Resolved HJT Threads Resolved spyware and popup issues.
Old 06-14-2008, 09:49 AM   #1 (permalink)
Registered User
 
 
Join Date: May 2005
Posts: 35
OS: XP


2nd thread, malware: blue screen, bugs & more

Hello,

I had previously posted a thread about some problems, but didn't receive a reply, so the moderator/analyst amateur removed it for me (THANK YOU!!!) so I could start again (I uninstalled everything and started over) & run new logs.

I previously was able to run almost all 5 steps. I couldn't download SpywareBlaster last time, could only run it from a flash drive. This time, I can't even do that. Any program or word or file containing the word "spyware" shuts down as soon as you attempt to access it, including browser windows. I also updated everything for XP except SP3. Is that advised? It failed last time, repeatedly, so I didn't try this time.

And this time when I ran Deckard there was no file anywhere called extra.txt that I attached previously to my old thread.

I found the bugs screensaver, but have not been able to find the virus/malware, whichever is causing all the problems: we have a blue screen, disabled display settings (no desktop or screensaver tabs) on all XP administrator accts and at times, military time is showing.

Other problems: upon restart my own acct (no blue screen yet on mine), was completely disabled, said it was in use by another process, and when it let me in, it was a fresh new XP acct, all my settings gone. I was able to get it back after logging on & off a couple times. Something is also trying to install unknown hardware. I've refused.

I hope this is specific enough. I am posting the one log I was able to retrieve. Please let me know what other info I can offer.
-----------------------------

Deckard's System Scanner v20071014.68
Run by CHRISTOPHER on 2008-06-14 11:37:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-14 11:37:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\Documents and Settings\CHRISTOPHER\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [User Themes] C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcq_device - Unknown owner - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe


--
End of file - 5886 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-13 07:29:52 0 dr-h----- C:\Documents and Settings\CHRISTOPHER\Recent
2008-06-13 0717 47360 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-06-13 0716 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Vso
2008-06-05 14:50:33 0 d-------- C:\Documents and Settings\GENEVIEVE\Application Data\ESET
2008-06-05 14:39:06 0 d-------- C:\Documents and Settings\LAURYN\Application Data\ESET
2008-06-05 06:39:32 0 d-------- C:\Program Files\MSXML 6.0
2008-06-05 06:22:50 0 d-------- C:\Documents and Settings\BRITTNEY\Application Data\ESET
2008-06-04 17:41:52 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\ESET
2008-06-04 17:41:00 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 17:39:00 0 d-------- C:\Program Files\iPod
2008-06-04 17:38:52 0 d-------- C:\Program Files\iTunes
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\system32\scripting
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\system32\en
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\system32\bits
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\l2schemas
2008-06-04 14:45:16 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-04 14:42:56 0 d-------- C:\WINDOWS\network diagnostic
2008-06-04 14:39:34 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 14:38:52 15360 --a------ C:\WINDOWS\system32\asfsipc.dll <Not Verified; Microsoft Corporation; Microsoft (R) DRM>
2008-06-04 14:38:28 0 d-------- C:\WINDOWS\EHome
2008-06-04 14:32:53 7680 --a------ C:\WINDOWS\system32\spdwnwxp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 14:23:38 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 10:20:51 0 d-------- C:\Program Files\Panda Security
2008-06-03 23:25:26 0 d-------- C:\Program Files\Enigma Software Group
2008-06-03 21:11:10 0 d-------- C:\Documents and Settings\GENEVIEVE\Application Data\SUPERAntiSpyware.com
2008-06-03 21:11:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 20:56:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-18 12:31:14 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\HPAppData


-- Find3M Report ---------------------------------------------------------------

2008-06-14 00:34:12 0 d-------- C:\Program Files\D-Link Media Server
2008-06-13 07:11:30 0 d-------- C:\Program Files\Qualcomm
2008-06-13 0718 33 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.log
2008-06-13 0717 1144 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.inf
2008-06-13 0717 7824 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.cat
2008-06-12 12:39:38 0 d-------- C:\Program Files\BitLord
2008-06-10 19:41:56 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\.purple
2008-06-05 06:21:08 0 d-------- C:\Program Files\Apple Software Update
2008-06-04 17:37:49 0 d-------- C:\Program Files\QuickTime
2008-06-04 17:36:28 0 d-------- C:\Program Files\Java
2008-06-04 15:03:23 0 d-------- C:\Program Files\Windows NT
2008-06-04 15:03:22 0 d-------- C:\Program Files\Movie Maker
2008-06-04 15:03:21 0 d-------- C:\Program Files\Messenger
2008-06-03 23:35:47 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-03 20:51:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 20:33:49 3168 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-03 20:13:08 0 d-------- C:\Program Files\The Learning Company
2008-06-03 20:07:59 0 d-------- C:\Program Files\GameHouse
2008-06-03 20:03:07 0 d-------- C:\Program Files\PopCap Games
2008-05-26 18:18:44 0 d-------- C:\Program Files\dl_Cats
2008-05-20 06:41:18 0 d-------- C:\Program Files\Picasa2
2008-05-18 14:42:11 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent
2008-05-01 06:28:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-30 09:05:10 85 --a------ C:\WINDOWS\popcinfo.dat
2008-04-29 12:33:37 137447 --a------ C:\WINDOWS\HPHins15.dat
2008-04-29 12:29:29 0 d-------- C:\Program Files\HP
2008-04-29 12:26:29 0 d-------- C:\Program Files\Common Files
2008-04-29 12:26:29 0 d-------- C:\Program Files\Common Files\HP
2008-04-22 18:03:04 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Adobe
2008-04-15 00:04:03 0 d-------- C:\Program Files\ItsDeductible2006
2008-03-18 19:36:14 36734 --a------ C:\WINDOWS\system32\OggDSuninst.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"User Themes"="C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe" [08/16/2007 11:40 PM]
"WD Button Manager"="WDBtnMgr.exe" [03/18/2007 07:59 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/07/2007 04:24 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 05:24 PM]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [08/19/2003 11:43 AM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [02/07/2007 04:21 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 11:35 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 11:36 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 11:32 AM]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [12/12/2006 04:22 AM]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [01/12/2007 01:21 PM]
"CmPCIaudio"="CMICNFG3.CPL" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [12/21/2007 08:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3b6ae5-416c-11dc-a119-0016e665bbdc}]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-06-14 11:38:56 ------------
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.

Last edited by mrskoz; 06-14-2008 at 09:57 AM.
mrskoz is offline  
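Two things stand out in the log above for a defender: a file named SVCHOST.EXE running from a folder under Program Files rather than system32, and the HKCU policy values NoDispBackgroundPage and NoDispScrSavPage set to 1, which explains the missing Desktop and Screen Saver tabs. The following Python script is an added example, not part of the thread or of DSS/HijackThis; it applies exactly those two checks to an HJT-style log. The SYSTEM_BINARIES table is an assumed list of XP binaries that should only run from the Windows directory, and SAMPLE_LOG is constructed from a few lines of the log above.

```python
import re

# Assumed table: binaries that should only ever run from the Windows system
# directory on XP. A copy anywhere else, like the SVCHOST.EXE under "DADDYKOZ"
# in the log above, is a classic masquerading trick and deserves a closer look.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Policy values that hide pages of the Display control panel when set to 1;
# the registry dump above shows two of them switched on under HKCU.
DISPLAY_POLICIES = {"NoDispBackgroundPage", "NoDispScrSavPage",
                    "NoDispSettingsPage", "NoDispAppearancePage", "NoDispCPL"}

HJT_RE = re.compile(r"^[RO]\d+ - ")
O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
POLICY_RE = re.compile(r'^"(\w+)"=(\d+) \(0x[0-9a-fA-F]+\)$')

# Constructed sample: a short excerpt assembled from lines of the log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe

O4 - HKLM\..\Run: [User Themes] C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"NoDispSettingsPage"=0 (0x0)
"""


def command_image(command):
    """Pull the executable path out of an O4 (Run key) command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r".+?\.exe", command, re.IGNORECASE)
    return match.group(0) if match else command.split(" ")[0]


def check_image(path):
    """Return the expected directory when a system-binary name runs elsewhere."""
    path = path.strip()
    if "\\" not in path:
        return None  # bare file name: resolved via PATH, directory unknown
    directory, _, name = path.rpartition("\\")
    expected = SYSTEM_BINARIES.get(name.lower())
    if expected is None or directory.lower() == expected:
        return None
    return expected


def analyse_log(text):
    """Walk a DSS/HijackThis-style log and return a list of finding tuples."""
    findings = []
    section = None
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if HJT_RE.match(line):
            section = "hjt"
        key = KEY_RE.match(line)
        if key:  # registry dump section header
            section = "registry"
            current_key = key.group(1)
            continue
        if section == "processes":
            expected = check_image(line)
            if expected:
                findings.append(("masquerade", "process", line, expected))
        elif section == "hjt":
            entry = O4_RE.match(line)
            if entry:
                image = command_image(entry.group(3))
                expected = check_image(image)
                if expected:
                    findings.append(("masquerade", "O4 " + entry.group(2), image, expected))
        elif section == "registry" and current_key.lower().endswith(r"policies\system"):
            policy = POLICY_RE.match(line)
            if policy and policy.group(1) in DISPLAY_POLICIES and policy.group(2) == "1":
                hive = "HKLM" if current_key.upper().startswith("HKEY_LOCAL_MACHINE") else "HKCU"
                findings.append(("policy", hive, policy.group(1), current_key))
    return findings


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed excerpt it reports the misplaced SVCHOST twice (once as a running process, once as the "User Themes" Run entry) and the two HKCU display policies.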

Old 06-14-2008, 12:48 PM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

The extra.txt is only produced the first time DSS is run with its default settings. For now, we'll begin with ComboFix and we can get the extra.txt later.

Download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 06-14-2008, 02:26 PM   #3 (permalink)
Registered User
 
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Thank you for the quick response. I really appreciate that you all volunteer your time to help us all.

I had to run both programs twice... the first time ComboFix tried to reboot & create a log, I kept getting a pop-up for SVCHOST that a jpg dll was missing, and I needed to reinstall the program. The 2nd time I ran it, it went through okay.

HijackThis hung the first time through on something sounding like O15 enumeration? It ran the 2nd time through.

Below are the logs.

&&&&&&&&&&&&&&&&&&&&&&&&
ComboFix 08-06-12.2 - CHRISTOPHER 2008-06-14 16:10:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1551 [GMT -4:00]
Running from: C:\Documents and Settings\CHRISTOPHER\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\winhelp.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\_004266_.tmp.dll
C:\WINDOWS\system32\_004267_.tmp.dll
C:\WINDOWS\system32\_004268_.tmp.dll
C:\WINDOWS\system32\_004269_.tmp.dll
C:\WINDOWS\system32\_004276_.tmp.dll
C:\WINDOWS\system32\_004277_.tmp.dll
C:\WINDOWS\system32\_004278_.tmp.dll
C:\WINDOWS\system32\_004279_.tmp.dll
C:\WINDOWS\system32\_004281_.tmp.dll
C:\WINDOWS\system32\_004282_.tmp.dll
C:\WINDOWS\system32\_004285_.tmp.dll
C:\WINDOWS\system32\_004286_.tmp.dll
C:\WINDOWS\system32\_004288_.tmp.dll
C:\WINDOWS\system32\_004289_.tmp.dll
C:\WINDOWS\system32\_004290_.tmp.dll
C:\WINDOWS\system32\_004292_.tmp.dll
C:\WINDOWS\system32\_004295_.tmp.dll
C:\WINDOWS\system32\_004296_.tmp.dll
C:\WINDOWS\system32\_004300_.tmp.dll
C:\WINDOWS\system32\_004301_.tmp.dll
C:\WINDOWS\system32\_004303_.tmp.dll
C:\WINDOWS\system32\_004306_.tmp.dll
C:\WINDOWS\system32\_004308_.tmp.dll
C:\WINDOWS\system32\_004309_.tmp.dll
C:\WINDOWS\system32\_004310_.tmp.dll
C:\WINDOWS\system32\_004311_.tmp.dll
C:\WINDOWS\system32\_004312_.tmp.dll
C:\WINDOWS\system32\_004315_.tmp.dll
C:\WINDOWS\system32\_004316_.tmp.dll
C:\WINDOWS\system32\_004317_.tmp.dll
C:\WINDOWS\system32\_004318_.tmp.dll
C:\WINDOWS\system32\_004319_.tmp.dll
C:\WINDOWS\system32\_004324_.tmp.dll
C:\WINDOWS\system32\_004326_.tmp.dll
C:\WINDOWS\system32\_004327_.tmp.dll
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ijl11pro.dll
C:\WINDOWS\winhelp.ini
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 11:37 . 2008-06-14 11:37 <DIR> d-------- C:\Deckard
2008-06-13 07:06 . 2008-06-13 07:06 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Vso
2008-06-13 07:06 . 2008-06-13 07:06 87,608 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\ezpinst.exe
2008-06-13 07:06 . 2008-06-13 07:06 47,360 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.sys
2008-06-12 03:02 . 2008-06-12 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 22:50 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:50 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 05:38 . 2008-06-06 17:27 52,736 --a------ C:\WINDOWS\system32\71.tmp
2008-06-05 14:50 . 2008-06-05 14:50 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\ESET
2008-06-05 14:39 . 2008-06-05 14:39 <DIR> d-------- C:\Documents and Settings\LAURYN\Application Data\ESET
2008-06-05 06:39 . 2008-06-05 06:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-05 06:22 . 2008-06-05 06:22 <DIR> d-------- C:\Documents and Settings\BRITTNEY\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Program Files\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 17:39 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iPod
2008-06-04 17:39 . 2008-06-14 16:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-04 17:39 . 2008-06-04 17:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 17:38 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-06-04 15:20 . 2008-06-04 15:20 392 --a------ C:\sslist.sss
2008-06-04 15:19 . 2008-06-04 15:20 21,976 --a------ C:\ssave0.sss
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-04 14:46 . 2008-06-04 15:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-04 14:45 . 2008-06-04 14:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-04 14:39 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-06-04 14:38 . 2008-06-04 14:38 <DIR> d-------- C:\WINDOWS\EHome
2008-06-04 14:38 . 2004-08-04 02:58 2,012,670 --------- C:\WINDOWS\nt5.cat
2008-06-04 14:38 . 2001-03-02 20:52 15,360 --a------ C:\WINDOWS\system32\asfsipc.dll
2008-06-04 14:32 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET278.tmp
2008-06-04 14:23 . 2008-06-04 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 10:20 . 2008-06-04 10:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 23:25 . 2008-06-03 23:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\SUPERAntiSpyware.com
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 22:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-18 12:31 . 2008-05-18 12:31 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\HPAppData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 04:34 --------- d-----w C:\Program Files\D-Link Media Server
2008-06-13 11:11 --------- d-----w C:\Program Files\Qualcomm
2008-06-12 21:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 16:39 --------- d-----w C:\Program Files\BitLord
2008-06-10 23:41 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\.purple
2008-06-05 10:21 --------- d-----w C:\Program Files\Apple Software Update
2008-06-04 21:37 --------- d-----w C:\Program Files\QuickTime
2008-06-04 21:36 --------- d-----w C:\Program Files\Java
2008-06-04 03:35 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 00:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:33 3,168 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-04 00:13 --------- d-----w C:\Program Files\The Learning Company
2008-06-04 00:07 --------- d-----w C:\Program Files\GameHouse
2008-06-04 00:03 --------- d-----w C:\Program Files\PopCap Games
2008-06-01 20:24 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\.purple
2008-05-27 22:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\uTorrent
2008-05-26 22:18 --------- d-----w C:\Program Files\dl_Cats
2008-05-20 10:41 --------- d-----w C:\Program Files\Picasa2
2008-05-18 18:42 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent
2008-05-15 13:16 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\HPAppData
2008-05-12 17:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\.purple
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 10:35 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\HPAppData
2008-04-29 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-29 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-29 16:29 --------- d-----w C:\Program Files\HP
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-29 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-29 16:26 --------- d-----w C:\Program Files\Common Files\HP
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-15 04:04 --------- d-----w C:\Program Files\ItsDeductible2006
2008-04-14 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-14 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-14 00:15 218,134 ----a-w C:\WINDOWS\AppPatch\SET5B0.tmp
2008-04-14 00:15 204,396 ----a-w C:\WINDOWS\AppPatch\SET5AF.tmp
2008-04-14 00:15 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET5AE.tmp
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\SET35C.tmp
2008-04-14 00:09 16,896 ----a-w C:\WINDOWS\system32\SET498.tmp
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\SET29D.tmp
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\SET41A.tmp
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\SET2EF.tmp
2008-04-13 17:26 90,112 ----a-w C:\WINDOWS\system32\SET25B.tmp
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\SET36A.tmp
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\SET2EC.tmp
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\SET345.tmp
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\SET4A8.tmp
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\SET27A.tmp
2008-04-13 16:26 1,351,168 ----a-w C:\WINDOWS\system32\SET357.tmp
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\SET341.tmp
2008-04-13 15:42 16,896 ----a-w C:\WINDOWS\system32\SET24A.tmp
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\SET34D.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 21:16 25,840 ----a-w C:\Documents and Settings\BRITTNEY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-18 23:36 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-07-16 15:20 27,016 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\GDIPFONTCACHEV1.DAT
2007-04-17 01:39 87,608 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\ezpinst.exe
2007-04-17 01:39 47,360 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\pcouffin.sys
2007-11-29 15:54 56 --sh--r C:\WINDOWS\system32\8F26DE8530.sys
2007-11-29 15:54 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 00:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2006-12-19 10:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB929338_0$\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"User Themes"="C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-18 19:59 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-12-12 04:22 312200]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 13:21 292336]
"CmPCIaudio"="CMICNFG3.CPL" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 18:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"=
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\dlcqcoms.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys []
S3 RTIUSB;RTI USB Driver;C:\WINDOWS\system32\Drivers\RTIusb.sys [2005-09-30 16:04]
S4 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3b6ae5-416c-11dc-a119-0016e665bbdc}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 12:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 16:12:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-06-14 16:13:34
ComboFix-quarantined-files.txt 2008-06-14 20:13:20

Pre-Run: 38,149,578,752 bytes free
Post-Run: 38,136,213,504 bytes free

284 --- E O F --- 2008-06-12 07:02:45
**********************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:31 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [User Themes] C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 4865 bytes
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.
Old 06-14-2008, 02:45 PM   #4
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Well done.

Quote:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Now, let's get the Recovery Console installed before we go ahead with further cleaning.

Go to Microsoft's website =====> http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System, which is Windows XP Home Edition Service Pack 2 in your case.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post C:\ComboFix.txt.
__________________
My services are free. However, you can donate to TSF to help keep it running.

Member of ASAP since 2005
Member of UNITE since 2006
Old 06-14-2008, 02:59 PM   #5
Registered User
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi, hope I did this right. ;)
-------------------------


ComboFix 08-06-12.2 - CHRISTOPHER 2008-06-14 16:53:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1537 [GMT -4:00]
Running from: C:\Documents and Settings\CHRISTOPHER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CHRISTOPHER\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 16:17 . 2008-06-14 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 11:37 . 2008-06-14 11:37 <DIR> d-------- C:\Deckard
2008-06-13 07:06 . 2008-06-13 07:06 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Vso
2008-06-13 07:06 . 2008-06-13 07:06 87,608 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\ezpinst.exe
2008-06-13 07:06 . 2008-06-13 07:06 47,360 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.sys
2008-06-12 03:02 . 2008-06-12 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 22:50 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:50 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 05:38 . 2008-06-06 17:27 52,736 --a------ C:\WINDOWS\system32\71.tmp
2008-06-05 14:50 . 2008-06-05 14:50 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\ESET
2008-06-05 14:39 . 2008-06-05 14:39 <DIR> d-------- C:\Documents and Settings\LAURYN\Application Data\ESET
2008-06-05 06:39 . 2008-06-05 06:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-05 06:22 . 2008-06-05 06:22 <DIR> d-------- C:\Documents and Settings\BRITTNEY\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Program Files\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 17:39 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iPod
2008-06-04 17:39 . 2008-06-14 16:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-04 17:39 . 2008-06-04 17:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 17:38 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-06-04 15:20 . 2008-06-04 15:20 392 --a------ C:\sslist.sss
2008-06-04 15:19 . 2008-06-04 15:20 21,976 --a------ C:\ssave0.sss
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-04 14:46 . 2008-06-04 15:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-04 14:45 . 2008-06-04 14:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-04 14:39 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-06-04 14:38 . 2008-06-04 14:38 <DIR> d-------- C:\WINDOWS\EHome
2008-06-04 14:38 . 2004-08-04 02:58 2,012,670 --------- C:\WINDOWS\nt5.cat
2008-06-04 14:38 . 2001-03-02 20:52 15,360 --a------ C:\WINDOWS\system32\asfsipc.dll
2008-06-04 14:32 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET278.tmp
2008-06-04 14:23 . 2008-06-04 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 10:20 . 2008-06-04 10:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 23:25 . 2008-06-03 23:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\SUPERAntiSpyware.com
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 22:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-18 12:31 . 2008-05-18 12:31 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\HPAppData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 04:34 --------- d-----w C:\Program Files\D-Link Media Server
2008-06-13 11:11 --------- d-----w C:\Program Files\Qualcomm
2008-06-12 21:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 16:39 --------- d-----w C:\Program Files\BitLord
2008-06-10 23:41 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\.purple
2008-06-05 10:21 --------- d-----w C:\Program Files\Apple Software Update
2008-06-04 21:37 --------- d-----w C:\Program Files\QuickTime
2008-06-04 21:36 --------- d-----w C:\Program Files\Java
2008-06-04 03:35 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 00:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:33 3,168 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-04 00:13 --------- d-----w C:\Program Files\The Learning Company
2008-06-04 00:07 --------- d-----w C:\Program Files\GameHouse
2008-06-04 00:03 --------- d-----w C:\Program Files\PopCap Games
2008-06-01 20:24 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\.purple
2008-05-27 22:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\uTorrent
2008-05-26 22:18 --------- d-----w C:\Program Files\dl_Cats
2008-05-20 10:41 --------- d-----w C:\Program Files\Picasa2
2008-05-18 18:42 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent
2008-05-15 13:16 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\HPAppData
2008-05-12 17:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\.purple
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 10:35 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\HPAppData
2008-04-29 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-29 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-29 16:29 --------- d-----w C:\Program Files\HP
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-29 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-29 16:26 --------- d-----w C:\Program Files\Common Files\HP
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-15 04:04 --------- d-----w C:\Program Files\ItsDeductible2006
2008-04-14 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-14 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-14 00:15 218,134 ----a-w C:\WINDOWS\AppPatch\SET5B0.tmp
2008-04-14 00:15 204,396 ----a-w C:\WINDOWS\AppPatch\SET5AF.tmp
2008-04-14 00:15 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET5AE.tmp
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\SET35C.tmp
2008-04-14 00:09 16,896 ----a-w C:\WINDOWS\system32\SET498.tmp
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\SET29D.tmp
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\SET41A.tmp
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\SET2EF.tmp
2008-04-13 17:26 90,112 ----a-w C:\WINDOWS\system32\SET25B.tmp
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\SET36A.tmp
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\SET2EC.tmp
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\SET345.tmp
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\SET4A8.tmp
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\SET27A.tmp
2008-04-13 16:26 1,351,168 ----a-w C:\WINDOWS\system32\SET357.tmp
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\SET341.tmp
2008-04-13 15:42 16,896 ----a-w C:\WINDOWS\system32\SET24A.tmp
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\SET34D.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 21:16 25,840 ----a-w C:\Documents and Settings\BRITTNEY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-18 23:36 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-07-16 15:20 27,016 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\GDIPFONTCACHEV1.DAT
2007-04-17 01:39 87,608 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\ezpinst.exe
2007-04-17 01:39 47,360 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\pcouffin.sys
2007-11-29 15:54 56 --sh--r C:\WINDOWS\system32\8F26DE8530.sys
2007-11-29 15:54 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 00:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2006-12-19 10:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB929338_0$\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"User Themes"="C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-18 19:59 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-12-12 04:22 312200]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 13:21 292336]
"CmPCIaudio"="CMICNFG3.CPL" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 18:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"=
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\dlcqcoms.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys []
S3 RTIUSB;RTI USB Driver;C:\WINDOWS\system32\Drivers\RTIusb.sys [2005-09-30 16:04]
S4 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3b6ae5-416c-11dc-a119-0016e665bbdc}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 12:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 16:54:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-06-14 16:56:05
ComboFix-quarantined-files.txt 2008-06-14 20:55:48
ComboFix2.txt 2008-06-14 20:13:35

Pre-Run: 38,116,339,712 bytes free
Post-Run: 38,103,732,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

241 --- E O F --- 2008-06-12 07:02:45
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.
mrskoz is offline  
Old 06-14-2008, 03:10 PM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Yes, you did it right.

It's going to take me some time to go through your logs now. Will be back when I'm ready to post you some new instructions.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 06-14-2008, 03:12 PM   #7 (permalink)
Registered User
 
mrskoz's Avatar
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Fantastic. Again, I appreciate your time very much.
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.
mrskoz is offline  
Old 06-14-2008, 04:06 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi again,

I see some reference to uTorrent and BitLord, which are p2p file sharing programs. I would like to warn you that the nature of P2P filesharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple: file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft.
I recommend very strongly that you remove them from your system via Add/Remove Programs in Control Panel.

Delete their associated folders too if you removed them. You can use Windows Explorer (right click on Start, click on Explore) to navigate and locate them.

C:\Program Files\uTorrent
C:\Program Files\BitLord

===========================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

===========================
  • Open Notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop
(It must be notepad, not wordpad, or it won't work):

Code:
File::
C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys
C:\WINDOWS\system32\71.tmp
C:\WINDOWS\AppPatch\SET5B0.tmp
C:\WINDOWS\AppPatch\SET5AF.tmp
C:\WINDOWS\AppPatch\SET5AE.tmp
C:\WINDOWS\system32\SET35C.tmp
C:\WINDOWS\system32\SET498.tmp
C:\WINDOWS\system32\SET29D.tmp
C:\WINDOWS\system32\SET41A.tmp
C:\WINDOWS\system32\SET2EF.tmp
C:\WINDOWS\system32\SET25B.tmp
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET2EC.tmp
C:\WINDOWS\system32\SET345.tmp
C:\WINDOWS\system32\SET4A8.tmp
C:\WINDOWS\system32\SET27A.tmp
C:\WINDOWS\system32\SET357.tmp
C:\WINDOWS\system32\SET341.tmp
C:\WINDOWS\system32\SET24A.tmp
C:\WINDOWS\system32\SET34D.tmp
C:\WINDOWS\system32\SET278.tmp

Folder::
C:\Program Files\Enigma Software Group

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"User Themes"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=-

Driver::
DMSKSSRh
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
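The CFScript above is a small declarative format: a `Section::` header followed by one entry per line, with `"name"=-` under a `[key]` in `Registry::` meaning "delete this value". The parser below is an added example, not part of the original post or of ComboFix; it turns such a script into a structured removal plan and cross-checks that each `Driver::` name also has its `.sys` image listed under `File::`. The sample script is a constructed, shortened copy of the one in the post (it keeps the unquoted uTorrent value name on purpose, so the parser shows how to tolerate it).

```python
"""Parse a ComboFix-style CFScript into a structured removal plan.

Added example (not ComboFix's own code). Section names and the "value"=-
deletion syntax follow the script posted in the thread above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: shortened copy of the CFScript from the post above.
SAMPLE_CFSCRIPT = r"""File::
C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys
C:\WINDOWS\system32\71.tmp
C:\WINDOWS\AppPatch\SET5B0.tmp

Folder::
C:\Program Files\Enigma Software Group

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"User Themes"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
C:\\Program Files\\uTorrent\\utorrent.exe"=-

Driver::
DMSKSSRh
"""


@dataclass
class RemovalPlan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    # (registry key, value name, action) where action is "delete" or "set"
    registry: list = field(default_factory=list)
    drivers: list = field(default_factory=list)


SECTION_RE = re.compile(r"^(\w+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
# Value line: optional opening quote, name, optional closing quote, '=', data.
# The optional quotes make the parser tolerate a missing leading quote.
REG_VALUE_RE = re.compile(r'^"?(.+?)"?\s*=\s*(.*)$')


def parse_cfscript(text: str) -> RemovalPlan:
    """Walk the script line by line, tracking the current section and key."""
    plan = RemovalPlan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "driver":
            plan.drivers.append(line)
        elif section == "registry":
            km = REG_KEY_RE.match(line)
            if km:
                current_key = km.group(1)
                continue
            if current_key is None:
                raise ValueError(f"registry value outside a [key]: {line!r}")
            vm = REG_VALUE_RE.match(line)
            if not vm:
                raise ValueError(f"unparseable registry line: {line!r}")
            name, data = vm.group(1), vm.group(2)
            action = "delete" if data == "-" else "set"
            # Value names in the firewall list are written with doubled backslashes.
            plan.registry.append((current_key, name.replace("\\\\", "\\"), action))
        else:
            raise ValueError(f"line before any section header: {line!r}")
    return plan


def driver_file_map(plan: RemovalPlan) -> dict:
    """Map each Driver:: name to the File:: entry holding its .sys image (or None).

    Splits on backslash by hand because these are Windows paths and the
    script may be inspected on any OS.
    """
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in plan.files}
    return {d: by_name.get(d.lower() + ".sys") for d in plan.drivers}


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"{len(plan.files)} files, {len(plan.folders)} folders, "
          f"{len(plan.registry)} registry actions, {len(plan.drivers)} drivers")
    for drv, path in driver_file_map(plan).items():
        print(f"driver {drv}: image {'listed at ' + path if path else 'NOT listed'}")
```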
Old 06-14-2008, 04:53 PM   #9 (permalink)
Registered User
 
mrskoz's Avatar
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Wow that was eye-opening, thank you.
BitLord was removed some time ago.. but yes the folder was there.

Utorrent however, was on there twice, which was strange. I should have been more careful with that being that I am the one who put it on here for educational purposes (the moms' forum for homeschool & educational/games swap), but I am not the only one who lives here, so I was fine to remove it considering what I've been dealing with now for 2 weeks.

Here is the new log:
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

ComboFix 08-06-12.2 - CHRISTOPHER 2008-06-14 18:35:40.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1556 [GMT -4:00]
Running from: C:\Documents and Settings\CHRISTOPHER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CHRISTOPHER\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys
C:\WINDOWS\AppPatch\SET5AE.tmp
C:\WINDOWS\AppPatch\SET5AF.tmp
C:\WINDOWS\AppPatch\SET5B0.tmp
C:\WINDOWS\system32\71.tmp
C:\WINDOWS\system32\SET24A.tmp
C:\WINDOWS\system32\SET25B.tmp
C:\WINDOWS\system32\SET278.tmp
C:\WINDOWS\system32\SET27A.tmp
C:\WINDOWS\system32\SET29D.tmp
C:\WINDOWS\system32\SET2EC.tmp
C:\WINDOWS\system32\SET2EF.tmp
C:\WINDOWS\system32\SET341.tmp
C:\WINDOWS\system32\SET345.tmp
C:\WINDOWS\system32\SET34D.tmp
C:\WINDOWS\system32\SET357.tmp
C:\WINDOWS\system32\SET35C.tmp
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET41A.tmp
C:\WINDOWS\system32\SET498.tmp
C:\WINDOWS\system32\SET4A8.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\ActiveKill.dll
C:\Program Files\Enigma Software Group\SpyHunter\ActiveXKill.dll
C:\Program Files\Enigma Software Group\SpyHunter\Language.dll
C:\Program Files\Enigma Software Group\SpyHunter\Options.dll
C:\Program Files\Enigma Software Group\SpyHunter\ProcessGuard.dll
C:\Program Files\Enigma Software Group\SpyHunter\RegistryGuard.dll
C:\Program Files\Enigma Software Group\SpyHunter\Scanner.dll
C:\Program Files\Enigma Software Group\SpyHunter\Scheduler.dll
C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.chm
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.skn
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
C:\Program Files\Enigma Software Group\SpyHunter\Updater.dll
C:\Program Files\Enigma Software Group\SpyHunter\whitelist.dat
C:\Program Files\Enigma Software Group\SpyHunter\WSAMonitor.dll
C:\WINDOWS\AppPatch\SET5AE.tmp
C:\WINDOWS\AppPatch\SET5AF.tmp
C:\WINDOWS\AppPatch\SET5B0.tmp
C:\WINDOWS\system32\71.tmp
C:\WINDOWS\system32\SET24A.tmp
C:\WINDOWS\system32\SET25B.tmp
C:\WINDOWS\system32\SET278.tmp
C:\WINDOWS\system32\SET27A.tmp
C:\WINDOWS\system32\SET29D.tmp
C:\WINDOWS\system32\SET2EC.tmp
C:\WINDOWS\system32\SET2EF.tmp
C:\WINDOWS\system32\SET341.tmp
C:\WINDOWS\system32\SET345.tmp
C:\WINDOWS\system32\SET34D.tmp
C:\WINDOWS\system32\SET357.tmp
C:\WINDOWS\system32\SET35C.tmp
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET41A.tmp
C:\WINDOWS\system32\SET498.tmp
C:\WINDOWS\system32\SET4A8.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 18:31 . 2008-06-14 18:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-14 18:31 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-14 16:17 . 2008-06-14 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 11:37 . 2008-06-14 11:37 <DIR> d-------- C:\Deckard
2008-06-13 07:06 . 2008-06-13 07:06 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Vso
2008-06-13 07:06 . 2008-06-13 07:06 87,608 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\ezpinst.exe
2008-06-13 07:06 . 2008-06-13 07:06 47,360 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.sys
2008-06-12 03:02 . 2008-06-12 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 22:50 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:50 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-05 14:50 . 2008-06-05 14:50 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\ESET
2008-06-05 14:39 . 2008-06-05 14:39 <DIR> d-------- C:\Documents and Settings\LAURYN\Application Data\ESET
2008-06-05 06:39 . 2008-06-05 06:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-05 06:22 . 2008-06-05 06:22 <DIR> d-------- C:\Documents and Settings\BRITTNEY\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Program Files\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 17:39 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iPod
2008-06-04 17:39 . 2008-06-14 18:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-04 17:39 . 2008-06-04 17:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 17:38 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-06-04 15:20 . 2008-06-04 15:20 392 --a------ C:\sslist.sss
2008-06-04 15:19 . 2008-06-04 15:20 21,976 --a------ C:\ssave0.sss
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-04 14:46 . 2008-06-04 15:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-04 14:45 . 2008-06-04 14:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-04 14:39 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-06-04 14:38 . 2008-06-04 14:38 <DIR> d-------- C:\WINDOWS\EHome
2008-06-04 14:38 . 2004-08-04 02:58 2,012,670 --------- C:\WINDOWS\nt5.cat
2008-06-04 14:38 . 2001-03-02 20:52 15,360 --a------ C:\WINDOWS\system32\asfsipc.dll
2008-06-04 14:32 . 2008-04-13 20:11 3,066,880 --a------ C:\WINDOWS\system32\SET358.tmp
2008-06-04 14:23 . 2008-06-04 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 10:20 . 2008-06-04 10:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\SUPERAntiSpyware.com
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 22:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-18 12:31 . 2008-05-18 12:31 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\HPAppData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 22:31 --------- d-----w C:\Program Files\Java
2008-06-14 04:34 --------- d-----w C:\Program Files\D-Link Media Server
2008-06-13 11:11 --------- d-----w C:\Program Files\Qualcomm
2008-06-12 21:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 23:41 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\.purple
2008-06-05 10:21 --------- d-----w C:\Program Files\Apple Software Update
2008-06-04 21:37 --------- d-----w C:\Program Files\QuickTime
2008-06-04 03:35 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 00:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:33 3,168 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-04 00:13 --------- d-----w C:\Program Files\The Learning Company
2008-06-04 00:07 --------- d-----w C:\Program Files\GameHouse
2008-06-04 00:03 --------- d-----w C:\Program Files\PopCap Games
2008-06-01 20:24 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\.purple
2008-05-27 22:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\uTorrent
2008-05-26 22:18 --------- d-----w C:\Program Files\dl_Cats
2008-05-20 10:41 --------- d-----w C:\Program Files\Picasa2
2008-05-18 18:42 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent
2008-05-15 13:16 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\HPAppData
2008-05-12 17:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\.purple
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 10:35 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\HPAppData
2008-04-29 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-29 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-29 16:29 --------- d-----w C:\Program Files\HP
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-29 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-29 16:26 --------- d-----w C:\Program Files\Common Files\HP
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-15 04:04 --------- d-----w C:\Program Files\ItsDeductible2006
2008-04-14 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-14 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-14 00:11 99,840 ----a-w C:\WINDOWS\system32\SET4C0.tmp
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 21:16 25,840 ----a-w C:\Documents and Settings\BRITTNEY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-18 23:36 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-07-16 15:20 27,016 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\GDIPFONTCACHEV1.DAT
2007-04-17 01:39 87,608 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\ezpinst.exe
2007-04-17 01:39 47,360 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\pcouffin.sys
2007-11-29 15:54 56 --sh--r C:\WINDOWS\system32\8F26DE8530.sys
2007-11-29 15:54 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 00:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2006-12-19 10:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB929338_0$\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-14_16.13.10.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 20:00:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 22:29:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-22 05:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-18 19:59 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-12-12 04:22 312200]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 13:21 292336]
"CmPCIaudio"="CMICNFG3.CPL" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 18:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"=
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\WINDOWS\\system32\\dlcqcoms.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys []
S3 RTIUSB;RTI USB Driver;C:\WINDOWS\system32\Drivers\RTIusb.sys [2005-09-30 16:04]
S4 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3b6ae5-416c-11dc-a119-0016e665bbdc}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 12:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 18:38:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-06-14 18:40:52
ComboFix-quarantined-files.txt 2008-06-14 22:40:50
ComboFix2.txt 2008-06-14 20:56:07
ComboFix3.txt 2008-06-14 20:13:35

Pre-Run: 36,359,401,472 bytes free
Post-Run: 36,344,745,984 bytes free

288 --- E O F --- 2008-06-12 07:02:45
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.
mrskoz is offline  
Old 06-14-2008, 05:05 PM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
=============================

When you're done with the above and back in Normal Mode, please perform an online scan with Internet Explorer at Kaspersky Online Scanner

http://i275.photobucket.com/albums/j...g/KAS/KAS9.gif

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===========================

Expected logs:

Report.txt
Kaspersky report
a fresh HijackThis log


Also, please let me know how the system is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 06-15-2008, 06:05 AM   #11 (permalink)
Registered User
 
mrskoz's Avatar
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Thank you... I had a slight problem running SDFix in safe mode.. something completely disabled the mouse (I kept going using the keyboard) & there were approximately 50-75 (!!) identical pop-ups during that scan that read "SDFix SYSTEM\CurrentControlSet\Control\VirtualDeviceDivers. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application." I opted for 'close' thinking I would reboot and try again, but it kept running the scan.

And... I am seeing some improvement. :) Our system is becoming much more stable... the affected accounts still have blue desktops but the actual yellow banner warning of infection is gone. The display settings on the accounts are still missing some tabs (desktop & screen saver). The computer printer no longer works though it is directly attached, but it is accessible over the network oddly. When I search for "spyware" in a browser, it no longer shuts all open programs down. On certain websites I am getting a nagging pop-up to install Adobe Flash Player Installer, from Adobe? This is new, so am guessing one of the probs was through flash somewhere? And QuickLaunch through windows settings no longer disappears from the taskbar at every login.

I still am not sure where this originated... I'm fairly certain it came from my teen who also says 2 of her friends have the exact same problem (bugs/blue screen), and they think it came from either myspace or flickr.com? I've noticed it all over this forum lately, though.

Here are the logs:


SDFix: Version 1.192
Run by CHRISTOPHER on Sat 06/14/2008 at 09:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 21:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:3c1a819c
"s2"=dword:8638b1e3
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:9b,76,e5,12,87,80,cc,96,69,dd,90,c5,0c,34,9f,53,cf,bb,95,fc,97,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d3,b1,4f,ee,d2,9a,3e,2b,70,f3,99,e8,47,e1,cb,2e,15,c8,22,0c,4c,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:9b,76,e5,12,87,80,cc,96,69,dd,90,c5,0c,34,9f,53,cf,bb,95,fc,97,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"="C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe:*:Enabled:Media Server LiveUpdate"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"="C:\\Program Files\\D-Link Media Server\\MediaGUI.exe:*:Enabled:D-Link_MediaServerGUI"
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"="C:\\Program Files\\D-Link Media Server\\MediaServer.exe:*:Enabled:D-Link_MediaServer"
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Disabled:CyberLink PowerDVD"
"C:\\WINDOWS\\system32\\dlcqcoms.exe"="C:\\WINDOWS\\system32\\dlcqcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Pidgin\\pidgin.exe"="C:\\Program Files\\Pidgin\\pidgin.exe:*:Enabled:Pidgin"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :


Finished!

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 15, 2008 01:21:30
Records in database: 864606
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 130004
Threat name: 3
Infected objects: 259
Suspicious objects: 12
Duration of the scan: 02:33:54


File name / Threat name / Threats count
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\auctions259 Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox62 Infected: Trojan-Spy.HTML.Bayfraud.ib 4
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\mine391 Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ib 4
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 8
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv Infected: Trojan-Spy.HTML.Bayfraud.ib 57
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 7
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 7

The selected area was scanned.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:54 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 4652 bytes
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.

Last edited by mrskoz; 06-15-2008 at 06:10 AM.
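The Kaspersky report above lists every hit as `<path> Infected|Suspicious: <threat> <count>`, and every path is a Thunderbird mail store or a profile backup. Here is an added example, not code from the thread or from Kaspersky, that parses lines in that format and separates detections inside mail stores from everything else. The sample report is constructed: the Thunderbird lines mirror the post, and the final `setup.exe` line with the threat name `Constructed.Sample.Detection` is invented to show how a hit outside a mail store is surfaced. Treating `.pcv` files as mail-profile backups is an assumption of this example.

```python
"""Triage a Kaspersky Online Scanner 7 report: added example, not part of
the thread. It parses the 'File name / Threat name / Threats count' lines
and separates detections inside mail stores from everything else."""
import re
from collections import Counter

# Constructed sample in the report's line format. The Thunderbird paths
# mirror the post above; the final .exe line is invented to show how a
# detection outside a mail store is reported differently.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv Infected: Trojan-Spy.HTML.Bayfraud.ib 57
C:\Constructed\Downloads\setup.exe Infected: Constructed.Sample.Detection 1

The selected area was scanned.
"""

# <path> <Infected|Suspicious>: <threat name> <count>; the path may
# contain spaces, so it is matched lazily up to the status keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Substrings that mark a Thunderbird mail store or mail-profile backup.
# .pcv is treated as a profile backup here (assumption for this example).
MAIL_STORE_MARKERS = ("\\thunderbird\\", "\\mail\\", "\\inbox", ".sbd\\", ".pcv")


def parse_report(text):
    """Return one dict per detection line; other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            findings.append(d)
    return findings


def is_mail_store(path):
    p = path.lower()
    return any(marker in p for marker in MAIL_STORE_MARKERS)


def summarize(findings):
    """Totals per status and threat, plus the paths that are NOT mail stores.
    A phishing signature (Trojan-Spy.HTML.*) hitting an mbox file means a
    stored e-mail, not code that runs at boot; anything outside a mail
    store deserves a closer look."""
    by_status = Counter()
    by_threat = Counter()
    outside_mail = []
    for f in findings:
        by_status[f["status"]] += f["count"]
        by_threat[f["threat"]] += f["count"]
        if not is_mail_store(f["path"]):
            outside_mail.append(f["path"])
    return {
        "infected": by_status["Infected"],
        "suspicious": by_status["Suspicious"],
        "by_threat": dict(by_threat),
        "outside_mail_store": outside_mail,
    }


if __name__ == "__main__":
    result = summarize(parse_report(SAMPLE_REPORT))
    for key, value in result.items():
        print(key, value)
```

Run against the full report in the post, the per-threat totals add up to the "Infected objects: 259" and "Suspicious objects: 12" lines in its statistics block, and `outside_mail_store` comes back empty, which is the reason the detections can be handled by deleting the affected mail folders and backups rather than by hunting for a running component.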
Old 06-15-2008, 09:23 AM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Quote:
I had a slight problem running SDFix in safe mode.. something completely disabled the mouse (I kept going using the keyboard) & there were approximately 50-75 (!!) identical pop-ups during that scan that read "SDFix SYSTEM\CurrentControlSet\Control\VirtualDeviceDivers. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application." I opted for 'close' thinking I would reboot and try again, but it kept running the scan.
I don't think it's malware-related. The following link has some information on the error message you were getting.

http://support.microsoft.com/kb/q254914/

=============================

Quote:
And... I am seeing some improvement. :) Our system is becoming much more stable...
That's good.

Quote:
the affected accounts still have blue desktops but the actual yellow banner warning of infection is gone. The display settings on the accounts are still missing some tabs (desktop & screen saver).
We'll fix that.

=============================

Did you set your home page to this yourself? It's alright if you did. I just want to make sure:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/

=============================

The infected items reported by Kaspersky are in the Thunderbird mail client and in Genevieve's "My Documents", Thunderbird and misc folders, probably backups. Please delete them.

C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\auctions259
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox62
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\mine391

C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv

============================
  • Open notepad (Start>All programs>accessories>notepad )
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
(It must be notepad, not wordpad, or it won't work):

Code:
KILLALL::

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-

Rootkit::
C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys

Driver::
DMSKSSRh
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
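The CFScript in the reply above has four directives: `KILLALL::`, a `Registry::` block in REGEDIT4 syntax where `"Name"=-` deletes a value, a `Rootkit::` file and a `Driver::` name. The two values it removes live under the per-user `Policies\System` key and are what hide the Desktop and Screen Saver tabs the poster reported missing. The following is an added example, not ComboFix's code nor the analyst's, that parses a script in that layout and explains what the registry block will do. The script text is embedded from the post; the mapping of policy names to Display Properties tabs is the editor's addition from the standard policy names (the thread only shows the first two), and the section layout assumed is the one the post shows.

```python
"""Parse a ComboFix CFScript and explain its Registry:: section: added
example, not ComboFix's own code or the analyst's. Assumes the directive
layout shown in the post (NAME:: header, body lines until the next header)."""
import re
from collections import OrderedDict

# The CFScript from the reply above, embedded as a constant so the parser
# can be run offline.
SAMPLE_CFSCRIPT = r"""KILLALL::

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-

Rootkit::
C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys

Driver::
DMSKSSRh
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Policy values under HKCU\...\Policies\System that hide tabs of Display
# Properties; malware sets them to lock the wallpaper and screen saver.
# The mapping comes from the standard policy names, not from the thread.
DISPLAY_TAB_POLICIES = {
    "NoDispBackgroundPage": "Desktop",
    "NoDispScrSavPage": "Screen Saver",
    "NoDispAppearancePage": "Appearance",
    "NoDispSettingsPage": "Settings",
}


def parse_cfscript(text):
    """Return an ordered mapping {directive: [body lines]}."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("line before first directive: %r" % line)
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Interpret REGEDIT4-style lines: '"Name"=-' deletes the value,
    anything else sets it. Returns (key, value_name, action) tuples."""
    actions = []
    key = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.groups()
            actions.append((key, name, "delete" if data == "-" else "set:" + data))
    return actions


def tabs_restored(actions):
    """Display Properties tabs that reappear once the listed policy
    values are deleted."""
    return [DISPLAY_TAB_POLICIES[name] for _key, name, action in actions
            if action == "delete" and name in DISPLAY_TAB_POLICIES]


if __name__ == "__main__":
    script = parse_cfscript(SAMPLE_CFSCRIPT)
    acts = registry_actions(script.get("Registry", []))
    print("sections:", list(script))
    print("registry actions:", acts)
    print("tabs restored:", tabs_restored(acts))
    print("rootkit files:", script.get("Rootkit"), "drivers:", script.get("Driver"))
```

Reading a script this way before handing it to ComboFix is a useful habit: the registry block should only touch the keys you expect, and the `Rootkit::` and `Driver::` entries should name the same component (here the `DMSKSSRh` driver and its `.sys` file in a user's Temp folder), which is exactly what the ComboFix log in the next post confirms it removed.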
Old 06-15-2008, 04:57 PM   #13 (permalink)
Registered User
 
mrskoz's Avatar
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi.. Thanks for your diligence in this. I checked with my husband about drudgereport.com, and yes, that is his home page on the browsers. I then deleted the files you listed, and while I was doing it a strange error msg, not Windows-based (?), popped up. I couldn't catch the whole thing because it was on a countdown to close in 18 seconds, but it mentioned: ffdshow compact manager, and explorer.exe attempting to load ffdshow, then something about a whitelist or blacklist. Sorry I wasn't able to get more info & by the time I remembered screen captures, it was gone.

Here is the new log:
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

ComboFix 08-06-12.2 - CHRISTOPHER 2008-06-15 18:41:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1421 [GMT -4:00]
Running from: C:\Documents and Settings\CHRISTOPHER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CHRISTOPHER\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMSKSSRH
-------\Service_DMSKSSRh


((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 21:17 . 2008-06-14 21:17 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-14 21:12 . 2008-06-14 21:46 <DIR> d-------- C:\SDFix
2008-06-14 18:31 . 2008-06-14 18:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-14 18:31 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-14 16:17 . 2008-06-14 16:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 11:37 . 2008-06-14 11:37 <DIR> d-------- C:\Deckard
2008-06-13 07:06 . 2008-06-13 07:06 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Vso
2008-06-13 07:06 . 2008-06-13 07:06 87,608 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\ezpinst.exe
2008-06-13 07:06 . 2008-06-13 07:06 47,360 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.sys
2008-06-12 03:02 . 2008-06-12 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 22:50 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:50 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-05 14:50 . 2008-06-05 14:50 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\ESET
2008-06-05 14:39 . 2008-06-05 14:39 <DIR> d-------- C:\Documents and Settings\LAURYN\Application Data\ESET
2008-06-05 06:39 . 2008-06-05 06:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-05 06:22 . 2008-06-05 06:22 <DIR> d-------- C:\Documents and Settings\BRITTNEY\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Program Files\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\ESET
2008-06-04 17:41 . 2008-06-04 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 17:39 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iPod
2008-06-04 17:39 . 2008-06-15 18:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-04 17:39 . 2008-06-04 17:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 17:38 . 2008-06-04 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-06-04 15:20 . 2008-06-04 15:20 392 --a------ C:\sslist.sss
2008-06-04 15:19 . 2008-06-04 15:20 21,976 --a------ C:\ssave0.sss
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-04 14:46 . 2008-06-04 15:03 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-04 14:46 . 2008-06-04 15:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-04 14:45 . 2008-06-04 14:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-04 14:39 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-06-04 14:38 . 2008-06-04 14:38 <DIR> d-------- C:\WINDOWS\EHome
2008-06-04 14:38 . 2004-08-04 02:58 2,012,670 --------- C:\WINDOWS\nt5.cat
2008-06-04 14:38 . 2001-03-02 20:52 15,360 --a------ C:\WINDOWS\system32\asfsipc.dll
2008-06-04 14:32 . 2008-04-13 20:11 3,066,880 --a------ C:\WINDOWS\system32\SET358.tmp
2008-06-04 14:23 . 2008-06-04 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 10:20 . 2008-06-04 10:20 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\GENEVIEVE\Application Data\SUPERAntiSpyware.com
2008-06-03 21:11 . 2008-06-03 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 22:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-18 12:31 . 2008-05-18 12:31 <DIR> d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\HPAppData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 22:31 --------- d-----w C:\Program Files\Java
2008-06-14 04:34 --------- d-----w C:\Program Files\D-Link Media Server
2008-06-13 11:11 --------- d-----w C:\Program Files\Qualcomm
2008-06-12 21:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 23:41 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\.purple
2008-06-05 10:21 --------- d-----w C:\Program Files\Apple Software Update
2008-06-04 21:37 --------- d-----w C:\Program Files\QuickTime
2008-06-04 03:35 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 00:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:13 --------- d-----w C:\Program Files\The Learning Company
2008-06-04 00:07 --------- d-----w C:\Program Files\GameHouse
2008-06-04 00:03 --------- d-----w C:\Program Files\PopCap Games
2008-06-01 20:24 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\.purple
2008-05-27 22:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\uTorrent
2008-05-26 22:18 --------- d-----w C:\Program Files\dl_Cats
2008-05-20 10:41 --------- d-----w C:\Program Files\Picasa2
2008-05-18 18:42 --------- d-----w C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent
2008-05-15 13:16 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\HPAppData
2008-05-12 17:25 --------- d-----w C:\Documents and Settings\GENEVIEVE\Application Data\.purple
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 10:35 --------- d-----w C:\Documents and Settings\BRITTNEY\Application Data\HPAppData
2008-04-29 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-29 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-29 16:29 --------- d-----w C:\Program Files\HP
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-29 16:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-29 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-29 16:26 --------- d-----w C:\Program Files\Common Files\HP
2008-04-15 04:04 --------- d-----w C:\Program Files\ItsDeductible2006
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\SET5B4.tmp
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\SET114A.tmp
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\SET5B2.tmp
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\SET5B3.tmp
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\SET5B1.tmp
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\SET5B5.tmp
2008-03-25 21:16 25,840 ----a-w C:\Documents and Settings\BRITTNEY\Application Data\GDIPFONTCACHEV1.DAT
2007-07-16 15:20 27,016 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\GDIPFONTCACHEV1.DAT
2007-04-17 01:39 87,608 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\ezpinst.exe
2007-04-17 01:39 47,360 ----a-w C:\Documents and Settings\GENEVIEVE\Application Data\pcouffin.sys
2007-11-29 15:54 56 --sh--r C:\WINDOWS\system32\8F26DE8530.sys
2007-11-29 15:54 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 00:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2006-12-19 10:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB929338_0$\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\ntoskrnl.exe
2008-04-13 15:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-14_16.13.10.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 20:00:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 22:47:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 05:35:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-15 01:18:08 13,488,128 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-15 01:18:08 241,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-14 05:35:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-15 01:17:52 13,488,128 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-15 01:17:52 241,664 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-02-22 05:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-18 19:59 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 11:43 57344]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-12-12 04:22 312200]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 13:21 292336]
"CmPCIaudio"="CMICNFG3.CPL" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-14 18:22 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"=
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\WINDOWS\\system32\\dlcqcoms.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 RTIUSB;RTI USB Driver;C:\WINDOWS\system32\Drivers\RTIusb.sys [2005-09-30 16:04]
S4 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3b6ae5-416c-11dc-a119-0016e665bbdc}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 12:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 18:48:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-15 18:52:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 22:52:51
ComboFix2.txt 2008-06-14 22:40:53
ComboFix3.txt 2008-06-14 20:56:07
ComboFix4.txt 2008-06-14 20:13:35

Pre-Run: 36,122,759,168 bytes free
Post-Run: 36,255,440,896 bytes free

245 --- E O F --- 2008-06-12 07:02:45
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.
Old 06-15-2008, 05:10 PM   #14 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Well done.

Please run this online scan to help look for remnants.

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

http://i275.photobucket.com/albums/j...g/KAS/KAS9.gif

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-16-2008, 05:27 AM   #15 (permalink)
Registered User
 
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi, here is the log from the 2nd scan... deja vu?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 00:58:11
Records in database: 870168
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 128424
Threat name: 3
Infected objects: 107
Suspicious objects: 6
Duration of the scan: 04:10:25


File name / Threat name / Threats count
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 8
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 7

The selected area was scanned.
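Reports in the layout above are easier to act on once the per-file lines are totalled and checked against the report's own statistics block. The following Python helper is an added example, not the forum's or Kaspersky's own code: it parses the "File name / Threat name / Threats count" lines, verifies that their sums match the "Infected objects", "Suspicious objects" and "Threat name" counts (a mismatch usually means a pasted log was truncated), and separates hits on executable files from hits inside data containers such as mail stores, where a detection is a stored phishing message rather than running code. The report it runs on is a constructed sample with made-up paths and threat names.

```python
"""Triage helper for Kaspersky Online Scanner 7 text reports (added example)."""
import re
import ntpath
from collections import Counter

# Constructed sample in the layout of a Kaspersky Online Scanner 7 report.
# Paths, counts and threat names are made up for this example.
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
--------------------------------------------------------------------------------

Scan statistics:
Files scanned: 1000
Threat name: 3
Infected objects: 5
Suspicious objects: 1
Duration of the scan: 00:10:00


File name / Threat name / Threats count
C:\Documents and Settings\User\Mail\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\User\Mail\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\User\Mail\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Program Files\Example App\setup.exe Infected: Trojan.Win32.Example.a 1

The selected area was scanned.
"""

# One detail line: <path> <Infected|Suspicious>: <threat name> <count>
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
# Lines of the 'Scan statistics' block that carry a plain integer
STAT_RE = re.compile(
    r"^(?P<key>Files scanned|Threat name|Infected objects|Suspicious objects): (?P<value>\d+)$")

# Extensions that mean the hit is a program on disk rather than stored content
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".msi", ".scr", ".com", ".ocx", ".cpl"}


def parse_report(text):
    """Return (stats, findings): stats as {label: int}, findings as a list of dicts."""
    stats, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append({"path": m.group("path"), "verdict": m.group("verdict"),
                             "threat": m.group("threat"), "count": int(m.group("count"))})
    return stats, findings


def hits_per_threat(findings):
    """Total detections per threat name across all files."""
    totals = Counter()
    for f in findings:
        totals[f["threat"]] += f["count"]
    return dict(totals)


def reconcile(stats, findings):
    """Compare the detail lines with the 'Scan statistics' block.

    Returns a list of discrepancy strings; empty means summary and detail agree.
    """
    problems = []
    infected = sum(f["count"] for f in findings if f["verdict"] == "Infected")
    suspicious = sum(f["count"] for f in findings if f["verdict"] == "Suspicious")
    names = len({f["threat"] for f in findings})  # 'Threat name' counts distinct names
    for label, observed in (("Infected objects", infected),
                            ("Suspicious objects", suspicious),
                            ("Threat name", names)):
        expected = stats.get(label)
        if expected is not None and expected != observed:
            problems.append(f"{label}: summary says {expected}, detail lines total {observed}")
    return problems


def split_by_location(findings):
    """Return (executables, containers): distinct paths of hits on program files
    versus hits inside data containers (mail stores, archives, documents)."""
    executables, containers = set(), set()
    for f in findings:
        ext = ntpath.splitext(f["path"])[1].lower()  # ntpath handles the Windows separators
        (executables if ext in EXECUTABLE_EXTENSIONS else containers).add(f["path"])
    return sorted(executables), sorted(containers)


if __name__ == "__main__":
    stats, findings = parse_report(SAMPLE_REPORT)
    print("per threat:", hits_per_threat(findings))
    print("discrepancies:", reconcile(stats, findings) or "none")
    exes, data = split_by_location(findings)
    print("program files to remove or investigate:", exes)
    print("data containers (mail stores etc.):", data)
```

Run against the sample, the only program-file hit is the installer executable; every other detection sits inside a mailbox file, which is why deleting old mail backups makes those lines disappear without touching anything that could be running on the machine.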
Old 06-16-2008, 05:28 AM   #16 (permalink)
Registered User
 
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Actually, I will just go ahead & delete those old email backups, as they are from 2 years ago, and I no longer need them. Shall I run another scan & post another log again for you afterwards?
Old 06-16-2008, 05:45 AM   #17 (permalink)
Registered User
 
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

I deleted the email backups, and checked my own current email in Thunderbird to make sure I didn't delete anything important, and found an email dated from when this all began, around June 2, from Comcast saying that my computer is sending out spam & I am probably infected.

I was not aware of anything like that at all, and in fact since this began, have only checked my email using the other computer on webmail, I've been so worried about keystroke loggers. I'd have to check with the family about whether they have used email (I told them no passwords until this was clean, but I am not sure if they listened. ;) ) so I can try to give you more info on that, if needed.
Old 06-16-2008, 05:53 AM   #18 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Some are deleted, but there's more. You must have missed some.

These are in the misc folder in "My Documents" (backups):

C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox.sbd\mine
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox.sbd\mine
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine

These are in the "Thunderbird" folder in "My Documents" (backups):

C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine


These are still in the Thunderbird inbox. I don't know what the "Inbox428" refers to, as I don't use Thunderbird and am not familiar with it:


C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine

You can delete them all and then scan again.
Old 06-16-2008, 02:37 PM   #19 (permalink)
Registered User
 
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

I am not sure why, but the Kaspersky scans are taking longer each time, and are now twice as long, and they seem to be finding not only the same infections but different infections also. It most recently found more old email backups (unless I still am just not deleting the right ones somehow?? I am feeling very foolish here that I keep doing this & there it is again).

Here is the log for the complete scan that took 5 hrs today, and I then deleted those objects found and ran a scan again just on the folder in documents & settings where they kept showing up. Let me know if you need another complete scan of the whole shebang again...

*************************


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 12:08:05
Records in database: 872350
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 128573
Threat name: 2
Infected objects: 43
Suspicious objects: 0
Duration of the scan: 05:00:20


File name / Threat name / Threats count
C:\Documents and Settings\GENEVIEVE\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe Infected: Trojan.Win32.VB.dkn 1
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 7
C:\Program Files\Common Files\Wise Installation Wizard\WIS78D62D17D97042DAB8CF5E5576293B33_7_0_0_43.MSI Infected: Trojan.Win32.VB.dkn 1

The selected area was scanned.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

LOG FOR JUST THE DOCUMENTS & SETTINGS\GENEVIEVE FOLDERS:



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 12:08:05
Records in database: 872350
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:


Scan statistics:
Files scanned: 6761
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:13:40

No malware has been detected. The scan area is clean.

The selected area was scanned.
*********************************************************
Old 06-16-2008, 03:21 PM   #20 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Well, looks like you got it all cleaned out except one file to be deleted:

C:\Program Files\Common Files\Wise Installation Wizard\WIS78D62D17D97042DAB8CF5E5576293B33_7_0_0_43.MSI

If you have no further malware issues, you're good to go.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Here are some steps to make your surfing more secure in future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site http://windowsupdate.microsoft.com/ to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft Office Update site http://office.microsoft.com/officeup....aspx?lc=en-us and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet. A tutorial on Firewalls and a listing of some available ones can be found here:
http://forum.malwareremoval.com/viewtopic.php?p=56#56
http://www.bleepingcomputer.com/forums/tutorial60.html

Test your firewall here to make sure that it's working properly

ATF Cleaner by Atribune is a useful utility to clean the temporary files and cookies on a regular basis.

But above all, keep all your software UP-TO-DATE at all times!

A colleague of ours has excellent information and tips on the prevention of malware here

If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing!
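The Internet Explorer "Custom Level" settings listed in the post above are stored per user in the registry, so whether they actually took effect can be checked rather than eyeballed. The following Python script is an added example, not the forum's or Microsoft's code. It uses the documented encoding of the Internet zone (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, DWORD values named by action id, 0 = Enable, 1 = Prompt, 3 = Disable, per Microsoft KB 182569) and reports every setting that is weaker than the post recommends. On Windows it reads the live values; elsewhere it audits a constructed snapshot so the logic can be exercised offline.

```python
"""Audit Internet Explorer's Internet-zone settings against the recommended
values from the post above (added example, not the forum's own code)."""
try:
    import winreg  # only present on Windows; the audit itself is platform-neutral
except ImportError:
    winreg = None

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3          # DWORD data for each action value
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value name -> (Custom Level dialog label, value the post recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed snapshot of a machine where four of the six actions are still
# set to Enable (values are made up for the example, not taken from the thread).
SAMPLE_ZONE = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
               "1800": ENABLE, "1804": ENABLE, "1607": ENABLE}


def level_name(value):
    """Human-readable name for a zone value, including absent or unexpected data."""
    if value is None:
        return "unset"
    return LEVEL_NAMES.get(value, f"unknown({value})")


def audit(zone_values):
    """Return one (label, current, recommended) tuple per setting weaker than recommended.

    Enable (0) < Prompt (1) < Disable (3), so a value lower than the recommended one,
    or a missing value, is reported.
    """
    findings = []
    for name, (label, wanted) in RECOMMENDED.items():
        current = zone_values.get(name)
        if current is None or current < wanted:
            findings.append((label, level_name(current), level_name(wanted)))
    return findings


def read_internet_zone():
    """Read the current user's Internet-zone values from the registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: IE falls back to the zone template default
    return values


if __name__ == "__main__":
    snapshot = read_internet_zone() if winreg else SAMPLE_ZONE
    weak = audit(snapshot)
    if not weak:
        print("all six settings are at or above the recommended level")
    for label, current, wanted in weak:
        print(f"{label}: is {current}, recommended {wanted}")
```

Only the current user's zone is read, which matches how the dialog works: each Windows account on the machine has its own Internet Options, so the check (and the fix) has to be repeated per account.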
 


Copyright 2001 - 2009, Tech Support Forum