Tech Support Forum
Status
Not open for further replies.
1 - 3 of 3 Posts

Discussion Starter · #1 ·
Hey guys,

Obviously I've tried quite a few different things with no luck.

I'm using a MacBook Pro but running VMware Fusion, which is an emulation system for Windows. So on my 'PC' I'm running XP, which has apparently been infected. One big thing is that my Control+Alt+Del seems to be killed by the virus. I've tried disabling the Ctrl+Alt+Del option, entering msconfig in the Run box and a few other things. The box will pop up and then get killed after a second. Frustrating. I'm posting my HJT log as well as a picture of a .exe that I know is BS. This is very aggravating because I can't get to the damn processes to stop running them. I've also run multiple scans with Spybot and Ad-Aware. Of course they find malware threats and delete them. But upon a rescan they find more... even when my computer is disconnected from the network. I would just delete the Windows emulation and start up a new one, but I'm an insurance adjuster and have very sensitive data and programs running.

Any and all help would be much, much appreciated!

Ok. HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:52 PM, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\spoclsv.exe
C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe
C:\Documents and Settings\Administrator\Application Data\Twain\Twain.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [cc532de5] rundll32.exe "C:\WINDOWS\system32\gbowhnmo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [svcshare] C:\WINDOWS\system32\drivers\spoclsv.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe" 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Administrator\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [GetPack24] "C:\Program Files\GetPack\GetPack24.exe"
O4 - HKCU\..\Run: [owqu] C:\PROGRA~1\COMMON~1\owqu\owqum.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: ssvxpk.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint GmbH - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
O23 - Service: VMware Physical Disk Helper Service - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmacthlp.exe

--

That damn 'spol' .exe.....

End of file - 4800 bytes
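The O4 (Run key) and O20 (AppInit_DLLs) lines are the part of a HijackThis log worth reading first, because they are the persistence points the infection uses to come back after every Spybot or Ad-Aware cleanup. What follows is an added example, not code from the original post or from HijackThis: a small Python triage script that parses those two line types and flags the patterns a reviewer looks for, namely a binary launched from a user profile directory, an .exe sitting under system32\drivers, rundll32 loading a DLL at logon, a non-empty AppInit_DLLs value, and key or file names that look machine-generated. The sample input is a constructed subset of the log lines above (the long hex argument on the gadcom line is shortened); the KNOWN_WINDOWS allowlist and the thresholds inside looks_random are assumptions chosen for this example, not anything HijackThis itself does.

```python
"""Triage of HijackThis O4 (Run keys) and O20 (AppInit_DLLs) lines.

Added example, not from the original post or from HijackThis itself.
Heuristic thresholds and the KNOWN_WINDOWS allowlist are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a subset of the O4/O20 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [cc532de5] rundll32.exe "C:\WINDOWS\system32\gbowhnmo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svcshare] C:\WINDOWS\system32\drivers\spoclsv.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Administrator\Application Data\gadcom\gadcom.exe" 61A847B5
O4 - HKCU\..\Run: [owqu] C:\PROGRA~1\COMMON~1\owqu\owqum.exe
O20 - AppInit_DLLs: ssvxpk.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

# Assumption: stock Windows XP names that would otherwise trip the random-name
# check ("ctfmon" has a four-consonant run). Extend this for your own baseline.
KNOWN_WINDOWS = {"ctfmon", "explorer", "msmsgs", "rundll32", "svchost"}
CONSONANTS = r"[b-df-hj-np-tv-z]"


def looks_random(token: str) -> bool:
    """Flag machine-generated looking names: hex blobs, long consonant runs,
    or almost no vowels. Applied only to single alphanumeric tokens."""
    t = token.lower()
    if not re.fullmatch(r"[a-z0-9]{5,}", t) or t in KNOWN_WINDOWS:
        return False
    if re.fullmatch(r"[0-9a-f]{8,}", t):
        return True
    letters = [c for c in t if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(CONSONANTS + "+", t)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4


def target_path(cmd: str) -> str:
    """Return the file that actually runs: the quoted or first token, or the
    DLL argument when the launcher is rundll32 ("<dll>,<entrypoint>")."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        end = len(cmd) if end < 0 else end
        first, rest = cmd[1:end], cmd[end + 1:]
    else:
        # Unquoted paths may contain spaces, so cut at the first executable suffix.
        m = re.match(r"(.+?\.(?:exe|dll|com|scr))(?:\s+|$)", cmd, re.I)
        first, rest = (m.group(1), cmd[m.end():]) if m else (cmd.split()[0], "")
    if first.lower().endswith("rundll32.exe") and rest.strip():
        return rest.strip().strip('"').split(",")[0].strip('"')
    return first


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stem(name: str) -> str:
    return name.rsplit(".", 1)[0]


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def assess_run_entry(key: str, cmd: str) -> List[str]:
    """Reasons a Run-key entry deserves a second look (empty list = nothing seen)."""
    path = target_path(cmd)
    low = path.lower()
    name = basename(path)
    reasons: List[str] = []
    if "\\documents and settings\\" in low or "\\application data\\" in low:
        reasons.append("launches from a user profile directory")
    if "\\drivers\\" in low and low.endswith(".exe"):
        reasons.append("an .exe stored under system32\\drivers")
    if cmd.lower().lstrip('"').startswith("rundll32") and low.endswith(".dll"):
        reasons.append(f"rundll32 loads {name} at logon")
    if looks_random(key) or looks_random(stem(name)):
        reasons.append("random-looking key or file name")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse O4/O20 lines and return only the entries that raised a reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if m := O4_RE.match(line):
            reasons = assess_run_entry(m["key"], m["cmd"])
        elif m := O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            reasons.append("AppInit_DLLs is set (injected into every GUI process)")
            for dll in re.split(r"[,\s]+", m["dlls"].strip()):
                if dll and looks_random(stem(basename(dll))):
                    reasons.append(f"random-looking DLL name: {dll}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the script flags the cc532de5/gbowhnmo.dll, svcshare/spoclsv.exe and gadcom.exe entries plus the AppInit_DLLs value, and leaves the VMware and ctfmon lines alone; those four files are exactly the ones that show up under "Other Deletions" in the ComboFix output later in the thread. It does not flag owqum.exe, which has a pronounceable name in an ordinary-looking Common Files path, so heuristics like these narrow the list but do not replace reading every O4 line.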
 

Discussion Starter · #2 ·
:sigh:

ComboFix 08-11-10.01 - Administrator 2008-11-11 14:40:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.242 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\gadcom
c:\documents and settings\Administrator\Application Data\gadcom\gadcom.exe
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\windows\system32\124909
c:\windows\system32\124909\124909.dll
c:\windows\system32\ddcDwWpo.dll
c:\windows\system32\drivers\spoclsv.exe
c:\windows\system32\gbowhnmo.dll
c:\windows\system32\hntidmyn.ini
c:\windows\system32\HNWycMoq.ini
c:\windows\system32\HNWycMoq.ini2
c:\windows\system32\hyyaxgkv.dll
c:\windows\system32\ntttddxh.dll
c:\windows\system32\omnhwobg.ini
c:\windows\system32\qoMcyWNH.dll
c:\windows\system32\sjvrly.dll
c:\windows\system32\ssvxpk.dll
c:\windows\system32\tjhxwf.dll
c:\windows\system32\tjxidgrr.dll
c:\windows\system32\ucttaakd.dll
c:\windows\system32\winrvc32.dll
c:\windows\system32\wvUlMGYq.dll
c:\windows\system32\yznnja.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 13:34 . 2008-11-11 13:34 <DIR> d-------- c:\program files\Trend Micro
2008-11-11 13:05 . 2008-11-11 13:05 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-10 21:40 . 2008-11-10 21:40 152 --a------ c:\windows\wininit.ini
2008-11-10 21:22 . 2008-11-11 12:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 21:22 . 2008-11-11 12:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 16:20 . 2008-11-10 16:20 <DIR> d-------- c:\program files\Lavasoft
2008-11-10 16:20 . 2008-11-10 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-10 16:19 . 2008-11-10 16:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-10 15:53 . 2008-11-11 03:52 <DIR> d--hs---- c:\windows\RGF2ZQ
2008-11-10 14:40 . 2008-11-10 14:40 <DIR> d-------- c:\windows\owqu
2008-11-10 14:40 . 2008-11-10 16:28 <DIR> d-------- c:\program files\Common Files\owqu
2008-11-10 14:25 . 2008-11-10 14:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Twain
2008-11-10 14:20 . 2008-11-10 14:20 <DIR> d-------- c:\program files\Webtools
2008-11-08 18:27 . 2008-11-08 18:27 127,488 --a------ C:\cyeybmf.exe
2008-11-08 18:27 . 2008-11-08 18:27 124,928 --a------ c:\windows\system32\ilslhq.dll
2008-11-08 18:27 . 2008-11-08 18:27 2 --a------ C:\-866964150
2008-11-08 17:40 . 2008-11-08 18:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GetRightToGo
2008-10-11 21:13 . 2008-07-31 14:35 372,736 --a------ c:\windows\system32\fppmon3.dll
2008-10-11 21:13 . 2008-07-31 14:35 278,528 --a------ c:\windows\system32\fppr332.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 03:16 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-11-08 18:22 --------- d-----w c:\program files\Microsoft SQL Server
2008-10-31 16:59 --------- d-----w c:\documents and settings\Administrator\Application Data\HP
2008-09-23 14:23 --------- d-----w c:\program files\HP
2008-09-23 14:23 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-09-23 14:22 --------- d-----w c:\program files\Common Files\HP
2008-09-23 14:21 --------- d-----w c:\program files\Hewlett-Packard
2008-09-23 14:19 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-09-21 04:22 --------- d-----w c:\program files\Stardock
2008-09-21 04:09 --------- d-----w c:\program files\CCleaner
2008-09-16 11:58 --------- d-----w c:\program files\Common Files\Borland Shared
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2008-08-22 125488]
"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2008-08-22 375344]
"MSConfig"="c:\windows\pchealth\helpctr\binaries\msconfig.exe" [2004-08-04 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2008-08-22 15:06 364544 c:\windows\system32\TPSvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ssvxpk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v3]
--a------ 2008-07-31 14:35 565248 c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-24 15:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Browser"=2 (0x2)
"BITS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-08-22 17968]
R2 hgfs;hgfs;c:\windows\system32\DRIVERS\hgfs.sys [2008-08-22 92592]
R2 LGTO_Sync;Sync Driver;c:\windows\system32\Drivers\lgtosync.sys [2008-08-22 36400]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-08-22 15408]
R2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [2008-08-22 277040]
R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\VMware\VMware Tools\vmacthlp.exe [2008-08-22 182832]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys [2008-08-22 11696]
R3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys [2008-08-22 62768]
R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys [2008-08-22 36016]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2008-08-22 294912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb858541-8979-11dd-b2e5-000c298014a4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-10-30 c:\windows\Tasks\WebReg Officejet 5600 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-11 23:21]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0524B01A-F7AF-4665-8BE1-BE460478A4FF} - c:\windows\system32\wvUlMGYq.dll
BHO-{53209944-E4BD-442A-BBCD-5DE6C19F27BE} - c:\windows\system32\qoMcyWNH.dll
BHO-{e07dcb03-8b11-42d3-9800-2822aa8082fa} - c:\windows\system32\ssvxpk.dll
HKLM-Run-cc532de5 - c:\windows\system32\gbowhnmo.dll
ShellExecuteHooks-{0524B01A-F7AF-4665-8BE1-BE460478A4FF} - c:\windows\system32\wvUlMGYq.dll
MSConfigStartUp-cc532de5 - c:\windows\system32\gbowhnmo.dll
MSConfigStartUp-GetPack24 - c:\program files\GetPack\GetPack24.exe
MSConfigStartUp-owqu - c:\progra~1\COMMON~1\owqu\owqum.exe
MSConfigStartUp-svcshare - c:\windows\system32\drivers\spoclsv.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 14:43:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-11 14:43:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 14:43:54

Pre-Run: 25,667,993,600 bytes free
Post-Run: 25,619,525,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
