Jump to content

Trojan.TDSS: need help with the log by combofix


Recommended Posts

Hi,

Malwarebytes detected Trojan.TDSS but can not remove it. It is reported removed, but after a reboot malwarebytes detects the same threat again. I ran ComboFix as described in one of the threads on this forum, and need help in regard to my next step.

Note that I do not have recovery console installed. I have a double boot Linux/Windows XP machine and I am afraid that it will mess up with Grub.

Here is the log produced by ComboFix.

Thanks in advance

<LOG BEGINS HERE>

ComboFix 09-08-03.A2 - Administrator 04.08.2009 17:54.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2564 [GMT 2:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-1214880521-1771959046-1285687842-500

c:\recycler\S-1-5-21-436374069-179605362-725345543-500

c:\windows\Installer\f99c.msp

c:\windows\system32\AutoRun.inf

c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk

c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security

c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security

c:\windows\system32\drivers\hjgruivkypyqbi.sys

c:\windows\system32\hjgruifpbwvrxd.dat

c:\windows\system32\hjgruioirjxjvs.dll

c:\windows\system32\hjgruiqjwtxwnl.dll

c:\windows\system32\hjgruirteumnpq.dat

c:\windows\system32\drivers\str.sys . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_hjgruiwqpsmsrs

-------\Legacy_DOT3SVCREMOTEREGISTRY

-------\Service_Dot3svcRemoteRegistry

((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))

.

2009-08-04 16:02 . 2009-08-04 16:02 114688 ----a-w- c:\windows\system32\chg.exe

2009-08-04 12:33 . 2009-08-04 16:03 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-08-04 12:33 . 2009-08-04 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-04 12:33 . 2009-08-04 12:33 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-04 12:33 . 2009-08-04 12:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-08-02 15:34 . 2009-08-02 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-02 15:34 . 2009-08-02 15:34 -------- d-----w- c:\windows\system32\drivers\NSS

2009-08-02 15:34 . 2009-08-02 15:34 -------- d-----w- c:\program files\Norton Security Scan

2009-08-02 15:34 . 2009-08-02 15:34 -------- d-----w- c:\program files\NortonInstaller

2009-08-02 15:34 . 2009-08-02 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-02 15:27 . 2009-08-02 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-08-01 07:19 . 2009-08-01 07:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-01 07:19 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-01 07:19 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-01 07:19 . 2009-08-01 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-01 07:19 . 2009-08-04 14:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-01 02:23 . 2009-08-01 03:56 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-25 15:19 . 2009-07-27 11:38 2961 --s-a-w- c:\windows\system32\3180863869.dat

2009-07-16 18:26 . 2009-07-16 18:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2009-07-09 15:52 . 2009-07-09 15:52 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.463\English\setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-04 16:02 . 2009-01-30 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2009-08-04 12:32 . 2007-12-20 09:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-04 11:22 . 2008-01-05 17:55 -------- d-----w- c:\documents and settings\pavels\Application Data\Skype

2009-08-04 11:21 . 2008-01-05 17:57 -------- d-----w- c:\documents and settings\pavels\Application Data\skypePM

2009-08-02 15:41 . 2007-12-10 22:10 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-02 12:47 . 2009-02-08 18:35 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-01 06:35 . 2007-12-20 13:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-01 06:27 . 2009-05-30 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-01 06:26 . 2007-12-20 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-01 04:07 . 2007-12-20 13:08 -------- d-----w- c:\program files\Pidgin

2009-08-01 02:56 . 2009-01-30 20:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2009-07-16 17:26 . 2008-11-19 09:56 58216 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-05 11:52 . 2007-12-21 21:47 58216 ----a-w- c:\documents and settings\pavels\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-04 07:47 . 2007-12-21 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-07-02 17:30 . 2009-05-30 18:25 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-28 08:53 . 2009-06-28 08:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-06-28 08:53 . 2009-06-28 08:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR

2009-06-28 08:52 . 2009-05-30 18:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-28 08:52 . 2007-12-20 13:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-26 16:50 . 2004-08-04 08:00 666624 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-18 20:27 . 2008-10-07 19:21 -------- d-----w- c:\program files\Winamp

2009-06-18 20:27 . 2008-10-07 19:21 -------- d-----w- c:\documents and settings\pavels\Application Data\Winamp

2009-06-18 20:16 . 2009-05-30 18:51 -------- d-----w- c:\documents and settings\pavels\Application Data\AVGTOOLBAR

2009-06-16 14:36 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:09 . 2004-08-04 08:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-30 18:25 . 2009-05-30 18:25 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-18 19:08 . 2008-06-21 07:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-14 14:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

"gStart"="c:\garmin\gStart.exe" [2007-03-04 1891416]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-03 163840]

"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-21 1187840]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]

"HPWWANGSAssistant"="c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe" [2007-05-03 4032056]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]

"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-10-25 380928]

"hp Update 2100C"="c:\sj644\hpupdate.exe" [2002-01-24 28672]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]

"MSxmlHpr"="c:\windows\system32\msxm192z.dll" [2004-08-17 28672]

"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-12-20 192512]

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-28 08:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]

2007-04-30 16:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\StarNet\\X-Win32 9.0\\xwin32.exe"=

"c:\\Documents and Settings\\pavels\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [27.04.2007 05:23 100095]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [09.10.2006 23:31 44720]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [30.03.2007 02:54 13696]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30.05.2009 20:25 335752]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [30.05.2009 20:25 108552]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [27.04.2007 05:23 5808]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28.07.2009 10:53 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28.07.2009 10:53 72944]

R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [04.08.2004 10:00 14336]

R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04.08.2004 10:00 14336]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [30.05.2009 20:25 907032]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [30.05.2009 20:25 298776]

R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [27.04.2007 20:58 221184]

R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [04.12.2006 17:13 292384]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [04.04.2007 21:16 41216]

R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [10.12.2007 22:55 47616]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28.07.2009 10:53 7408]

S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [23.04.2007 23:13 30008]

S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [30.04.2007 18:28 172131]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Cognizance REG_MULTI_SZ ASBroker ASChannel

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2009-08-02 c:\windows\Tasks\Norton Security Scan for Administrator.job

- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-02 15:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.hp.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l5od8een.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - www.google.com.au

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-04 18:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqsettware Updatet = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

c:\windows\system32\drivers\fxysvaofprt.sys 76544 bytes executable

c:\windows\system32\drivers\str.sys 213024 bytes executable

scan completed successfully

hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fkudcvx]

"ImagePath"="\??\c:\windows\system32\drivers\fxysvaofprt.sys"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1004)

c:\windows\SbHpNp.dll

c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll

c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(6520)

c:\windows\system32\APSHook.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\msxm192z.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\scardsvr.exe

c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe

c:\windows\system32\msdtc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe

c:\windows\system32\mqsvc.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\system32\rundll32.exe

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2009-08-04 18:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-04 16:07

Pre-Run: 8 795 525 120 bytes free

Post-Run: 10 228 822 016 bytes free

301 --- E O F --- 2009-08-02 12:41

Link to post
Share on other sites

  • Staff

Hi,

First of all, please backup your important data first, just in case, because you're dealing with a stubborn rootkit here which may cause your pc unbootable.

Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Rootkit::

c:\windows\system32\drivers\fxysvaofprt.sys

c:\windows\system32\drivers\str.sys

Driver::

fkudcvx

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Link to post
Share on other sites

Hi Mieke,

Thanks for looking at my log. After the previous run of combofix the system stabilized, and scans with AVG and superantispyware found nothing. Scans with malwarebytes repeatedly hanged at the last stage (what it was... some generic check after everything was found OK). AVG once came (by its own) with a report of a new trojan, and seems to remove it successfully.

Here is the new log from combofix:

<BEGIN>

ComboFix 09-08-03.A2 - Administrator 07.08.2009 18:44.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2467 [GMT 2:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\str.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FKUDCVX

-------\Service_fkudcvx

((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))

.

2009-08-05 18:12 . 2009-06-14 14:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll

2009-08-05 17:26 . 2009-08-05 17:26 -------- d-----w- c:\documents and settings\pavels\Application Data\Malwarebytes

2009-08-04 12:33 . 2009-08-07 16:53 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-08-04 12:33 . 2009-08-04 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-04 12:33 . 2009-08-04 12:33 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-04 12:33 . 2009-08-04 12:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-08-02 15:34 . 2009-08-05 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-02 15:34 . 2009-08-02 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-02 15:27 . 2009-08-02 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-08-01 07:19 . 2009-08-01 07:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-01 07:19 . 2009-08-01 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-01 02:23 . 2009-08-06 16:06 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-25 15:19 . 2009-07-27 11:38 2961 --s-a-w- c:\windows\system32\3180863869.dat

2009-07-16 18:26 . 2009-07-16 18:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2009-07-09 15:52 . 2009-07-09 15:52 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.463\English\setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-06 16:02 . 2008-01-05 17:55 -------- d-----w- c:\documents and settings\pavels\Application Data\Skype

2009-08-06 16:02 . 2008-01-05 17:57 -------- d-----w- c:\documents and settings\pavels\Application Data\skypePM

2009-08-05 18:28 . 2009-01-30 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2009-08-05 18:02 . 2007-12-20 13:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-05 17:51 . 2007-12-20 09:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-05 17:50 . 2007-12-20 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-02 15:41 . 2007-12-10 22:10 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-02 12:47 . 2009-02-08 18:35 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-01 06:27 . 2009-05-30 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-01 04:07 . 2007-12-20 13:08 -------- d-----w- c:\program files\Pidgin

2009-08-01 02:56 . 2009-01-30 20:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2009-07-16 17:26 . 2008-11-19 09:56 58216 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-05 11:52 . 2007-12-21 21:47 58216 ----a-w- c:\documents and settings\pavels\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-04 07:47 . 2007-12-21 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-07-02 17:30 . 2009-05-30 18:25 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-28 08:53 . 2009-06-28 08:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-06-28 08:53 . 2009-06-28 08:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR

2009-06-28 08:52 . 2009-05-30 18:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-28 08:52 . 2007-12-20 13:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-26 16:50 . 2004-08-04 08:00 666624 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-18 20:27 . 2008-10-07 19:21 -------- d-----w- c:\program files\Winamp

2009-06-18 20:27 . 2008-10-07 19:21 -------- d-----w- c:\documents and settings\pavels\Application Data\Winamp

2009-06-18 20:16 . 2009-05-30 18:51 -------- d-----w- c:\documents and settings\pavels\Application Data\AVGTOOLBAR

2009-06-16 14:36 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:09 . 2004-08-04 08:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-30 18:25 . 2009-05-30 18:25 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-04-18 19:08 . 2008-06-21 07:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-04_16.03.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-20 15:36 . 2009-08-05 18:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-12-20 15:36 . 2009-08-04 16:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2007-12-20 15:36 . 2009-08-05 18:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2007-12-20 15:36 . 2009-08-04 16:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-26 08:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

"gStart"="c:\garmin\gStart.exe" [2007-03-04 1891416]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-03 163840]

"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-21 1187840]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]

"HPWWANGSAssistant"="c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe" [2007-05-03 4032056]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]

"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-10-25 380928]

"hp Update 2100C"="c:\sj644\hpupdate.exe" [2002-01-24 28672]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]

"MSxmlHpr"="c:\windows\system32\msxm192z.dll" [2004-08-17 28672]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]

"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-12-20 192512]

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-28 08:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]

2007-04-30 16:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TapiSrv"=3 (0x3)

"HpFkCryptService"=2 (0x2)

"FLCDLOCK"=3 (0x3)

"btwdins"=2 (0x2)

"Bonjour Service"=2 (0x2)

"aawserviceAlerter"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\StarNet\\X-Win32 9.0\\xwin32.exe"=

"c:\\Documents and Settings\\pavels\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [27.04.2007 05:23 100095]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [09.10.2006 23:31 44720]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [30.03.2007 02:54 13696]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30.05.2009 20:25 335752]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [30.05.2009 20:25 108552]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [27.04.2007 05:23 5808]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28.07.2009 10:53 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28.07.2009 10:53 72944]

R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [04.08.2004 10:00 14336]

R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04.08.2004 10:00 14336]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [30.05.2009 20:25 907032]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [30.05.2009 20:25 298776]

R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [04.12.2006 17:13 292384]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [04.04.2007 21:16 41216]

R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [10.12.2007 22:55 47616]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28.07.2009 10:53 7408]

S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [23.04.2007 23:13 30008]

S4 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [30.04.2007 18:28 172131]

S4 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [27.04.2007 20:58 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Cognizance REG_MULTI_SZ ASBroker ASChannel

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.hp.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l5od8een.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - www.google.com.au

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-07 18:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(996)

c:\windows\SbHpNp.dll

c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll

c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(2756)

c:\windows\system32\APSHook.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\msxm192z.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\scardsvr.exe

c:\windows\system32\msdtc.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\mqsvc.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\system32\rundll32.exe

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2009-08-07 18:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-07 16:57

ComboFix2.txt 2009-08-04 16:07

Pre-Run: 10

Link to post
Share on other sites

  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

Link to post
Share on other sites

Why are you bumping this thread? I already replied "Aug 7 2009, 07:36 PM" but you never replied anymore.

Sorry, I must have missed that somehow.

Anyway, I ran "CombFix /u" and got the message that it has been uninstalled.

Thanks for your help, I keep the fingers crossed.

Cheers

-sparse

Link to post
Share on other sites

  • Staff

Glad I could help. :(

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.