Jump to content

davidcito989

Members
  • Posts

    9
  • Joined

  • Last visited

Reputation

0 Neutral
  1. thanks for posting this!!!! My Sister in Law had this on her PC and I was banging my head against the wall trying to figure it out. I think I'll recommend she buys the full version of malwarebytes to prevent her husband from clicking on every little pop-up that appears. (Also need to tell him to stop visiting those kinds of websites)
  2. Thanks for all the help and the suggestions. This is for my sister-in-law's PC and now I have to explain to her how her husband infected it and how to prevent it.
  3. that did it, no more hits when I run malwarebytes or AVG. Thanks.
  4. ComboFix 09-03-30.04 - HP_Administrator 2009-03-31 13:15:36.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.459 [GMT -4:00] Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt AV: AVG 7.5.557 *On-access scanning disabled* (Updated) FW: Norton Internet Worm Protection *disabled* * Created a new restore point FILE :: c:\windows\system32\avwa.dll c:\windows\system32\drivers\oxyjsqmo.sys c:\windows\Tasks\bxedsquz.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_OXYJSQMO ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 ))))))))))))))))))))))))))))))) . 2009-03-28 20:04 . 2009-03-28 20:04 <DIR> d-------- c:\program files\Trend Micro 2009-03-28 18:45 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-28 18:45 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-26 21:57 . 2009-03-28 19:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-26 19:52 . 2009-02-26 19:52 <DIR> d-------- c:\documents and settings\Olivita\Application Data\Malwarebytes 2009-02-26 19:48 . 2009-02-26 19:48 <DIR> d-------- c:\program files\m 2009-02-26 19:47 . 2009-02-26 19:47 0 --a------ C:\LOG61.tmp 2009-02-23 21:13 . 2009-02-23 21:13 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AdobeUM 2009-02-19 13:53 . 2009-03-27 14:29 54,156 --ah----- c:\windows\QTFont.qfn 2009-02-19 13:53 . 2009-02-19 13:53 1,409 --a------ c:\windows\QTFont.for 2009-02-19 11:58 . 2009-02-19 11:59 109 --ahs---- c:\windows\system32\4163043254.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-31 17:10 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AVG7 2009-03-31 17:09 --------- d-----w c:\documents and settings\Olivita\Application Data\AVG7 2009-03-30 22:12 23,424 ----a-w c:\windows\system32\drivers\amezlaox.sys 2009-03-22 03:10 --------- d-----w c:\documents and settings\McHugh\Application Data\AVG7 2009-02-26 23:48 --------- d-----w c:\documents and settings\Olivita\Application Data\U3 2009-01-08 21:39 0 ----a-w c:\documents and settings\Olivita\Application Data\wklnhst.dat . ------- Sigcheck ------- 2005-03-14 04:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys 2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys 2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys 2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys 2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys 2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys 2004-08-10 00:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys 2005-03-14 03:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 c:\windows\$NtUninstallKB917953$\tcpip.sys 2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys 2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys 2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys 2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\dllcache\tcpip.sys 2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\drivers\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360] "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152] "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856] "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 49152] "A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744] "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256] "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-18 180269] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-22 282624] "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE] "nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-01 219136] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2007-01-15 282624] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624] LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-03-22 57344] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "AlwaysReady Power Message APP"=ARPWRMSG.EXE "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\DISC\\DISCover.exe"= "c:\\Program Files\\DISC\\DiscStreamHub.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"= . . ------- Supplementary Scan ------- . uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 Trusted Zone: trymedia.com . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-31 13:21:31 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\windows\arservice.exe c:\progra~1\Grisoft\AVG7\avgamsvr.exe c:\progra~1\Grisoft\AVG7\avgupsvc.exe c:\progra~1\Grisoft\AVG7\avgemc.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\windows\ehome\mcrdsvc.exe c:\windows\system32\dllhost.exe c:\windows\system32\wscntfy.exe c:\windows\ehome\ehmsas.exe c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe c:\program files\DISC\DiscStreamHub.exe c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe . ************************************************************************** . Completion time: 2009-03-31 13:24:17 - machine was rebooted ComboFix-quarantined-files.txt 2009-03-31 17:24:15 ComboFix2.txt 2009-03-30 22:21:27 ComboFix3.txt 2009-03-29 20:29:53 Pre-Run: 222,202,023,936 bytes free Post-Run: 222,187,089,920 bytes free Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=,1,2,3,4 174 --- E O F --- 2009-03-14 02:28:09
  5. I did follow the instructions and it did run, its just no log was produced. I'll run again, I just wanted to hear from you it was OK to retry. With all the warnings about combofix, I am paranoid about running it with out specific instructions
  6. I copied the txt file into combo fix, it ran and rebooted, but the log.txt was empty.
  7. Can't get rid of files/registry entries on reboot. I have run malwarebytes several time and the entries that are marked as delete on reboot never get deleted. Any help you can provide will be appreciated. I have read previous entries on this so I ran combofix and autruns, here are all the log files. I ran the processes in the followin order, malwarebytes combofix autoruns hijackthis and here are the results... malwarebytes logofile Malwarebytes' Anti-Malware 1.35 Database version: 1912 Windows 5.1.2600 Service Pack 2 3/29/2009 3:51:39 PM mbam-log-2009-03-29 (15-51-39).txt Scan type: Quick Scan Objects scanned: 113016 Time elapsed: 14 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 8 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d979721-5df7-4e9e-b6f2-ab0de572b097} (Trojan.BHO.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{4d979721-5df7-4e9e-b6f2-ab0de572b097} (Trojan.BHO.H) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\avwa.dll (Trojan.BHO.H) -> Delete on reboot. C:\Documents and Settings\Olivita\Local Settings\Temp\nalizmau.dat (Rootkit.Agent) -> Delete on reboot. Combofix: ComboFix 09-03-29.02 - HP_Administrator 2009-03-29 16:15:33.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.546 [GMT -4:00] Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe AV: AVG 7.5.557 *On-access scanning disabled* (Updated) FW: Norton Internet Worm Protection *disabled* * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Olivita\Local Settings\Temporary Internet Files\fbk.sts c:\windows\IE4 Error Log.txt c:\windows\system32\_000006_.tmp.dll c:\windows\system32\_000007_.tmp.dll c:\windows\system32\_000010_.tmp.dll c:\windows\system32\rsoirmva.ini c:\windows\system32\TDSSosvd.dat c:\windows\system32\winsrc.dll.tmp c:\windows\system32\xslimghw.ini c:\windows\wiaserviv.log D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV.SYS -------\Service_TDSSserv.sys -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 ))))))))))))))))))))))))))))))) . 2009-03-28 20:04 . 2009-03-28 20:04 <DIR> d-------- c:\program files\Trend Micro 2009-03-28 18:45 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-28 18:45 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-29 14:31 --------- d-----w c:\documents and settings\Olivita\Application Data\AVG7 2009-03-29 12:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AVG7 2009-03-28 23:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-03-22 03:10 --------- d-----w c:\documents and settings\McHugh\Application Data\AVG7 2009-02-26 23:52 --------- d-----w c:\documents and settings\Olivita\Application Data\Malwarebytes 2009-02-26 23:48 --------- d-----w c:\program files\m 2009-02-26 23:48 --------- d-----w c:\documents and settings\Olivita\Application Data\U3 2009-02-24 01:13 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\AdobeUM 2009-01-08 21:39 0 ----a-w c:\documents and settings\Olivita\Application Data\wklnhst.dat . ------- Sigcheck ------- 2005-03-14 04:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys 2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys 2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys 2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys 2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys 2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys 2004-08-10 00:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys 2005-03-14 03:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 c:\windows\$NtUninstallKB917953$\tcpip.sys 2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys 2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys 2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys 2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\dllcache\tcpip.sys 2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 c:\windows\system32\drivers\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D979721-5DF7-4E9E-B6F2-AB0DE572B097}] 2004-08-10 00:00 96256 --a------ c:\windows\system32\avwa.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360] "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152] "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856] "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 49152] "A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744] "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256] "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-18 180269] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-22 282624] "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE] "nwiz"="nwiz.exe" [2006-01-24 c:\windows\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-01 219136] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2007-01-15 282624] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624] LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-03-22 57344] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=kcyrpi.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "AlwaysReady Power Message APP"=ARPWRMSG.EXE "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\DISC\\DISCover.exe"= "c:\\Program Files\\DISC\\DiscStreamHub.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"= R0 oxyjsqmo;oxyjsqmo;c:\windows\system32\drivers\oxyjsqmo.sys [2004-08-10 23424] . Contents of the 'Scheduled Tasks' folder 2009-03-29 c:\windows\Tasks\bxedsquz.job - c:\windows\system32\urqOFwwv.dll [] . - - - - ORPHANS REMOVED - - - - BHO-{C66C1D5E-7D8F-45A7-8A90-C5EAEE1DB043} - (no file) SharedTaskScheduler-IPC Configuration Utility - (no file) Notify-awtQhFvs - awtQhFvs.dll SafeBoot-Winqy74.sys . ------- Supplementary Scan ------- . uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 Trusted Zone: trymedia.com . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-29 16:26:37 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\windows\arservice.exe c:\progra~1\Grisoft\AVG7\avgamsvr.exe c:\progra~1\Grisoft\AVG7\avgupsvc.exe c:\progra~1\Grisoft\AVG7\avgemc.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\windows\ehome\mcrdsvc.exe c:\windows\system32\dllhost.exe c:\windows\ehome\ehmsas.exe c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe c:\program files\DISC\DiscStreamHub.exe c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe . ************************************************************************** . Completion time: 2009-03-29 16:29:51 - machine was rebooted ComboFix-quarantined-files.txt 2009-03-29 20:29:48 Pre-Run: 219,573,886,976 bytes free Post-Run: 222,289,571,840 bytes free Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=,1,2,3,4 190 --- E O F --- 2009-03-14 02:28:09 Autoruns: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + A Verizon App VerizonAppManager (Verified) Verizon Communications c:\program files\verizon online\help support\verizonsupport.exe + AVG7_CC AVG Control Center (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgcc.exe + DISCover DISCover Drop & Play System Executable (Verified) Digital Interactive Systems Corporation c:\program files\disc\discover.exe + DMAScheduler DMAScheduler (Not verified) Sonic Solutions c:\program files\hp digitalmedia archive\dmascheduler.exe + HP Software Update Hewlett-Packard Product Assistant (Not verified) Hewlett-Packard Development Company, L.P. c:\program files\hp\hp software update\hpwuschd2.exe + HPBootOp HP Boot Optimizer (Not verified) Hewlett-Packard Company c:\program files\hewlett-packard\hp boot optimizer\hpbootop.exe + HPHUPD08 HPHupd08 (Not verified) Hewlett-Packard c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe + KBD KBD EXE (Not verified) Hewlett-Packard Company c:\hp\kbd\kbd.exe + nwiz NVIDIA nView Wizard, Version 110.19 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe + QuickTime Task QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe + Recguard Recguard Application c:\windows\sminst\recguard.exe + TkBellExe RealNetworks Scheduler (Not verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe + Verizon_McciTrayApp mcci+McciTrayApp (Not verified) Motive Communications, Inc. c:\program files\verizon\mccitrayapp.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup + HotSync Manager.lnk HotSync
  8. I did some further research on this board and discovered that I have a Rootkit.Sentinel on board. I will perform the following steps and post the results for analysis ------------------------------------------------------------------------ Download and install Autoruns. http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx When you first run it it will generate an extensive listing and the word "Ready" will appear in the bottom left of the sofware GUI. At this point goto options and place check(tick) against verify coded signatures and hide Microsoft & windows entries.Next press F5 button to refresh. Once Ready status by software is gained then goto File option.Select "Export as" and save output file as Autoruns.txt Can you please then copy and paste the contents of that text file into your next reply for analysis. -------------------------------------------------------------------------------------
  9. I have run malwarebytes several times, and each time there are registry entries that it can not delete, but will delete on reboot. When I reboot, the entries are still therel Malwarebytes' Anti-Malware 1.35 Database version: 1912 Windows 5.1.2600 Service Pack 2 3/28/2009 7:57:15 PM mbam-log-2009-03-28 (19-57-15).txt Scan type: Quick Scan Objects scanned: 19240 Time elapsed: 1 minute(s), 16 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d979721-5df7-4e9e-b6f2-ab0de572b097} (Trojan.BHO.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{4d979721-5df7-4e9e-b6f2-ab0de572b097} (Trojan.BHO.H) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{84ba8988-33e1-4c89-a150-bf428e8d3213} (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\avwa.dll (Trojan.BHO.H) -> Delete on reboot. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:05:18 PM, on 3/28/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\arservice.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe C:\Program Files\HP\HP Software Update\HPwuSchd2.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE C:\Program Files\Verizon\McciTrayApp.exe C:\HP\KBD\KBD.EXE C:\Program Files\DISC\DISCover.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Palm\HOTSYNC.EXE C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe C:\Program Files\DISC\DiscStreamHub.exe C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe C:\PROGRA~1\Grisoft\AVG7\avgw.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O20 - AppInit_DLLs: kcyrpi.dll O20 - Winlogon Notify: awtQhFvs - awtQhFvs.dll (file missing) O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 8900 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.