
random .dll files in system32; host file changes

3978 Views 18 Replies 4 Participants Last post by  Ried
I've been trying to kill this virus for a few days with ComboFix and HJT logs with no success... :(

symptoms:
1. C:\Windows\Update.dll
basically adds a bunch of .cn (Chinese) entries to the "HOSTS" file
appears as rundll32.exe in task manager

2. random .dll's in C:\Windows\system32
such as "950D1600.dll"

3. System.exe file in system32
in properties
description: HB Inject Application Version 1.2.1.1007
copyright: Copyright © 2008, HB Software
original file name: HBInject.exe

4. C:\Program Files\Messenger\msgmr.dll
appears as rundll32.exe in task manager

5. changing of startup entries in msconfig, specifically to include the System.exe, msgmr.dll, and Update.dll

6. C:\Documents and Settings\(user name)\Local Settings\temp\wmsetup.dll
perflib_perfdata(random three #/letter sequence).dat is also in that folder

7. none of these files can be deleted unless in safe mode or during restart

For a few days, I simply killed the rundll32.exe processes and manually changed the HOSTS file.

Then I deleted the msgmr.dll and update.dll files, but they reappeared.

Two days ago, I checked my HJT log and found a bunch of weird registry things, so I opened regedit and deleted every one of them.
One of them had to do w/ "thunderadvise.dll", which I promptly deleted.

The HJT log was clean, but only temporarily.

I ran ComboFix several times and it deleted everything I've mentioned above but...

the same symptoms keep appearing.

DDS log

DDS (Version 1.0) - NTFSx86
Run by demo at 15:22:40.89 on Thu 11/27/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.628 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\demo\Desktop\New Folder (2)\opera\op.com
C:\Documents and Settings\demo\Desktop\dds.scr

============== Psuedo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [HBService32] System.exe
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: HBmhly.dll
SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - c:\program files\messenger\msgmr.dll
SEH: {950D1600-DE4A-448D-93B4-7BAE5A7A8052} - 950D1600.dll
SEH: {DFB3DAC5-B0B5-4B05-BFCF-FB42737778FA} - DFB3DAC5.dll
SEH: {DA63E650-537C-4042-87BB-9D19D844680B} - DA63E650.dll

============= SERVICES / DRIVERS ===============

R3 d812a079;d812a079;\??\c:\windows\system32\d812a079.sys [2008-11-27 5504]
S0 HBKernel32;HBKernel32 Driver;c:\windows\system32\drivers\HBKernel32.sys [2008-11-27 14699]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 6457aed;6457aed;\??\c:\windows\system32\6457aed.sys [2008-11-27 5504]
S3 b160485;b160485;\??\c:\windows\system32\b160485.sys [2008-11-18 5504]
S3 d435fd4;d435fd4;\??\c:\windows\system32\d435fd4.sys [2008-11-16 5504]
S3 de8296f;de8296f;\??\c:\windows\system32\de8296f.sys [2008-11-12 5504]
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-3-23 17280]

=============== Created Last 30 ================

2008-11-27 15:05 250 a------- c:\windows\gmer.ini
2008-11-27 14:58 19,968 a------- c:\windows\system32\HBmhly.dll
2008-11-27 14:58 7,680 a------- c:\windows\system32\System.exe
2008-11-27 14:58 14,699 a------- c:\windows\system32\drivers\HBKernel32.sys
2008-11-27 14:58 13,080 a--sh--- c:\windows\system32\DA63E650.dll
2008-11-27 14:58 252 a--sh--- c:\windows\system32\DA63E650.cfg
2008-11-27 14:58 5,504 a------- c:\windows\system32\6457aed.sys
2008-11-27 14:58 14,076 a--sh--- c:\windows\system32\DFB3DAC5.dll
2008-11-27 14:58 216,451 a--sh--- c:\windows\system32\950D1600.dll
2008-11-27 14:58 344 a--sh--- c:\windows\system32\950D1600.cfg
2008-11-27 14:58 5,504 a------- c:\windows\system32\d812a079.sys
2008-11-27 14:58 237,568 a------- c:\windows\Update.dll
2008-11-27 14:31 <DIR> --d----- C:\ComboFix
2008-11-27 14:08 208 a--sh--- c:\windows\system32\A1A6BC2E.cfg
2008-11-27 13:45 1,298 a------- c:\windows\system32\tmp.reg
2008-11-27 13:44 289,144 a------- c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 288,417 a------- c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 87,552 a------- c:\windows\system32\VACFix.exe
2008-11-27 13:44 82,944 a------- c:\windows\system32\o4Patch.exe
2008-11-27 13:44 82,944 a------- c:\windows\system32\IEDFix.exe
2008-11-27 13:44 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-11-27 13:44 82,432 a------- c:\windows\system32\404Fix.exe
2008-11-27 13:44 53,248 a------- c:\windows\system32\Process.exe
2008-11-27 13:44 51,200 a------- c:\windows\system32\dumphive.exe
2008-11-27 13:44 25,600 a------- c:\windows\system32\WS2Fix.exe
2008-11-26 19:20 <DIR> --d----- c:\program files\Messenger
2008-11-26 19:05 161,792 a------- c:\windows\SWREG.exe
2008-11-26 19:05 98,816 a------- c:\windows\sed.exe
2008-11-26 13:31 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-11-26 12:37 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-26 12:37 1,409 a------- c:\windows\QTFont.for
2008-11-25 14:06 236 a--sh--- c:\windows\system32\FFAE967F.cfg
2008-11-25 14:06 432 a--sh--- c:\windows\system32\D9C002DD.cfg
2008-11-25 13:36 <DIR> --d----- c:\docume~1\demo\applic~1\Download Manager
2008-11-21 17:18 208 a--sh--- c:\windows\system32\DFB3DAC5.cfg
2008-11-20 16:11 145 a------- c:\windows\Eudcedit.ini
2008-11-18 14:28 244 a--sh--- c:\windows\system32\E1D19FCC.cfg
2008-11-18 14:28 5,504 a------- c:\windows\system32\b160485.sys
2008-11-16 18:39 5,504 a------- c:\windows\system32\d435fd4.sys
2008-11-15 14:10 <DIR> --d----- c:\docume~1\demo\applic~1\Audacity
2008-11-15 13:40 <DIR> --d----- c:\docume~1\demo\applic~1\FrostWire
2008-11-15 13:25 220 a--sh--- c:\windows\system32\B8E83D3C.cfg
2008-11-15 13:23 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-13 18:08 5,504 a------- c:\windows\system32\f35ee9e.sys
2008-11-12 20:28 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 20:28 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-12 16:47 5,504 a------- c:\windows\system32\de8296f.sys
2008-11-05 18:00 204 a--sh--- c:\windows\system32\C8FFD223.cfg
2008-11-05 17:57 272 a--sh--- c:\windows\system32\F2CBFAC4.cfg
2008-11-03 15:30 <DIR> --d----- c:\windows\pss
2008-11-03 15:20 204 a--sh--- c:\windows\system32\E5D39975.cfg
2008-11-03 15:19 436 a--sh--- c:\windows\system32\F8E07BB2.cfg
2008-11-02 16:50 <DIR> --d-h--- c:\windows\[email protected]
2008-11-01 13:30 <DIR> --d----- C:\New Folder (x)
2008-11-01 13:10 <DIR> --d----- c:\docume~1\demo\applic~1\uTorrent
2008-10-29 14:31 <DIR> --d----- c:\windows\Cache

==================== Find3M ====================

2008-11-14 19:12 <DIR> --d----- c:\docume~1\demo\applic~1\vlc
2008-11-06 14:02 <DIR> --d----- c:\program files\MUSICMATCH
2008-11-06 13:59 <DIR> --d----- c:\program files\lynx
2008-11-06 13:57 <DIR> --d----- c:\docume~1\demo\applic~1\Dev-Cpp
2008-11-06 13:56 <DIR> --d----- c:\program files\Apoint
2008-11-02 17:00 27,136 a------- c:\windows\apppatch\AcLue.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 03:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-04 08:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-29 20:06 1,350,664 a------- c:\windows\system32\msxml6.dll
2008-01-21 11:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2007-10-09 20:38 <DIR> --d----- c:\docume~1\demo\applic~1\ScanSoft
2007-09-10 21:10 <DIR> --d----- c:\docume~1\demo\applic~1\NJStar
2006-09-13 15:18 <DIR> --d----- c:\docume~1\demo\applic~1\Ethereal
2006-06-01 12:02 <DIR> --d----- c:\docume~1\demo\applic~1\WildPackets
2006-05-31 23:58 <DIR> --d----- c:\docume~1\demo\applic~1\PDFill
2006-05-31 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2006-05-31 19:41 <DIR> --d----- c:\docume~1\demo\applic~1\MSNInstaller
2006-03-16 17:18 <DIR> --d----- c:\docume~1\demo\applic~1\Mikrotik
2006-03-11 16:07 <DIR> --d--r-- c:\docume~1\demo\applic~1\Brother
2006-03-11 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2006-01-18 16:51 <DIR> --d----- c:\docume~1\demo\applic~1\Symantec
2005-11-10 17:23 <DIR> --d----- c:\docume~1\demo\applic~1\Intel
2005-11-10 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel
2005-10-14 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2005-10-14 20:43 <DIR> --d----- c:\docume~1\demo\applic~1\Jasc Software Inc
2004-08-10 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2006-05-31 13:40 56 a--shr-- c:\windows\system32\2354A42A8E.sys

============= FINISH: 15:22:49.65 ===============
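The symptom list and the DDS log above show a repeating pattern: hidden+system {8 hex}.dll/.cfg pairs in system32, several 5,504-byte .sys files with random hex names, and loading points (SEH, SSODL, AppInit_DLLs, Run) that reference a bare filename instead of a full path. The following is an added example written for this thread, not part of DDS, ComboFix or HJT, that pulls those indicators out of DDS-style log lines automatically; the sample lines are copied from the log above, and the heuristics (name shape, attribute flags, identical sizes, bare-filename load targets) are this example's own assumptions about what is worth flagging.

```python
"""Triage helper for DDS-style log excerpts (example code for this thread).

Not part of DDS, ComboFix or HJT.  It automates what a responder does by eye
on the log above: hidden+system {8 hex}.dll/.cfg pairs in system32, same-size
.sys files with random hex names, and loading points whose target is a bare
filename rather than a full path.
"""
import re
from collections import defaultdict

# DDS "Created Last 30" line: date time size attrs path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|<DIR>) ([-a-z]{8}) (.+)$", re.I)
# {8 hex chars}.dll / .cfg, e.g. 950D1600.dll + 950D1600.cfg
HEX_PAIR = re.compile(r"\\([0-9a-f]{8})\.(dll|cfg)$", re.I)
# 7-8 hex chars .sys, e.g. 6457aed.sys, d812a079.sys
HEX_SYS = re.compile(r"\\([0-9a-f]{7,8})\.sys$", re.I)
# DDS pseudo-HJT loading-point lines
LOAD_POINT = re.compile(r"^(SEH|SSODL|AppInit_DLLs|[umd]Run): (.+)$")

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
2008-11-27 14:58 19,968 a------- c:\windows\system32\HBmhly.dll
2008-11-27 14:58 13,080 a--sh--- c:\windows\system32\DA63E650.dll
2008-11-27 14:58 252 a--sh--- c:\windows\system32\DA63E650.cfg
2008-11-27 14:58 5,504 a------- c:\windows\system32\6457aed.sys
2008-11-27 14:58 216,451 a--sh--- c:\windows\system32\950D1600.dll
2008-11-27 14:58 344 a--sh--- c:\windows\system32\950D1600.cfg
2008-11-27 14:58 5,504 a------- c:\windows\system32\d812a079.sys
2008-11-27 14:31 <DIR> --d----- C:\ComboFix
2008-11-15 13:23 73,728 a------- c:\windows\system32\javacpl.cpl
mRun: [HBService32] System.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: HBmhly.dll
SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - c:\program files\messenger\msgmr.dll
SEH: {950D1600-DE4A-448D-93B4-7BAE5A7A8052} - 950D1600.dll
"""


def parse_file_line(line):
    """Return (size_bytes_or_None, attrs, path) for a file line, else None."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    _date, _time, size, attrs, path = m.groups()
    size_bytes = None if size == "<DIR>" else int(size.replace(",", ""))
    return size_bytes, attrs.lower(), path


def load_point_target(line):
    """Return what a loading-point line points at, or None if it is not one."""
    m = LOAD_POINT.match(line.strip())
    if not m:
        return None
    rest = m.group(2)
    if "] " in rest:                       # Run entries: [name] command
        rest = rest.split("] ", 1)[1]
    return rest.rsplit(" - ", 1)[-1].strip()   # SEH/SSODL: ... - {CLSID} - file


def triage(lines):
    """Return the indicators found in an iterable of DDS log lines."""
    pairs = defaultdict(set)        # hex stem -> {"dll", "cfg"}
    sys_by_size = defaultdict(list)  # size in bytes -> hex-named .sys paths
    bare_load_points = []
    for line in lines:
        parsed = parse_file_line(line)
        if parsed:
            size, attrs, path = parsed
            m = HEX_PAIR.search(path)
            # 's' and 'h' in the attribute field = system + hidden (as on a--sh---)
            if m and "s" in attrs and "h" in attrs:
                pairs[m.group(1).upper()].add(m.group(2).lower())
            m = HEX_SYS.search(path)
            if m and size is not None:
                sys_by_size[size].append(path)
            continue
        target = load_point_target(line)
        # a bare filename is resolved by search order at load time, not a fixed path
        if target is not None and "\\" not in target:
            bare_load_points.append(line.strip())
    return {
        "hidden_pairs": {stem: sorted(exts) for stem, exts in pairs.items()},
        # several hex-named drivers of identical size: one dropper, many copies
        "sys_droppers": [p for ps in sys_by_size.values() if len(ps) > 1 for p in ps],
        "bare_load_points": bare_load_points,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```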

Status
Not open for further replies.
Hi, welcome to TSF!

You have a lot of nasty infections there..

Delete your copy of ComboFix.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Should I run in safe mode or regular?

Please run it in regular mode.

COMBOFIX LOG...

ComboFix 08-11-28.02 - demo 2008-11-28 17:08:47.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.677 [GMT -8:00]
Running from: c:\documents and settings\demo\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\system32\6457aed.sys
c:\windows\system32\950D1600.cfg
c:\windows\system32\950D1600.dll
c:\windows\system32\b160485.sys
c:\windows\system32\d812a079.sys
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFB3DAC5.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\HBmhly.dll
c:\windows\system32\system.exe
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Legacy_D812A079
-------\Service_6457aed
-------\Service_b160485
-------\Service_d812a079
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-27 15:05 . 2008-11-27 15:07 250 --a------ c:\windows\gmer.ini
2008-11-27 14:08 . 2008-11-27 14:08 208 --ahs---- c:\windows\system32\A1A6BC2E.cfg
2008-11-27 13:45 . 2008-11-27 13:45 1,298 --a------ c:\windows\system32\tmp.reg
2008-11-27 13:44 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-27 13:44 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-27 13:44 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-27 13:44 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-27 13:44 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-27 13:44 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-27 13:44 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-27 13:44 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-26 13:31 . 2008-11-26 13:31 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-26 13:05 . 2008-11-26 14:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-26 12:37 . 2008-11-26 12:37 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-26 12:37 . 2008-11-26 12:37 1,409 --a------ c:\windows\QTFont.for
2008-11-25 14:06 . 2008-11-27 14:08 432 --ahs---- c:\windows\system32\D9C002DD.cfg
2008-11-25 14:06 . 2008-11-25 14:06 236 --ahs---- c:\windows\system32\FFAE967F.cfg
2008-11-25 13:36 . 2008-11-25 16:47 <DIR> d-------- c:\documents and settings\demo\Application Data\Download Manager
2008-11-20 16:11 . 2008-11-20 16:11 145 --a------ c:\windows\Eudcedit.ini
2008-11-18 14:28 . 2008-11-18 14:28 244 --ahs---- c:\windows\system32\E1D19FCC.cfg
2008-11-16 18:39 . 2008-11-16 18:39 5,504 --a------ c:\windows\system32\d435fd4.sys
2008-11-15 14:10 . 2008-11-23 17:10 <DIR> d-------- c:\documents and settings\demo\Application Data\Audacity
2008-11-15 13:40 . 2008-11-25 20:22 <DIR> d-------- c:\documents and settings\demo\Application Data\FrostWire
2008-11-15 13:25 . 2008-11-15 13:25 220 --ahs---- c:\windows\system32\B8E83D3C.cfg
2008-11-15 13:23 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-13 18:08 . 2008-11-13 18:08 5,504 --a------ c:\windows\system32\f35ee9e.sys
2008-11-12 20:28 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:28 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 16:47 . 2008-11-12 16:47 5,504 --a------ c:\windows\system32\de8296f.sys
2008-11-05 18:00 . 2008-11-05 18:00 204 --ahs---- c:\windows\system32\C8FFD223.cfg
2008-11-05 17:57 . 2008-11-05 17:57 272 --ahs---- c:\windows\system32\F2CBFAC4.cfg
2008-11-03 15:20 . 2008-11-03 15:20 204 --ahs---- c:\windows\system32\E5D39975.cfg
2008-11-03 15:19 . 2008-11-26 14:44 436 --ahs---- c:\windows\system32\F8E07BB2.cfg
2008-11-02 16:50 . 2008-11-02 16:52 <DIR> d--h----- c:\windows\[email protected]
2008-11-01 13:30 . 2008-11-01 13:30 <DIR> d-------- C:\New Folder (x)
2008-11-01 13:10 . 2008-11-26 13:03 <DIR> d-------- c:\documents and settings\demo\Application Data\uTorrent
2008-10-29 14:31 . 2008-10-29 14:31 <DIR> d-------- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 21:23 --------- d-----w c:\program files\Java
2008-11-15 03:12 --------- d-----w c:\documents and settings\demo\Application Data\vlc
2008-11-06 22:02 --------- d-----w c:\program files\MUSICMATCH
2008-11-06 21:59 --------- d-----w c:\program files\lynx
2008-11-06 21:57 --------- d-----w c:\documents and settings\demo\Application Data\Dev-Cpp
2008-11-06 21:56 --------- d-----w c:\program files\Apoint
2008-11-03 23:30 --------- d-----w c:\documents and settings\demo\Application Data\OpenOffice.org2
2008-10-25 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2006-05-31 21:40 56 --sha-r c:\windows\system32\2354A42A8E.sys
.

((((((((((((((((((((((((((((( [email protected]_14.41.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 23:05:47 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-11-27 23:05:47 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-10-03 22:59 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Client.exe]
"Debugger"=c:\windows\system32\windg.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^demo^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\demo\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3PMmUpdate]
c:\windows\Update.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 18:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 13:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2005-10-03 23:03 356352 c:\program files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 14:57 221184 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-07-25 06:14 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
-ra------ 2003-08-20 13:15 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
-ra------ 2003-08-20 13:23 49152 c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-10-03 22:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-10-03 22:59 401408 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 13:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 13:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-04-11 17:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-19 23:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-01 10:37 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-01 10:19 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Brother XP spl Service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"IDriverT"=3 (0x3)
"brmfrmps"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OwnershipProtocol"=2 (0x2)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dude\\dudes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\[email protected]\\iexplorer.exe"=
"c:\\Documents and Settings\\demo\\My Documents\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 d435fd4;d435fd4;\??\c:\windows\system32\d435fd4.sys [2008-11-16 5504]
S3 de8296f;de8296f;\??\c:\windows\system32\de8296f.sys [2008-11-12 5504]
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c21fc2e-582f-11dc-bfa0-0013ce46134d}]
\shell\explore\Command - G:\boot.exe
\shell\open\Command - G:\boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c1227fb-af5d-11dc-bfaa-00123feb0953}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7200#CN41E3B0HZI5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2008-11-27 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 13:23]

2008-11-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HBService32 - System.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 21:53:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\IWPDGINA.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-28 21:55:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 05:55:28
ComboFix2.txt 2008-11-27 22:43:26
ComboFix3.txt 2008-11-27 03:17:25

Pre-Run: 2,450,796,544 bytes free
Post-Run: 2,440,110,080 bytes free

259 --- E O F --- 2008-11-13 23:46:28



OTHER STUFF:

1. I forgot to tell you earlier that explorer.exe doesn't load (how convenient) :), not even in safe mode or with the Run function of Task Manager.
I'm doing everything with Task Manager now...
idk whether the virus did it or my random deleting of registry entries..

2. ComboFix didn't work too well... again

3. The virus has also inhabited the system32/drivers folder.

4. After the ComboFix scan I deleted the crap in the HOSTS file, and killed off like 5 rundll32.exe's w/ Task Manager.
Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
Folder::
c:\WINDOWS\[email protected]
File::
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\VACFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\d435fd4.sys
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\de8296f.sys
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\F2CBFAC4.cfg
c:\windows\system32\E5D39975.cfg
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\windg.exe
c:\windows\system32\d435fd4.sys 
c:\windows\system32\de8296f.sys
c:\windows\system32\f35ee9e.sys
driver::
d435fd4
de8296f
f35ee9e
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Client.exe]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\[email protected]\\iexplorer.exe"=-
"c:\\Documents and Settings\\demo\\My Documents\\uTorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c21fc2e-582f-11dc-bfa0-0013ce46134d}]
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

--------

In your next post, tell us what type of antivirus program you currently have installed on the machine.
ComboFix 08-11-29.03 - demo 2008-11-29 14:22:42.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639 [GMT -8:00]
Running from: c:\documents and settings\demo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\demo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\404Fix.exe
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\d435fd4.sys
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\de8296f.sys
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\E5D39975.cfg
c:\windows\system32\F2CBFAC4.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\windg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcXtrnel.sdb
c:\windows\Downloaded Program Files\ThunderAdvise.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\[email protected]
c:\windows\[email protected]\00000000.256
c:\windows\[email protected]\binkw32.dll
c:\windows\[email protected]\chktrust.exe
c:\windows\[email protected]\config.txt
c:\windows\[email protected]\CONTENT\1024editbox.ksml
c:\windows\[email protected]\CONTENT\1024log.ksml
c:\windows\[email protected]\CONTENT\1200editbox.ksml
c:\windows\[email protected]\CONTENT\1200log.ksml
c:\windows\[email protected]\CONTENT\480editbox.ksml
c:\windows\[email protected]\CONTENT\480log.ksml
c:\windows\[email protected]\CONTENT\576editbox.ksml
c:\windows\[email protected]\CONTENT\576log.ksml
c:\windows\[email protected]\CONTENT\600editbox.ksml
c:\windows\[email protected]\CONTENT\600log.ksml
c:\windows\[email protected]\CONTENT\720editbox.ksml
c:\windows\[email protected]\CONTENT\720log.ksml
c:\windows\[email protected]\CONTENT\768editbox.ksml
c:\windows\[email protected]\CONTENT\768log.ksml
c:\windows\[email protected]\CONTENT\864editbox.ksml
c:\windows\[email protected]\CONTENT\864log.ksml
c:\windows\[email protected]\CONTENT\900editbox.ksml
c:\windows\[email protected]\CONTENT\900log.ksml
c:\windows\[email protected]\CONTENT\960editbox.ksml
c:\windows\[email protected]\CONTENT\960log.ksml
c:\windows\[email protected]\CONTENT\GALLERY\editbox1024.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox1200.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox480.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox576.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox600.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox720.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox768.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox864.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox900.png
c:\windows\[email protected]\CONTENT\GALLERY\editbox960.png
c:\windows\[email protected]\CONTROLS\controls.dll
c:\windows\[email protected]\CONTROLS\controls.ini
c:\windows\[email protected]\drvmgt.dll
c:\windows\[email protected]\EBUSetup.sem
c:\windows\[email protected]\ending.bik
c:\windows\[email protected]\eula.dll
c:\windows\[email protected]\eula.rtf
c:\windows\[email protected]\favicon.ico
c:\windows\[email protected]\gamespy.ico
c:\windows\[email protected]\GSArcade.exe
c:\windows\[email protected]\haloupdate.cfg
c:\windows\[email protected]\iexplorer.exe
c:\windows\[email protected]\Keystone.dll
c:\windows\[email protected]\ksimeui.dll
c:\windows\[email protected]\ksml.xsd
c:\windows\[email protected]\MAPS\a10.map
c:\windows\[email protected]\MAPS\a30.map
c:\windows\[email protected]\MAPS\a50.map
c:\windows\[email protected]\MAPS\b30.map
c:\windows\[email protected]\MAPS\b40.map
c:\windows\[email protected]\MAPS\beavercreek.map
c:\windows\[email protected]\MAPS\bitmaps.map
c:\windows\[email protected]\MAPS\bloodgulch.map
c:\windows\[email protected]\MAPS\boardingaction.map
c:\windows\[email protected]\MAPS\c10.map
c:\windows\[email protected]\MAPS\c20.map
c:\windows\[email protected]\MAPS\c40.map
c:\windows\[email protected]\MAPS\carousel.map
c:\windows\[email protected]\MAPS\chillout.map
c:\windows\[email protected]\MAPS\d20.map
c:\windows\[email protected]\MAPS\d40.map
c:\windows\[email protected]\MAPS\damnation.map
c:\windows\[email protected]\MAPS\dangercanyon.map
c:\windows\[email protected]\MAPS\deathisland.map
c:\windows\[email protected]\MAPS\gephyrophobia.map
c:\windows\[email protected]\MAPS\hangemhigh.map
c:\windows\[email protected]\MAPS\icefields.map
c:\windows\[email protected]\MAPS\infinity.map
c:\windows\[email protected]\MAPS\longest.map
c:\windows\[email protected]\MAPS\prisoner.map
c:\windows\[email protected]\MAPS\putput.map
c:\windows\[email protected]\MAPS\ratrace.map
c:\windows\[email protected]\MAPS\sidewinder.map
c:\windows\[email protected]\MAPS\sounds.map
c:\windows\[email protected]\MAPS\timberland.map
c:\windows\[email protected]\MAPS\ui.map
c:\windows\[email protected]\MAPS\wizard.map
c:\windows\[email protected]\mgspid.dll
c:\windows\[email protected]\msvcr71.dll
c:\windows\[email protected]\msxmlenu.msi
c:\windows\[email protected]\ogg.dll
c:\windows\[email protected]\patchw32.dll
c:\windows\[email protected]\Readme.rtf
c:\windows\[email protected]\SETUPENU.DLL
c:\windows\[email protected]\SHADERS\fx.bin
c:\windows\[email protected]\SHADERS\vsh.bin
c:\windows\[email protected]\Shortcut to iexplorer.exe.lnk
c:\windows\[email protected]\Strings.dll
c:\windows\[email protected]\Thumbs.db
c:\windows\[email protected]\unicows.dll
c:\windows\[email protected]\vorbis.dll
c:\windows\[email protected]\vorbisfile.dll
c:\windows\[email protected]\WATSON\1028\dwintl.dll
c:\windows\[email protected]\WATSON\1031\dwintl.dll
c:\windows\[email protected]\WATSON\1033\dwintl.dll
c:\windows\[email protected]\WATSON\1035\dwintl.dll
c:\windows\[email protected]\WATSON\1036\dwintl.dll
c:\windows\[email protected]\WATSON\1040\dwintl.dll
c:\windows\[email protected]\WATSON\1041\dwintl.dll
c:\windows\[email protected]\WATSON\1042\dwintl.dll
c:\windows\[email protected]\WATSON\1046\dwintl.dll
c:\windows\[email protected]\WATSON\2052\dwintl.dll
c:\windows\[email protected]\WATSON\2070\dwintl.dll
c:\windows\[email protected]\WATSON\3076\dwintl.dll
c:\windows\[email protected]\WATSON\3082\dwintl.dll
c:\windows\[email protected]\WATSON\dw15.exe
c:\windows\[email protected]\xiph_license.txt
c:\windows\system32\01AFE3DC.dll
c:\windows\system32\06EA0A93.cfg
c:\windows\system32\06EA0A93.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\14F7F80A.cfg
c:\windows\system32\14F7F80A.dll
c:\windows\system32\201476D0.dll
c:\windows\system32\29EA67E0.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\2EF0D734.dll
c:\windows\system32\34A25F04.cfg
c:\windows\system32\34A25F04.dll
c:\windows\system32\39349BEE.cfg
c:\windows\system32\39349BEE.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\56BC86C7.cfg
c:\windows\system32\56BC86C7.dll
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll
c:\windows\system32\6457aed.sys
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\7E983C60.dll
c:\windows\system32\8566F82E.cfg
c:\windows\system32\8566F82E.dll
c:\windows\system32\93DEE065.dll
c:\windows\system32\950D1600.cfg
c:\windows\system32\950D1600.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\A55F538E.dll
c:\windows\system32\b160485.sys
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B3721C07.dll
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\d435fd4.sys
c:\windows\system32\d812a079.sys
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\D9C002DD.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\de8296f.sys
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFB3DAC5.dll
c:\windows\system32\drivers\eth8023.sys
c:\windows\system32\E0D39066.cfg
c:\windows\system32\E0D39066.dll
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\E5D39975.cfg
c:\windows\system32\F2CBFAC4.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\FFAE967F.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\system.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\windg.exe
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Legacy_D435FD4
-------\Legacy_D812A079
-------\Legacy_DE8296F
-------\Legacy_ETH8023
-------\Legacy_F35EE9E
-------\Service_6457aed
-------\Service_b160485
-------\Service_d435fd4
-------\Service_d812a079
-------\Service_de8296f
-------\Service_eth8023
-------\Service_f35ee9e
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-28 21:59 . 2008-11-28 21:59 196 --ahs---- c:\windows\system32\201476D0.cfg
2008-11-28 21:59 . 2008-11-28 21:59 180 --ahs---- c:\windows\system32\A55F538E.cfg
2008-11-27 15:05 . 2008-11-27 15:07 250 --a------ c:\windows\gmer.ini
2008-11-27 13:45 . 2008-11-27 13:45 1,298 --a------ c:\windows\system32\tmp.reg
2008-11-27 13:44 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-27 13:44 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-27 13:44 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-27 13:44 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-26 13:31 . 2008-11-26 13:31 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-26 13:05 . 2008-11-26 14:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-26 12:37 . 2008-11-26 12:37 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-26 12:37 . 2008-11-26 12:37 1,409 --a------ c:\windows\QTFont.for
2008-11-25 13:36 . 2008-11-25 16:47 <DIR> d-------- c:\documents and settings\demo\Application Data\Download Manager
2008-11-20 16:11 . 2008-11-20 16:11 145 --a------ c:\windows\Eudcedit.ini
2008-11-15 14:10 . 2008-11-23 17:10 <DIR> d-------- c:\documents and settings\demo\Application Data\Audacity
2008-11-15 13:40 . 2008-11-25 20:22 <DIR> d-------- c:\documents and settings\demo\Application Data\FrostWire
2008-11-15 13:23 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 20:28 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:28 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-01 13:30 . 2008-11-01 13:30 <DIR> d-------- C:\New Folder (x)
2008-11-01 13:10 . 2008-11-26 13:03 <DIR> d-------- c:\documents and settings\demo\Application Data\uTorrent
2008-10-29 14:31 . 2008-10-29 14:31 <DIR> d-------- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 06:00 24,625 ----a-w c:\windows\MSVB50CHS.dll
2008-11-29 06:00 20,480 ----a-w c:\windows\MPKrnl.dll
2008-11-29 06:00 10,240 ----a-w c:\windows\MKMKrnl.dll
2008-11-26 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 21:23 --------- d-----w c:\program files\Java
2008-11-15 03:12 --------- d-----w c:\documents and settings\demo\Application Data\vlc
2008-11-06 22:02 --------- d-----w c:\program files\MUSICMATCH
2008-11-06 21:59 --------- d-----w c:\program files\lynx
2008-11-06 21:57 --------- d-----w c:\documents and settings\demo\Application Data\Dev-Cpp
2008-11-06 21:56 --------- d-----w c:\program files\Apoint
2008-11-03 23:30 --------- d-----w c:\documents and settings\demo\Application Data\OpenOffice.org2
2008-10-25 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2006-05-31 21:40 56 --sha-r c:\windows\system32\2354A42A8E.sys
.

((((((((((((((((((((((((((((( s[email protected]_14.41.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 23:05:47 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-07-02 16:58:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-29 06:15:55 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-29 06:15:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-29 06:15:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-27 23:05:47 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2004-08-04 12:00:00 22,016 --s---r c:\windows\system32\oleadp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-28 20480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-28 10240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{D9C002DD-EA51-43A2-9009-54EAAAF031A4}"= "D9C002DD.dll" [BU]
"{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}"= "A1A6BC2E.dll" [BU]
"{201476D0-2B18-462E-AB9F-3E2B0CC8732B}"= "201476D0.dll" [BU]
"{A55F538E-9E65-4706-9458-852BF6592063}"= "A55F538E.dll" [BU]
"{FFAE967F-D0FC-4D2B-A0F5-D1BF27F46418}"= "FFAE967F.dll" [BU]
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"= "93DEE065.dll" [BU]
"{29EA67E0-9EE5-4D1A-A056-5B7BDAC4CF97}"= "29EA67E0.dll" [BU]
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"= "01AFE3DC.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Upnp"= {DE01DA19-A6A8-EB80-4D47-248DEB2A9399} - c:\windows\system32\upnpsrv.dll [2004-08-04 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-10-03 22:59 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HelpSvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.kxp]
"Debugger"=ntsd -d

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^demo^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\demo\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3PMmUpdate]
c:\windows\Update.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 18:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 13:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2005-10-03 23:03 356352 c:\program files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 14:57 221184 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-07-25 06:14 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
-ra------ 2003-08-20 13:15 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
-ra------ 2003-08-20 13:23 49152 c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-10-03 22:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-10-03 22:59 401408 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 13:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 13:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-04-11 17:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-19 23:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-01 10:37 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-01 10:19 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Brother XP spl Service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"IDriverT"=3 (0x3)
"brmfrmps"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OwnershipProtocol"=2 (0x2)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dude\\dudes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c1227fb-af5d-11dc-bfaa-00123feb0953}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7200#CN41E3B0HZI5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2008-11-29 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 13:23]

2008-11-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{7E983C60-EBF5-4A36-BE25-EA26ED55052B} - 7E983C60.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 14:31:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\IWPDGINA.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\oleadp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-29 14:33:21 - machine was rebooted [demo]
ComboFix-quarantined-files.txt 2008-11-29 22:33:19
ComboFix2.txt 2008-11-29 05:55:32
ComboFix3.txt 2008-11-27 22:43:26
ComboFix4.txt 2008-11-27 03:17:25

Pre-Run: 2,500,739,072 bytes free
Post-Run: 2,464,583,680 bytes free

464 --- E O F --- 2008-11-13 23:46:28
again, same symptoms appear...

currently, the problems only occur during startup..., after killing a few processes with task manager, the virus becomes dormant (i think)


i do not use any antivirus programs, as i plan to switch to linux soon.
i am 99% certain that this laptop became infected as a result of my mother's browsing of random asian sites...


i attached a copy of the previously mentioned "Update.dll" file in a .txt format, in case that may help

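The Reg Loading Points section of the log above is where the real persistence shows: two Run values that load DLLs rather than executables (MPKrnl.dll and MKMKrnl.dll, which is why they appear as rundll32.exe in Task Manager), nine ShellExecuteHooks whose DLL filenames are the first eight hex digits of their own CLSIDs, two Image File Execution Options keys that set "Debugger"=ntsd -d for HelpSvc.exe and UIHost.kxp (so those programs fail as soon as they are launched), and a Windows Firewall exception for mshta.exe. The Python script below is an added example, not code from this thread or from ComboFix: it parses that section and flags exactly those four patterns. Its sample log text is a constructed excerpt of the lines above, with one benign shell32.dll hook added as a control so the hook rule can be seen not to fire on a normal entry.

```python
r"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not code from the forum or from ComboFix.
It reads the REGEDIT4-style dump ComboFix prints and flags the persistence
patterns that appear in the log above:
  * IFEO "Debugger" values (ntsd -d makes the named program fail at launch)
  * ShellExecuteHooks whose DLL is named after the first 8 hex digits of its CLSID
  * Run / policies\Explorer\Run values that point at a .dll (seen as rundll32.exe)
  * Windows Firewall exceptions for script hosts such as mshta.exe
SAMPLE_LOG is a constructed excerpt: the lines come from the log above, plus
one benign shell32.dll hook added as a control so the rule can be seen not to fire.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-28 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-28 10240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= "c:\windows\system32\shell32.dll" [2004-08-04 8461312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HelpSvc.exe]
"Debugger"=ntsd -d

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
QUOTED_RE = re.compile(r'"([^"]+)"')
HEX_DLL_RE = re.compile(r'^[0-9a-f]{8}\.dll$', re.IGNORECASE)
# Programs that execute whatever script or DLL they are handed; a firewall
# exception for one of them is almost never something the user created.
SCRIPT_HOSTS = {'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe',
                'regsvr32.exe', 'cmd.exe', 'powershell.exe'}


def _basename(path):
    """Last path component, lower-cased; tolerates the doubled backslashes
    ComboFix prints for firewall entries."""
    return path.replace('\\\\', '\\').rstrip('\\').rsplit('\\', 1)[-1].lower()


def _first_quoted(data):
    m = QUOTED_RE.search(data)
    return m.group(1) if m else data


def triage(log_text):
    """Return one dict per suspicious value: rule, key, name, data, why."""
    findings = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:                      # "[HKEY_...]" header: remember current key
            key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if not vm:                  # not a "name"=data line (dates, blanks, ...)
            continue
        name, data = vm.group('name'), vm.group('data').strip()
        k = key.lower()
        rule = why = None
        if 'image file execution options' in k and name.lower() == 'debugger':
            target = key.rsplit('\\', 1)[-1]
            rule = 'ifeo_debugger'
            why = f'{target} is redirected to "{data}"'
        elif k.endswith('shellexecutehooks'):
            dll = _first_quoted(data)
            if HEX_DLL_RE.match(_basename(dll)):
                rule = 'clsid_named_hook'
                why = f'hook DLL {dll} is named after CLSID prefix {name[1:9]}'
        elif k.endswith('\\run'):
            target = _first_quoted(data)
            if _basename(target).endswith('.dll'):
                rule = 'run_loads_dll'
                why = f'Run value loads {target}; it runs inside rundll32.exe'
        elif k.endswith('authorizedapplications\\list'):
            if _basename(name) in SCRIPT_HOSTS:
                rule = 'firewall_script_host'
                why = f'{_basename(name)} is allowed through Windows Firewall'
        if rule:
            findings.append({'rule': rule, 'key': key, 'name': name,
                             'data': data, 'why': why})
    return findings


def rule_counts(findings):
    """Histogram of rule names, for a quick summary."""
    counts = {}
    for f in findings:
        counts[f['rule']] = counts.get(f['rule'], 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['name']}: {f['why']}")
```

Run against the excerpt it reports the two DLL-loading Run values, the CLSID-named hook, the HelpSvc.exe debugger redirect and the mshta.exe firewall exception, and stays silent on MSConfig, the shell32.dll hook and sessmgr.exe. Feed it the whole Reg Loading Points section of a log to get the same list for a real machine; the [BU] marker ComboFix prints is passed through in the data field untouched.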
Do this fast if you wish to avoid a regeneration.


Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\201476D0.cfg
c:\windows\system32\A55F538E.cfg
c:\windows\MSVB50CHS.dll
c:\windows\MPKrnl.dll
c:\windows\MKMKrnl.dll
c:\windows\system32\oleadp.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MPKrnl"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8E07BB2-7A19-4057-80F1-E14646E630B4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9C002DD-EA51-43A2-9009-54EAAAF031A4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A55F538E-9E65-4706-9458-852BF6592063}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFAE967F-D0FC-4D2B-A0F5-D1BF27F46418}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93DEE065-EC9B-4505-ADD3-19880AD3C38F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29EA67E0-9EE5-4D1A-A056-5B7BDAC4CF97}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01AFE3DC-2242-436E-9B44-6DD1C664E828}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HelpSvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.kxp]
Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4][email protected]_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
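The helper's first line warns that the dropped files regenerate if the script is not run promptly. One way to check for that when the next ComboFix log comes back is to read its Files Created section and list everything created after the previous run completed (the earlier log above ends with "Completion time: 2008-11-29 14:33:21"), then look at those files for the tells the names in this thread share: hidden+system attributes, a 7-8 hex-digit filename, and a .sys dropped into system32 itself rather than system32\drivers. The Python below is an added example, not code from this thread or from ComboFix; its sample lines are a constructed excerpt of entries visible on this page, and the cut-off time is an assumption taken from that completion line.

```python
r"""Spot regenerated files in the 'Files Created' section of a ComboFix log.

Added example for this thread, not code from the forum or from ComboFix.
ComboFix prints one line per new file:  created . modified size attrs path
(dates to the minute).  Everything created after the previous cleanup run
finished is a candidate for the regeneration the helper warns about, and the
names in this thread share a few tells that are checked here as well:
hidden+system attributes, a 7-8 hex-digit filename, and a .sys placed in
system32 itself rather than system32\drivers.
SAMPLE_LINES is a constructed excerpt of lines visible in the logs above;
CLEANUP_FINISHED is assumed from the "Completion time" of the earlier run.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SAMPLE_LINES = r"""
2008-11-29 14:37 . 2008-11-29 14:37 244 --ahs---- c:\windows\system32\12316E69.cfg
2008-11-29 14:36 . 2008-11-29 14:36 5,504 --a------ c:\windows\system32\b71fe93.sys
2008-11-27 15:05 . 2008-11-27 15:07 250 --a------ c:\windows\gmer.ini
2008-11-27 13:44 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-26 13:31 . 2008-11-26 13:31 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
"""
CLEANUP_FINISHED = datetime(2008, 11, 29, 14, 33)   # assumed: earlier run's completion time

LINE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{7,8}\.(dll|cfg|sys)$', re.IGNORECASE)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]        # None for directories
    attrs: str
    path: str

    @property
    def name(self):
        return self.path.rsplit('\\', 1)[-1]


def parse_files_created(text):
    """Parse the lines of a 'Files Created' section; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m['size'] == '<DIR>' else int(m['size'].replace(',', ''))
        entries.append(Entry(datetime.strptime(m['created'], '%Y-%m-%d %H:%M'),
                             datetime.strptime(m['modified'], '%Y-%m-%d %H:%M'),
                             size, m['attrs'], m['path']))
    return entries


def reasons(entry):
    """Why this entry looks like a dropped component, independent of its age."""
    out = []
    if 'h' in entry.attrs and 's' in entry.attrs:
        out.append('hidden+system')
    if HEX_NAME_RE.match(entry.name):
        out.append('hex-named')
    low = entry.path.lower()
    if low.endswith('.sys') and '\\drivers\\' not in low:
        out.append('driver outside drivers dir')
    return out


def regenerated(entries, cleanup_finished):
    """Files (not directories) created at or after the previous cleanup completed, oldest first."""
    hits = [e for e in entries if e.size is not None and e.created >= cleanup_finished]
    return sorted(hits, key=lambda e: e.created)


if __name__ == '__main__':
    for e in regenerated(parse_files_created(SAMPLE_LINES), CLEANUP_FINISHED):
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.path}  {', '.join(reasons(e)) or '-'}")
```

On the excerpt it lists b71fe93.sys (14:36, hex-named, a driver dropped straight into system32) and 12316E69.cfg (14:37, hidden+system, hex-named), both written within minutes of the earlier run finishing, while gmer.ini and the SDFix tools from 27 November fall before the cut-off and carry none of the tells.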
ComboFix 08-11-29.03 - demo 2008-11-29 15:02:29.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.636 [GMT -8:00]
Running from: c:\documents and settings\demo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\demo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\MKMKrnl.dll
c:\windows\MPKrnl.dll
c:\windows\MSVB50CHS.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\A55F538E.cfg
c:\windows\system32\oleadp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\MKMKrnl.dll
c:\windows\MPKrnl.dll
c:\windows\MSVB50CHS.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\12316E69.dll
c:\windows\system32\14F7F80A.cfg
c:\windows\system32\14F7F80A.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\201476D0.dll
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\56BC86C7.cfg
c:\windows\system32\56BC86C7.dll
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll
c:\windows\system32\6457aed.sys
c:\windows\system32\950D1600.cfg
c:\windows\system32\950D1600.dll
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\A55F538E.cfg
c:\windows\system32\A55F538E.dll
c:\windows\system32\b160485.sys
c:\windows\system32\d812a079.sys
c:\windows\system32\D9C002DD.cfg
c:\windows\system32\D9C002DD.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFB3DAC5.dll
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\FFAE967F.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\oleadp.dll
c:\windows\system32\system.exe
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Service_6457aed
-------\Service_b160485
-------\Service_d812a079
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 14:37 . 2008-11-29 14:37 244 --ahs---- c:\windows\system32\12316E69.cfg
2008-11-29 14:36 . 2008-11-29 14:36 5,504 --a------ c:\windows\system32\b71fe93.sys
2008-11-27 15:05 . 2008-11-27 15:07 250 --a------ c:\windows\gmer.ini
2008-11-27 13:45 . 2008-11-27 13:45 1,298 --a------ c:\windows\system32\tmp.reg
2008-11-27 13:44 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-27 13:44 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-27 13:44 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-27 13:44 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-27 13:44 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-27 13:44 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-26 13:31 . 2008-11-26 13:31 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-26 13:05 . 2008-11-26 14:30 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-26 12:37 . 2008-11-26 12:37 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-26 12:37 . 2008-11-26 12:37 1,409 --a------ c:\windows\QTFont.for
2008-11-25 13:36 . 2008-11-25 16:47 <DIR> d-------- c:\documents and settings\demo\Application Data\Download Manager
2008-11-20 16:11 . 2008-11-20 16:11 145 --a------ c:\windows\Eudcedit.ini
2008-11-15 14:10 . 2008-11-23 17:10 <DIR> d-------- c:\documents and settings\demo\Application Data\Audacity
2008-11-15 13:40 . 2008-11-25 20:22 <DIR> d-------- c:\documents and settings\demo\Application Data\FrostWire
2008-11-15 13:23 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 20:28 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:28 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-01 13:10 . 2008-11-26 13:03 <DIR> d-------- c:\documents and settings\demo\Application Data\uTorrent
2008-10-29 14:31 . 2008-10-29 14:31 <DIR> d-------- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-15 21:23 --------- d-----w c:\program files\Java
2008-11-15 03:12 --------- d-----w c:\documents and settings\demo\Application Data\vlc
2008-11-06 22:02 --------- d-----w c:\program files\MUSICMATCH
2008-11-06 21:59 --------- d-----w c:\program files\lynx
2008-11-06 21:57 --------- d-----w c:\documents and settings\demo\Application Data\Dev-Cpp
2008-11-06 21:56 --------- d-----w c:\program files\Apoint
2008-11-03 23:30 --------- d-----w c:\documents and settings\demo\Application Data\OpenOffice.org2
2008-10-25 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2006-05-31 21:40 56 --sha-r c:\windows\system32\2354A42A8E.sys
.

((((((((((((((((((((((((((((( [email protected]_14.41.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 23:05:47 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-07-02 16:58:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-29 22:41:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-29 22:41:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-02 16:58:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-29 22:41:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-27 23:05:47 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Upnp"= {DE01DA19-A6A8-EB80-4D47-248DEB2A9399} - c:\windows\system32\upnpsrv.dll [2004-08-04 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-10-03 22:59 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^demo^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\demo\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3PMmUpdate]
c:\windows\Update.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 18:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 13:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
--a------ 2005-10-03 23:03 356352 c:\program files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-08-20 14:57 221184 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-07-25 06:14 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
-ra------ 2003-08-20 13:15 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
-ra------ 2003-08-20 13:23 49152 c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-10-03 22:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-10-03 22:59 401408 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 13:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 13:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-04-11 17:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-19 23:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-01 10:37 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-01 10:19 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HBService32]
System.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Brother XP spl Service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"IDriverT"=3 (0x3)
"brmfrmps"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OwnershipProtocol"=2 (0x2)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"EvtEng"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dude\\dudes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\VCdRom.sys []
S3 b71fe93;b71fe93;\??\c:\windows\system32\b71fe93.sys [2008-11-29 5504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c1227fb-af5d-11dc-bfaa-00123feb0953}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7200#CN41E3B0HZI5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 14:57]

2008-11-29 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2003-08-20 13:23]

2008-11-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{12316E69-4CE5-4CD7-A174-C0BD57529D5A} - 12316E69.dll
MSConfigStartUp-MPKrnl - c:\windows\MPKrnl.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 15:10:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\IWPDGINA.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-29 15:12:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 23:12:21
ComboFix2.txt 2008-11-29 22:33:23
ComboFix3.txt 2008-11-29 05:55:32
ComboFix4.txt 2008-11-27 22:43:26
ComboFix5.txt 2008-11-29 23:02:00

Pre-Run: 2,443,898,880 bytes free
Post-Run: 2,435,678,208 bytes free

279 --- E O F --- 2008-11-13 23:46:28



I cannot find the C:\Qoobox\Quarantine\[4][email protected]_Time.zip or anything similar.

Computer runs smoothly except:
1. explorer.exe doesn't work, as I mentioned earlier
2. login takes like 2 or 3 minutes after typing the password

As of right now, the virus has not regenerated... :)?

I will be running the online scan in a short while.
Okay, I forgot to tell you that when the virus is active, the IEXPLORER.EXE process often appears.

I tried to run Internet Explorer through c:\prog files\internet explorer\IEXPLORER.EXE.

Nothing happened.


I renamed the IEXPLORER.EXE to IEXPLOR.EXE.

I received two messages. I attached a screenshot of them.


Did the virus alter the IEXPLORER.EXE file somehow???

FYI, my IEXPLOR.EXE (previously IEXPLORER.EXE) has a file size of like 91 KB.

Okay, I am certain that the virus has modified iexplore.exe.
I was changing the name back, and then suddenly a new iexplore.exe program randomly appeared (not as a process).
It also had a file size of 91 KB.

So I deleted them both and refreshed with F5, and again iexplore appeared; the virus seems to still be active.
Perflib_Perfdata files reappear in the *username*\local settings\temp folder.

I cannot decide whether these weird files are a result of system activity or virus activity.

Currently, I cannot access it because "it is being used by another process".
... the virus broke out again... somehow.

The occurrence of the symptoms is very random...
Restart computer -> virus broke out again !!!
This time I saw a 981187.exe file in Task Manager.
I do not use any antivirus programs, as I plan to switch to Linux soon.
I'll be honest. The above statement is the reason why nobody has replied to you. We put in a lot of effort to clean a machine. Statements like "I don't need an antivirus program" OR "I'm switching to another OS soon" don't help. Why break our backs over it?

I apologise if this doesn't go down well with you. Perhaps it's a good time to switch to Linux now.
Still, I would like to know what to do with this virus, because I have seen the exact same problem on another computer, and that computer will use Windows XP for another few years. Hopefully this isn't a virus that has spread throughout my family's network.
sUBs said:
We put in a lot of effort to clean a machine. Statements like "I don't need an antivirus program" OR "I'm switching to another OS soon" don't help. Why break our backs over it?
We have hundreds of users seeking our free assistance here. As you don't appear to be taking recommendations or instructions seriously, perhaps you'd be better served taking your computers to the local repair shop.