
Another Infostealer.Gampass infection

Discussion in 'Malware and Virus Removal Archive' started by sovapid, 2008/07/18.

  1. 2008/07/18
    sovapid

    sovapid Inactive Thread Starter

    Joined:
    2008/07/18
    Messages:
    6
    Likes Received:
    0
    I've searched on the site and tried using previous threads to no avail.

    System is Windows XP Service Pack 2.

    As soon as I open Firefox, Symantec Auto-Protect pops up and begins listing Infostealer.Gampass files that it has deleted. These files are usually shown as .gif files, but I have seen .dlls listed.

    Since most of the threads have shown running ComboFix to be one of the first steps, I downloaded it and ran it. After the system reboots, it comes up and says it is preparing log files. It never finishes though. I have let it sit for over an hour and nothing happens. I did (or at least I think I did) disable all of the applications that would interfere with it.

    I was not able to figure out how to get the Symantec icon out of the system tray, but I'm pretty sure it was not running any thing. I disabled all of the Symantec services in the control panel and shut off everything I could find in the start up config.

    Anyways, here is the log from the dss/hijackThis tool:





    Deckard's System Scanner v20071014.68
    Run by steve.smith on 2008-07-18 18:47:43
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as steve.smith.exe) ------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:47, on 2008-07-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Novell\XTAgent.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\steve.smith\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SEANNE~1.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://myportal.perficient.com:10038/wps/portal
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
    O4 - Global Startup: VPN Client.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
    O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O9 - Extra button: IEWatch Professional - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
    O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.perficient.com/qp2.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://inotes.perficient.com/iNotes6W.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167765449254
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167765444223
    O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (PDM Plugin2) - http://135.100.200.124:10038/wps/PA_1_NO2UF4I118ADC026HKQ8KC28K6/applets/DMPlugin.cab
    O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://inotes.perficient.com/dwa8W.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://inotes.perficient.com/dwa7W.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perficient.com
    O17 - HKLM\Software\..\Telephony: DomainName = perficient.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perficient.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = perficient.com
    O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/SEAN~1.NEW/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    --
    End of file - 12012 bytes

    -- Files created between 2008-06-18 and 2008-07-18 -----------------------------

    2008-07-18 15:33:58 18048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
    2008-07-18 15:33:23 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
    2008-07-18 15:14:09 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-07-18 15:10:12 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-18 15:10:12 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-18 15:10:12 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-18 15:10:12 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-18 15:10:12 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-18 15:10:12 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-18 15:10:12 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-18 15:10:12 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-18 14:30:26 0 d-------- C:\Program Files\Trend Micro
    2008-07-18 14:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-18 12:44:19 0 d-------- C:\Program Files\Lavasoft
    2008-07-18 12:04:58 0 d-------- C:\Program Files\Enigma Software Group
    2008-07-17 18:46:04 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
    2008-07-17 18:45:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-07-12 16:07:43 0 d-------- C:\Program Files\iPod
    2008-07-04 21:39:52 0 d-------- C:\TSO
    2008-06-22 12:27:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-06-18 19:21:23 0 d-------- C:\Documents and Settings\steve.smith\Application Data\ICAClient


    -- Find3M Report ---------------------------------------------------------------

    2008-07-18 18:34:38 0 d-------- C:\Program Files\Symantec AntiVirus
    2008-07-18 13:38:40 0 d-------- C:\Program Files\Common Files
    2008-07-18 13:35:29 0 d-------- C:\Program Files\MySpace
    2008-07-18 13:34:44 0 d-------- C:\Program Files\PokerStars
    2008-07-18 12:43:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-17 18:57:10 0 d-------- C:\Documents and Settings\steve.smith\Application Data\skypePM
    2008-07-12 16:08:10 0 d-------- C:\Program Files\iTunes
    2008-07-12 15:57:39 0 d-------- C:\Program Files\Apple Software Update
    2008-07-04 21:41:48 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-06-30 14:32:55 0 d-------- C:\Documents and Settings\steve.smith\Application Data\AdobeUM
    2008-06-22 12:27:29 0 d-------- C:\Program Files\Common Files\Adobe
    2008-06-18 19:19:39 0 d-------- C:\Program Files\Citrix
    2008-06-15 10:22:28 0 d-------- C:\Program Files\Bonjour
    2008-06-15 10:22:07 0 d-------- C:\Program Files\QuickTime
    2008-06-15 10:18:47 0 d-------- C:\Program Files\Common Files\Apple
    2008-06-12 11:26:59 0 d-------- C:\Program Files\IEWatch
    2008-05-28 17:22:56 0 d-------- C:\Program Files\JXplorer


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69FC0024-10EB-480A-BBF2-3BF4E78E17B1}]
    2008-03-11 06:04 946176 --a------ C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TpShocks "= "TpShocks.exe" [2006-03-15 21:04 C:\WINDOWS\system32\TpShocks.exe]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 16:17]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 16:16]
    "TVT Scheduler Proxy "= "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 06:01]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 22:33]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 05:33]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [2008-06-22 12:27:55]
    HP Digital Imaging Monitor.lnk.disabled [2007-05-04 18:14:39]
    HP Image Zone Fast Start.lnk.disabled [2007-05-04 18:16:20]
    VPN Client.lnk.disabled [2008-07-18 15:50:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{7914E0AA-ECCB-4311-B584-C49538227824} "= C:\WINDOWS\system32\jhfrxz.dll [ ]
    "{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7} "= C:\WINDOWS\system32\fmcvxy.dll [ ]
    "{53D44DB6-E22B-4B17-97D3-572C96CCA6E1} "= C:\WINDOWS\system32\zsdgff.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "DesktopWin "= {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll [2008-07-17 18:40 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    ckpNotify.dll 2004-12-16 15:33 24672 C:\WINDOWS\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
    C:\WINDOWS\system32\Novell\XtNotify.dll 2005-09-08 16:14 24576 C:\WINDOWS\system32\Novell\xtnotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    C:\WINDOWS\system32\psqlpwd.dll 2006-12-08 20:44 89600 C:\WINDOWS\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @= "Service "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    "RssReader "=C:\Program Files\RssReader\RssReader.exe
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    "AppleSyncNotifier "=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe "
    "Perficient IT Collect "=c:\program files\Perficient IT\Collect\collect.exe
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    "HP Software Update "= "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup "=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d2fd47-5567-11dc-9ec3-00197de7b1ad}]
    AutoRun\command- F:\JDLightning\Windows\JDLightning.exe




    -- End of Deckard's System Scanner: finished at 2008-07-18 18:48:12 ------------
     
    Last edited: 2008/07/18
  2. 2008/07/18
    sovapid

    sovapid Inactive Thread Starter

    Joined:
    2008/07/18
    Messages:
    6
    Likes Received:
    0
    My hosts file was modified at the same time the notices first appeared:

    202.165.102.205 972.aksjd11.com
    202.165.102.205 w3og.cn
    203.208.35.100 qazc.fourtw.cn
    203.208.35.100 ¾¢ÃŽÃ¨ÃÅÎè²½_¾¢ÃŽÃ¨ÃÅ˽·Ã¾_¾¢ÃŽÃ¨ÃÃ…¸Ã¨Ã‡Ãº
    203.208.35.101 www.hao601.cn
    203.208.35.101 www.psp476.cn
    72.14.235.99 222.1212l112.net
    72.14.235.99 444.1212l112.netn
    72.14.235.99 555.1212l112.net
    72.14.235.99 111.1212l112.net
    65.55.21.250 111.3243l24.com
    65.55.21.250 222.3243l24.com
    65.55.21.250 333.3243l24.com
    125.64.8.112 kao2.gmwo03.com
    125.64.8.112 kao.gmwo06.com
    125.64.8.112 444.gmwo07.com
    116.252.185.15 ru.update365.us
    116.252.185.15 ad.update365.us
    207.46.232.182 popmails.net
    203.208.37.99 3.goodhh.com
    220.181.37.55 down.rwixr.com
    160.79.42.52 www.xdj2008.com
    63.175.76.152 www.revtr.cn
    219.133.40.91 qq.ljsll.com
    203.208.35.102 www.aassccwe.cn
    209.132.177.50 973.aksjd11.com
    209.132.177.50 974.aksjd11.com
    209.132.177.50 971.aksjd11.com
    209.132.177.50 975.aksjd11.com
    72.14.235.104 user1.12-39.net
    72.14.235.147 www.infomt.net
    192.150.18.101 ata1.sysions.net
    192.150.18.101 ata2.sysions.net
    192.150.18.101 ata3.sysions.net
    192.150.18.101 ata4.sysions.net
    193.120.42.226 8nnnnn99.cn
    24.39.54.34 haoaoaoÃøÖ·µ¼º½£­Ã–ùú×îºÃƒµÃ„ÃøÖ·Ã•¾
    127.0.0.1 971.lkjdasa12.com
    127.0.0.1 974.lkjdasa12.com
    127.0.0.1 111.213l23.net
    127.0.0.1 111.313l23.com
    127.0.0.1 222.313l23.com
    127.0.0.1 asd.dasd89712l.com
    127.0.0.1 cao.caonima01.com
    127.0.0.1 u1.cnnod32upserver
    127.0.0.1 u2.cnnod32upserver
    127.0.0.1 u3.cnnod32upserver
    127.0.0.1 u4.cnnod32upserver
    127.0.0.1 u5.cnnod32upserver
    127.0.0.1 u6.cnnod32upserver
    127.0.0.1 Adobe
    127.0.0.1 download.macromedia.com
    127.0.0.1 fpdownload.macromedia.com
    127.0.0.1 0.11xp.com
    127.0.0.1 0.sqwyt.com
    127.0.0.1 0001.6658588.cn
    127.0.0.1 007sf.cn
    127.0.0.1 010.waokao.cn
    127.0.0.1 023china.cn
    127.0.0.1 0272.service-google.cn
    127.0.0.1 0358.com.cn
    127.0.0.1 0371cn.cn
    127.0.0.1 0512edu.cn
    127.0.0.1 08325.cn
    127.0.0.1 086107.service-google.cn
    127.0.0.1 086121.service-google.cn
    127.0.0.1 086140.service-google.cn
    127.0.0.1 086156.service-google.cn
    127.0.0.1 086158.service-google.cn
    127.0.0.1 086165.service-google.cn
    127.0.0.1 086170.service-google.cn
    127.0.0.1 086173.service-google.cn
    127.0.0.1 086175.service-google.cn
    127.0.0.1 086195.service-google.cn
    127.0.0.1 086196.service-google.cn
    127.0.0.1 086202.service-google.cn
    127.0.0.1 086216.service-google.cn
    127.0.0.1 08657.service-google.cn
    127.0.0.1 08675.service-google.cn
    127.0.0.1 0868.service-google.cn
    127.0.0.1 08689.service-google.cn
    127.0.0.1 08697.service-google.cn
    127.0.0.1 098.seruijingandeshijinpos.com
    127.0.0.1 0hu.net
    127.0.0.1 1.100190.com
    127.0.0.1 1.111281.com
    127.0.0.1 1.11aaa.com
    127.0.0.1 1.11mmm.com
    127.0.0.1 1.11sss.com
    127.0.0.1 1.22aaa.com
    127.0.0.1 1.22ccc.com
    127.0.0.1 1.44xp.com
    127.0.0.1 1.517sese.com
    127.0.0.1 1.51wyt.com
    127.0.0.1 1.55sss.com
    127.0.0.1 1.59ri.com
    127.0.0.1 1.5se5se.org


    rest omitted because not sure how helpful it is.
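    The hosts dump above shows the three things a defender looks for when malware has edited this file: hostnames that are not plain ASCII (the mojibake lines), public addresses mapped to hostnames (traffic silently redirected to a host the attacker controls), and loopback entries that sink vendor download domains such as download.macromedia.com (which starves plug-ins and security tools of updates). The script below is an added example, not code from this thread or from any of the tools it mentions; the UPDATE_DOMAINS list, the helper names and the sample input are constructed for the example (a few sample lines are copied from the dump posted above).

```python
"""Triage a Windows hosts file for signs of malware tampering.

Added example for this thread; not the poster's or any vendor's code.
Flags three patterns visible in the hosts dump posted above:
  1. tokens that are not valid ASCII hostnames (mojibake lines),
  2. hostnames mapped to public addresses (hijacked to another host),
  3. vendor update/download domains sunk to loopback or 0.0.0.0.
"""
import ipaddress
import re
from typing import Dict, List

# Domains whose redirection to loopback is a known update-blocking tactic.
# Constructed list for this example; extend it for your own environment.
UPDATE_DOMAINS = {
    "download.macromedia.com",
    "fpdownload.macromedia.com",
    "liveupdate.symantecliveupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
}

# RFC 1123 style hostname: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)

# Constructed sample: one normal entry plus lines copied from the posted dump.
SAMPLE_HOSTS = """\
# sample input for the example
127.0.0.1 localhost
202.165.102.205 972.aksjd11.com
203.208.35.100 ¾¢ÃŽÃ¨ÃÅÎè²½_¾¢ÃŽÃ¨ÃÅ˽·Ã¾
127.0.0.1 download.macromedia.com
127.0.0.1 fpdownload.macromedia.com
127.0.0.1 1.11aaa.com
"""


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per non-comment line: line number, ip, hostnames."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        records.append({"line": lineno, "ip": parts[0], "hosts": parts[1:]})
    return records


def classify(record: Dict) -> List[str]:
    """Return human-readable findings for one hosts record (empty if benign)."""
    findings = []
    ip = record["ip"]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"malformed address {ip!r}"]
    sunk = addr.is_loopback or addr.is_unspecified   # 127.x or 0.0.0.0
    for host in record["hosts"]:
        if not host.isascii() or not HOSTNAME_RE.match(host):
            findings.append(f"non-hostname token {host!r}")
        elif sunk and host.lower() in UPDATE_DOMAINS:
            findings.append(f"update domain {host} sunk to {ip}")
        elif addr.is_global:
            findings.append(f"{host} redirected to public address {ip}")
    return findings


def triage(text: str) -> Dict[int, List[str]]:
    """Map line number -> findings, for lines that have at least one finding."""
    result = {}
    for record in parse_hosts(text):
        findings = classify(record)
        if findings:
            result[record["line"]] = findings
    return result


if __name__ == "__main__":
    for lineno, findings in sorted(triage(SAMPLE_HOSTS).items()):
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

    Loopback entries for domains that are not on the update list (the long tail of 127.0.0.1 lines in the dump) produce no finding: they are noisy but mostly block other malware's domains, so the signal for triage is in the three flagged categories. On a live system the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it with the text passed through this function rather than editing in place.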
     


  4. 2008/07/18
    sovapid

    sovapid Inactive Thread Starter

    Joined:
    2008/07/18
    Messages:
    6
    Likes Received:
    0
    Running a full Symantec scan did not turn up anything.

    I ran KASPERSKY ONLINE SCANNER 7

    and it discovered this:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, July 19, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, July 19, 2008 01:07:12
    Records in database: 970595
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - Critical Areas:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\sean.newby\Start Menu\Programs\Startup
    C:\Program Files
    C:\WINDOWS

    Scan statistics:
    Files scanned: 71247
    Threat name: 3
    Infected objects: 3
    Suspicious objects: 0
    Duration of the scan: 01:38:56


    File name / Threat name / Threats count
    C:\WINDOWS\AppPatch\AclLayer.dll Infected: Trojan-Downloader.Win32.Small.yhf 1
    C:\WINDOWS\AppPatch\DesktopWin.dll Infected: Trojan-Downloader.Win32.Small.xwr 1
    C:\WINDOWS\system32\nhmxejkl.dll Infected: Trojan-GameThief.Win32.OnLineGames.satg 1

    The selected area was scanned.
     
  5. 2008/07/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS sovapid :)

    Please delete the ComboFix you currently have and download a fresh copy from here. Save it to your desktop then reboot to safe mode and run it.

    The log should be created at C:\ComboFix.txt

    If still no log, have a look in C:\Qoobox for any log with ComboFix in its name (will not be in any subfolders of qoobox) and post any found.
     
  6. 2008/07/20
    sovapid

    sovapid Inactive Thread Starter

    Joined:
    2008/07/18
    Messages:
    6
    Likes Received:
    0
    Ran it in safe mode; it took a long time to run. Left it running overnight.

    Here is the log:

    ComboFix 08-07-19.1 - steve.smith 2008-07-20 1:03:17.4 - NTFSx86 MINIMAL
    Running from: C:\Documents and Settings\steve.smith\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\#SharedObjects\ZTRAC8FL\Broadcaster.com | Home | Viral Video Clips, Live Community, News, Software, Movies, Music, Games, Mobile Media & More
    C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\#SharedObjects\ZTRAC8FL\www.broadcaster.com\played_list.sol
    C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\#SharedObjects\ZTRAC8FL\www.broadcaster.com\video_queue.sol
    C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#Broadcaster.com | Home | Viral Video Clips, Live Community, News, Software, Movies, Music, Games, Mobile Media & More
    C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\Documents and Settings\steve.smith\g2mdlhlpx.exe
    C:\WINDOWS\system32\aitlasys.exe
    C:\WINDOWS\system32\fstlbsys.sys
    C:\WINDOWS\system32\jkhxaklo.dll
    C:\WINDOWS\system32\lpmxajkl.exe
    C:\WINDOWS\system32\mdm.exe
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\wymxajkl.sys
    C:\WINDOWS\system32\zptldsys.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
    .

    2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Program Files\COMODO
    2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Documents and Settings\steve.smith\Application Data\Comodo
    2008-07-19 15:19 . 2008-07-20 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-19 15:19 . 2008-07-19 15:19 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-07-19 15:19 . 2008-07-19 15:19 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-07-19 15:19 . 2008-07-19 15:19 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-07-18 18:19 . 2008-07-18 18:19 <DIR> d-------- C:\Deckard
    2008-07-18 15:33 . 2008-07-18 15:33 18,048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
    2008-07-18 15:33 . 2008-07-18 16:19 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
    2008-07-18 14:30 . 2008-07-18 14:30 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-18 14:08 . 2008-07-18 14:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-18 14:08 . 2008-07-18 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-18 12:44 . 2008-07-18 12:44 <DIR> d-------- C:\Program Files\Lavasoft
    2008-07-18 12:04 . 2008-07-18 14:27 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-07-15 13:04 . 2008-07-15 13:04 268 --ah----- C:\sqmdata12.sqm
    2008-07-15 13:04 . 2008-07-15 13:04 244 --ah----- C:\sqmnoopt12.sqm
    2008-07-12 16:07 . 2008-07-12 16:07 <DIR> d-------- C:\Program Files\iPod
    2008-07-04 21:41 . 1998-09-24 14:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
    2008-07-04 21:41 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
    2008-07-04 21:41 . 1998-09-24 14:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
    2008-07-04 21:39 . 2008-07-04 21:42 <DIR> d-------- C:\TSO

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-20 04:58 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-07-20 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-07-18 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2008-07-18 17:35 --------- d-----w C:\Program Files\MySpace
    2008-07-18 17:34 --------- d-----w C:\Program Files\PokerStars
    2008-07-18 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-18 16:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-17 22:57 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\skypePM
    2008-07-12 20:08 --------- d-----w C:\Program Files\iTunes
    2008-07-12 19:57 --------- d-----w C:\Program Files\Apple Software Update
    2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-07-05 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-30 18:32 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\AdobeUM
    2008-06-22 16:27 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-18 23:21 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\ICAClient
    2008-06-18 23:19 --------- d-----w C:\Program Files\Citrix
    2008-06-15 14:22 --------- d-----w C:\Program Files\QuickTime
    2008-06-15 14:22 --------- d-----w C:\Program Files\Bonjour
    2008-06-15 14:18 --------- d-----w C:\Program Files\Common Files\Apple
    2008-06-12 15:26 --------- d-----w C:\Program Files\IEWatch
    2008-05-28 21:22 --------- d-----w C:\Program Files\JXplorer
    2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-11-27 20:44 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-12-19 14:19 80 --sh--r C:\WINDOWS\system32\BBB2CAA0A2.dll
    2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 16:17 110592]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 16:16 512000]
    "TVT Scheduler Proxy "= "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 06:01 503808]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 22:33 125168]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 05:33 127037]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-19 15:19 1655552]
    "TpShocks "= "TpShocks.exe" [2006-03-15 21:04 106496 C:\WINDOWS\system32\TpShocks.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [2008-06-22 12:27:55 1757]
    HP Digital Imaging Monitor.lnk.disabled [2007-05-04 18:14:39 1808]
    HP Image Zone Fast Start.lnk.disabled [2007-05-04 18:16:20 798]
    VPN Client.lnk.disabled [2008-07-18 15:50:28 2447]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
    2005-09-08 16:14 24576 C:\WINDOWS\system32\Novell\xtnotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2006-12-08 20:44 89600 C:\WINDOWS\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2004-12-16 15:33 24672 C:\WINDOWS\system32\ckpNotify.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    "RssReader "=C:\Program Files\RssReader\RssReader.exe
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    "AppleSyncNotifier "=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe "
    "acme IT Collect "=c:\program files\acme IT\Collect\collect.exe
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    "HP Software Update "= "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup "=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\RAD7\\runtimes\\base_v61\\java\\bin\\java.exe "=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "C:\\WebSphere\\AppServer\\java\\bin\\java.exe "=
    "C:\\RAD7\\jdk\\jre\\bin\\javaw.exe "=
    "C:\\IBMOmniFindYahoo\\_jvm\\jre\\bin\\java.exe "=
    "C:\\WebSphere\\Documentation\\WebSphere_Help_System\\eclipse\\jre\\bin\\javaw.exe "=
    "C:\\Program Files\\Borland\\StarTeam Toolbar\\SBToolbar.exe "=
    "C:\\Program Files\\NetMeeting\\conf.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe "=
    "C:\\WINDOWS\\system32\\java.exe "=
    "C:\\Program Files\\IBM\\ISA and ESA\\IBM Support Assistant\\jre\\bin\\javaw.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\Program Files\\lotus\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.5.0.SR6-200802211037\\jre\\bin\\notes2w.exe "=
    "C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2006-03-15 19:08]
    S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-19 15:19]
    S1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-19 15:19]
    S1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 14:18]
    S2 cdralw;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\system32\DRIVERS\nvmini.sys []
    S2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2004-12-16 15:33]
    S2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2006-12-08 20:37]
    S2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2006-08-09 17:40]
    S2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2004-12-16 15:33]
    S2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2005-09-08 16:14]
    S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 08:59]
    S3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys [2008-07-18 15:33]
    S3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2004-12-16 15:33]
    S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2004-12-16 15:33]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d2fd47-5567-11dc-9ec3-00197de7b1ad}]
    \Shell\AutoRun\command - F:\JDLightning\Windows\JDLightning.exe

    *Newly Created Service* - MDMXSDK
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-17 02:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-07-20 05:04:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{7914E0AA-ECCB-4311-B584-C49538227824} - C:\WINDOWS\system32\jhfrxz.dll
    ShellExecuteHooks-{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7} - C:\WINDOWS\system32\fmcvxy.dll
    ShellExecuteHooks-{53D44DB6-E22B-4B17-97D3-572C96CCA6E1} - C:\WINDOWS\system32\zsdgff.dll
    SSODL-DesktopWin-{DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-20 01:08:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-20 3:04:26
    ComboFix-quarantined-files.txt 2008-07-20 07:04:18

    Pre-Run: 55,661,797,376 bytes free
    Post-Run: 55,645,433,856 bytes free

    189 --- E O F --- 2008-06-11 14:31:22
     
    Last edited: 2008/07/20
  7. 2008/07/20
    noahdfear

    noahdfear Inactive

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/removing-spyware-viruses/75252-another-infostealer-gampass-infection.html
    
    KillAll::
    Suspect::
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\system32\qbhxaklo.sys
    C:\WINDOWS\system32\BBB2CAA0A2.dll
    C:\WINDOWS\system32\vlhxaklo.sys
    File::
    C:\WINDOWS\AppPatch\AclLayer.dll
    C:\WINDOWS\AppPatch\DesktopWin.dll
    C:\WINDOWS\system32\nhmxejkl.dll
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!
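The hand triage behind that Suspect:: list (tiny, hidden or system-attributed loadable files in system32, plus whatever was dropped into system32 in the same minute as one of them) can be scripted against the ComboFix log itself. The Python below is an added example written for this thread; it is not ComboFix's code and not something noahdfear posted. It parses the "Files Created" and "Find3M Report" line layouts exactly as they appear in the logs above (the sample lines are copied from them), applies a rule-of-thumb triage that is my own, not ComboFix's (the 1024-byte cut-off and the same-minute rule are assumptions), and renders a CFScript using only the KillAll::, Suspect:: and File:: directives that appear in the script above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Sample lines copied from the ComboFix logs posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
(((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Program Files\COMODO
2008-07-19 15:19 . 2008-07-19 15:19 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-07-18 15:33 . 2008-07-18 15:33 18,048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-07-18 15:33 . 2008-07-18 16:19 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-15 13:04 . 2008-07-15 13:04 268 --ah----- C:\sqmdata12.sqm
2008-07-04 21:41 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-07-21 04:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-19 14:19 80 --sh--r C:\WINDOWS\system32\BBB2CAA0A2.dll
2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
"""

# "Files Created" lines: created . modified size attrs path (layout as seen in the logs above)
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{9}) (?P<path>.+)$"
)
# "Find3M Report" lines: modified size attrs path (directories show the size as nine dashes)
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{9}|[\d,]+) (?P<attrs>[a-z-]{7}) (?P<path>.+)$"
)


@dataclass
class Entry:
    path: str
    size: Optional[int]        # None for directories
    attrs: str                 # attribute string as printed: d=dir, a=archive, h=hidden, s=system, r=read-only
    created: Optional[str]     # only the "Files Created" section reports a creation time
    modified: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs


def _size(token: str) -> Optional[int]:
    return None if token in ("<DIR>", "---------") else int(token.replace(",", ""))


def parse_combofix(text: str) -> List[Entry]:
    """Pull file entries out of the two file sections; headers and other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            entries.append(Entry(m["path"], _size(m["size"]), m["attrs"], m["created"], m["modified"]))
            continue
        m = FIND3M_RE.match(line)
        if m:
            entries.append(Entry(m["path"], _size(m["size"]), m["attrs"], None, m["modified"]))
    return entries


SYSTEM32 = "\\windows\\system32\\"
LOADABLE = (".sys", ".dll", ".exe")


def triage(entries: Iterable[Entry], tiny_bytes: int = 1024) -> Dict[str, str]:
    """Return {path: reason} for files worth sending to Suspect::. Heuristics are an assumption, not ComboFix's."""
    entries = list(entries)
    flagged: Dict[str, str] = {}
    for e in entries:
        if e.is_dir or SYSTEM32 not in e.path.lower() or not e.path.lower().endswith(LOADABLE):
            continue
        if e.hidden_or_system:
            flagged[e.path] = "hidden/system attribute on a loadable file in system32"
        elif e.size is not None and e.size < tiny_bytes:
            flagged[e.path] = f"{e.size}-byte loadable file in system32"
    # Second pass: anything written to system32 in the same minute as a flagged file is part of the same drop.
    stamps = {e.created for e in entries if e.path in flagged and e.created}
    for e in entries:
        if e.path not in flagged and not e.is_dir and SYSTEM32 in e.path.lower() and e.created in stamps:
            flagged[e.path] = f"created in the same minute ({e.created}) as a flagged file"
    return flagged


def build_cfscript(suspect: Iterable[str], files: Iterable[str] = ()) -> str:
    """Render a CFScript in the layout of the one posted above: KillAll::, then Suspect:: and File:: blocks."""
    lines = ["KillAll::"]
    suspect = list(suspect)
    if suspect:
        lines.append("Suspect::")
        lines.extend(suspect)
    files = list(files)
    if files:
        lines.append("File::")
        lines.extend(files)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_combofix(SAMPLE_LOG))
    for path, why in found.items():
        print(f"{path}: {why}")
    print(build_cfscript(found, files=[r"C:\WINDOWS\AppPatch\DesktopWin.dll"]))
```

On the sample lines the triage lands on exactly the four files the helper listed under Suspect:: (eth8023.sys only because it shares its creation minute with the 36-byte qbhxaklo.sys), while the legitimately installed COMODO driver and the Apple USB driver pass through untouched. The File:: list is supplied by hand, as it was in the thread, since those paths came from the ORPHANS REMOVED section rather than from file attributes.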
     
  8. 2008/07/21
    sovapid

    sovapid Inactive Thread Starter

    ComboFix log:

    ComboFix 08-07-19.1 - steve.smith 2008-07-21 0:28:36.7 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1707 [GMT -4:00]
    Running from: C:\Documents and Settings\steve.smith\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\steve.smith\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\AppPatch\AclLayer.dll
    C:\WINDOWS\AppPatch\DesktopWin.dll
    C:\WINDOWS\system32\nhmxejkl.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\AppPatch\AclLayer.dll
    C:\WINDOWS\AppPatch\DesktopWin.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
    .

    2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Program Files\COMODO
    2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Documents and Settings\steve.smith\Application Data\Comodo
    2008-07-19 15:19 . 2008-07-20 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-19 15:19 . 2008-07-19 15:19 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-07-19 15:19 . 2008-07-19 15:19 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-07-19 15:19 . 2008-07-19 15:19 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-07-18 18:19 . 2008-07-18 18:19 <DIR> d-------- C:\Deckard
    2008-07-18 15:33 . 2008-07-18 15:33 18,048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
    2008-07-18 15:33 . 2008-07-18 16:19 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
    2008-07-18 14:30 . 2008-07-18 14:30 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-18 14:08 . 2008-07-18 14:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-18 14:08 . 2008-07-18 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-18 12:44 . 2008-07-18 12:44 <DIR> d-------- C:\Program Files\Lavasoft
    2008-07-18 12:04 . 2008-07-18 14:27 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-07-15 13:04 . 2008-07-15 13:04 268 --ah----- C:\sqmdata12.sqm
    2008-07-15 13:04 . 2008-07-15 13:04 244 --ah----- C:\sqmnoopt12.sqm
    2008-07-12 16:07 . 2008-07-12 16:07 <DIR> d-------- C:\Program Files\iPod
    2008-07-04 21:41 . 1998-09-24 14:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
    2008-07-04 21:41 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
    2008-07-04 21:41 . 1998-09-24 14:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
    2008-07-04 21:39 . 2008-07-04 21:42 <DIR> d-------- C:\TSO

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-21 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-07-21 04:23 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-07-18 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2008-07-18 17:35 --------- d-----w C:\Program Files\MySpace
    2008-07-18 17:34 --------- d-----w C:\Program Files\PokerStars
    2008-07-18 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-18 16:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-17 22:57 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\skypePM
    2008-07-12 20:08 --------- d-----w C:\Program Files\iTunes
    2008-07-12 19:57 --------- d-----w C:\Program Files\Apple Software Update
    2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-07-05 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-30 18:32 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\AdobeUM
    2008-06-22 16:27 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-18 23:21 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\ICAClient
    2008-06-18 23:19 --------- d-----w C:\Program Files\Citrix
    2008-06-15 14:22 --------- d-----w C:\Program Files\QuickTime
    2008-06-15 14:22 --------- d-----w C:\Program Files\Bonjour
    2008-06-15 14:18 --------- d-----w C:\Program Files\Common Files\Apple
    2008-06-12 15:26 --------- d-----w C:\Program Files\IEWatch
    2008-05-28 21:22 --------- d-----w C:\Program Files\JXplorer
    2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-11-27 20:44 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-12-19 14:19 80 --sh--r C:\WINDOWS\system32\BBB2CAA0A2.dll
    2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-20_ 3.03.55.82 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-20 04:58:01 70,688 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-07-21 04:30:46 70,286 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-07-20 04:58:01 438,590 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-07-21 04:30:46 438,022 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-07-21 04:34:59 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_d4c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 16:17 110592]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 16:16 512000]
    "TVT Scheduler Proxy "= "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 06:01 503808]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 22:33 125168]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 05:33 127037]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-19 15:19 1655552]
    "TpShocks "= "TpShocks.exe" [2006-03-15 21:04 106496 C:\WINDOWS\system32\TpShocks.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [2008-06-22 12:27:55 1757]
    HP Digital Imaging Monitor.lnk.disabled [2007-05-04 18:14:39 1808]
    HP Image Zone Fast Start.lnk.disabled [2007-05-04 18:16:20 798]
    VPN Client.lnk.disabled [2008-07-18 15:50:28 2447]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
    2005-09-08 16:14 24576 C:\WINDOWS\system32\Novell\xtnotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2006-12-08 20:44 89600 C:\WINDOWS\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2004-12-16 15:33 24672 C:\WINDOWS\system32\ckpNotify.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    "RssReader "=C:\Program Files\RssReader\RssReader.exe
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    "AppleSyncNotifier "=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe "
    "acme IT Collect "=c:\program files\acme IT\Collect\collect.exe
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    "HP Software Update "= "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup "=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\RAD7\\runtimes\\base_v61\\java\\bin\\java.exe "=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "C:\\WebSphere\\AppServer\\java\\bin\\java.exe "=
    "C:\\RAD7\\jdk\\jre\\bin\\javaw.exe "=
    "C:\\IBMOmniFindYahoo\\_jvm\\jre\\bin\\java.exe "=
    "C:\\WebSphere\\Documentation\\WebSphere_Help_System\\eclipse\\jre\\bin\\javaw.exe "=
    "C:\\Program Files\\Borland\\StarTeam Toolbar\\SBToolbar.exe "=
    "C:\\Program Files\\NetMeeting\\conf.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe "=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe "=
    "C:\\WINDOWS\\system32\\java.exe "=
    "C:\\Program Files\\IBM\\ISA and ESA\\IBM Support Assistant\\jre\\bin\\javaw.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\Program Files\\lotus\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.5.0.SR6-200802211037\\jre\\bin\\notes2w.exe "=
    "C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2006-03-15 19:08]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-19 15:19]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-19 15:19]
    R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 14:18]
    R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2004-12-16 15:33]
    R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2006-12-08 20:37]
    R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2004-12-16 15:33]
    R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2005-09-08 16:14]
    R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2004-12-16 15:33]
    S2 cdralw;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\system32\DRIVERS\nvmini.sys []
    S2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2006-08-09 17:40]
    S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 08:59]
    S3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys [2008-07-18 15:33]
    S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2004-12-16 15:33]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d2fd47-5567-11dc-9ec3-00197de7b1ad}]
    \Shell\AutoRun\command - F:\JDLightning\Windows\JDLightning.exe
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-17 02:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-07-21 04:36:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-21 00:34:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\DOCUME~1\SEAN~1.NEW\LOCALS~1\Temp\tzk7.tmp 836 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\WINDOWS\system32\TPHDEXLG.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-21 2:10:49 - machine was rebooted [steve.smith]
    ComboFix-quarantined-files.txt 2008-07-21 06:10:34
    ComboFix2.txt 2008-07-20 15:21:25

    Pre-Run: 55,642,689,536 bytes free
    Post-Run: 55,684,849,664 bytes free

    211 --- E O F --- 2008-06-11 14:31:22
     
  9. 2008/07/21
    sovapid

    sovapid Inactive Thread Starter

    dss/hjt log after running combofix:

    Deckard's System Scanner v20071014.68
    Run by steve.smith on 2008-07-21 08:52:52
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as steve.smith.exe) ------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:53:12 AM, on 7/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Novell\XTAgent.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\TextPad 5\TextPad.exe
    C:\Documents and Settings\steve.smith\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SEANNE~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://myportal.acme.com:10038/wps/portal
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
    O4 - Global Startup: VPN Client.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
    O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O9 - Extra button: IEWatch Professional - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
    O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.acme.com/qp2.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://inotes.acme.com/iNotes6W.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167765449254
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167765444223
    O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (PDM Plugin2) - http://135.100.200.124:10038/wps/PA_1_NO2UF4I118ADC026HKQ8KC28K6/applets/DMPlugin.cab
    O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://inotes.acme.com/dwa8W.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://inotes.acme.com/dwa7W.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acme.com
    O17 - HKLM\Software\..\Telephony: DomainName = acme.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acme.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acme.com
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/SEAN~1.NEW/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    --
    End of file - 12011 bytes

    -- Files created between 2008-06-21 and 2008-07-21 -----------------------------

    2008-07-19 15:19:26 0 d-------- C:\Documents and Settings\steve.smith\Application Data\Comodo
    2008-07-19 15:19:24 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-19 15:19:22 0 d-------- C:\Program Files\COMODO
    2008-07-18 15:33:58 18048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
    2008-07-18 15:33:23 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
    2008-07-18 15:10:12 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-18 15:10:12 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-18 15:10:12 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-18 15:10:12 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-18 15:10:12 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-18 15:10:12 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-18 15:10:12 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-18 15:10:12 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-18 14:30:26 0 d-------- C:\Program Files\Trend Micro
    2008-07-18 14:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-18 12:44:19 0 d-------- C:\Program Files\Lavasoft
    2008-07-18 12:04:58 0 d-------- C:\Program Files\Enigma Software Group
    2008-07-17 18:46:04 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
    2008-07-17 18:45:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-07-12 16:07:43 0 d-------- C:\Program Files\iPod
    2008-07-04 21:39:52 0 d-------- C:\TSO
    2008-06-22 12:27:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


    -- Find3M Report ---------------------------------------------------------------

    2008-07-21 00:37:18 0 d-------- C:\Program Files\Symantec AntiVirus
    2008-07-18 13:38:40 0 d-------- C:\Program Files\Common Files
    2008-07-18 13:35:29 0 d-------- C:\Program Files\MySpace
    2008-07-18 13:34:44 0 d-------- C:\Program Files\PokerStars
    2008-07-18 12:43:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-17 18:57:10 0 d-------- C:\Documents and Settings\steve.smith\Application Data\skypePM
    2008-07-12 16:08:10 0 d-------- C:\Program Files\iTunes
    2008-07-12 15:57:39 0 d-------- C:\Program Files\Apple Software Update
    2008-07-04 21:41:48 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-06-30 14:32:55 0 d-------- C:\Documents and Settings\steve.smith\Application Data\AdobeUM
    2008-06-22 12:27:29 0 d-------- C:\Program Files\Common Files\Adobe
    2008-06-18 19:21:23 0 d-------- C:\Documents and Settings\steve.smith\Application Data\ICAClient
    2008-06-18 19:19:39 0 d-------- C:\Program Files\Citrix
    2008-06-15 10:22:28 0 d-------- C:\Program Files\Bonjour
    2008-06-15 10:22:07 0 d-------- C:\Program Files\QuickTime
    2008-06-15 10:18:47 0 d-------- C:\Program Files\Common Files\Apple
    2008-06-12 11:26:59 0 d-------- C:\Program Files\IEWatch
    2008-05-28 17:22:56 0 d-------- C:\Program Files\JXplorer


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69FC0024-10EB-480A-BBF2-3BF4E78E17B1}]
    03/11/2008 06:04 AM 946176 --a------ C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TpShocks "= "TpShocks.exe" [03/15/2006 09:04 PM C:\WINDOWS\system32\TpShocks.exe]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/14/2006 04:17 PM]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/14/2006 04:16 PM]
    "TVT Scheduler Proxy "= "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [03/28/2006 06:01 AM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 10:33 PM]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [05/19/2005 05:33 AM]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [07/19/2008 03:19 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [6/22/2008 12:27:55 PM]
    HP Digital Imaging Monitor.lnk.disabled [5/4/2007 6:14:39 PM]
    HP Image Zone Fast Start.lnk.disabled [5/4/2007 6:16:20 PM]
    VPN Client.lnk.disabled [7/18/2008 3:50:28 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    ckpNotify.dll 12/16/2004 03:33 PM 24672 C:\WINDOWS\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
    C:\WINDOWS\system32\Novell\XtNotify.dll 09/08/2005 04:14 PM 24576 C:\WINDOWS\system32\Novell\xtnotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    C:\WINDOWS\system32\psqlpwd.dll 12/08/2006 08:44 PM 89600 C:\WINDOWS\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    "RssReader "=C:\Program Files\RssReader\RssReader.exe
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    "AppleSyncNotifier "=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe "
    "acme IT Collect "=c:\program files\acme IT\Collect\collect.exe
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    "HP Software Update "= "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "ISUSPM Startup "=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d2fd47-5567-11dc-9ec3-00197de7b1ad}]
    AutoRun\command- F:\JDLightning\Windows\JDLightning.exe




    -- End of Deckard's System Scanner: finished at 2008-07-21 08:53:39 ------------
     
  10. 2008/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    Extra::
    File::
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\system32\qbhxaklo.sys
    C:\WINDOWS\system32\BBB2CAA0A2.dll
    C:\WINDOWS\system32\vlhxaklo.sys
    Driver::
    eth8023
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Check your HOSTS file. If still infected with all that junk, download HostsXpert.
    1. Unzip HostsXpert.zip to its own folder.
    2. Open the folder and double click on HostsXpert.exe
    3. Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
    4. Click on Make Hosts Read Only to secure it against further infection.
    5. Close program when complete.


    Let me know if you're still getting infostealer alerts and how your computer is running now.
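An added triage helper, not from this thread and not part of ComboFix or Deckard's System Scanner, that parses the CFScript above together with the DSS "Files created" lines and reports, for each File:: target, whether the log shows it as recently created, whether it is too small to be a real driver image, or whether it does not appear in this log at all. The log excerpt is constructed from the lines posted above, and the three status labels are this example's own.

```python
import re
# Constructed excerpt of the DSS "Files created" section from the log above.
DSS_EXCERPT = """\
2008-07-18 15:33:58 18048 --a------ C:\\WINDOWS\\system32\\drivers\\eth8023.sys
2008-07-18 15:33:23 36 --a------ C:\\WINDOWS\\system32\\qbhxaklo.sys
2008-07-18 15:10:12 89504 --a------ C:\\WINDOWS\\fdsv.exe <Not Verified; Smallfrogs Studio; >
"""

# The CFScript from the helper's reply; a "Name::" line opens a section.
CFSCRIPT = """\
Extra::
File::
C:\\WINDOWS\\system32\\drivers\\eth8023.sys
C:\\WINDOWS\\system32\\qbhxaklo.sys
C:\\WINDOWS\\system32\\BBB2CAA0A2.dll
C:\\WINDOWS\\system32\\vlhxaklo.sys
Driver::
eth8023
"""

# "date time size attrs path", optionally followed by "<Not Verified; vendor; product>"
DSS_LINE = re.compile(r"^(\S+ \S+) (\d+) (\S{9}) (.+?)(?: <[^>]*>)?$")

def parse_dss_files(text):
    """Map lowercase path -> (created, size, attrs) for every DSS file line."""
    entries = {}
    for line in text.splitlines():
        m = DSS_LINE.match(line.strip())
        if m:
            entries[m.group(4).lower()] = (m.group(1), int(m.group(2)), m.group(3))
    return entries

def parse_cfscript(text):
    """Map section name -> list of lines for a ComboFix CFScript."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def triage(dss_text, cfscript_text):
    """Label each File:: target: 'tiny-sys' for a .sys smaller than the 64-byte PE DOS
    header (so not a loadable driver image), 'recent' if DSS lists it, else 'not-in-log'."""
    files = parse_dss_files(dss_text)
    report = []
    for path in parse_cfscript(cfscript_text).get("File", []):
        rec = files.get(path.lower())
        tiny = rec is not None and path.lower().endswith(".sys") and rec[1] < 64
        report.append((path, "not-in-log" if rec is None else "tiny-sys" if tiny else "recent"))
    return report
```

Targets reported as not-in-log are ones the helper took from some other source than this DSS excerpt, which is worth knowing before a script deletes them.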
     