44, on 18/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\hp\support\hpsysdrv .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\spool\drivers\w32x86\3\printray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\rundll32.exe
C:\Users\Steve\AppData\Local\Plaxo\2.13.1.2\PlaxoHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Users\Steve\AppData\Local\Plaxo\2.13.1.2\PlaxoHelper .exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Windows\explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Users\Steve\Desktop\HiJackThis.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5565 bytes
Old 01-20-2008, 03:25 PM   #2 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3


Re: Reply to thread 'Win32/Fotomoto malware'

Download SDFix from here and save it to your desktop.


Please then reboot your computer in Safe Mode by doing the following :
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.


=========================================


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



Caution...Never run and remove files using ComboFix without being supervised by a security analyst.
Eddy
Old 01-21-2008, 02:28 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: vista


Re: Reply to thread 'Win32/Fotomoto malware'

Hi thanks for your help.

I downloaded SDFix as instructed and booted my machine in safe mode. However, when I tried to run the RunThis BAT file nothing appeared to happen. When I say nothing - it loaded the black DOS-like command box but then immediately unloaded it. It did not give me an option to enter 'Y' to run the script.

I checked to see if report.txt had been generated just to be sure nothing had happened in the background, but nothing. I tried this several times but to no avail.


In case it makes a difference I am a Vista user.

Please advise.

Steve
shardin1 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 01-21-2008, 01:20 PM   #4 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3


Re: Reply to thread 'Win32/Fotomoto malware'

Just go with Combofix. I forgot you had Vista and that won't run on it.
Eddy
Old 04-28-2008, 12:04 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: vista


Re: Reply to thread 'Win32/Fotomoto malware'

Apologies guys. I delayed responding because I knew I was going to have to dedicate some time to this. The Fotomoto problem is starting to get the better of my PC though. To remind you I have Vista with the win32/fotomoto malware issue.

My HijackThis log as of today is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:04:19, on 28/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\spool\drivers\w32x86\3\printray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper .exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\p2phost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Users\Steve\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link....google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Steve\AppData\Local\Temp\vtuts.exe
O1 - Hosts: ::1 localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PrinTray] C:\Windows\system32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtqrqq.dll,#1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Steve\AppData\Local\Temp\gebaw.dll,#1
O4 - HKCU\..\Run: [DDC] C:\Users\Steve\AppData\Local\Temp\noskaohw .exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Steve\AppData\Local\Temp\vtuts.dll,c
O4 - HKCU\..\Run: [BMdf7340f4] Rundll32.exe "C:\Users\Steve\AppData\Local\Temp\sarrcifw.dll",s
O4 - HKCU\..\Run: [dc407368] rundll32.exe "C:\Users\Steve\AppData\Local\Temp\hwbixydo.dll",b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8685 bytes


My ComboFix log as of today is:

ComboFix 08-04-27.3 - Steve 2008-04-28 19:27:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.289 [GMT 1:00]
Running from: C:\Users\Steve\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\hp\KBD\KbdStub.EXE
c:\hp\support\hpsysdrv.exe
C:\Users\Steve\AppData\Local\Plaxo\2.13.1.2\PlaxoHelper.exe
C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Users\Steve\AppData\Local\Temp\cpcmbpsx .exe
C:\Users\Steve\AppData\Local\Temp\cpcmbpsx.exe
C:\Users\Steve\AppData\Local\Temp\lxveufak .exe
C:\Users\Steve\AppData\Local\Temp\lxveufak.exe
C:\Users\Steve\AppData\Local\Temp\mimroxoi .exe
C:\Users\Steve\AppData\Local\Temp\mimroxoi.exe
C:\Users\Steve\AppData\Local\Temp\noskaohw .exe
C:\Users\Steve\AppData\Local\Temp\qkxclsua .exe
C:\Users\Steve\AppData\Local\Temp\qkxclsua.exe
C:\Users\Steve\AppData\Local\Temp\scctpvgq .exe
C:\Users\Steve\AppData\Local\Temp\scctpvgq.exe
C:\Windows\system32\install.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 06:29 --------- d-----w C:\Users\Steve\AppData\Roaming\PeerNetworking
2008-04-22 11:06 --------- d-----w C:\Users\Steve\AppData\Roaming\UseNeXT
2008-04-21 14:20 --------- d-----w C:\Program Files\Windows Mail
2008-04-21 13:21 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-04-21 13:21 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-04-21 13:20 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-04-21 13:20 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-04-21 13:19 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-04-21 13:19 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-21 13:19 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-21 13:19 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-04-21 13:19 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-04-21 13:19 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-04-21 13:19 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-04-21 13:18 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-04-21 13:18 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-04-21 13:18 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-04-21 13:18 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-04-21 13:18 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-04-21 13:17 1,585,664 ----a-w C:\Windows\System32\setupapi.dll
2008-04-21 13:13 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-21 13:13 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-21 13:12 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-04-21 13:12 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-04-21 13:12 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-04-21 13:12 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-04-21 13:12 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-04-21 13:12 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-04-21 13:12 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-04-21 13:07 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-21 13:07 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-21 13:06 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-21 13:06 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-21 13:05 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-21 13:05 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-21 13:04 99,840 ----a-w C:\Windows\System32\poqexec.exe
2008-04-21 13:03 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-04-12 14:10 --------- d-----w C:\Program Files\Google
2008-03-28 08:25 --------- d-----w C:\Program Files\Real
2008-03-28 08:25 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-28 08:25 --------- d-----w C:\Program Files\Common Files\Real
2008-03-04 09:11 --------- d-----w C:\Users\Steve\AppData\Roaming\tastephotobook
2007-12-14 09:39 174 --sha-w C:\Program Files\desktop.ini
2007-08-29 20:32 486 ----a-w C:\Users\Steve\AppData\Roaming\wklnhst.dat
2007-07-07 17:01 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-07-07 17:01 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-07-07 17:01 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-12-14 08:01 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-14 08:01 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-14 08:01 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
----a-w            65,536 2008-04-28 18:19:20  C:\hp\KBD\KbdStub .EXE
----a-w            65,536 2008-04-28 18:19:20  C:\hp\support\hpsysdrv .exe
----a-w           227,914 2008-01-21 08:57:23  C:\Users\Steve\AppData\Local\Plaxo\2.13.1.2\PlaxoHelper .exe
----a-w           227,914 2008-04-28 18:19:22  C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 09:43 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:34 2159104 C:\Windows\System32\oobefldr.dll]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-07-14 01:41 20034600]
"PlaxoUpdate"="C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper.exe" [ ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-15 12:37 120320]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-17 13:08 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [ ]
"KBD"="C:\HP\KBD\KbdStub.EXE" [ ]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 11:57 3784704 C:\Windows\RtHDVCpl.exe]
"CCUTRAYICON"="FactoryMode" []
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"PrinTray"="C:\Windows\system32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-05 03:18 36864]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-19 18:11 151552]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-03-12 20:37 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-03-12 20:37 7770112]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-03-12 20:37 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 14:21 94208]
"MSServer"="C:\Windows\system32\awtqrqq.dll" [2008-01-04 11:32 38912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 09:25 185896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-02-25 16:30:44 884840]
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2005-10-14 07:25:00 3719168]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CDE34FC5-73EA-4818-9508-2928B53C4BE4}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{3776C7A8-862A-45F7-BD61-F08AC151CD9E}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{15B321F5-1194-4CBA-AE55-9DEE5E9D18A0}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{73946F73-5F1F-405C-A60E-D1DF0160E1F8}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{B2DCA032-AE64-4E3E-985B-9E54EA1CC159}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{F2BF92B1-0238-41C7-9901-EA6FB6811EDC}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{08A19991-92F7-469C-B7CF-581FA9942774}"= TCP:9442:127.0.0.1:Intel(R) Viiv(TM) Media Server Discovery
"{84701E6F-1D21-4E42-93F8-F4A729CD57DE}"= TCP:1900:LocalSubnet:LocalSubnet:Intel(R) Viiv(TM) Media Server UPnP Discovery
"{28206843-FD7C-4EBF-A5C8-88486E71F4C7}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{5EF9F198-A07C-4962-BD96-FDCE87A0A827}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{F541911E-54A5-4AE1-8777-25BA4453A56D}C:\\program files\\intervideo\\dvd8\\windvd.exe"= UDP:C:\program files\intervideo\dvd8\windvd.exe:WinDVD
"UDP Query User{CB777368-D5BC-4ADD-8B11-465F46A403AD}C:\\program files\\intervideo\\dvd8\\windvd.exe"= TCP:C:\program files\intervideo\dvd8\windvd.exe:WinDVD
"{46634F2C-0858-44B3-9207-3276B4C1BE05}"= Disabled:UDP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{C352959F-5140-4B38-8544-7C769474EEC9}"= Disabled:TCP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"TCP Query User{AB1CF712-2D1E-457D-9DBF-BCD457AD37FB}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{5E49E8F1-0F0E-4D03-A7CD-8A01FC1C0CEC}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2006-09-03 19:32]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\Windows\system32\DRIVERS\WG11TND5.sys [2005-09-05 04:21]
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [2006-05-10 18:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 16:50:40 C:\Windows\Tasks\User_Feed_Synchronization-{5EB7044A-9160-40A7-B57E-7482E56EBD81}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 19:48:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 19:56:01
ComboFix-quarantined-files.txt 2008-04-28 18:55:56

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

179 --- E O F --- 2008-04-21 13:21:40
Old 04-28-2008, 04:15 PM   #6 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3


Re: Reply to thread 'Win32/Fotomoto malware'

Nearly done....


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

Killall::

Renv::
----a-w 65,536 2008-04-28 18:19:20 C:\hp\KBD\KbdStub .EXE
----a-w 65,536 2008-04-28 18:19:20 C:\hp\support\hpsysdrv .exe
----a-w 227,914 2008-01-21 08:57:23 C:\Users\Steve\AppData\Local\Plaxo\2.13.1.2\PlaxoHelper .exe
----a-w 227,914 2008-04-28 18:19:22 C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper .exe

File::
C:\Windows\system32\awtqrqq.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
__________________
An Australian Member of



Eddy
Old 04-29-2008, 01:20 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: vista


Re: Reply to thread 'Win32/Fotomoto malware'

Hi

I followed the instructions exactly. When I ran Combofix though it rebooted my machine and did not create a log file. I re-ran Combofix (WITHOUT REPEATING THE CFSCRIPT.TXT STEP) and it created the following log file.

ComboFix 08-04-27.3 - Steve 2008-04-29 8:48:22.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.409 [GMT 1:00]
Running from: C:\Users\Steve\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 06:29 --------- d-----w C:\Users\Steve\AppData\Roaming\PeerNetworking
2008-04-22 11:06 --------- d-----w C:\Users\Steve\AppData\Roaming\UseNeXT
2008-04-21 14:20 --------- d-----w C:\Program Files\Windows Mail
2008-04-21 13:21 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-04-21 13:21 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-04-21 13:20 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-04-21 13:20 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-04-21 13:19 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-04-21 13:19 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-21 13:19 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-21 13:19 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-04-21 13:19 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-04-21 13:19 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-04-21 13:19 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-04-21 13:18 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-04-21 13:18 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-04-21 13:18 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-04-21 13:18 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-04-21 13:18 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-04-21 13:17 1,585,664 ----a-w C:\Windows\System32\setupapi.dll
2008-04-21 13:13 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-21 13:13 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-21 13:12 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-04-21 13:12 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-04-21 13:12 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-04-21 13:12 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-04-21 13:12 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-04-21 13:12 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-04-21 13:12 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-04-21 13:07 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-21 13:07 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-21 13:06 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-21 13:06 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-21 13:05 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-21 13:05 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-21 13:04 99,840 ----a-w C:\Windows\System32\poqexec.exe
2008-04-21 13:03 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-04-12 14:10 --------- d-----w C:\Program Files\Google
2008-03-28 08:25 --------- d-----w C:\Program Files\Real
2008-03-28 08:25 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-28 08:25 --------- d-----w C:\Program Files\Common Files\Real
2008-03-04 09:11 --------- d-----w C:\Users\Steve\AppData\Roaming\tastephotobook
2007-12-14 09:39 174 --sha-w C:\Program Files\desktop.ini
2007-08-29 20:32 486 ----a-w C:\Users\Steve\AppData\Roaming\wklnhst.dat
2007-07-07 17:01 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-07-07 17:01 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-07-07 17:01 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-12-14 08:01 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-14 08:01 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-14 08:01 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
Code:
----a-w            65,536 2008-04-28 18:19:20  C:\hp\KBD\KbdStub .EXE
----a-w            65,536 2008-04-28 18:19:20  C:\hp\support\hpsysdrv .exe
----a-w           227,914 2008-01-21 08:57:23  C:\Users\Steve\AppData\Local\Plaxo\2.13.1.2\PlaxoHelper .exe
----a-w           227,914 2008-04-28 18:19:22  C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper .exe

((((((((((((((((((((((((((((( snapshot@2008-04-28_19.55.34.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 18:17:38 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-29 07:38:34 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-28 18:17:39 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-29 07:38:34 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-28 18:17:39 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-29 07:38:34 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-28 18:20:11 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-29 07:40:56 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-28 18:19:55 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-29 07:40:03 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-29 07:40:03 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-04-28 18:26:12 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-29 07:41:45 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-28 18:19:47 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-29 07:39:58 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-29 07:39:58 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-28 18:20:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-29 07:40:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-28 18:20:11 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 07:40:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-28 18:20:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-29 07:40:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-28 18:24:12 108,122 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-29 07:43:44 108,122 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-28 18:24:13 622,906 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-29 07:43:44 622,906 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-28 18:20:41 7,426 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2341186625-856785702-1674014298-1001_UserData.bin
+ 2008-04-29 07:40:27 7,478 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2341186625-856785702-1674014298-1001_UserData.bin
- 2008-04-28 18:20:40 53,426 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-29 07:40:27 53,852 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-27 08:44:21 40,544 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-29 07:24:50 40,970 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 09:43 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-07-14 01:41 20034600]
"PlaxoUpdate"="C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper.exe" [ ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-15 12:37 120320]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"BMdf7340f4"="C:\Users\Steve\AppData\Local\Temp\vylwjlia.dll" [2008-04-29 08:11 104000]
"cmds"="C:\Users\Steve\AppData\Local\Temp\qopmm.dll" [2008-04-29 08:11 281600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-17 13:08 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [ ]
"KBD"="C:\HP\KBD\KbdStub.EXE" [ ]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 11:57 3784704 C:\Windows\RtHDVCpl.exe]
"CCUTRAYICON"="FactoryMode" []
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"PrinTray"="C:\Windows\system32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-05 03:18 36864]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-19 18:11 151552]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-03-12 20:37 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-03-12 20:37 7770112]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-03-12 20:37 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 14:21 94208]
"MSServer"="C:\Windows\system32\awtqrqq.dll" [2008-01-04 11:32 38912]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 09:25 185896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-02-25 16:30:44 884840]
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2005-10-14 07:25:00 3719168]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CDE34FC5-73EA-4818-9508-2928B53C4BE4}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{3776C7A8-862A-45F7-BD61-F08AC151CD9E}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{15B321F5-1194-4CBA-AE55-9DEE5E9D18A0}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{73946F73-5F1F-405C-A60E-D1DF0160E1F8}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{B2DCA032-AE64-4E3E-985B-9E54EA1CC159}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{F2BF92B1-0238-41C7-9901-EA6FB6811EDC}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{08A19991-92F7-469C-B7CF-581FA9942774}"= TCP:9442:127.0.0.1:Intel(R) Viiv(TM) Media Server Discovery
"{84701E6F-1D21-4E42-93F8-F4A729CD57DE}"= TCP:1900:LocalSubnet:LocalSubnet:Intel(R) Viiv(TM) Media Server UPnP Discovery
"{28206843-FD7C-4EBF-A5C8-88486E71F4C7}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{5EF9F198-A07C-4962-BD96-FDCE87A0A827}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{F541911E-54A5-4AE1-8777-25BA4453A56D}C:\\program files\\intervideo\\dvd8\\windvd.exe"= UDP:C:\program files\intervideo\dvd8\windvd.exe:WinDVD
"UDP Query User{CB777368-D5BC-4ADD-8B11-465F46A403AD}C:\\program files\\intervideo\\dvd8\\windvd.exe"= TCP:C:\program files\intervideo\dvd8\windvd.exe:WinDVD
"{46634F2C-0858-44B3-9207-3276B4C1BE05}"= Disabled:UDP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{C352959F-5140-4B38-8544-7C769474EEC9}"= Disabled:TCP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"TCP Query User{AB1CF712-2D1E-457D-9DBF-BCD457AD37FB}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{5E49E8F1-0F0E-4D03-A7CD-8A01FC1C0CEC}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2006-09-03 19:32]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\Windows\system32\DRIVERS\WG11TND5.sys [2005-09-05 04:21]
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [2006-05-10 18:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 16:50:40 C:\Windows\Tasks\User_Feed_Synchronization-{5EB7044A-9160-40A7-B57E-7482E56EBD81}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 08:53:53
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Steve\AppData\Local\Temp\dclrttwr.dll
-> C:\Users\Steve\AppData\Local\Temp\vylwjlia.dll
-> C:\Users\Steve\AppData\Local\Temp\qopmm.dll
-> C:\PROGRA~1\Google\GOOGLE~2\GOOGLE~3.DLL
.
Completion time: 2008-04-29 9:09:44
ComboFix-quarantined-files.txt 2008-04-29 08:09:36
ComboFix2.txt 2008-04-28 18:56:02

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

204 --- E O F --- 2008-04-21 13:21:40


The HijackThis file is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:20:12, on 29/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\spool\drivers\w32x86\3\printray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\rundll32.exe
C:\Windows\Explorer.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Users\Steve\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link....google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PrinTray] C:\Windows\system32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtqrqq.dll,#1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Users\Steve\AppData\Local\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Steve\AppData\Local\Temp\qopmm.dll,c
O4 - HKCU\..\Run: [BMdf7340f4] Rundll32.exe "C:\Users\Steve\AppData\Local\Temp\vylwjlia.dll",s
O4 - HKCU\..\Run: [dc407368] rundll32.exe "C:\Users\Steve\AppData\Local\Temp\dclrttwr.dll",b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8099 bytes
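The log above contains the two patterns an analyst looks for in this kind of infection: O4 Run entries that use rundll32.exe to load DLLs out of the user's Temp folder with ordinal or single-letter exports, and O17 NameServer entries pointing DNS at resolvers the owner never configured. The following Python scanner is an added example, not part of the thread and not code from the HijackThis or ComboFix projects; it applies those two checks to HijackThis-format lines. The sample lines are constructed from the entries in the log above plus one made-up clean O17 line, and the trusted-resolver allow-list is an assumption that a defender would replace with their own DNS servers.

```python
"""Flag HijackThis O4/O17 entries matching the pattern seen in this thread.

Heuristics (assumptions of this example, not rules from HijackThis itself):
  * O4 Run entries that use rundll32.exe to load a DLL from a Temp folder
  * O4 rundll32 entries whose export is an ordinal (#1) or a single letter
  * O17 NameServer entries pointing at resolvers outside an allow-list
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "rundll32.exe <rest>" in any capitalisation, optionally quoted
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<rest>.*)$', re.IGNORECASE)
# <dll path>,<export>  (path may be quoted)
DLL_RE = re.compile(r'^"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
TEMP_RE = re.compile(r'\\(?:Temp|Tmp)\\', re.IGNORECASE)
ODD_EXPORT_RE = re.compile(r'#\d+|[A-Za-z]')           # "#1", "c", "s", "b"
O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')


@dataclass
class Finding:
    line_no: int
    kind: str                      # "O4" or "O17"
    subject: str                   # DLL path or the resolver list
    reasons: list = field(default_factory=list)


def scan_hjt(text: str, trusted_resolvers: set[str]) -> list[Finding]:
    """Return one Finding per suspicious O4/O17 line in a HijackThis log."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if not r:
                continue                       # not a rundll32 launcher
            d = DLL_RE.match(r.group("rest"))
            if not d:
                continue                       # no "<dll>,<export>" pair
            reasons = []
            if TEMP_RE.search(d.group("dll")):
                reasons.append("DLL loaded from a Temp folder")
            if ODD_EXPORT_RE.fullmatch(d.group("export")):
                reasons.append(f"export '{d.group('export')}' is an ordinal or single letter")
            if reasons:
                findings.append(Finding(line_no, "O4", d.group("dll"), reasons))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[\s,]+", m.group("servers").strip()) if s]
            rogue = [s for s in servers if s not in trusted_resolvers]
            if rogue:
                findings.append(Finding(line_no, "O17", " ".join(servers),
                                        [f"resolver {s} not in allow-list" for s in rogue]))
    return findings


# Constructed sample: lines taken from the log in this thread plus one made-up
# clean O17 line (192.168.1.1) so the allow-list path is exercised too.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtqrqq.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Steve\AppData\Local\Temp\qopmm.dll,c
O4 - HKCU\..\Run: [BMdf7340f4] Rundll32.exe "C:\Users\Steve\AppData\Local\Temp\vylwjlia.dll",s
O4 - HKCU\..\Run: [dc407368] rundll32.exe "C:\Users\Steve\AppData\Local\Temp\dclrttwr.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
""".strip()

# Assumption: the resolvers this machine is supposed to use (here the home router).
TRUSTED_RESOLVERS = {"192.168.1.1"}

if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_LOG, TRUSTED_RESOLVERS):
        print(f"line {f.line_no} [{f.kind}] {f.subject}: {'; '.join(f.reasons)}")
```

Run against the sample, the scanner reports the MSServer, cmds, BMdf7340f4 and dc407368 entries and the CCS NameServer line, while the NVIDIA rundll32 entry and the clean O17 line pass, which matches the items Pancake singles out for removal.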
Old 04-29-2008, 01:54 AM   #8 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: vista


Re: Reply to thread 'Win32/Fotomoto malware'

In addition to the latest HijackThis and ComboFix logs, I should probably also mention the following two new symptoms, which appear to have occurred since I ran the last logs:

1. Internet Explorer does not load at all in the foreground, although ieuser.exe and iexplore.exe load in the Windows Task Manager box.
2. Mozilla Firefox loads but the Google search bar does not return results. I can navigate to most pages (not all) via the Navigation Toolbar though.
3. Specifically, I cannot navigate to Yahoo and I cannot use the Google search bar.

Please help....

Steve
Old 04-29-2008, 03:43 PM   #9 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3


Re: Reply to thread 'Win32/Fotomoto malware'

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.


O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtqrqq.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Steve\AppData\Local\Temp\qopmm.dll,c
O4 - HKCU\..\Run: [BMdf7340f4] Rundll32.exe "C:\Users\Steve\AppData\Local\Temp\vylwjlia.dll",s
O4 - HKCU\..\Run: [dc407368] rundll32.exe "C:\Users\Steve\AppData\Local\Temp\dclrttwr.dll",b
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.233

Reboot....

=============================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:
Renv::
----a-w            65,536 2008-04-28 18:19:20  C:\hp\KBD\KbdStub .EXE
----a-w            65,536 2008-04-28 18:19:20  C:\hp\support\hpsysdrv .exe
----a-w           227,914 2008-01-21 08:57:23  C:\Users\Steve\AppData\Local\Plaxo\2.13.1.2\PlaxoHelper .exe
----a-w           227,91