HJT & ComboFix Logs...please help

SHO · 11-15-2008, 03:50 AM

So, this was a very infected laptop I picked up. Removed tons of malware, and here are my logs. Can someone have a look and offer some help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:33 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\JZhang\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5189 bytes

ComboFix 08-11-12.02 - Administrator 2008-11-14 21:14:15.1 - NTFSx86 MINIMAL
Command switches used :: c:\documents and settings\JZhang\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\program files\Common Files\asks~1
c:\windows\system32\aiqyhpef.ini
c:\windows\system32\avjsgmmf.dll
c:\windows\system32\bwffeiel.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\bestwiner.stt
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\CPV.stt
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\cqkasabt.ini
c:\windows\system32\drivers\TDSSmaxt.sys
c:\windows\system32\fqgcfumj.ini
c:\windows\system32\ltadrkcb.ini
c:\windows\system32\mqxhlxfv.ini
c:\windows\system32\nsfcjwll.ini
c:\windows\system32\qufxbuej.ini
c:\windows\system32\rfjrcx.dll
c:\windows\system32\rrfrby.dll
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\tnoeijka.ini
c:\windows\system32\uobssdop.ini
c:\windows\system32\vjasmbft.dll
c:\windows\system32\wtduispg.ini
c:\windows\system32\wxwolgip.ini
c:\windows\system32\xkkqaaug.ini
c:\windows\system32\ylksof.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-14 21:02 . 2008-11-14 21:03 <DIR> d-------- c:\documents and settings\JZhang\Application Data\U3
2008-11-14 20:25 . 2008-11-14 20:25 3,478 --a------ c:\windows\system32\tmp.reg
2008-11-14 20:24 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-14 20:24 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-14 20:24 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-14 20:24 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-14 20:24 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-14 20:24 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-14 20:24 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-14 20:24 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-14 20:24 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-14 20:24 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-14 19:55 . 2008-11-14 19:55 <DIR> d-------- C:\VundoFix Backups
2008-11-14 19:45 . 2008-11-14 19:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2008-11-14 17:22 . 2008-11-14 17:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-14 17:21 . 2008-11-14 17:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-14 14:40 . 2008-11-14 20:53 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 14:39 . 2008-11-14 20:52 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-14 14:20 . 2008-11-14 14:20 <DIR> d-------- c:\documents and settings\JZhang\Application Data\Malwarebytes
2008-11-14 14:19 . 2008-11-14 14:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 14:19 . 2008-11-14 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 14:19 . 2008-06-09 20:13 34,296 --a------ c:\windows\system32\drivers\mbamcatchme.sys
2008-11-14 14:19 . 2008-06-09 20:13 15,864 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-14 13:42 . 2008-11-14 17:09 <DIR> d-------- c:\program files\a-squared Free
2008-11-14 13:28 . 2008-11-14 13:28 <DIR> d-------- c:\program files\Lavasoft
2008-11-14 13:19 . 2008-11-14 17:22 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-14 13:19 . 2008-11-14 13:19 <DIR> d-------- c:\documents and settings\JZhang\Application Data\SUPERAntiSpyware.com
2008-11-14 13:19 . 2008-11-14 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-14 13:18 . 2008-11-14 13:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-14 13:02 . 2008-11-14 13:02 <DIR> d-------- c:\program files\CCleaner
2008-11-14 12:17 . 2008-11-14 12:17 129 --a------ C:\Shortcut to CD Drive.lnk
2008-11-10 11:36 . 2008-11-14 21:21 2,148 --a------ c:\windows\system32\wpa.dbl
2008-11-10 11:34 . 2008-11-14 21:21 0 --a------ c:\windows\system.ini
2008-11-07 20:11 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-07 11:08 . 2008-11-07 11:08 9,662 --a------ c:\windows\system32\ZoneAlarmIconUS.ico
2008-11-07 03:35 . 2008-11-07 03:35 4,286 --a------ c:\windows\system32\Jamster.ico
2008-11-07 02:44 . 2008-11-14 15:09 <DIR> d--hs---- c:\windows\ag
2008-11-05 11:58 . 2008-11-05 11:58 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-04 22:03 . 2008-11-04 22:03 <DIR> d-------- c:\program files\Avira
2008-11-04 22:03 . 2008-11-04 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-03 13:19 . 2008-11-03 13:19 25 --a------ c:\windows\cdplayer.ini
2008-11-03 13:19 . 2008-11-03 13:19 0 --a------ c:\windows\nsreg.dat
2008-11-03 09:48 . 2008-11-14 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-01 23:37 . 2008-11-02 02:16 <DIR> d-------- c:\program files\Adobe Media Player
2008-11-01 22:34 . 2008-11-01 22:34 18,637 --a------ c:\program files\Common Files\adydu.pif
2008-11-01 22:34 . 2008-11-01 22:34 14,303 --a------ c:\program files\Common Files\ypoky.dat
2008-11-01 22:34 . 2008-11-01 22:34 12,258 --a------ c:\windows\qenuwodi.db
2008-11-01 22:34 . 2008-11-01 22:34 10,121 --a------ c:\program files\Common Files\upomado.vbs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-11-14 16:36 --------- d-----w c:\program files\eSignal
2008-11-13 03:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-13 03:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-05 16:58 --------- d-----w c:\program files\Common Files\Real
2008-11-03 18:02 --------- d-----w c:\program files\Real
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 561152]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT \TINTSETP.EXE" [2003-07-16 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TIN TSETP.EXE" [2003-07-16 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScI nst.exe" [2003-07-16 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 208952]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-13 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2008-02-12 782412]
D-Link REG Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2008-02-12 24576]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 59080]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 69632]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware 2007\\lsupdatemanager.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\SpywareBlaster\\spywareblaster.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avcenter.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\7-Zip\\7zFMn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 stwlfbus;stwlfbus;c:\windows\system32\DRIVERS\stwl fbus.sys [2003-04-27 8704]
R3 st3wolf;st3wolf;c:\windows\system32\DRIVERS\st3wol f.sys [2003-04-27 99360]
S3 csaudio;USB2.0 Audio Device Driver;c:\windows\system32\DRIVERS\CsAud.sys [2003-03-24 11008]
S3 DCamUSB20GAB;Hi-speed USB 2.0 TVBOX;c:\windows\system32\Drivers\GMini20.sys [2003-07-17 73156]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6c001de0-b269-11dd-8e7b-000d56389311}]
\Shell\¶}±Ò(&O)\command - RECYCLER\UcHelp.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{001D98AC-22DC-457F-86FC-6E24E722B58f} - (no file)
BHO-{0ECC566D-22DC-457F-86FC-6E24E722B58f} - (no file)
BHO-{3B3159B7-22DC-457F-86FC-6E24E722B58f} - (no file)
BHO-{4AD6994B-74DB-5B5A-8C3A-5BC00222849F} - (no file)
BHO-{4E83C91C-27DA-5B5C-8C3A-5BC0022285CE} - (no file)
BHO-{9a03795a-88d7-4b4f-bedc-ac05fc5d467b} - (no file)
Toolbar-SITEguard - (no file)
ShellExecuteHooks-{75ABCF92-9764-4DFA-A83F-5142C3905052} - (no file)
Notify-AutorunsDisabled - pmnkJyax.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\JZhang\Application Data\Mozilla\Firefox\Profiles\n87hygh0.default\
.

************************************************** ************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 21:21:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\hpzipm12.exe
c:\windows\system32\wdfmgr.exe
.
************************************************** ************************
.
Completion time: 2008-11-14 21:26:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-15 02:26:17

Pre-Run: 21,407,784,960 bytes free
Post-Run: 21,281,964,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

205

ComboFix looked to have removed a lot. It did say I had rootkits before it rebooted and started up in safe mode to complete it's scan. I've already run full scans with SAS, MAM, Adaware, and A-squared in regular and safe mode. They found lots of Trojans and other malware. Also ran a full AVIRA AV scan, and that came up w/ stuff too. Can't get Spybot to install. Also, can't get to ther Windows Update site to do updates even though the computer is online and will go to other sites, no problem. Should I run Panda scan for rootkits?

Thanks.

**ceewi1** · 11-17-2008, 11:32 AM

You appear to have a flash drive infection, among other things. This may have infected any other machines that the flash drive was plugged into, so I suggest you check those as well.

Please plug any flash drives you have into your computer.

Please set Windows to show hidden files:

From any folder, select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please navigate to each flash drive and look for a folder named Recycler. If found, see if it contains a file called UcHelp.exe. If so, delete that file and any others within the Recycler folder.

Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File::
c:\program files\Common Files\adydu.pif
c:\program files\Common Files\ypoky.dat
c:\windows\qenuwodi.db
c:\program files\Common Files\upomado.vbs

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6c001de0-b269-11dd-8e7b-000d56389311}]

Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.

CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please post

The ComboFix log
A new HijackThis log
A new log with Malwarebytes' Antimalware
An update on how your system is running now

11-15-2008, 03:50 AM	#1 (permalink)
SHO Bronze Member Join Date: Mar 2007 Posts: 70	HJT & ComboFix Logs...please help So, this was a very infected laptop I picked up. Removed tons of malware, and here are my logs. Can someone have a look and offer some help. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:35:33 PM, on 11/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\acs.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\a-squared Free\a2service.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\System32\Ati2evxx.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\JZhang\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: AutorunsDisabled O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ? O4 - Global Startup: D-Link REG Utility.lnk = ? O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - AutorunsDisabled - (no file) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O24 - Desktop Component AutorunsDisabled: (no name) - (no file) -- End of file - 5189 bytes ComboFix 08-11-12.02 - Administrator 2008-11-14 21:14:15.1 - NTFSx86 MINIMAL Command switches used :: c:\documents and settings\JZhang\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt c:\program files\Common Files\asks~1 c:\windows\system32\aiqyhpef.ini c:\windows\system32\avjsgmmf.dll c:\windows\system32\bwffeiel.dll c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\bestwiner.stt c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\CPV.stt c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts c:\windows\system32\cqkasabt.ini c:\windows\system32\drivers\TDSSmaxt.sys c:\windows\system32\fqgcfumj.ini c:\windows\system32\ltadrkcb.ini c:\windows\system32\mqxhlxfv.ini c:\windows\system32\nsfcjwll.ini c:\windows\system32\qufxbuej.ini c:\windows\system32\rfjrcx.dll c:\windows\system32\rrfrby.dll c:\windows\system32\TDSScfub.dll c:\windows\system32\TDSSfpmp.dll c:\windows\system32\TDSSnmxh.log c:\windows\system32\TDSSnrsr.dll c:\windows\system32\TDSSoeqh.dll c:\windows\system32\TDSSosvd.dat c:\windows\system32\TDSSrhym.log c:\windows\system32\TDSSriqp.dll c:\windows\system32\TDSSsbhc.dll c:\windows\system32\TDSStkdv.log c:\windows\system32\tnoeijka.ini c:\windows\system32\uobssdop.ini c:\windows\system32\vjasmbft.dll c:\windows\system32\wtduispg.ini c:\windows\system32\wxwolgip.ini c:\windows\system32\xkkqaaug.ini c:\windows\system32\ylksof.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_TDSSSERV.SYS -------\Legacy_TDSSSERV.SYS ((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 ))))))))))))))))))))))))))))))) . 2008-11-14 21:02 . 2008-11-14 21:03 <DIR> d-------- c:\documents and settings\JZhang\Application Data\U3 2008-11-14 20:25 . 2008-11-14 20:25 3,478 --a------ c:\windows\system32\tmp.reg 2008-11-14 20:24 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe 2008-11-14 20:24 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe 2008-11-14 20:24 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe 2008-11-14 20:24 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe 2008-11-14 20:24 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe 2008-11-14 20:24 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe 2008-11-14 20:24 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe 2008-11-14 20:24 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe 2008-11-14 20:24 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe 2008-11-14 20:24 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe 2008-11-14 19:55 . 2008-11-14 19:55 <DIR> d-------- C:\VundoFix Backups 2008-11-14 19:45 . 2008-11-14 19:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3 2008-11-14 17:22 . 2008-11-14 17:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2008-11-14 17:21 . 2008-11-14 17:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2008-11-14 14:40 . 2008-11-14 20:53 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP 2008-11-14 14:39 . 2008-11-14 20:52 <DIR> d-------- c:\program files\SpywareBlaster 2008-11-14 14:20 . 2008-11-14 14:20 <DIR> d-------- c:\documents and settings\JZhang\Application Data\Malwarebytes 2008-11-14 14:19 . 2008-11-14 14:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-14 14:19 . 2008-11-14 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-14 14:19 . 2008-06-09 20:13 34,296 --a------ c:\windows\system32\drivers\mbamcatchme.sys 2008-11-14 14:19 . 2008-06-09 20:13 15,864 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-14 13:42 . 2008-11-14 17:09 <DIR> d-------- c:\program files\a-squared Free 2008-11-14 13:28 . 2008-11-14 13:28 <DIR> d-------- c:\program files\Lavasoft 2008-11-14 13:19 . 2008-11-14 17:22 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-11-14 13:19 . 2008-11-14 13:19 <DIR> d-------- c:\documents and settings\JZhang\Application Data\SUPERAntiSpyware.com 2008-11-14 13:19 . 2008-11-14 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-11-14 13:18 . 2008-11-14 13:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-11-14 13:02 . 2008-11-14 13:02 <DIR> d-------- c:\program files\CCleaner 2008-11-14 12:17 . 2008-11-14 12:17 129 --a------ C:\Shortcut to CD Drive.lnk 2008-11-10 11:36 . 2008-11-14 21:21 2,148 --a------ c:\windows\system32\wpa.dbl 2008-11-10 11:34 . 2008-11-14 21:21 0 --a------ c:\windows\system.ini 2008-11-07 20:11 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\system32\MFC71.dll 2008-11-07 11:08 . 2008-11-07 11:08 9,662 --a------ c:\windows\system32\ZoneAlarmIconUS.ico 2008-11-07 03:35 . 2008-11-07 03:35 4,286 --a------ c:\windows\system32\Jamster.ico 2008-11-07 02:44 . 2008-11-14 15:09 <DIR> d--hs---- c:\windows\ag 2008-11-05 11:58 . 2008-11-05 11:58 <DIR> d-------- c:\program files\Common Files\xing shared 2008-11-04 22:03 . 2008-11-04 22:03 <DIR> d-------- c:\program files\Avira 2008-11-04 22:03 . 2008-11-04 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira 2008-11-03 13:19 . 2008-11-03 13:19 25 --a------ c:\windows\cdplayer.ini 2008-11-03 13:19 . 2008-11-03 13:19 0 --a------ c:\windows\nsreg.dat 2008-11-03 09:48 . 2008-11-14 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-01 23:37 . 2008-11-02 02:16 <DIR> d-------- c:\program files\Adobe Media Player 2008-11-01 22:34 . 2008-11-01 22:34 18,637 --a------ c:\program files\Common Files\adydu.pif 2008-11-01 22:34 . 2008-11-01 22:34 14,303 --a------ c:\program files\Common Files\ypoky.dat 2008-11-01 22:34 . 2008-11-01 22:34 12,258 --a------ c:\windows\qenuwodi.db 2008-11-01 22:34 . 2008-11-01 22:34 10,121 --a------ c:\program files\Common Files\upomado.vbs . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-11-14 16:36 --------- d-----w c:\program files\eSignal 2008-11-13 03:13 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-13 03:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-11-05 16:58 --------- d-----w c:\program files\Common Files\Real 2008-11-03 18:02 --------- d-----w c:\program files\Real . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 126976] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 561152] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT \TINTSETP.EXE" [2003-07-16 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TIN TSETP.EXE" [2003-07-16 455168] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScI nst.exe" [2003-07-16 59392] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 208952] "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-13 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696] D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2008-02-12 782412] D-Link REG Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2008-02-12 24576] Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 59080] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 69632] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\eSignal\\winros.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware 2007\\lsupdatemanager.exe"= "c:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe"= "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"= "c:\\Program Files\\SpywareBlaster\\spywareblaster.exe"= "c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avcenter.exe"= "c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"= "c:\\Program Files\\7-Zip\\7zFMn.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R0 stwlfbus;stwlfbus;c:\windows\system32\DRIVERS\stwl fbus.sys [2003-04-27 8704] R3 st3wolf;st3wolf;c:\windows\system32\DRIVERS\st3wol f.sys [2003-04-27 99360] S3 csaudio;USB2.0 Audio Device Driver;c:\windows\system32\DRIVERS\CsAud.sys [2003-03-24 11008] S3 DCamUSB20GAB;Hi-speed USB 2.0 TVBOX;c:\windows\system32\Drivers\GMini20.sys [2003-07-17 73156] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6c001de0-b269-11dd-8e7b-000d56389311}] \Shell\¶}±Ò(&O)\command - RECYCLER\UcHelp.exe . - - - - ORPHANS REMOVED - - - - BHO-{001D98AC-22DC-457F-86FC-6E24E722B58f} - (no file) BHO-{0ECC566D-22DC-457F-86FC-6E24E722B58f} - (no file) BHO-{3B3159B7-22DC-457F-86FC-6E24E722B58f} - (no file) BHO-{4AD6994B-74DB-5B5A-8C3A-5BC00222849F} - (no file) BHO-{4E83C91C-27DA-5B5C-8C3A-5BC0022285CE} - (no file) BHO-{9a03795a-88d7-4b4f-bedc-ac05fc5d467b} - (no file) Toolbar-SITEguard - (no file) ShellExecuteHooks-{75ABCF92-9764-4DFA-A83F-5142C3905052} - (no file) Notify-AutorunsDisabled - pmnkJyax.dll . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\JZhang\Application Data\Mozilla\Firefox\Profiles\n87hygh0.default\ . ************************************************ ******************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-14 21:21:34 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************** ******************** . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\acs.exe c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe c:\program files\a-squared Free\a2service.exe c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe c:\windows\system32\ati2evxx.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe c:\windows\system32\hpzipm12.exe c:\windows\system32\wdfmgr.exe . ********************************************** ********************** . Completion time: 2008-11-14 21:26:22 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-15 02:26:17 Pre-Run: 21,407,784,960 bytes free Post-Run: 21,281,964,032 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 205 ComboFix looked to have removed a lot. It did say I had rootkits before it rebooted and started up in safe mode to complete it's scan. I've already run full scans with SAS, MAM, Adaware, and A-squared in regular and safe mode. They found lots of Trojans and other malware. Also ran a full AVIRA AV scan, and that came up w/ stuff too. Can't get Spybot to install. Also, can't get to ther Windows Update site to do updates even though the computer is online and will go to other sites, no problem. Should I run Panda scan for rootkits? Thanks.

11-17-2008, 11:32 AM	#2 (permalink)
ceewi1 Moderator Join Date: Dec 2005 Location: Melbourne, Australia Age: 22 Posts: 5,418	You appear to have a flash drive infection, among other things. This may have infected any other machines that the flash drive was plugged into, so I suggest you check those as well. Please plug any flash drives you have into your computer. Please set Windows to show hidden files: From any folder, select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Please navigate to each flash drive and look for a folder named Recycler. If found, see if it contains a file called UcHelp.exe. If so, delete that file and any others within the Recycler folder. Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: File:: c:\program files\Common Files\adydu.pif c:\program files\Common Files\ypoky.dat c:\windows\qenuwodi.db c:\program files\Common Files\upomado.vbs Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6c001de0-b269-11dd-8e7b-000d56389311}] Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. CAUTION: Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running. Please post The ComboFix log A new HijackThis log A new log with Malwarebytes' Antimalware An update on how your system is running now __________________ CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. Useful PSU Guides

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Combofix Scripts	Buzz1927	Computer Security	0	04-14-2008 08:31 AM
a check up hjt and combofix included	koolkid12349	Computer Security	2	02-05-2008 06:52 AM
What's wrong with ComboFix and SmitFraudFix Links?	Novice2000	General Software	2	01-31-2008 01:04 PM
Stopping Exchange Logs?	jeckgo	Operating Systems	0	02-02-2006 06:28 AM
HJT Logs	Ku-sama	Computer Security	3	01-07-2006 05:55 AM