
Possibly more than one Spyware infection!!!


  • This topic is locked
9 replies to this topic

#1 Rob2142

    Member

  • Full Member
  • 6 posts

Posted 22 January 2008 - 01:52 AM

:alarm: Ok, so it started about 3 days ago. I hooked my computer to the internet for the first time and I played some Counter Strike Source for one night. The day after is when everything started going wrong. The program for Counter Strike Source (known as Steam) was not working. My computer was slowing down, so I scanned with Ad-Aware. I found 4 infections known as Adware.BHO(generic) and removed them... not for long, as they returned and won't delete. Then my Norton firewall kept asking me to block a program called MLLJJ.EXE from accessing the Internet. I blocked it because I had no idea what it was. Then Mozilla Firefox stopped working, saying it was "unable to connect to the server" or something, yet other programs like Xfire (an online chatting program similar to AIM) were working fine. I restarted my computer thinking it would fix the problem. I was wrong. When I turned my computer back on, a process called WMRAM.EXE was "multiplying" itself at least 20 times, slowing my computer even more. The MLLJJ.EXE again tried to access the internet, but I had pulled the plug on it. Another program tried to access the internet as well, but I forgot its name. I turned my PC off again and rebooted. This time, and occasionally when I boot up my comp, a window pops up saying that the MLLJJ.EXE can't run and it wants to send some error report to Microsoft. I hit don't send and ignore it. Another thing that happens is that some symbol in the bottom right hand corner of the screen says my computer is infected. Knowing from a previous experience not to trust that, I just close it. I have installed Zone Alarm, but was only able to do it in Safe mode. AVG will not install because it apparently has an "access denied" error, even though I am the only person who uses the CPU and there are no other profiles or logs on it. I fear that this MLLJJ.EXE virus/trojan is hacking my CPU, as twice now it has tried to start Firefox and open to the site Scan.Malwarecrush.com. I don't trust it at all.
My CPU is not connected to the internet and Zone Alarm cannot be activated in normal or safe boot mode. I have a logfile scanned by HijackThis and will post it if it helps.




Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:16:41 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
K:\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljj.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: (no name) - {8A52E811-F038-461A-9337-FD7D6BA3934C} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: InternetHelper.CInternetHelper - {D9CEE89F-CC54-4337-A283-7035335B42E6} - C:\WINDOWS\system32\winifo.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\jkkkklk.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GeelixHUDDesktop] C:\Program Files\Geelix.4.0.0.0\GeelixHUDDesktop.exe -startup
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvkib.dll,startup
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wininfo] C:\WINDOWS\system32\wmram.exe
O4 - HKCU\..\Run: [WindowBlinds] C:\Documents and Settings\All Users\Documents\Stardock\WindowBlinds\WBInstall32.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Steam] "C:\SteamBuster\Resources\Emulator\hCUPa\Steam.exe" -silent
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jkkkklk - C:\WINDOWS\SYSTEM32\jkkkklk.dll
O20 - Winlogon Notify: tuvsqnk - tuvsqnk.dll (file missing)
O20 - Winlogon Notify: winnsy32 - C:\WINDOWS\SYSTEM32\winnsy32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 9371 bytes




Please help me get rid of this problem. It is very annoying and I am starting to lose my temper at times :techsupport: :rant:

All help is appreciated. Thank you.

-Rob2142
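
The entries a log reader zeroes in on in the HijackThis log above (the win.ini load= line, the two unnamed BHOs, the rundll32 autostart of a system32 DLL, the [lsass] entry pointing at "lsass .exe" with a space before the extension, and the Winlogon Notify DLLs) can be written down as mechanical triage rules. The block below is an added example and is not code from this thread or from HijackThis; the sample lines are copied from the posted log plus benign entries for contrast, and the Winlogon Notify allow-list is a constructed subset, not an authoritative list.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread, not code from the forum or from HijackThis:
it encodes the checks a log reader applies to the F3/O2/O4/O20 entries posted
above. The sample lines are copied from that log plus two benign entries for
contrast; the allow-list of Winlogon Notify packages is a constructed subset.
"""
import re
from dataclasses import dataclass

# Matches an absolute Windows path up to the first .exe/.dll/.sys, so the
# odd "lsass .exe" (space before the extension) is captured intact.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Core XP processes that only ever run from system32; the same name elsewhere
# is a masquerade, as with the [lsass] Run entry in the posted log.
SYSTEM32_ONLY = {"lsass", "smss", "csrss", "winlogon", "services", "svchost"}

# Winlogon Notify packages of a stock XP install plus a few common vendors
# (constructed allow-list); any other O20 package merits a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "wbsrv"}

# Constructed sample: lines from the posted log plus two benign entries.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljj.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: (no name) - {8A52E811-F038-461A-9337-FD7D6BA3934C} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvkib.dll,startup
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe
O4 - HKCU\..\Run: [wininfo] C:\WINDOWS\system32\wmram.exe
O20 - Winlogon Notify: jkkkklk - C:\WINDOWS\SYSTEM32\jkkkklk.dll
O20 - Winlogon Notify: tuvsqnk - tuvsqnk.dll (file missing)
"""


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O4"
    reason: str    # why the entry is suspicious
    detail: str    # the path or text the rule fired on


def _stem(path: str) -> str:
    """Filename without directory, extension, or the stray space: 'lsass'."""
    name = path.rsplit("\\", 1)[-1]
    return re.sub(r"\s*\.\w+$", "", name).lower()


def triage_line(line: str) -> list:
    """Apply the rules to one log line and return zero or more findings."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    pm = WIN_PATH.search(body)
    path = pm.group(0) if pm else None
    found = []
    if path and re.search(r"\S \.(?:exe|dll)$", path, re.IGNORECASE):
        found.append(Finding(code, "space before extension (companion-file pattern)", path))
    if code == "F3" and "load=" in body.lower():
        found.append(Finding(code, "legacy win.ini load= autostart", path or body))
    if code == "O2" and "(no name)" in body:
        found.append(Finding(code, "BHO without a registered name", path or "(no file)"))
    if code == "O4" and path:
        if re.search(r"\brundll32(?:\.exe)?\s", body, re.IGNORECASE) and path.lower().endswith(".dll"):
            found.append(Finding(code, "DLL autostarted through rundll32", path))
        if _stem(path) in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
            found.append(Finding(code, "core process name outside system32", path))
    if code == "O20":
        if "(file missing)" in body:
            found.append(Finding(code, "orphaned Winlogon Notify entry", body))
        elif path and _stem(path) not in KNOWN_NOTIFY:
            found.append(Finding(code, "unrecognised Winlogon Notify package", path))
    return found


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and return all findings in order."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason:<48} {f.detail}")
```

Run against the sample it reports eight findings, every one of them an entry that the helper's later ComboFix script or the ComboFix "Other Deletions" list also names.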

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 24 January 2008 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Rob2142

    Member

  • Full Member
  • 6 posts

Posted 24 January 2008 - 06:06 PM

Ok thank you.

#4 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 27 January 2008 - 05:46 AM

Hi,

1. Download this file -
ComboFix
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 Rob2142

    Member

  • Full Member
  • 6 posts

Posted 27 January 2008 - 10:47 AM

Alright, I'll get to that.

#6 Rob2142

    Member

  • Full Member
  • 6 posts

Posted 27 January 2008 - 11:49 AM

Ok, here is the logfile for ComboFix as you requested.

ComboFix 08-01-23.1C - Bobby 2008-01-27 10:02:47.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.528 [GMT -6:00]
Running from: K:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\hp\KBD\KBD .EXE
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\launchpd .exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM .exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc .exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Helper
C:\Program Files\Helper\Helper9.dll
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06 .exe
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch .exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\lsass.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
c:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinFP.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\PowerISO\PWRISOVM .EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\setup.exe
C:\SteamBuster\Resources\Emulator\hCUPa\steam .exe
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\grecorder.dll
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\jkkkklk.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.exe
C:\WINDOWS\system32\RCX59.tmp
C:\WINDOWS\system32\wmram .exe
C:\WINDOWS\system32\wmram.exe
H:\Autorun.inf

C:\WINDOWS\system32\wmram .exe ---> QooBox
.
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 10:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 17:14 . 2008-01-26 17:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-26 17:14 . 2008-01-26 17:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-26 16:52 . 2008-01-26 16:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-26 16:51 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-26 16:49 . 2008-01-26 16:49 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-26 15:36 . 2008-01-26 15:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-22 10:46 . 2008-01-22 12:39 <DIR> d----c--- C:\VundoFix Backups
2008-01-21 20:56 . 2008-01-26 17:21 241,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-21 20:56 . 2008-01-22 12:41 2,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-21 20:52 . 2008-01-21 20:52 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-21 20:48 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-21 20:48 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-21 20:48 . 2008-01-21 20:52 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-21 20:46 . 2008-01-21 20:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-21 20:46 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-21 20:46 . 2008-01-27 10:17 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-21 20:45 . 2008-01-27 10:18 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-21 18:56 . 2008-01-21 18:56 338,432 --a------ C:\WINDOWS\system32\RCX99A3.tmp
2008-01-21 03:00 . 2008-01-21 18:47 <DIR> d-------- C:\WINDOWS\$hf_mig$
2008-01-20 13:07 . 2008-01-20 13:07 338,432 --a------ C:\WINDOWS\system32\RCX94A4.tmp
2008-01-20 10:28 . 2008-01-21 21:39 667,648 --a------ C:\WINDOWS\system32\hphmon06 .exe
2008-01-20 10:28 . 2008-01-21 21:39 59,392 --a------ C:\WINDOWS\system\hpsysdrv .exe
2008-01-20 08:19 . 2008-01-20 08:19 45 --a--c--- C:\TEST.XML
2008-01-20 08:17 . 2008-01-21 22:04 178 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-20 02:37 . 2008-01-20 02:37 105,472 --a------ C:\WINDOWS\system32\drvwat.dll
2008-01-20 02:37 . 2008-01-20 02:37 103,936 --a------ C:\WINDOWS\system32\drvkib.dll
2008-01-20 01:45 . 2008-01-20 01:46 <DIR> d-------- C:\Program Files\Xfire
2008-01-20 01:35 . 2008-01-20 01:35 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-19 18:24 . 2008-01-19 18:24 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-19 18:24 . 2008-01-19 18:24 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-19 18:23 . 2006-06-29 15:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-19 18:22 . 2006-10-16 18:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-19 18:18 . 2008-01-19 18:18 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-16 20:16 . 2004-08-12 07:59 521,216 --a------ C:\WINDOWS\system32\logonui.exe
2008-01-16 19:48 . 2008-01-16 23:13 <DIR> d-------- C:\Program Files\OneStepSearch
2008-01-16 19:45 . 2008-01-16 19:45 129,536 --a------ C:\WINDOWS\system32\IJL15.dll
2008-01-16 19:44 . 2005-03-22 04:26 3,661,508 --a------ C:\WINDOWS\system32\BreastWomen.scr
2008-01-16 19:44 . 2008-01-16 19:44 640,957 --a------ C:\WINDOWS\unins000.exe
2008-01-16 19:44 . 2008-01-16 19:44 822 --a------ C:\WINDOWS\unins000.dat
2008-01-16 19:41 . 2008-01-16 19:41 <DIR> d-------- C:\Program Files\Active Dancer Strip Saver
2008-01-16 19:39 . 2008-01-16 19:39 <DIR> d-------- C:\Program Files\Stardock
2008-01-16 19:39 . 2007-07-11 16:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-01-16 16:38 . 2008-01-16 16:38 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-15 22:24 . 2007-04-27 18:03 211 --ahsc--- C:\BOOT.BKK
2008-01-15 22:20 . 2008-01-15 22:20 <DIR> d-------- C:\Program Files\TGTSoft
2007-12-31 11:44 . 2007-12-31 11:44 <DIR> d-------- C:\Program Files\GameSpy Arcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 16:11 --------- d-----w C:\Program Files\QuickTime
2008-01-27 16:11 --------- d-----w C:\Program Files\PowerISO
2008-01-27 16:11 --------- d-----w C:\Program Files\iTunes
2008-01-27 16:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-26 23:12 --------- d-----w C:\Program Files\iPod
2008-01-20 20:26 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-01-20 00:29 --------- d-----w C:\Program Files\MSBuild
2008-01-12 07:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 01:50 --------- d-----w C:\Program Files\Microsoft Games
2007-12-31 01:44 --------- d-----w C:\Program Files\EA GAMES
2007-12-31 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 01:41 --------- d-----w C:\Program Files\LucasArts
2007-12-26 18:09 --------- d-----w C:\Program Files\ZD Soft
2007-12-23 17:41 --------- d-----w C:\Program Files\Notation
2007-12-03 00:06 --------- d-----w C:\Program Files\Lavasoft
2007-12-02 23:23 --------- d-----w C:\Program Files\Sierra Entertainment
.
----a-w      59,392 2008-01-22 03:39:22  C:\WINDOWS\system\hpsysdrv .exe
----a-w     667,648 2008-01-22 03:39:24  C:\WINDOWS\system32\hphmon06 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 18:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 18:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9CEE89F-CC54-4337-A283-7035335B42E6}]
2004-10-07 14:30 45056 ----s---- C:\WINDOWS\system32\winifo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-21 20:52 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [ ]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"WindowBlinds"="C:\Documents and Settings\All Users\Documents\Stardock\WindowBlinds\WBInstall32.exe" [ ]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ]
"Steam"="C:\SteamBuster\Resources\Emulator\hCUPa\Steam.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [ ]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"VTTimer"="VTTimer.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [ ]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 26624 C:\WINDOWS\LOGI_MWX.EXE]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"GeelixHUDDesktop"="C:\Program Files\Geelix.4.0.0.0\GeelixHUDDesktop.exe" [ ]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"MSDrive"="C:\WINDOWS\system32\drvkib.dll" [2008-01-20 02:37 103936]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]

C:\Documents and Settings\Bobby\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 23:26:24 210520]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-29 14:38:57 176128]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqnk]
tuvsqnk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-14 09:04 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 03:50]
S3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
\Shell\AutoRun\command - O:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b10c60aa-fc35-11db-a503-00112fd6ef99}]
\Shell\AutoRun\command - O:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-04-29 23:22:05 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 10:35:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\drvkib.dll
.
Completion time: 2008-01-27 10:41:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 16:41:49
.
2008-01-22 17:55:40 --- E O F ---

#7 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 27 January 2008 - 01:34 PM

Hi,

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::

RENV::
C:\WINDOWS\system32\wmram .exe
C:\WINDOWS\system\hpsysdrv .exe
C:\WINDOWS\system32\hphmon06 .exe
C:\WINDOWS\system32\drvwat.dll
C:\WINDOWS\system32\drvkib.dll
C:\WINDOWS\system32\winifo.dll
Folder::
C:\Program Files\OneStepSearch
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9CEE89F-CC54-4337-A283-7035335B42E6}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqnk]


Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Next:

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-sec.../home/ols.shtml

Scroll to the bottom of the page, and click Start Scan.

When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will then start automatically.

Please be patient as this scan will take a while to complete. If any infections are found then once the scan has finished, the "cleaning" screen will be displayed.

Choose Automatic cleaning (recommended). After cleaning has finished, the Finish screen will be displayed.

Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text.

Then copy and paste that information into this thread. You may need two posts to fit it in.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#8 Rob2142

    Member

  • Full Member
  • 6 posts

Posted 28 January 2008 - 06:55 PM

I've got someone looking at my comp right now. Thank you for your help anyway.

#9 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 29 January 2008 - 03:29 AM

I hope they're good, as you have a file infector, and I haven't finished removing it. Anyhow, your choice.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#10 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 29 January 2008 - 03:29 AM

Since the issue appears to be resolved, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.



