Registered · 296 Posts · Discussion Starter · #1
Trying to get it; I've hit it with Malwarebytes, Spybot, and a few HJT scans, but this is a little beyond my abilities.

Under normal login we can't access Task Manager, and any time we've tried installing a new program the "antivirus" malware pops up saying that it's a dangerous file and that it's been blocked.

Here are the logs.
Sorry if that came out sounding weird, I'm exhausted here.



DDS (Ver_09-07-30.01) - NTFSx86
Run by Steve at 16:01:27.65 on Sun 09/13/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.568 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 090913-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1248808547&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [HPWU_MPM_Agent] c:\program files\hp\hp officejet pro k550 series\toolbox\mpm.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = wusorevo.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-20 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-20 138680]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-20 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-20 352920]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2006-8-31 14092]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2005-10-1 15576]
S4 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-6-4 451904]
S4 NSDAHHPW;NSDAHHPW;c:\docume~1\admini~1\locals~1\temp\NSDAHHPW.exe [2009-9-12 498560]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-11-19 1251720]

=============== Created Last 30 ================

2009-09-12 15:41 <DIR> --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-09-12 15:41 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 15:41 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-12 15:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-12 15:28 <DIR> --d----- c:\program files\CCleaner
2009-09-11 21:52 <DIR> --d----- c:\program files\Trend Micro
2009-09-11 15:32 16 a------- c:\windows\pxydb.dat
2009-09-11 15:32 19,584 ac------ c:\windows\system32\dllcache\rasirda.sys
2009-09-11 15:32 19,584 a------- c:\windows\system32\drivers\rasirda.sys
2009-09-11 15:22 26,112 ac------ c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-11 15:21 35,328 ac------ c:\windows\system32\dllcache\iprip.dll
2009-09-11 15:20 331,264 ac------ c:\windows\system32\dllcache\aqueue.dll
2009-09-11 15:18 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-11 15:18 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-11 15:18 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-11 15:18 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-11 15:18 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-11 15:18 <DIR> --d----- c:\program files\Online Services
2009-09-11 15:17 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-09-11 15:06 1,875,968 ac------ c:\windows\system32\dllcache\msir3jp.lex
2009-09-11 15:05 6,144 a------- c:\windows\system32\kbd101b.dll
2009-09-11 13:45 0 a------- c:\windows\system32\41.exe
2009-09-11 13:38 19,967 a------- C:\udtcnn.exe
2009-09-10 17:13 <DIR> --d----- c:\program files\iPod
2009-09-10 17:13 <DIR> --d----- c:\program files\iTunes
2009-09-10 17:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 17:12 <DIR> --d----- c:\program files\Bonjour
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-08-28 21:32 <DIR> --d----- c:\docume~1\steve\applic~1\HpUpdate

==================== Find3M ====================

2009-09-11 15:16 23,428 a------- c:\windows\system32\emptyregdb.dat
2009-09-11 15:07 2,396 a------- c:\windows\system32\PerfStringBackup.TMP
2009-08-18 18:11 144,536 a------- c:\docume~1\steve\applic~1\GDIPFONTCACHEV1.DAT
2009-07-29 21:11 410,984 a------- c:\windows\system32\deploytk.dll
2006-01-01 16:13 29,696 a------- c:\program files\c_378_us0_biz_10psht_prt.doc

============= FINISH: 16:02:13.59 ===============
 


TSF Security Manager, Emeritus · 42,836 Posts
Hi darklordryu,

I'd like to see the log from Malwarebytes, please.
 

Registered · 296 Posts · Discussion Starter · #3
I'm sorry, I'm doing this for someone in another state, so it may take a little while, but I do have a screencap of the last scan. I'll get the real log as soon as I can.

These two results keep popping up, and we're getting rid of them, but they keep coming back.

And in HijackThis there are several values as well that just won't go away.
 


TSF Security Manager, Emeritus · 42,836 Posts
I appreciate the image, but I want to see what it has removed thus far. Post it when you are able.
 

TSF Security Manager, Emeritus · 42,836 Posts
Thank you. : )

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as it will interfere with our tools and the removal.

Right click on the Avast! icon in the system tray and choose (***Stop On-Access Protection***)

Right click, > Program Settings > Troubleshooting > Tick disable self defense

====================================================


Double click on combofix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

Registered · 296 Posts
Here's the ComboFix log.
The user is saying all seems good; he ran Malwarebytes and said nothing came up.

More to scan?

ComboFix 09-09-14.02 - Steve 09/14/2009 22:30.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.533 [GMT -4:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090914-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Steve\Desktop\TRAINE~1\Training\TURBUL~1\FAT-lo~1.exe
c:\documents and settings\Steve\My Documents\ZbThumbnail.info
c:\recycler\S-1-5-21-1282263992-573764131-2833766345-1003
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\windows\system\GZinf60593.drv
c:\windows\system\GZinf60779.drv
c:\windows\system32\41.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-12 19:41 . 2009-09-12 19:41 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-09-12 19:41 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 19:41 . 2009-09-12 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 19:41 . 2009-09-12 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-12 19:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-12 19:28 . 2009-09-12 19:28 -------- d-----w- c:\program files\CCleaner
2009-09-12 13:24 . 2009-09-12 13:24 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-12 13:23 . 2009-09-12 13:23 150344 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 01:52 . 2009-09-12 01:52 -------- d-----w- c:\program files\Trend Micro
2009-09-11 19:32 . 2009-09-11 19:32 16 ----a-w- c:\windows\pxydb.dat
2009-09-11 19:32 . 2001-08-17 17:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-09-11 19:32 . 2001-08-17 17:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2009-09-11 19:22 . 2001-08-18 02:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-11 19:21 . 2004-08-04 12:00 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
2009-09-11 19:20 . 2004-08-04 12:00 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2009-09-11 19:17 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-09-11 19:06 . 2004-08-04 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-09-11 19:05 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-09-11 19:05 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-09-11 19:05 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-09-11 19:05 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-09-11 19:05 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-09-11 17:38 . 2009-09-11 17:38 19967 ----a-w- C:\udtcnn.exe
2009-09-10 21:13 . 2009-09-10 21:13 -------- d-----w- c:\program files\iPod
2009-09-10 21:13 . 2009-09-10 21:14 -------- d-----w- c:\program files\iTunes
2009-09-10 21:13 . 2009-09-10 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 21:12 . 2009-09-10 21:12 -------- d-----w- c:\program files\Bonjour
2009-09-10 21:09 . 2009-09-10 21:09 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Apple
2009-09-10 21:09 . 2009-09-10 21:09 -------- d-----w- c:\program files\Apple Software Update
2009-09-10 21:09 . 2009-09-10 21:14 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-10 21:08 . 2009-09-10 21:13 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 21:08 . 2009-09-10 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-29 01:33 . 2009-08-29 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-08-29 01:32 . 2009-08-29 01:33 -------- d-----w- c:\documents and settings\Steve\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 00:33 . 2009-08-13 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-13 16:23 . 2005-10-01 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-12 21:05 . 2005-10-10 02:29 150344 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 13:33 . 2007-01-21 02:55 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-12 02:02 . 2005-10-01 09:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 19:16 . 2004-08-07 12:54 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 19:07 . 2009-09-11 19:07 2396 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-09-11 00:19 . 2005-05-07 09:41 -------- d-----w- c:\program files\QuickTime
2009-09-10 21:11 . 2005-05-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-29 01:32 . 2005-05-07 09:37 -------- d-----w- c:\program files\Hp
2009-08-17 16:10 . 2008-12-21 03:13 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-12-21 03:13 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-12-21 03:13 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-12-21 03:13 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-12-21 03:13 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-12-21 03:13 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-12-21 03:13 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-12-21 03:13 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-12-21 03:13 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-12 21:34 . 2009-05-22 16:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-12 20:41 . 2009-08-12 20:41 -------- d-----w- c:\documents and settings\Steve\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-08-12 17:15 . 2009-08-12 17:15 -------- d-----w- c:\program files\TweetDeck
2009-08-06 22:18 . 2009-08-06 22:18 -------- d-----w- c:\program files\MSBuild
2009-08-06 22:17 . 2009-08-06 22:17 -------- d-----w- c:\program files\Reference Assemblies
2009-07-31 18:28 . 2009-07-31 18:28 -------- d-----w- c:\program files\Flip Video
2009-07-31 18:28 . 2009-07-31 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2009-07-30 01:11 . 2009-07-30 01:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-30 01:11 . 2005-05-07 09:13 -------- d-----w- c:\program files\Java
2009-07-30 01:10 . 2009-07-30 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-24 18:35 . 2009-07-24 18:35 -------- d-----w- c:\program files\Adobe Media Player
2006-01-01 20:13 . 2006-01-01 20:13 29696 ----a-w- c:\program files\c_378_us0_biz_10psht_prt.doc
2007-07-19 11:57 . 2007-05-16 19:27 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-12-13 03:12 . 2007-01-21 02:43 66648 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2007-01-21 02:43 54352 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2007-01-21 02:43 34928 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2007-01-21 02:43 46696 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2007-01-21 02:43 172120 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-09 339968]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-09-19 352256]
"HPWU_MPM_Agent"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\mpm.exe" [2005-09-19 106496]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-20 1836544]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-30 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-10-27 184320]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-8-31 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/20/2008 11:13 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/20/2008 11:13 PM 20560]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [8/31/2006 12:26 PM 14092]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [10/1/2005 1:39 AM 15576]
S4 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [6/4/2009 5:41 PM 451904]
S4 NSDAHHPW;NSDAHHPW;c:\docume~1\ADMINI~1\LOCALS~1\Temp\NSDAHHPW.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\NSDAHHPW.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-14 c:\windows\Tasks\User_Feed_Synchronization-{0D268CE5-3E7D-4690-9E72-906AF524BFE3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1248808547&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\94532zkr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe InDesign 2.0 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\InDesign 2.0\Uninst.isu
AddRemove-Adobe Photoshop 7.0 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\Photoshop 7.0\Uninst.isu
AddRemove-Canon Digital Camera USB WIA Driver - c:\windows\IsUninst.exe -fc:\program files\Canon\DC USB WIA\Uninst.isu
AddRemove-HP Officejet Pro K550 Series - c:\program files\HP\Digital Imaging\{D2355E6F-5004-4e44-B63C-2E58DCB4C29B}\setup\hpzscr01.exe -datfile hpwscr03.dat
AddRemove-Vesteon Software Personal Trainer-PDA for PalmOS - c:\windows\ctpu.exe -uc:\program files\Vesteon Software\Personal Trainer-PDA\install.log



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 22:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?7?4?2??P???? ???B?????????????H<C? ??????
HPWU_MPM_Agent = c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\mpm.exe???????w???w? ??????????????????4??wT???u???????????9??]????????T???9??][email protected]????A?wu???T?????j?????????????????????????????????????????????4???P???l???g??w?A?w?????A?w???w???

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes
c:\windows\system32\wuapi.dll.wusetup.285890.bak 430592 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.286796.bak 111104 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.287250.bak 162304 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.288218.bak 1134592 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3836)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\HPQ\Shared\hpqwmi.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-15 22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 02:45

Pre-Run: 34,505,961,472 bytes free
Post-Run: 34,582,085,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

254 --- E O F --- 2009-09-09 17:48
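The "LOCKED REGISTRY KEYS" block in the log above lists keys ComboFix could not open because an access-control entry denies Everyone (the "@Denied: (A 2) (Everyone)" lines). Adobe Flash Player's FlashBroker CLSID is registered that way by design, so on its own a locked key is not a verdict; what matters is which binary the locked CLSID's LocalServer32/InprocServer32 value points at. The script below is an added example, not code from the thread or from ComboFix: it parses that block and flags locked CLSIDs whose server binary sits outside the Windows or Program Files directories. The sample text is the FlashBroker entries from the log plus one constructed, all-zero CLSID pointing at c:\udtcnn.exe (the file the helper asks to be deleted; its having a locked key is an assumption made only to exercise the check), and the trusted-prefix list is a heuristic of my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: FlashBroker keys copied from the log, plus a made-up
# {00000000-...} CLSID whose server lives outside the OS directories.
SAMPLE_BLOCK = r"""
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
@Denied: (A 2) (Everyone)
@="Example (constructed)"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\LocalServer32]
@="c:\\udtcnn.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DENIED_RE = re.compile(r"^@Denied:\s*\((?P<mask>[^)]*)\)\s*\((?P<who>[^)]*)\)$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')

# Heuristic (my assumption): server binaries are expected under these roots.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def _unescape_reg_string(data: str) -> str:
    """Turn a .reg-style string ("c:\\\\dir\\\\x.exe") into a plain path."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace("\\\\", "\\").replace('\\"', '"')


def parse_locked_keys(text: str) -> List[dict]:
    """One record per [key] header: its deny ACEs and its name=data values."""
    records: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group("key"), "denied": [], "values": {}}
            records.append(current)
            continue
        if current is None:
            continue  # stray line before the first key header
        m = DENIED_RE.match(line)
        if m:
            current["denied"].append((m.group("mask"), m.group("who")))
            continue
        m = VALUE_RE.match(line)
        if m:
            current["values"][m.group("name").strip('"')] = m.group("data")
    return records


def clsid_root(key: str) -> str:
    """Strip the subkey (LocalServer32, TypeLib, ...) so one CLSID groups together."""
    m = re.search(r"\\CLSID\\(\{[^}]+\})", key, re.IGNORECASE)
    return m.group(1).upper() if m else key


def server_binaries(records: List[dict]) -> Dict[str, str]:
    """Map each CLSID to the executable its *Server32 default value names."""
    out: Dict[str, str] = {}
    for rec in records:
        tail = rec["key"].rsplit("\\", 1)[-1].lower()
        if tail in ("localserver32", "inprocserver32") and "@" in rec["values"]:
            path = _unescape_reg_string(rec["values"]["@"])
            # Drop command-line arguments after the executable, quoted or not.
            if path.startswith('"'):
                path = path[1:].split('"', 1)[0]
            else:
                path = path.split(" /", 1)[0]
            out[clsid_root(rec["key"])] = path
    return out


def denied_clsids(records: List[dict]) -> set:
    """CLSIDs that carry at least one @Denied ACE anywhere under them."""
    return {clsid_root(r["key"]) for r in records if r["denied"]}


def flag_suspicious(records: List[dict], trusted=TRUSTED_PREFIXES) -> List[Tuple[str, str]]:
    """Locked CLSIDs whose server binary lives outside the trusted roots."""
    binaries = server_binaries(records)
    hits = []
    for clsid in sorted(denied_clsids(records)):
        path = binaries.get(clsid)
        if path and not path.lower().startswith(trusted):
            hits.append((clsid, path))
    return hits


if __name__ == "__main__":
    recs = parse_locked_keys(SAMPLE_BLOCK)
    for clsid, path in flag_suspicious(recs):
        print(f"locked CLSID {clsid} -> {path} (outside trusted directories)")
```

Run against the real block, the FlashBroker CLSID resolves to FlashUtil10c.exe under system32 and is not reported; only the constructed entry is. A deny ACE on a key that points at a binary in the drive root, a user profile or a temp directory is the pattern worth a closer look, since legitimate COM servers rarely need to hide their registration from Everyone.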

TSF Security Manager, Emeritus:
Hi darklordryu,

One more file that needs to go. Delete C:\udtcnn.exe. If it resists deletion, delete it from Safe Mode.

I realize online scans are time consuming, but it is important to run this online scan to search for any remnants. Please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

TSF Security Manager, Emeritus:
I think we are safe to consider that finding a false positive. :smile:

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type, the following text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect the computer in the future, have your friend look into the following free programs if they do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.

- Update, and scan with your onboard anti-malware and antivirus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

- Most importantly, Think Prevention.

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.

Discussion Starter · #11:
Excellent, we're all set; the user isn't seeing any more problems on his end. Thank you for the help.

Just two quick questions. I'm a comp. networking major with a pretty hefty interest in stuff like this; my first question would be how you learned as much as you have about this kind of stuff? I can solve routine problems, I can recognize an entry in HijackThis that shouldn't be there and the like, but I would absolutely love to learn more... but I saw the TSF wasn't accepting more people.

And my other question is: on my end I run Symantec Endpoint Protection (and that alone) along with regular Spybot scans, and HijackThis and CCleaner to make sure nothing has snuck in. Are there other programs you'd recommend for daily preventative maintenance?

TSF Security Manager, Emeritus:
It takes an enormous amount of time, dedication, reading, research, and experience to learn how to recognize, and effectively remove, today's malware. HijackThis has its uses, but no longer provides enough information in regard to today's malware, which is why we use scanning tools such as dds.scr or rsit.exe.

As far as the protection you've set up for yourself, it is quite effective for the majority of malware out there. As of the time of this posting, none of the commercial applications can stop these newest nasties, which most commonly arrive on a machine via P2P file sharing, crack programs, and even some legitimate sites that have weak security which the malware writers were able to take advantage of and park some code on. :sigh: