22nd June 2008
#1
Inactive
Join Date: Jun 2008
Posts: 3
Computer Experience: Experienced
Trouble removing spools.exe
My mother's computer slowed down, so naturally she decided to download some antivirus software and fix it! Unfortunately, she wound up downloading something even worse, and it appears to be spools.exe. I was unable to run an executable for the longest time, but right before I decided to reformat, I found that I could run a couple nested .bat files in an endless loop, and after enough calls I could launch whatever I wanted to. My attempts at removing it have been unsuccessful, so here's the output from DSS:
Deckard's System Scanner v20071014.68
Run by Lorna Jones on 2008-06-21 20:35:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis (run as Lorna Jones.exe) -----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:08 PM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Lorna Jones\My Documents\Installed\dss .exe
C:\DOCUME~1\LORNAJ~1\MYDOCU~1\INSTAL~1\LORNAJ~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers...meLeftPane.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=4060925
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0576C568-1DFF-4F13-BAF0-D07F8E96071C} - C:\WINDOWS\system32\wvUmjhhg.dll
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\vtUooMCR.dll
O2 - BHO: {7ff94b1e-f2bb-630b-04a4-7b51bb1530f8} - {8f0351bb-15b7-4a40-b036-bb2fe1b49ff7} - C:\WINDOWS\system32\uveivlbc.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - (no file)
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Lorna Jones\cftmon.exe
O4 - HKLM\..\Run: [086ccfb2] rundll32.exe "C:\WINDOWS\system32\pltqtgaa.dll",b
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Lorna Jones\cftmon.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpf...qdiagh.cab?326
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: vtUooMCR - C:\WINDOWS\SYSTEM32\vtUooMCR.dll
O20 - Winlogon Notify: __c00F3F70 - C:\WINDOWS\system32\__c00F3F70.dat
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
--
End of file - 6920 bytes
-- Files created between 2008-05-21 and 2008-06-21 -----------------------------
2008-06-21 19:45:44 0 d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Identities
2008-06-21 19:45:44 0 d--h----- C:\Documents and Settings\Administrator.LORNA\Application Data\Gtek
2008-06-21 19:45:43 0 dr------- C:\Documents and Settings\Administrator.LORNA\Favorites
2008-06-21 19:45:43 0 d-------- C:\Documents and Settings\Administrator.LORNA\Desktop
2008-06-21 19:45:43 0 d--hs---- C:\Documents and Settings\Administrator.LORNA\Cookies
2008-06-21 19:45:43 0 dr-h----- C:\Documents and Settings\Administrator.LORNA\Application Data
2008-06-21 19:45:43 0 d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Symantec
2008-06-21 19:45:43 0 d---s---- C:\Documents and Settings\Administrator.LORNA\Application Data\Microsoft
2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\Templates
2008-06-21 19:45:42 0 dr------- C:\Documents and Settings\Administrator.LORNA\Start Menu
2008-06-21 19:45:42 0 dr-h----- C:\Documents and Settings\Administrator.LORNA\SendTo
2008-06-21 19:45:42 0 dr-h----- C:\Documents and Settings\Administrator.LORNA\Recent
2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\PrintHood
2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\NetHood
2008-06-21 19:45:42 0 dr------- C:\Documents and Settings\Administrator.LORNA\My Documents
2008-06-21 19:45:42 0 d--h----- C:\Documents and Settings\Administrator.LORNA\Local Settings
2008-06-21 19:45:41 786432 --ah----- C:\Documents and Settings\Administrator.LORNA\NTUSER.DAT
2008-06-21 19:22:33 99328 --a------ C:\WINDOWS\system32\uveivlbc.dll
2008-06-21 19:22:31 81408 --a------ C:\WINDOWS\system32\pltqtgaa.dll
2008-06-21 19:20:40 99328 --a------ C:\WINDOWS\system32\qehpfnba.dll
2008-06-21 19:20:06 25088 --a------ C:\WINDOWS\system32\cbXNeCuT.dll
2008-06-08 18:36:51 92160 --a------ C:\WINDOWS\system32\xmjviijo.dll
2008-06-08 18:36:47 108544 --a------ C:\WINDOWS\system32\pwkayfhe.dll
2008-06-08 17:48:44 56 --a------ C:\xcrashdump.dat
2008-06-08 17:47:53 0 d-------- C:\Program Files\WinAntivirusPro3.8
2008-06-08 17:47:53 0 d-------- C:\Program Files\NetFilter
2008-06-08 17:45:53 18944 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-06-08 17:45:53 18944 --a------ C:\Documents and Settings\Lorna Jones\cftmon.exe
2008-06-08 17:45:51 0 d-------- C:\Program Files\SAV
2008-06-08 17:45:47 5120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-06-08 17:45:47 5120 --a------ C:\Documents and Settings\Lorna Jones\ftp34.dll
2008-06-08 17:44:53 67584 --a------ C:\WINDOWS\system32\__c006B5C4.exe
2008-06-08 17:41:29 108544 --a------ C:\WINDOWS\system32\hxqtvvkj.dll
2008-06-08 17:40:01 92160 --a------ C:\WINDOWS\system32\lclcqauq.dll
2008-06-07 14:11:15 108544 --a------ C:\WINDOWS\system32\xwpylvpe.dll
2008-06-07 14:09:56 1742 --ahs---- C:\WINDOWS\system32\ghhjmUvw.ini2
2008-06-07 14:09:53 347136 --a------ C:\WINDOWS\system32\wvUmjhhg.dll
2008-06-07 14:04:48 59904 --a------ C:\WINDOWS\system32\vtUooMCR.dll
2008-06-07 14:04:43 25088 --a------ C:\WINDOWS\system32\__c00F3F70.dat
2008-05-21 07:50:03 0 d-------- C:\Program Files\Adobe Media Player
2008-05-21 07:49:43 0 d-------- C:\Program Files\Common Files\Adobe AIR
-- Find3M Report ---------------------------------------------------------------
2008-06-08 17:39:12 0 d-------- C:\Program Files\SpamBlockerUtility
2008-05-21 07:49:43 0 d-------- C:\Program Files\Common Files
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0576C568-1DFF-4F13-BAF0-D07F8E96071C}]
06/07/2008 02:09 PM 347136 --a------ C:\WINDOWS\system32\wvUmjhhg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32341E7E-C319-46DE-91D0-E30BB1A3CABA}]
06/07/2008 02:04 PM 59904 --a------ C:\WINDOWS\system32\vtUooMCR.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7}]
06/21/2008 07:22 PM 99328 --a------ C:\WINDOWS\system32\uveivlbc.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="C:\Program Files\SAV\sav.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [06/08/2008 05:46 PM]
"autoload"="C:\Documents and Settings\Lorna Jones\cftmon.exe" [06/08/2008 05:46 PM]
"086ccfb2"="C:\WINDOWS\system32\pltqtgaa.dll" [06/21/2008 07:22 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="C:\Program Files\SAV\sav.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [06/08/2008 05:46 PM]
"autoload"="C:\Documents and Settings\Lorna Jones\cftmon.exe" [06/08/2008 05:46 PM]
"WinAntivirusPro"="C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe" [06/08/2008 05:47 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{32341E7E-C319-46DE-91D0-E30BB1A3CABA}"= C:\WINDOWS\system32\vtUooMCR.dll [06/07/2008 02:04 PM 59904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUooMCR]
vtUooMCR.dll 06/07/2008 02:04 PM 59904 C:\WINDOWS\system32\vtUooMCR.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F3F70]
C:\WINDOWS\system32\__c00F3F70.dat 06/21/2008 07:16 PM 25088 C:\WINDOWS\system32\__c00F3F70.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUmjhhg
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe
-- End of Deckard's System Scanner: finished at 2008-06-21 20:35:35 ------------
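As an added example (not code from the thread or from DSS/HijackThis), a small Python triage script that applies the checks a helper applies by eye to the O4/O20/O23 lines above: autostart and service images whose name is one or two edits away from a real system binary (spools.exe vs spoolsv.exe, cftmon.exe vs ctfmon.exe), a fixed-image service such as Task Scheduler pointing at another file, and a Winlogon Notify package that is not a DLL. The sample lines are copied from the log; the table of known binaries and expected service images is the script's own assumption.

```python
"""Triage HijackThis-style O4/O20/O23 lines for look-alike and misplaced
system binaries (added example; not part of the original thread)."""
import ntpath
import re

# Constructed sample: autostart lines in the style of the DSS/HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Lorna Jones\cftmon.exe
O4 - HKLM\..\Run: [086ccfb2] rundll32.exe "C:\WINDOWS\system32\pltqtgaa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: vtUooMCR - C:\WINDOWS\SYSTEM32\vtUooMCR.dll
O20 - Winlogon Notify: __c00F3F70 - C:\WINDOWS\system32\__c00F3F70.dat
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
"""

# Assumed table: Windows XP binaries that malware commonly imitates, with the
# directory each one legitimately lives in (compared case-insensitively).
KNOWN_BINARIES = {
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Services whose image name is fixed on XP; any other image is a hijack.
EXPECTED_SERVICE_IMAGE = {"Schedule": "svchost.exe", "Spooler": "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?: \(file missing\))?$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>[^(]+?)(?: \((?P<short>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_known(basename):
    """Return (known_name, distance) of the nearest well-known binary name."""
    name = basename.lower()
    return min(((k, levenshtein(name, k)) for k in KNOWN_BINARIES), key=lambda t: t[1])


def check_image(path):
    """Findings for one image path: look-alike name, or a real name in the wrong place."""
    base = ntpath.basename(path).lower()
    known, dist = closest_known(base)
    if 0 < dist <= 2:
        return [f"{base}: look-alike of system binary {known} (edit distance {dist})"]
    directory = ntpath.dirname(path).lower()
    if dist == 0 and directory and directory != KNOWN_BINARIES[known]:
        return [f"{base}: system binary name outside {KNOWN_BINARIES[known]} ({directory})"]
    return []


def triage_line(line):
    """Return the list of findings for one HijackThis line (empty if it looks clean)."""
    findings = []
    m = O4_RE.match(line)
    if m:
        # The image is the command up to its first ".exe"; the rest are arguments.
        exe = re.match(r'"?(.+?\.exe)', m["cmd"], re.I)
        if exe:
            findings += check_image(exe.group(1))
        return findings
    m = O20_RE.match(line)
    if m:
        if not m["path"].lower().endswith(".dll"):
            findings.append(f"Winlogon Notify package {m['name']} is not a DLL: {m['path']}")
        return findings
    m = O23_RE.match(line)
    if m:
        findings += check_image(m["path"])
        expected = EXPECTED_SERVICE_IMAGE.get(m["short"] or "")
        if expected:
            actual = ntpath.basename(m["path"]).lower()
            if actual != expected:
                findings.append(f"service {m['short']} should run {expected}, runs {m['path']}")
            elif m["missing"]:
                findings.append(f"service {m['short']} image {expected} is missing from disk")
    return findings


def triage(log):
    """Map each suspicious log line to its findings; clean lines are omitted."""
    report = {}
    for line in log.strip().splitlines():
        findings = triage_line(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        print(line)
        for finding in findings:
            print("   ->", finding)
```

The script deliberately stays quiet about the rundll32 entry: a random eight-letter DLL name is suspicious to a human but not something an edit-distance check can decide, so that line still needs eyes.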
22nd June 2008
#2
SuperGeek
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
Welcome to WindowsBBS Glimflicker
Download ComboFix by sUBs from here, saving the file to your desktop.
Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
Close all open programs and windows
Double click combofix.exe and follow the prompts.
It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
22nd June 2008
#3
Inactive
Join Date: Jun 2008
Posts: 3
Computer Experience: Experienced
ComboFix log
ComboFix 08-06-20.4 - Lorna Jones 2008-06-22 7:02:50.1 - NTFSx86
Running from: C:\Documents and Settings\Lorna Jones\My Documents\Installed\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons
C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\Documents and Settings\Lorna Jones\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
C:\Documents and Settings\Lorna Jones\cftmon.exe
C:\Documents and Settings\Lorna Jones\ftp34.dll
C:\Program Files\Hotbar
C:\Program Files\WinAntivirusPro3.8
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c006B5C4.exe
C:\WINDOWS\system32\__c00F3F70.dat
C:\WINDOWS\system32\aagtqtlp.ini
C:\WINDOWS\system32\cbXNeCuT.dll
C:\WINDOWS\system32\ctleekva.ini
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\ghhjmUvw.ini
C:\WINDOWS\system32\ghhjmUvw.ini2
C:\WINDOWS\system32\hxqtvvkj.dll
C:\WINDOWS\system32\lclcqauq.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ojiivjmx.ini
C:\WINDOWS\system32\pwkayfhe.dll
C:\WINDOWS\system32\quaqclcl.ini
C:\WINDOWS\system32\upawpjyp.ini
C:\WINDOWS\system32\vtUooMCR.dll
C:\WINDOWS\system32\wvUmjhhg.dll
C:\WINDOWS\system32\xmjviijo.dll
C:\WINDOWS\system32\xwpylvpe.dll
C:\xcrashdump.dat
.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.
2008-06-21 20:46 . 2008-06-21 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 20:46 . 2008-06-21 20:46 <DIR> d-------- C:\Applications
2008-06-21 20:23 . 2008-06-21 20:23 <DIR> d-------- C:\Deckard
2008-06-21 19:45 . 2006-09-25 10:49 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Symantec
2008-06-21 19:45 . 2006-09-25 10:57 <DIR> d--h----- C:\Documents and Settings\Administrator.LORNA\Application Data\Gtek
2008-06-21 19:45 . 2008-06-21 19:45 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA
2008-06-21 19:43 . 2008-06-22 07:13 294 ---hs---- C:\WINDOWS\system32\aagtqtlp.ini
2008-06-21 19:22 . 2008-06-21 19:22 99,328 --a------ C:\WINDOWS\system32\uveivlbc.dll
2008-06-21 19:22 . 2008-06-21 19:22 81,408 --a------ C:\WINDOWS\system32\pltqtgaa.dll
2008-06-21 19:20 . 2008-06-21 19:20 99,328 --a------ C:\WINDOWS\system32\qehpfnba.dll
2008-06-08 17:47 . 2008-06-08 17:47 <DIR> d-------- C:\Program Files\NetFilter
2008-06-08 17:46 . 2008-05-26 16:34 45,056 --a------ C:\WINDOWS\system32\sav.cpl
2008-06-08 17:45 . 2008-06-08 18:42 <DIR> d-------- C:\Program Files\SAV
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 12:50 --------- d-----w C:\Program Files\Adobe Media Player
2008-05-21 12:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7}]
2008-06-21 19:22 99328 --a------ C:\WINDOWS\system32\uveivlbc.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Applications\Spybot\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="C:\Program Files\SAV\sav.exe" [ ]
"086ccfb2"="C:\WINDOWS\system32\pltqtgaa.dll" [2008-06-21 19:22 81408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F3F70]
C:\WINDOWS\system32\__c00F3F70.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= baseuff32.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-06-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 07:12:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\aagtqtlp.ini 294 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\baseuff32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2008-06-22 7:18:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 12:18:21
Pre-Run: 46,531,600,384 bytes free
Post-Run: 46,597,918,720 bytes free
131 --- E O F --- 2008-05-28 12:42:01
--------------------------------------------------------------------
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:06 AM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Applications\Spybot\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Lorna Jones\My Documents\Installed\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=4060925
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
O2 - BHO: {7ff94b1e-f2bb-630b-04a4-7b51bb1530f8} - {8f0351bb-15b7-4a40-b036-bb2fe1b49ff7} - C:\WINDOWS\system32\uveivlbc.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Run: [086ccfb2] rundll32.exe "C:\WINDOWS\system32\pltqtgaa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Applications\Spybot\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Applications\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Applications\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpf...qdiagh.cab?326
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c00F3F70 - C:\WINDOWS\system32\__c00F3F70.dat (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
--
End of file - 6308 bytes
22nd June 2008
#4
SuperGeek
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
First, if listed in Add/Remove programs, uninstall SystemAntivirus2008 (or might be SAV). Let me know if it's not listed.
Next, highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:
Filename: CFScript.txt
Save As Type: All Files (*.*)
Code:
http ://www.windowsbbs.com/showthread.php?t=74524
Suspect::
C:\WINDOWS\system32\baseuff32.dll
Collect::
C:\WINDOWS\system32\aagtqtlp.ini
C:\WINDOWS\system32\uveivlbc.dll
C:\WINDOWS\system32\pltqtgaa.dll
C:\WINDOWS\system32\qehpfnba.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
"086ccfb2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F3F70]
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.
Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
Please let me know if/when the upload is successful. I have included another file that needs to be analyzed.
5th July 2008
#5
Inactive
Join Date: Jun 2008
Posts: 3
Computer Experience: Experienced
Things appear to have gotten worse. Here's the ComboFix log:
ComboFix 08-07-04.2 - Lorna Jones 2008-07-04 18:28:02.2 - NTFSx86
Running from: C:\Documents and Settings\Lorna Jones\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lorna Jones\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\aagtqtlp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pltqtgaa.dll
C:\WINDOWS\system32\qehpfnba.dll
C:\WINDOWS\system32\uveivlbc.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.
2008-07-03 14:13 . 2004-08-04 05:00 82,944 --a------ C:\WINDOWS\system32\sockets.dll
2008-07-03 14:13 . 2008-07-04 18:32 47,616 --a------ C:\WINDOWS\system32\Crypt16.exe
2008-07-03 14:13 . 2008-07-04 18:32 41,984 --ahs---- C:\WINDOWS\system32\Crypt_16.dll
2008-06-29 22:10 . 2008-06-29 22:10 46 --a------ C:\WINDOWS\hposf045.dat
2008-06-22 08:44 . 2008-06-22 08:44 6,790 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-22 07:50 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-22 07:50 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-21 20:46 . 2008-06-21 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 20:46 . 2008-06-21 20:46 <DIR> d-------- C:\Applications
2008-06-21 20:23 . 2008-06-21 20:23 <DIR> d-------- C:\Deckard
2008-06-21 19:45 . 2006-09-25 10:49 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA\Application Data\Symantec
2008-06-21 19:45 . 2006-09-25 10:57 <DIR> d--h----- C:\Documents and Settings\Administrator.LORNA\Application Data\Gtek
2008-06-21 19:45 . 2008-06-21 19:45 <DIR> d-------- C:\Documents and Settings\Administrator.LORNA
2008-06-08 17:47 . 2008-06-08 17:47 <DIR> d-------- C:\Program Files\NetFilter
2008-06-08 17:46 . 2008-05-26 16:34 45,056 --a------ C:\WINDOWS\system32\sav.cpl
2008-06-08 17:45 . 2008-06-08 18:42 <DIR> d-------- C:\Program Files\SAV
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 11:39 --------- d-----w C:\Program Files\McAfee
2008-06-30 03:28 --------- d-----w C:\Program Files\HP
2008-06-24 02:11 --------- d-----w C:\Program Files\SiteAdvisor
2008-06-23 13:02 --------- d-----w C:\Documents and Settings\Lorna Jones\Application Data\SiteAdvisor
2008-06-22 13:49 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-22 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-21 12:50 --------- d-----w C:\Program Files\Adobe Media Player
2008-05-21 12:49 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.
((((((((((((((((((((((((((((( snapshot@2008-06-22_ 7.18.09.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 12:12:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 23:32:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-01 23:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2004-08-04 10:00:00 24,576 ----a-w C:\WINDOWS\system32\baseqgl32.dll
- 2006-10-02 00:17:27 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-04 19:29:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2006-10-02 00:17:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-04 19:29:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-03-01 13:06:29 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-12-22 22:02:40 71,496 ----a-w C:\WINDOWS\system32\drivers\mfeavfk.sys
+ 2007-11-22 11:44:08 79,304 ----a-w C:\WINDOWS\system32\drivers\mfeavfk.sys
- 2006-12-22 22:02:34 34,184 ----a-w C:\WINDOWS\system32\drivers\mfebopk.sys
+ 2007-11-22 11:44:08 35,240 ----a-w C:\WINDOWS\system32\drivers\mfebopk.sys
- 2006-12-22 22:02:34 170,408 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
+ 2007-11-22 11:44:08 201,320 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
- 2006-12-22 22:02:34 32,008 ----a-w C:\WINDOWS\system32\drivers\mferkdk.sys
+ 2007-11-22 11:44:04 33,832 ----a-w C:\WINDOWS\system32\drivers\mferkdk.sys
- 2006-12-22 22:02:34 37,480 ----a-w C:\WINDOWS\system32\drivers\mfesmfk.sys
+ 2007-12-02 17:51:42 40,488 ----a-w C:\WINDOWS\system32\drivers\mfesmfk.sys
- 2007-01-09 22:44:44 107,608 ----a-w C:\WINDOWS\system32\drivers\Mpfp.sys
+ 2007-07-13 11:20:24 113,952 ----a-w C:\WINDOWS\system32\drivers\Mpfp.sys
- 2006-03-03 17:07:02 143,360 ----a-w C:\WINDOWS\system32\dunzip32.dll
+ 2006-03-03 13:07:02 143,360 ----a-w C:\WINDOWS\system32\dunzip32.dll
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 19:35:06 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-03-01 23:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-24 03:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-11-17 21:14:30 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-07-04 23:32:25 10,240 ----a-w C:\WINDOWS\TEMP\NT8132.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Applications\Spybot\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\Cryp t16.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= baseqgl32.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-06-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{8f0351bb-15b7-4a40-b036-bb2fe1b49ff7} - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 18:32:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\baseqgl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-04 18:42:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 23:41:54
ComboFix2.txt 2008-06-22 12:18:25
Pre-Run: 46,140,653,568 bytes free
Post-Run: 46,174,429,184 bytes free
298 --- E O F --- 2008-06-22 13:16:09
5th July 2008
#6
SuperGeek
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,523
Computer Experience: ~@<*+
Thank you for the submission!
Before we go any further, please install the Recovery Console.
You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that we can use it to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, if successfully installed, exit ComboFix and proceed as follows.
Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:
Filename: CFScript.txt
Save As Type: All Files (*.*)
Code:
http ://www.windowsbbs.com/showthread.php?t=74524
KillAll::
File::
C:\WINDOWS\system32\baseuff32.dll
C:\WINDOWS\system32\sav.cpl
Folder::
C:\Program Files\SAV
Suspect::
C:\WINDOWS\system32\sockets.dll
Collect::
C:\WINDOWS\system32\Crypt16.exe
C:\WINDOWS\system32\Crypt_16.dll
C:\WINDOWS\system32\baseqgl32.dll
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,63,73,72,73,73,2e,65,78,65,20,4f,62,6a,65,63,74,44,69,72,65,63,74,6f,\
72,79,3d,5c,57,69,6e,64,6f,77,73,20,53,68,61,72,65,64,53,65,63,74,69,6f,6e,\
3d,31,30,32,34,2c,33,30,37,32,2c,35,31,32,20,57,69,6e,64,6f,77,73,3d,4f,6e,\
20,53,75,62,53,79,73,74,65,6d,54,79,70,65,3d,57,69,6e,64,6f,77,73,20,53,65,\
72,76,65,72,44,6c,6c,3d,62,61,73,65,73,72,76,2c,31,20,53,65,72,76,65,72,44,\
6c,6c,3d,77,69,6e,73,72,76,3a,55,73,65,72,53,65,72,76,65,72,44,6c,6c,49,6e,\
69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,33,20,53,65,72,76,65,72,44,6c,6c,3d,\
77,69,6e,73,72,76,3a,43,6f,6e,53,65,72,76,65,72,44,6c,6c,49,6e,69,74,69,61,\
6c,69,7a,61,74,69,6f,6e,2c,32,20,50,72,6f,66,69,6c,65,43,6f,6e,74,72,6f,6c,\
3d,4f,66,66,20,4d,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3d,31,36,\
00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.
Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
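The Registry:: block in the CFScript above restores the csrss.exe subsystem command line that the ComboFix log showed hijacked ("Windows"= baseqgl32.dll, with that DLL loaded under csrss.exe). As an added example, not code from this thread or from ComboFix, the following decodes the REGEDIT4 hex(2) value exactly as posted and audits every ServerDll= entry against the stock Windows XP server DLLs; the allowlist (basesrv, winsrv), the latin-1 decoding of the ANSI bytes, and the "hijacked" sample string are assumptions made for the example.

```python
# Stock Win32 subsystem server DLLs on Windows XP (assumed known-good allowlist).
STOCK_SERVER_DLLS = {"basesrv", "winsrv"}

# The Registry:: value from the CFScript posted above, followed by the next
# section header so the parser has to stop at the end of the byte list.
CFSCRIPT_WINDOWS_VALUE = r'''
"Windows"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,63,73,72,73,73,2e,65,78,65,20,4f,62,6a,65,63,74,44,69,72,65,63,74,6f,\
72,79,3d,5c,57,69,6e,64,6f,77,73,20,53,68,61,72,65,64,53,65,63,74,69,6f,6e,\
3d,31,30,32,34,2c,33,30,37,32,2c,35,31,32,20,57,69,6e,64,6f,77,73,3d,4f,6e,\
20,53,75,62,53,79,73,74,65,6d,54,79,70,65,3d,57,69,6e,64,6f,77,73,20,53,65,\
72,76,65,72,44,6c,6c,3d,62,61,73,65,73,72,76,2c,31,20,53,65,72,76,65,72,44,\
6c,6c,3d,77,69,6e,73,72,76,3a,55,73,65,72,53,65,72,76,65,72,44,6c,6c,49,6e,\
69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,33,20,53,65,72,76,65,72,44,6c,6c,3d,\
77,69,6e,73,72,76,3a,43,6f,6e,53,65,72,76,65,72,44,6c,6c,49,6e,69,74,69,61,\
6c,69,7a,61,74,69,6f,6e,2c,32,20,50,72,6f,66,69,6c,65,43,6f,6e,74,72,6f,6c,\
3d,4f,66,66,20,4d,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3d,31,36,\
00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
'''


def decode_hex2(reg_text: str) -> str:
    """Decode the first '"Name"=hex(2):..' value in REGEDIT4 text.

    REGEDIT4 writes hex(2) data as single-byte ANSI (decoded here as
    latin-1, an assumption) and continues the byte list on the next line
    whenever a line ends with a backslash. Trailing NULs are dropped.
    """
    hex_parts, collecting = [], False
    for line in reg_text.splitlines():
        if not collecting:
            idx = line.find("hex(2):")
            if idx < 0:
                continue
            collecting = True
            line = line[idx + len("hex(2):"):]
        chunk = line.strip()
        hex_parts.append(chunk.rstrip("\\"))
        if not chunk.endswith("\\"):
            break  # last line of the byte list
    if not collecting:
        raise ValueError("no hex(2) value found")
    tokens = [t.strip() for t in ",".join(hex_parts).split(",") if t.strip()]
    data = bytes(int(t, 16) for t in tokens)
    return data.rstrip(b"\x00").decode("latin-1")


def server_dlls(subsystem_value: str) -> list:
    """DLL base names from every ServerDll= token (e.g. winsrv:Init,3 -> winsrv)."""
    out = []
    for tok in subsystem_value.split():
        if tok.startswith("ServerDll="):
            spec = tok[len("ServerDll="):]
            out.append(spec.split(":")[0].split(",")[0].lower())
    return out


def foreign_server_dlls(subsystem_value: str) -> list:
    """DLLs csrss.exe would load that are not stock Windows components."""
    return [d for d in server_dlls(subsystem_value) if d not in STOCK_SERVER_DLLS]


# Constructed sample (not read from the victim's registry): the clean value
# with one extra ServerDll entry for the DLL the log shows inside csrss.exe.
HIJACKED_VALUE = decode_hex2(CFSCRIPT_WINDOWS_VALUE) + " ServerDll=baseqgl32,1"

if __name__ == "__main__":
    print("clean  :", foreign_server_dlls(decode_hex2(CFSCRIPT_WINDOWS_VALUE)))
    print("hijack :", foreign_server_dlls(HIJACKED_VALUE))
```

Run against a .reg export of the SubSystems key, a non-empty result from foreign_server_dlls is the same finding ComboFix reported for this machine.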