Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
Post #1 - 12-03-2008, 08:41 AM
tanger - Registered User
Join Date: Aug 2007
Posts: 62
OS: XP SP3

Does this HJT log look suspicious?

Hello,

I think my FF has been hijacked: any time I try to search for something on Google and click a link, it takes me to random sites, usually wanting me to buy something. I've tried scanning with Spybot in safe mode, but to no avail. I've posted my HJT log; any help is appreciated.



Logfile of HijackThis v1.99.1
Scan saved at 10:39:27 AM, on 03/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Warren\Desktop\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\msgrapp.8.5.1302.1018.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Last edited by tanger; 12-03-2008 at 08:42 AM.
tanger is offline  
Post #2 - 12-03-2008, 10:11 PM
tanger - Registered User
Join Date: Aug 2007
Posts: 62
OS: XP SP3

Re: Does this HJT log look suspicious?

help...
tanger is offline  
Post #3 - 12-03-2008, 11:22 PM
tanger - Registered User
Join Date: Aug 2007
Posts: 62
OS: XP SP3

Re: Does this HJT log look suspicious?

some more logs...


DDS (Version 1.0) - NTFSx86
Run by Warren at 1:00:01.31 on 04/12/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2047.1602 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Warren\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asus wifi-ap solo.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech setpoint.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kaspersky lab\kaspersky internet security 2009\mzvkbd.dll,c:\progra~1\kaspersky lab\kaspersky internet security 2009\adialhk.dll,c:\progra~1\kaspersky lab\kaspersky internet security 2009\kloehk.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-7-16 213008]
R2 AVP;Kaspersky Internet Security;"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" -r [2008-4-25 201992]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-26 176128]
R3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\SjyPkt.sys [2008-11-26 13532]

=============== Created Last 30 ================

2008-12-04 00:47 250 a------- c:\windows\gmer.ini
2008-12-02 22:50 79 a------- c:\windows\wininit.ini
2008-12-02 14:34 <DIR> --d----- c:\program files\Foxit Software
2008-12-02 11:15 <DIR> --d----- c:\docume~1\warren\applic~1\Kaspersky_Key_Finder_(KKF
2008-11-28 00:34 <DIR> --d----- c:\docume~1\warren\applic~1\Design Science
2008-11-28 00:33 <DIR> --d----- c:\program files\MathType
2008-11-28 00:22 <DIR> --d----- c:\docume~1\warren\applic~1\Inkscape
2008-11-28 00:21 <DIR> --d----- c:\program files\Inkscape
2008-11-27 19:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alias
2008-11-26 21:24 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-11-26 21:23 176,128 a------- c:\windows\system32\drivers\RTL8187.sys
2008-11-26 21:23 13,532 a------- c:\windows\system32\drivers\SjyPkt.sys
2008-11-26 21:23 <DIR> --d----- c:\program files\ASUS WiFi-AP Solo
2008-11-26 17:35 28 a------- c:\windows\pdf995.ini
2008-11-26 17:34 59 a------- c:\windows\wpd99.drv
2008-11-26 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2008-11-26 17:34 249,856 a------- c:\windows\system32\pdfmona.dll
2008-11-26 17:34 51,716 a------- c:\windows\system32\pdf995mon.dll
2008-11-26 17:34 <DIR> --d----- c:\program files\pdf995
2008-11-21 23:08 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-21 23:08 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-12 16:52 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 16:52 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-05 16:41 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-11-05 16:41 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-05 16:40 <DIR> --d----- c:\program files\iPod
2008-11-05 16:40 <DIR> --d----- c:\program files\iTunes
2008-11-05 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-05 16:40 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-11-05 00:02 <DIR> --d----- c:\program files\VS Revo Group
2008-11-04 23:33 664 a------- c:\windows\system32\d3d9caps.dat
2008-11-04 20:03 301,656 a------- c:\windows\system32\BtCoreIf.dll
2008-11-04 19:42 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2008-11-04 18:35 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-04 18:35 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2008-12-04 00:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-12-02 23:33 <DIR> --d----- c:\docume~1\warren\applic~1\uTorrent
2008-11-27 19:10 <DIR> --d----- c:\docume~1\warren\applic~1\Autodesk
2008-11-18 09:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-17 01:10 <DIR> --d----- c:\program files\WorldOfGoo
2008-11-05 16:40 <DIR> --d----- c:\program files\Bonjour
2008-11-04 20:03 <DIR> --d----- c:\program files\common files\Logitech
2008-11-03 17:17 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-11-01 19:01 <DIR> --d----- c:\program files\THQ
2008-11-01 18:34 <DIR> --d----- c:\program files\Steam
2008-10-29 20:46 <DIR> --d----- c:\program files\Curve Expert
2008-10-27 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2DBoy
2008-10-27 15:23 <DIR> --d----- c:\docume~1\warren\applic~1\My Battle for Middle-earth(tm) II Files
2008-10-27 00:04 <DIR> --d----- c:\program files\EA GAMES
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-08 15:20 <DIR> --d----- c:\docume~1\warren\applic~1\SPORE
2008-09-28 11:12 507,904 a------- c:\windows\system32\winlogon.exe
2008-09-16 20:27 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -c------ c:\windows\system32\msxml6.dll
2008-07-16 16:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-05-03 12:32 <DIR> --d----- c:\docume~1\warren\applic~1\My Battle for Middle-earth Files
2008-05-02 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2004-08-04 07:00 73,728 ac-sh--- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 1:00:18.73 ===============
Attached files: Gmer.txt (24.3 KB), Attach.txt (10.6 KB)
tanger is offline  
Post #4 - 12-14-2008, 10:01 PM
Ried - Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista

Re: Does this HJT log look suspicious?

Hello tanger,

Apologies for the oversight of your thread. Please delete your current dds.com, download the latest version from here, and run a new scan with it.

Post just the dds.txt and we'll get started.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Post #5 - 12-15-2008, 09:06 AM
tanger - Registered User
Join Date: Aug 2007
Posts: 62
OS: XP SP3

Re: Does this HJT log look suspicious?

Thank you Ried,

I've attached the dds.txt file. I've also run ComboFix between the time of my original post and now.


DDS (Version 1.0.1) - NTFSx86
Run by Warren at 11:04:38.93 on 15/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2047.1424 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Warren\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asus wifi-ap solo.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\warren\applic~1\mozilla\firefox\profiles\po1w7agd.default\
FF - prefs.js: browser.startup.homepage - www.tsn.ca

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-7-16 213008]
R2 AVP;Kaspersky Internet Security;"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" -r [2008-4-25 201992]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-26 176128]
R3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\SjyPkt.sys [2008-11-26 13532]

=============== Created Last 30 ================

2008-12-13 01:06 <DIR> --d----- c:\program files\Nobilis
2008-12-12 11:52 <DIR> --d----- c:\program files\MathType
2008-12-11 16:02 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-11 16:02 203,520 a------- c:\windows\system32\nvapps.xml
2008-12-11 16:02 18,537 a------- c:\windows\system32\nvdisp.nvu
2008-12-11 16:02 <DIR> --d----- c:\windows\nview
2008-12-11 16:02 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-11 16:01 <DIR> --d----- C:\NVIDIA
2008-12-11 14:05 <DIR> --d----- c:\windows\SHELLNEW
2008-12-11 13:43 <DIR> --d----- c:\windows\Downloaded Installations
2008-12-10 14:03 <DIR> --d----- c:\windows\SxsCaPendDel
2008-12-04 02:28 <DIR> a-dshr-- C:\cmdcons
2008-12-04 02:25 161,792 a------- c:\windows\SWREG.exe
2008-12-04 02:25 98,816 a------- c:\windows\sed.exe
2008-12-04 00:47 250 a------- c:\windows\gmer.ini
2008-12-02 22:50 79 a------- c:\windows\wininit.ini
2008-12-02 14:34 <DIR> --d----- c:\program files\Foxit Software
2008-12-02 11:15 <DIR> --d----- c:\docume~1\warren\applic~1\Kaspersky_Key_Finder_(KKF
2008-11-28 00:34 <DIR> --d----- c:\docume~1\warren\applic~1\Design Science
2008-11-28 00:22 <DIR> --d----- c:\docume~1\warren\applic~1\Inkscape
2008-11-28 00:21 <DIR> --d----- c:\program files\Inkscape
2008-11-27 19:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alias
2008-11-26 21:24 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-11-26 21:23 176,128 a------- c:\windows\system32\drivers\RTL8187.sys
2008-11-26 21:23 13,532 a------- c:\windows\system32\drivers\SjyPkt.sys
2008-11-26 21:23 <DIR> --d----- c:\program files\ASUS WiFi-AP Solo
2008-11-26 17:35 28 a------- c:\windows\pdf995.ini
2008-11-26 17:34 59 a------- c:\windows\wpd99.drv
2008-11-26 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2008-11-26 17:34 249,856 a------- c:\windows\system32\pdfmona.dll
2008-11-26 17:34 51,716 a------- c:\windows\system32\pdf995mon.dll
2008-11-26 17:34 <DIR> --d----- c:\program files\pdf995
2008-11-21 23:08 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-21 23:08 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2008-12-15 11:04 712,736 ac-sh--- c:\windows\system32\drivers\fidbox2.dat
2008-12-15 11:04 5,612 ac-sh--- c:\windows\system32\drivers\fidbox2.idx
2008-12-15 02:32 3,773,984 ac-sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-15 02:32 33,708 ac-sh--- c:\windows\system32\drivers\fidbox.idx
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-13 09:56 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-10-07 09:13 23,320 a------- c:\windows\system32\PhysXDevice.dll
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-28 11:12 507,904 a------- c:\windows\system32\winlogon.exe
2008-07-18 13:06 47,360 ac------ c:\docume~1\warren\applic~1\pcouffin.sys
2006-06-23 13:48 32,768 ac------ c:\windows\inf\UpdateUSB.exe
2004-08-04 07:00 73,728 ac-sh--- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 11:04:56.29 ===============
Attached files: DDS.txt (8.4 KB)

Last edited by Ried; 12-15-2008 at 02:04 PM.
tanger is offline  
Post #6 - 12-15-2008, 02:07 PM
Ried - Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista

Re: Does this HJT log look suspicious?

Then I shall need to see that as well. You'll find it at C:\Combofix.txt

A reminder -- Post #2 of our sticky topic New Instructions - Read This Before Posting for Malware Removal Help --

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which, when improperly used, may render your machine a doorstop.

We first need to verify if there are any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
Ried is offline  
Post #7 - 12-15-2008, 02:50 PM
tanger - Registered User
Join Date: Aug 2007
Posts: 62
OS: XP SP3

Re: Does this HJT log look suspicious?

Here is the ComboFix log.

ComboFix 08-12-15.01 - Warren 2008-12-15 16:44:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1436 [GMT -5:00]
Running from: c:\documents and settings\Warren\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 16:42 . 2008-12-15 16:43 <DIR> d-------- C:\32788R22FWJFW
2008-12-13 01:06 . 2008-12-13 01:06 <DIR> d-------- c:\program files\Nobilis
2008-12-12 11:52 . 2008-12-12 11:54 <DIR> d-------- c:\program files\MathType
2008-12-11 16:02 . 2008-12-11 16:02 <DIR> d-------- c:\windows\nview
2008-12-11 16:02 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-11 16:02 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-11 16:02 . 2008-12-15 10:37 203,520 --a------ c:\windows\system32\nvapps.xml
2008-12-11 16:02 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-12-11 16:01 . 2008-12-11 16:01 <DIR> d-------- C:\NVIDIA
2008-12-11 14:08 . 2008-12-11 14:08 <DIR> d-------- c:\program files\Microsoft Works
2008-12-11 14:05 . 2008-12-11 15:06 <DIR> d-------- c:\windows\SHELLNEW
2008-12-11 13:43 . 2008-12-11 13:43 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-11 13:37 . 2008-12-11 13:37 <DIR> d-------- c:\documents and settings\Administrator
2008-12-10 15:20 . 2008-12-10 15:20 <DIR> d-------- c:\documents and settings\Warren\Application Data\vlc
2008-12-10 14:03 . 2008-12-11 12:46 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-04 00:47 . 2008-12-04 00:47 250 --a------ c:\windows\gmer.ini
2008-12-02 22:50 . 2008-12-02 22:50 79 --a------ c:\windows\wininit.ini
2008-12-02 14:34 . 2008-12-02 14:34 <DIR> d-------- c:\program files\Foxit Software
2008-12-02 11:15 . 2008-12-02 11:15 <DIR> d-------- c:\documents and settings\Warren\Application Data\Kaspersky_Key_Finder_(KKF
2008-11-28 00:34 . 2008-11-28 00:34 <DIR> d-------- c:\documents and settings\Warren\Application Data\Design Science
2008-11-28 00:29 . 2008-11-28 14:45 <DIR> d-------- c:\documents and settings\Warren\Application Data\gtk-2.0
2008-11-28 00:22 . 2008-11-28 00:22 <DIR> d-------- c:\documents and settings\Warren\Application Data\Inkscape
2008-11-28 00:21 . 2008-11-28 00:22 <DIR> d-------- c:\program files\Inkscape
2008-11-27 19:10 . 2008-11-27 19:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Alias
2008-11-26 21:24 . 2008-11-26 21:24 21,035 --a------ c:\windows\system32\drivers\AegisP.sys
2008-11-26 21:23 . 2008-11-26 21:23 <DIR> d-------- c:\program files\ASUS WiFi-AP Solo
2008-11-26 21:23 . 2006-06-16 15:30 176,128 --a------ c:\windows\system32\drivers\RTL8187.sys
2008-11-26 21:23 . 2006-03-31 04:39 13,532 --a------ c:\windows\system32\drivers\SjyPkt.sys
2008-11-26 17:35 . 2008-11-26 17:35 <DIR> d-------- c:\documents and settings\Warren\Application Data\pdf995
2008-11-26 17:35 . 2008-11-26 17:35 28 --a------ c:\windows\pdf995.ini
2008-11-26 17:34 . 2008-11-26 17:35 <DIR> d-------- c:\program files\pdf995
2008-11-26 17:34 . 2008-12-02 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\pdf995
2008-11-26 17:34 . 2008-11-26 17:34 249,856 --a------ c:\windows\system32\pdfmona.dll
2008-11-26 17:34 . 2008-11-26 17:34 51,716 --a------ c:\windows\system32\pdf995mon.dll
2008-11-26 17:34 . 2008-12-02 14:17 59 --a------ c:\windows\wpd99.drv
2008-11-21 23:10 . 2008-11-21 23:10 <DIR> d-------- c:\windows\Sun
2008-11-21 23:08 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-21 23:08 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-21 23:07 . 2008-12-03 09:05 <DIR> d-------- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 21:43 33,764 -csha-w c:\windows\system32\drivers\fidbox.idx
2008-12-15 21:43 3,781,152 -csha-w c:\windows\system32\drivers\fidbox.dat
2008-12-15 16:04 712,736 -csha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-15 16:04 5,612 -csha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-15 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-14 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-13 03:38 --------- d-----w c:\documents and settings\Warren\Application Data\uTorrent
2008-12-11 21:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 21:02 --------- d-----w c:\program files\AGEIA Technologies
2008-12-11 20:06 --------- d-----w c:\program files\MSBuild
2008-12-10 20:14 --------- d-----w c:\program files\VideoLAN
2008-12-02 19:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 00:10 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-28 00:10 --------- d-----w c:\documents and settings\Warren\Application Data\Autodesk
2008-11-28 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-11-27 02:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 14:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 06:10 --------- d-----w c:\program files\WorldOfGoo
2008-11-05 21:41 --------- d-----w c:\program files\iTunes
2008-11-05 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-05 21:40 --------- d-----w c:\program files\QuickTime
2008-11-05 21:40 --------- d-----w c:\program files\iPod
2008-11-05 21:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-05 21:40 --------- d-----w c:\program files\Bonjour
2008-11-05 21:40 --------- d-----w c:\program files\Apple Software Update
2008-11-05 05:02 --------- d-----w c:\program files\VS Revo Group
2008-11-05 03:34 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-11-05 01:03 --------- d-----w c:\program files\Common Files\Logitech
2008-11-05 01:03 --------- d-----w c:\program files\Common Files\Logishrd
2008-11-05 00:42 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2008-11-05 00:39 --------- d-----w c:\program files\Microsoft SDKs
2008-11-03 22:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-02 00:01 --------- d-----w c:\program files\THQ
2008-11-01 23:34 --------- d-----w c:\program files\Steam
2008-10-30 01:46 --------- d-----w c:\program files\Curve Expert
2008-10-27 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-10-27 20:23 --------- d-----w c:\documents and settings\Warren\Application Data\My Battle for Middle-earth(tm) II Files
2008-10-27 05:04 --------- d-----w c:\program files\EA GAMES
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 21:30 --------- d-----w c:\program files\Microsoft.NET
2008-10-22 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-22 16:11 --------- d-----w c:\program files\Reference Assemblies
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 14:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 14:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-28 16:12 507,904 ----a-w c:\windows\system32\winlogon.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-07-18 18:06 47,360 -c--a-w c:\documents and settings\Warren\Application Data\pcouffin.sys
2006-06-23 18:48 32,768 -c--a-w c:\windows\inf\UpdateUSB.exe
2004-08-04 12:00 73,728 -csha-w c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

------- Sigcheck -------

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-07-11 23:10 360320 b3acff769e44cc8ae708ab740a52cf5d c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-05-02 17:26 360064 8283a4d489b207991efdc8328733d0bc c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS

2008-05-02 17:11 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-09-28 11:12 507904 679a7259741f6a09994f02ce261b5f2e c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-11-26 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-04 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-11-16 18:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a--c--- 2005-02-02 03:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 14:01 1037736 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2008-03-14 18:50 233472 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
-----c--- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2006-12-18 20:34 868352 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-10 05:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\warrenlightning\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-11-26 176128]
R3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys [2008-11-26 13532]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67b0ce98-414d-11dd-94ec-0015af291d0c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84b05056-adcd-11dd-9591-0015af291d0c}]
\Shell\Auto\command - sxs2.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8532678-8e23-11dd-9552-0015af291d0c}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com

*Newly Created Service* - SJYPKT
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Warren\Application Data\Mozilla\Firefox\Profiles\po1w7agd.default\
FF - prefs.js: browser.startup.homepage - www.tsn.ca
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 16:45:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\klogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2008-12-15 16:45:45
ComboFix-quarantined-files.txt 2008-12-15 21:45:43

Pre-Run: 177,850,273,792 bytes free
Post-Run: 177,838,174,208 bytes free

255 --- E O F --- 2008-12-14 16:28:37
Attached Files
File Type: txt ComboFix.txt (18.3 KB, 2 views)

Last edited by Ried; 12-15-2008 at 06:02 PM.
tanger is offline  
Old 12-15-2008, 06:05 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Does this HJT log look suspicious?

Is there any reason the Recovery Console has not been installed? Did you receive any error messages?

You ran ComboFix more than once. I need to see the entire course of events here. Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report shall pop open for you. Please copy/paste the contents into your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-15-2008, 06:46 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 62
OS: XP SP3


Re: Does this HJT log look suspicious?

When I ran ComboFix, it asked me if I wanted to install the recovery console but I thought I already had it so I said no, which explains why it says I don't have the recovery console installed.

I did run ComboFix twice. I had to run it a second time because I deleted the log from the first one.

Here is the quarantined files list..



2008-12-15 16:43:23 A------- 54 C:\Qoobox\Quarantine\catchme.log
2008-12-15 16:45:00 A------- 5,987 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-15 16:45:29 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-15 16:45:29 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-15 16:45:29 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-12-15 16:45:36 A------- 652 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AlcoholAutomount.reg.dat
tanger is offline  
Old 12-15-2008, 10:06 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Does this HJT log look suspicious?

Hello tanger,

I suspect your system still has problems.

Please go to Virus Total
  • Copy/paste the following full path into the empty box under 'Upload a file'

    c:\windows\system32\winlogon.exe
  • Click 'Send File'

  • Copy/paste the results into Notepad and save it to your desktop.

Post those results here.

You also have an infected removable drive. Please locate the unit that is typically your E:\ drive and have it handy for the next round--do not insert it or use it until you are directed to do so.
Ried is offline  
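As an added example (my own code, not part of the thread and not ComboFix's logic), here is a small Python triage script over the two log sections Ried reasons from above: the Sigcheck hashes for winlogon.exe and the mountpoints2 AutoRun entries for the removable drives. The sample lines are copied from the log posted earlier in the thread; the comparison rules are my own assumptions and a mismatch only means "verify against a vendor-published hash", since a later hotfix changes the hash too.

```python
"""Triage two ComboFix sections, Sigcheck and mountpoints2 (added example)."""
import re
from collections import defaultdict

# Sigcheck lines copied from the log posted above (the thread's own values).
SIGCHECK = r"""
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS
2008-05-02 17:11 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-09-28 11:12 507904 679a7259741f6a09994f02ce261b5f2e c:\windows\system32\winlogon.exe
"""
SIG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) ([0-9a-f]{32}) (.+)$")


def parse_sigcheck(text):
    """Yield (md5, lower-cased path) for every Sigcheck line."""
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            yield m.group(3), m.group(4).lower()


def sigcheck_findings(text):
    """Heuristic (mine, not ComboFix's): the in-use copy under system32 should
    hash-match the Windows File Protection cache (dllcache); when no cache copy
    is listed, fall back to the ServicePackFiles\\i386 copy."""
    by_name = defaultdict(list)
    for md5, path in parse_sigcheck(text):
        by_name[path.rsplit("\\", 1)[-1]].append((md5, path))
    findings = {}
    for name, rows in by_name.items():
        live = [r for r in rows if "\\system32\\" in r[1] and "\\dllcache\\" not in r[1]]
        cache = [r for r in rows if "\\dllcache\\" in r[1]]
        spf = [r for r in rows if "\\servicepackfiles\\" in r[1]]
        if not live:
            findings[name] = "no in-use copy listed"
            continue
        ref, label = (cache, "dllcache") if cache else (spf, "ServicePackFiles")
        if not ref:
            findings[name] = "no reference copy to compare against"
        elif live[0][0] == ref[0][0]:
            findings[name] = f"consistent with {label}"
        else:
            findings[name] = f"MISMATCH vs {label}: {live[0][0]} != {ref[0][0]}"
    return findings


# mountpoints2 entries copied from the log above (the thread's own values).
MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67b0ce98-414d-11dd-94ec-0015af291d0c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84b05056-adcd-11dd-9591-0015af291d0c}]
\Shell\Auto\command - sxs2.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8532678-8e23-11dd-9552-0015af291d0c}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com
"""
KEY_RE = re.compile(r"^\[.*\\mountpoints2\\([^\]]+)\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)


def parse_mountpoints(text):
    """Map each mountpoints2 volume key to its {verb: command} dictionary."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group(1)
            entries.setdefault(current, {})
        elif current is not None:
            v = VERB_RE.match(line)
            if v:
                entries[current][v.group(1).lower()] = v.group(2)
    return entries


def mountpoint_findings(text):
    """Heuristic (mine): flag commands that run a bare file name from the
    volume, go through ShellExec_RunDLL, or take over Explorer's open/explore
    verbs; a plain drive-letter AutoRun launcher on its own is not flagged."""
    out = {}
    for vol, verbs in parse_mountpoints(text).items():
        reasons = []
        for verb, cmd in verbs.items():
            if "shellexec_rundll" in cmd.lower():
                reasons.append(f"{verb}: indirect launch via ShellExec_RunDLL")
            elif not re.match(r"^[a-z]:\\", cmd, re.I):
                reasons.append(f"{verb}: bare executable name '{cmd}'")
            if verb in ("open", "explore"):
                reasons.append(f"{verb}: Explorer verb redirected to '{cmd}'")
        out[vol] = reasons
    return out
```

Run against the pasted values, tcpip.sys comes out consistent with its dllcache copy, winlogon.exe is the only mismatch, and only the two GUID-keyed volumes (the ones Ried calls the infected removable drive) collect findings.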
Old 12-15-2008, 10:36 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 62
OS: XP SP3


Re: Does this HJT log look suspicious?

After I clicked Send File, I wasn't sure what you wanted me to copy and paste, but here is what I THINK you were looking for; tell me if I'm wrong.

Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.06 -
AntiVir 7.9.0.43 2008.12.08 -
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.07 -
BitDefender 7.2 2008.12.07 -
CAT-QuickHeal 10.00 2008.12.08 -
ClamAV 0.94.1 2008.12.07 -
Comodo 708 2008.12.08 -
DrWeb 4.44.0.09170 2008.12.08 -
eSafe 7.0.17.0 2008.12.08 -
eTrust-Vet 31.6.6246 2008.12.05 -
Ewido 4.0 2008.12.08 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.08 -
Fortinet 3.117.0.0 2008.12.07 -
GData 19 2008.12.07 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.548 2008.12.08 -
Kaspersky 7.0.0.125 2008.12.07 -
McAfee 5456 2008.12.06 -
McAfee+Artemis 5456 2008.12.06 -
Microsoft 1.4205 2008.12.08 -
NOD32 3670 2008.12.08 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.07 -
PCTools 4.4.2.0 2008.12.08 -
Prevx1 V2 2008.12.08 -
Rising 21.07.02.00 2008.12.08 -
SecureWeb-Gateway 6.7.6 2008.12.08 -
Sophos 4.36.0 2008.12.07 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.08 -
TheHacker 6.3.1.2.179 2008.12.06 -
TrendMicro 8.700.0.1004 2008.12.08 -
VBA32 3.12.8.10 2008.12.07 -
ViRobot 2008.12.6.1504 2008.12.06 -
VirusBuster 4.5.11.0 2008.12.08 -
Additional information
File size: 507904 bytes
MD5...: 679a7259741f6a09994f02ce261b5f2e
SHA1..: 65c19a973b4959f0dfd5c835d014edb2d6acacfe
SHA256: 05cacb0eb05f81bdd55b70e29701d6a936f577fe78959f26655eb23940a20a81
SHA512: 4e768e55a99c54fc84bbd43f0cc6d2f1dbe0cc46a886d42ea49616818cc5ac21d12f9512e0a71bcff0d14625c839eb53c3d3163ada08fdd44fde29ab8bc24ea7
ssdeep: 6144:fNZlxEdL5RvGlcHF37newMLao6nMnKHOD13PRnCfOVSePfLtisgZY3Z:gdz+lcDKao6nSKHs5qOMgxZg
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x103e5e1
timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x70991 0x70a00 6.82 619ab8c396e3277a9091005e8275283a
.data 0x72000 0x4e70 0x2000 6.28 fca073b60b2883dab4308d32c8083f1e
.rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187


( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.a...4f02ce261b5f2e
CWSandbox info: http://research.sunbelt-software.com...4f02ce261b5f2e
tanger is offline  
Old 12-15-2008, 11:13 PM   #12
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,562
OS: WinXP and Vista


Re: Does this HJT log look suspicious?

Even though the Virus Total results show nothing detected, I don't like the fact that winlogon.exe was recently modified, nor the MD5 listed with it:
Quote:
MD5...: 679a7259741f6a09994f02ce261b5f2e
As such, I think it prudent to replace it with a known good copy from your system.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

**NOTE**
This time around, be sure to allow ComboFix to install the Recovery Console. If the installation fails for any reason, click 'No' when prompted if you want to continue. Then come back and tell me of the error you received.

Open notepad and copy/paste the text in the code box below into it:

Quote:
FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-16-2008, 05:41 AM   #13
Registered User
 
Join Date: Aug 2007
Posts: 62
OS: XP SP3


Re: Does this HJT log look suspicious?

I did as instructed...recovery console was installed without problems and here is the log file.


ComboFix 08-12-15.01 - Warren 2008-12-16 7:37:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1533 [GMT -5:00]
Running from: c:\documents and settings\Warren\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Warren\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-13 01:06 . 2008-12-13 01:06 <DIR> d-------- c:\program files\Nobilis
2008-12-12 11:52 . 2008-12-12 11:54 <DIR> d-------- c:\program files\MathType
2008-12-11 16:02 . 2008-12-11 16:02 <DIR> d-------- c:\windows\nview
2008-12-11 16:02 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-11 16:02 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-11 16:02 . 2008-12-15 10:37 203,520 --a------ c:\windows\system32\nvapps.xml
2008-12-11 16:02 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-12-11 16:01 . 2008-12-11 16:01 <DIR> d-------- C:\NVIDIA
2008-12-11 14:08 . 2008-12-11 14:08 <DIR> d-------- c:\program files\Microsoft Works
2008-12-11 14:05 . 2008-12-11 15:06 <DIR> d-------- c:\windows\SHELLNEW
2008-12-11 13:43 . 2008-12-11 13:43 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-11 13:37 . 2008-12-11 13:37 <DIR> d-------- c:\documents and settings\Administrator
2008-12-10 15:20 . 2008-12-10 15:20 <DIR> d-------- c:\documents and settings\Warren\Application Data\vlc
2008-12-10 14:03 . 2008-12-11 12:46 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-04 00:47 . 2008-12-04 00:47 250 --a------ c:\windows\gmer.ini
2008-12-02 22:50 . 2008-12-02 22:50 79 --a------ c:\windows\wininit.ini
2008-12-02 14:34 . 2008-12-02 14:34 <DIR> d-------- c:\program files\Foxit Software
2008-12-02 11:15 . 2008-12-02 11:15 <DIR> d-------- c:\documents and settings\Warren\Application Data\Kaspersky_Key_Finder_(KKF
2008-11-28 00:34 . 2008-11-28 00:34 <DIR> d-------- c:\documents and settings\Warren\Application Data\Design Science
2008-11-28 00:29 . 2008-11-28 14:45 <DIR> d-------- c:\documents and settings\Warren\Application Data\gtk-2.0
2008-11-28 00:22 . 2008-11-28 00:22 <DIR> d-------- c:\documents and settings\Warren\Application Data\Inkscape
2008-11-28 00:21 . 2008-11-28 00:22 <DIR> d-------- c:\program files\Inkscape
2008-11-27 19:10 . 2008-11-27 19:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Alias
2008-11-26 21:24 . 2008-11-26 21:24 21,035 --a------ c:\windows\system32\drivers\AegisP.sys
2008-11-26 21:23 . 2008-11-26 21:23 <DIR> d-------- c:\program files\ASUS WiFi-AP Solo
2008-11-26 21:23 . 2006-06-16 15:30 176,128 --a------ c:\windows\system32\drivers\RTL8187.sys
2008-11-26 21:23 . 2006-03-31 04:39 13,532 --a------ c:\windows\system32\drivers\SjyPkt.sys
2008-11-26 17:35 . 2008-11-26 17:35 <DIR> d-------- c:\documents and settings\Warren\Application Data\pdf995
2008-11-26 17:35 . 2008-11-26 17:35 28 --a------ c:\windows\pdf995.ini
2008-11-26 17:34 . 2008-11-26 17:35 <DIR> d-------- c:\program files\pdf995
2008-11-26 17:34 . 2008-12-02 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\pdf995
2008-11-26 17:34 . 2008-11-26 17:34 249,856 --a------ c:\windows\system32\pdfmona.dll
2008-11-26 17:34 . 2008-11-26 17:34 51,716 --a------ c:\windows\system32\pdf995mon.dll
2008-11-26 17:34 . 2008-12-02 14:17 59 --a------ c:\windows\wpd99.drv
2008-11-21 23:10 . 2008-11-21 23:10 <DIR> d-------- c:\windows\Sun
2008-11-21 23:08 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-21 23:08 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-21 23:07 . 2008-12-03 09:05 <DIR> d-------- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 21:43 33,764 -csha-w c:\windows\system32\drivers\fidbox.idx
2008-12-15 21:43 3,781,152 -csha-w c:\windows\system32\drivers\fidbox.dat
2008-12-15 16:04 712,736 -csha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-15 16:04 5,612 -csha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-15 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-14 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-13 03:38 --------- d-----w c:\documents and settings\Warren\Application Data\uTorrent
2008-12-11 21:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 21:02 --------- d-----w c:\program files\AGEIA Technologies
2008-12-11 20:06 --------- d-----w c:\program files\MSBuild
2008-12-10 20:14 --------- d-----w c:\program files\VideoLAN
2008-12-02 19:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 00:10 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-28 00:10 --------- d-----w c:\documents and settings\Warren\Application Data\Autodesk
2008-11-28 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-11-27 02:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 14:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-17 06:10 --------- d-----w c:\program files\WorldOfGoo
2008-11-05 21:41 --------- d-----w c:\program files\iTunes
2008-11-05 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-05 21:40 --------- d-----w c:\program files\QuickTime
2008-11-05 21:40 --------- d-----w c:\program files\iPod
2008-11-05 21:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-05 21:40 --------- d-----w c:\program files\Bonjour
2008-11-05 21:40 --------- d-----w c:\program files\Apple Software Update
2008-11-05 05:02 --------- d-----w c:\program files\VS Revo Group
2008-11-05 03:34 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-11-05 01:03 --------- d-----w c:\program files\Common Files\Logitech
2008-11-05 01:03 --------- d-----w c:\program files\Common Files\Logishrd
2008-11-05 00:42 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2008-11-05 00:39 --------- d-----w c:\program files\Microsoft SDKs
2008-11-03 22:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-02 00:01 --------- d-----w c:\program files\THQ
2008-11-01 23:34 --------- d-----w c:\program files\Steam
2008-10-30 01:46 --------- d-----w c:\program files\Curve Expert
2008-10-27 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-10-27 20:23 --------- d-----w c:\documents and settings\Warren\Application Data\My Battle for Middle-earth(tm) II Files
2008-10-27 05:04 --------- d-----w c:\program files\EA GAMES
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 21:30 --------- d-----w c:\program files\Microsoft.NET
2008-10-22 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-22 16:11 --------- d-----w c:\program files\Reference Assemblies
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 14:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
2008-10-07 14:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-10-07 14:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 14:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-07-18 18:06 47,360 -c--a-w c:\documents and settings\Warren\Application Data\pcouffin.sys
2006-06-23 18:48 32,768 -c--a-w c:\windows\inf\UpdateUSB.exe
2004-08-04 12:00 73,728 -csha-w c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

------- Sigcheck -------

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-07-11 23:10 360320 b3acff769e44cc8ae708ab740a52cf5d c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-05-02 17:26 360064 8283a4d489b207991efdc8328733d0bc c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-12-15_16.45.29.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:39 507,904 -c--a-w c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-11-26 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-04 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-11-16 18:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a--c--- 2005-02-02 03:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 14:01 1037736 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2008-03-14 18:50 233472 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
-----c--- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2006-12-18 20:34 868352 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-10 05:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\warrenlightning\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-11-26 176128]
R3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys [2008-11-26 13532]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67b0ce98-414d-11dd-94ec-0015af291d0c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84b05056-adcd-11dd-9591-0015af291d0c}]
\Shell\Auto\command - sxs2.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8532678-8e23-11dd-9552-0015af291d0c}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com

*Newly Created Service* - CATCHME
*Newly Created Service* - SJYPKT
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Warren\Application Data\Mozilla\Firefox\Profiles\po1w7agd.default\
FF - prefs.js: browser.startup.homepage - www.tsn.ca
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 07:38:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\klogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2008-12-16 7:38:35
ComboFix-quarantined-files.txt 2008-12-16 12:38:33
ComboFix2.txt 2008-12-15 21:45:46

Pre-Run: 177,885,822,976 bytes free
Post-Run: 177,866,371,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noguiboot

265 --- E O F --- 2008-12-14 16:28:37
tanger is offline  
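Ried's concern in post #12 (a winlogon.exe whose MD5 no longer matches a known-good copy) and the Sigcheck section of the ComboFix log above can be checked mechanically. The script below is an added example, not code from this thread or from ComboFix: it parses Sigcheck-style lines and flags any live binary under system32 whose MD5 differs from its dllcache copy, while treating a differing ServicePackFiles copy as the expected result of a later hotfix (as the tcpip.sys lines show). The tcpip.sys lines are copied from the log; the winlogon.exe lines, the all-zero reference hash, the timestamps and the `c:\windows` path constants are constructed assumptions.

```python
"""Integrity triage for Windows system binaries from ComboFix "Sigcheck" lines."""
import hashlib
import re

# One Sigcheck line: "YYYY-MM-DD HH:MM <size> <md5> <path>" (format as in the log above).
SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)

# Assumed locations (a default XP install); adjust for a different %SystemRoot%.
SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = SYSTEM32 + "dllcache\\"                     # Windows File Protection cache
SP_FILES = "c:\\windows\\servicepackfiles\\i386\\"      # service pack baseline

# Sample input.  The three tcpip.sys lines are copied from the ComboFix log
# above.  The three winlogon.exe lines are CONSTRUCTED: the live-copy MD5 is
# the one Ried quoted, the reference MD5 (all zeros) is a placeholder and not
# a real winlogon.exe hash, and the timestamps are made up.
SAMPLE_LOG = """\
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\\windows\\ServicePackFiles\\i386\\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\\windows\\system32\\dllcache\\TCPIP.SYS
2008-09-28 11:11 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\\windows\\system32\\drivers\\TCPIP.SYS
2008-04-14 00:12 507904 00000000000000000000000000000000 c:\\windows\\ServicePackFiles\\i386\\winlogon.exe
2008-04-14 00:12 507904 00000000000000000000000000000000 c:\\windows\\system32\\dllcache\\winlogon.exe
2008-12-10 03:21 507904 679a7259741f6a09994f02ce261b5f2e c:\\windows\\system32\\winlogon.exe
"""


def parse_sigcheck(text):
    """Map lowercase path -> (size, md5) for every Sigcheck line in text."""
    entries = {}
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries[m["path"].lower()] = (int(m["size"]), m["md5"].lower())
    return entries


def is_live_copy(path):
    """True for a file under system32 that is not itself the dllcache backup."""
    return path.startswith(SYSTEM32) and not path.startswith(DLLCACHE)


def check_against_dllcache(entries):
    """Return {live_path: verdict}.

    Rule: a protected binary under system32 must hash-match its dllcache copy,
    because Windows File Protection and hotfix installers update both together.
    ServicePackFiles\\i386 is only the service-pack baseline; the tcpip.sys
    lines above show it differing legitimately after a later hotfix, so that
    difference on its own is not flagged.
    """
    verdicts = {}
    for path, (size, md5) in entries.items():
        if not is_live_copy(path):
            continue
        name = path.rsplit("\\", 1)[-1]          # dllcache is flat: match on file name
        cached = entries.get(DLLCACHE + name)
        if cached is None:
            verdicts[path] = "no dllcache copy to compare"
        elif cached[1] == md5:
            verdicts[path] = "matches dllcache"
        else:
            verdicts[path] = (f"MISMATCH: live md5 {md5} != dllcache md5 {cached[1]}"
                              f" (size {size} vs {cached[0]})")
    return verdicts


def suspicious(entries):
    """Sorted live paths whose hash differs from their dllcache copy."""
    return sorted(p for p, v in check_against_dllcache(entries).items()
                  if v.startswith("MISMATCH"))


def reference_copies(entries, name):
    """Hashes of the logged backup copies of `name`, to choose a restore source."""
    name = name.lower()
    return {loc: entries[loc + name][1]
            for loc in (DLLCACHE, SP_FILES) if loc + name in entries}


def md5_of_file(path):
    """MD5 of a file on disk, for re-checking a copy after a repair such as FCopy."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    parsed = parse_sigcheck(SAMPLE_LOG)
    for live_path, verdict in check_against_dllcache(parsed).items():
        print(f"{live_path}: {verdict}")
    for bad in suspicious(parsed):
        print("restore candidates:", reference_copies(parsed, bad.rsplit("\\", 1)[-1]))
```

After a repair, run `md5_of_file` on the live copy and compare it with the dllcache and ServicePackFiles hashes before trusting the system again.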
Old 12-16-2008, 06:40 AM   #14
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 


Re: Does this HJT log look suspicious?

Let's continue. :)

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Flash_Disinfector.exe and save it to your desktop.

Insert what is typically your E:\ drive. Keep it inserted until all steps listed below have been completed, including the online scan.

---------------------------------------------------------------------

Close/disable all anti virus and anti malware programs so they do not interfere with the running of the tools.

---------------------------------------------------------------------

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

----------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:
File::
E:\t.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84b05056-adcd-11dd-9591-0015af291d0c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8532678-8e23-11dd-9552-0015af291d0c}]
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
Ried is offline  
Old 12-16-2008, 07:28 AM   #15
Registered User
 


Re: Does this HJT log look suspicious?

OK, after running Flash Disinfector, I rebooted. Once Windows started, the welcome screen showed up (where I have to select the user account), which never happens. So I select my account, then it asks me to activate Windows; I enter my key and it says my key has been activated too many times. Now I can't get past this activation wizard, it just keeps logging me off (I'm typing this from my laptop).
tanger is offline  
Old 12-16-2008, 02:23 PM   #16
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 


Re: Does this HJT log look suspicious?

1. Restart your computer


2. Before Windows loads, you will be prompted to choose which Operating System to start

3. Use the up and down arrow key to select Microsoft Windows Recovery Console

4. You must enter which Windows installation to log onto. Type 1 and press enter.

5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.

8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

Let me know if Windows loaded successfully
Ried is offline  
Old 12-16-2008, 02:41 PM   #17
Registered User
 


Re: Does this HJT log look suspicious?

After entering "batch erdnt.con" into the recovery console, it proceeded to copy 10 files. I typed exit, and my computer restarted, but the activation wizard pops up again and I can't log in.
tanger is offline  
Old 12-16-2008, 04:03 PM   #18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 


Re: Does this HJT log look suspicious?

Do you get the same message when you try to activate Windows?
Ried is offline  
Old 12-16-2008, 04:25 PM   #19
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 


Re: Does this HJT log look suspicious?

Restart your system tapping F8. When the menu appears, select Last Known Good Configuration.
Ried is offline  
Old 12-16-2008, 06:13 PM   #20
Registered User
 


Re: Does this HJT log look suspicious?

1) I get the same message when I try to activate Windows

2) I restarted with Last Known Good Config...same problem, can't get past activation
tanger is offline  
 


Copyright 2001 - 2009, Tech Support Forum