MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: Spools.exe virus? (Read 5071 times)
favrekicksass
« on: May 31, 2008, 05:33:57 PM »

My computer has been running very slow; almost every program I try to open gives me a "spools.exe encountered a problem and needs to close" error message. Not sure what to do here. I tried to update SUPERAntiSpyware and it tells me my firewall may be blocking my internet connection; I can't open any other antivirus software, it just gives me spools.exe errors.

I can't post a log either; it gives me an error message that says "to help protect your computer, Windows closed Notepad". Here are screenshots of the log, sorry.

Thank you for the help.
 
favrekicksass
« Reply #1 on: May 31, 2008, 07:36:25 PM »

I am now unable to run any .exe files; the Windows "Open with..." box comes up.
 
Pancake
« Reply #2 on: May 31, 2008, 10:34:41 PM »

OK. We need to download ComboFix.exe. This will give a better view of the files running and hidden on your computer, and also those in the registry.

Please visit this webpage for download links and instructions for running ComboFix.

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know.

=======================================

Please download SDFix from here and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, the Advanced Options Menu should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Please copy and paste that log in your next reply.

favrekicksass
« Reply #3 on: June 13, 2008, 03:44:21 AM »

I ran SDFix, but I can't open the log; DEP comes up when I try to open any .txt file in Notepad.

Another strange problem I am having is I can not visit any antispyware websites; it tells me the connection is down when it isn't. I couldn't download ComboFix because of this.

Any suggestions?
 
favrekicksass
« Reply #4 on: June 13, 2008, 04:13:39 AM »

Here is the ComboFix log:


SDFix: Version 1.191
Run by HP_Administrator on Thu 06/12/2008 at 10:15 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\WINDOWS\system32\config\systemprofile\cftmon.exe - Deleted
C:\WINDOWS\system32\winpfz37.sys  - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg  - Deleted
C:\WINDOWS\winlogon.exe  - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mcjincap.exe"="C:\\WINDOWS\\system32\\mcjincap.exe:*:Disabled:mcjincap"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 14 May 2006           211 A.SHR --- "C:\BOOT.BAK"
Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon  4 Jun 2007     1,102,339 A.SH. --- "C:\WINDOWS\system32\xqjhphme.tmp"
Fri 25 May 2007     1,544,658 ..SH. --- "C:\WINDOWS\system32\yyadd.bak1"
Sat 26 May 2007     1,549,886 ..SH. --- "C:\WINDOWS\system32\yyadd.bak2"
Tue 20 Feb 2007        23,552 ...H. --- "C:\Documents and Settings\HP_Administrator\My Documents\~WRL0001.tmp"
Tue  6 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
Mon 12 May 2008             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 12 May 2008             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Mon 12 May 2008             8 A..H. --- "C:\Documents and Settings\HP_Administrator\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 12 May 2008             8 A..H. --- "C:\Documents and Settings\HP_Administrator\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"

Finished!
 
favrekicksass
« Reply #5 on: June 13, 2008, 04:14:37 AM »

Here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:11 AM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: (no name) - {04DA36D4-E8D6-438E-A659-829F8318ECBB} - C:\WINDOWS\system32\btpanu.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ReSchedHPSU.lnk = C:\hp\bin\CLOAKER.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180477843312
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: __c003CFA1 - C:\WINDOWS\system32\__c003CFA1.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - - (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

 
Pancake
« Reply #6 on: June 13, 2008, 04:16:13 AM »


  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Code:
Files to delete:
C:\WINDOWS\system32\__c003CFA1.dat
C:\WINDOWS\system32\xqjhphme.tmp
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\yyadd.bak2

  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked "Are you sure you want to execute the current script?".
  • Click Yes.
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?".
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a shutdown. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
Try ComboFix again when the above is done.

« Last Edit: June 13, 2008, 04:23:47 AM by Pancake »
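The four paths in the Avenger script above come from reading two of the logs posted earlier by hand: the SDFix "Files with Hidden Attributes" table (system+hidden files sitting in system32) and the HijackThis O20 line whose Winlogon Notify package is a .dat rather than a .dll. The Python below is an added example, not part of this thread or of SDFix, HijackThis or The Avenger; it applies that same reasoning to sample lines copied from the posted logs, and the regexes, the "review" tier for the unnamed O2 BHO, and the system32-plus-System-attribute heuristic are my own assumptions, not anything those tools do.

```python
"""Triage of the SDFix and HijackThis lines posted in this thread (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of SDFix's "Files with Hidden Attributes" section.
SDFIX_HIDDEN = r"""
Sun 14 May 2006           211 A.SHR --- "C:\BOOT.BAK"
Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon  4 Jun 2007     1,102,339 A.SH. --- "C:\WINDOWS\system32\xqjhphme.tmp"
Fri 25 May 2007     1,544,658 ..SH. --- "C:\WINDOWS\system32\yyadd.bak1"
Sat 26 May 2007     1,549,886 ..SH. --- "C:\WINDOWS\system32\yyadd.bak2"
Mon 12 May 2008             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
"""

# Constructed sample: a subset of the HijackThis v1.99.1 O2 and O20 lines posted above.
HJT_LOG = r"""
O2 - BHO: (no name) - {04DA36D4-E8D6-438E-A659-829F8318ECBB} - C:\WINDOWS\system32\btpanu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: __c003CFA1 - C:\WINDOWS\system32\__c003CFA1.dat
"""

# SDFix row: <weekday> <day> <month> <year>  <size>  <attrs> --- "<path>"
HIDDEN_RE = re.compile(
    r'^(?P<date>\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4})\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>.+)"$'
)
# HijackThis "O20 - Winlogon Notify: <key name> - <path>" and "O2 - BHO: <name> - {CLSID} - <path>"
WINLOGON_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')


@dataclass(frozen=True)
class Finding:
    source: str   # which log the line came from
    path: str     # file the finding is about
    reason: str   # why it was flagged
    action: str   # "delete-candidate" or "review"


def triage_sdfix_hidden(text: str) -> list[Finding]:
    """Flag hidden files under system32 that also carry the System attribute (heuristic).

    SDFix prints the attribute column as A?SHR (archive, ?, system, hidden,
    read-only) with '.' for a clear bit, so attrs[2] == 'S' is the System bit.
    BOOT.BAK and Spybot's own system+hidden binaries sit outside system32 and
    are left alone; lock.tmp is hidden but not system.
    """
    findings = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m["attrs"], m["path"]
        if "\\system32\\" in path.lower() and attrs[2] == "S":
            findings.append(Finding("SDFix", path,
                                    f"hidden+system file in system32 (attrs {attrs})",
                                    "delete-candidate"))
    return findings


def triage_hijackthis(text: str) -> list[Finding]:
    """Two checks on HijackThis O20 and O2 lines (heuristic, not HijackThis logic)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := WINLOGON_RE.match(line):
            # Winlogon notification packages are DLLs; a .dat in that slot is misnamed.
            if not m["path"].lower().endswith(".dll"):
                findings.append(Finding("HijackThis", m["path"],
                                        f"Winlogon Notify '{m['name']}' loads a non-DLL",
                                        "delete-candidate"))
        elif m := BHO_RE.match(line):
            # An unnamed BHO dropped straight into system32 deserves a look, not an automatic delete.
            if m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
                findings.append(Finding("HijackThis", m["path"],
                                        "unnamed BHO in system32", "review"))
    return findings


def delete_candidates(*finding_lists: list[Finding]) -> list[str]:
    """Deduplicated paths that would go under 'Files to delete:' in an Avenger script."""
    seen: dict[str, None] = {}
    for findings in finding_lists:
        for f in findings:
            if f.action == "delete-candidate":
                seen.setdefault(f.path)
    return list(seen)


if __name__ == "__main__":
    sd = triage_sdfix_hidden(SDFIX_HIDDEN)
    hj = triage_hijackthis(HJT_LOG)
    for f in sd + hj:
        print(f"[{f.action:16}] {f.source:10} {f.path}  <- {f.reason}")
    print("\nFiles to delete:")
    print("\n".join(delete_candidates(sd, hj)))
```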
favrekicksass
« Reply #7 on: June 13, 2008, 07:27:55 PM »

I am unable to download anything; whenever I go to a site that has spyware removal tools I get a "page can't be displayed", and Firefox does not get a connection. I can only use IE, and I get pop-ups like crazy.

I can't uninstall or update any antivirus software; I tried uninstalling and my comp crashes.
 
Pancake
« Reply #8 on: June 13, 2008, 10:17:07 PM »

Can you download them on another computer, put them onto a disc or thumb drive, and then run them?

favrekicksass
« Reply #9 on: June 14, 2008, 04:02:48 PM »

I can't believe I didn't think to get them off another computer, thank you!

Here is the Avenger log, new HJT below it:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jmtxxlbe

*******************

Script file located at: \??\C:\Program Files\ffhptvgk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\ctfmon.exe not found!
Deletion of file C:\WINDOWS\system32\ctfmon.exe failed!

Could not process line:
C:\WINDOWS\system32\ctfmon.exe
Status: 0xc0000034



File C:\WINDOWS\system32\hkcmd.exe not found!
Deletion of file C:\WINDOWS\system32\hkcmd.exe failed!

Could not process line:
C:\WINDOWS\system32\hkcmd.exe
Status: 0xc0000034



File C:\WINDOWS\system32\igfxpers.exe not found!
Deletion of file C:\WINDOWS\system32\igfxpers.exe failed!

Could not process line:
C:\WINDOWS\system32\igfxpers.exe
Status: 0xc0000034



File C:\WINDOWS\system32\igfxtray.exe not found!
Deletion of file C:\WINDOWS\system32\igfxtray.exe failed!

Could not process line:
C:\WINDOWS\system32\igfxtray.exe
Status: 0xc0000034



File C:\WINDOWS\system32\wltray.exe not found!
Deletion of file C:\WINDOWS\system32\wltray.exe failed!

Could not process line:
C:\WINDOWS\system32\wltray.exe
Status: 0xc0000034



File C:\WINDOWS\system32\bak\ctfmon.exe not found!
File move operation C:\WINDOWS\system32\bak\ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe failed!

Could not process line:
C:\WINDOWS\system32\bak\ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe
Status: 0xc0000034



File C:\WINDOWS\system32\bak\hkcmd.exe not found!
File move operation C:\WINDOWS\system32\bak\hkcmd.exe|C:\WINDOWS\system32\hkcmd.exe failed!

Could not process line:
C:\WINDOWS\system32\bak\hkcmd.exe|C:\WINDOWS\system32\hkcmd.exe
Status: 0xc0000034



File C:\WINDOWS\system32\bak\igfxpers.exe not found!
File move operation C:\WINDOWS\system32\bak\igfxpers.exe|C:\WINDOWS\system32\igfxpers.exe failed!

Could not process line:
C:\WINDOWS\system32\bak\igfxpers.exe|C:\WINDOWS\system32\igfxpers.exe
Status: 0xc0000034



File C:\WINDOWS\system32\bak\igfxtray.exe not found!
File move operation C:\WINDOWS\system32\bak\igfxtray.exe|C:\WINDOWS\system32\igfxtray.exe failed!

Could not process line:
C:\WINDOWS\system32\bak\igfxtray.exe|C:\WINDOWS\system32\igfxtray.exe
Status: 0xc0000034



File C:\WINDOWS\system32\bak\wltray.exe not found!
File move operation C:\WINDOWS\system32\bak\wltray.exe|C:\WINDOWS\system32\wltray.exe failed!

Could not process line:
C:\WINDOWS\system32\bak\wltray.exe|C:\WINDOWS\system32\wltray.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "clbdriver" found!
ImagePath:  \??\globalroot\systemroot\system32\drivers\vmdesched.sys
Start Type:  1 (System)

Rootkit scan completed.

File "C:\WINDOWS\system32\__c003CFA1.dat" deleted successfully.
File "C:\WINDOWS\system32\xqjhphme.tmp" deleted successfully.
File "C:\WINDOWS\system32\yyadd.bak1" deleted successfully.
File "C:\WINDOWS\system32\yyadd.bak2" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


===========================================================================

Logfile of HijackThis v1.99.1
Scan saved at 12:02:10 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: (no name) - {04DA36D4-E8D6-438E-A659-829F8318ECBB} - C:\WINDOWS\system32\btpanu.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ReSchedHPSU.lnk = C:\hp\bin\CLOAKER.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180477843312
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: __c003CFA1 - C:\WINDOWS\system32\__c003CFA1.dat (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - - (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


 
favrekicksass
« Reply #10 on: June 14, 2008, 04:57:48 PM »

Here is the ComboFix log; looks like Firefox runs again!

ComboFix 08-06-12.2 - HP_Administrator 2008-06-14 12:09:02.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.678 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix1.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\DOBE~1
C:\Documents and Settings\HP_Administrator\Application Data\Dxccwrd.dll
C:\Documents and Settings\HP_Administrator\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\Program Files\Common Files\sks~1
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\__c0010B21.exe
C:\WINDOWS\system32\__c001A08F.dat
C:\WINDOWS\system32\__c001C944.dat
C:\WINDOWS\system32\__c0026765.dat
C:\WINDOWS\system32\__c002B104.dat
C:\WINDOWS\system32\__c002C96E.dat
C:\WINDOWS\system32\__c002E4F8.dat
C:\WINDOWS\system32\__c0030FDC.dat
C:\WINDOWS\system32\__c0040892.exe
C:\WINDOWS\system32\__c004201.dat
C:\WINDOWS\system32\__c0046110.dat
C:\WINDOWS\system32\__c0047208.dat
C:\WINDOWS\system32\__c004F543.dat
C:\WINDOWS\system32\__c0058BFF.dat
C:\WINDOWS\system32\__c0064AA5.dat
C:\WINDOWS\system32\__c0067183.exe
C:\WINDOWS\system32\__c0069A6C.dat
C:\WINDOWS\system32\__c006F8CC.dat
C:\WINDOWS\system32\__c007143C.dat
C:\WINDOWS\system32\__c0081D36.dat
C:\WINDOWS\system32\__c0086DB3.dat
C:\WINDOWS\system32\__c008710.dat
C:\WINDOWS\system32\__c0087B0F.dat
C:\WINDOWS\system32\__c008BC16.dat
C:\WINDOWS\system32\__c009059B.dat
C:\WINDOWS\system32\__c009AA61.exe
C:\WINDOWS\system32\__c009BCF8.exe
C:\WINDOWS\system32\__c00A43F1.dat
C:\WINDOWS\system32\__c00A9C40.dat
C:\WINDOWS\system32\__c00AA24E.exe
C:\WINDOWS\system32\__c00AB590.exe
C:\WINDOWS\system32\__c00B19B1.dat
C:\WINDOWS\system32\__c00BA200.dat
C:\WINDOWS\system32\__c00BBE32.dat
C:\WINDOWS\system32\__c00BCE36.dat
C:\WINDOWS\system32\__c00CA480.exe
C:\WINDOWS\system32\__c00CA78.dat
C:\WINDOWS\system32\__c00D17BE.dat
C:\WINDOWS\system32\__c00E5AAF.dat
C:\WINDOWS\system32\__c00EE72.dat
C:\WINDOWS\system32\__c00F0CC4.exe
C:\WINDOWS\system32\__c00F67E0.dat
C:\WINDOWS\system32\__c00F7C32.exe
C:\WINDOWS\system32\__c00FD702.exe
C:\WINDOWS\system32\__c00FD840.dat
C:\WINDOWS\system32\__c00FDF44.dat
C:\WINDOWS\system32\__c00FE32B.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\config\systemprofile\ftp34.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\AXEL.DAV
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\lclcfg32.ini
C:\WINDOWS\system32\lfd32.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T8
C:\WINDOWS\system32\xqjhphme.ini
C:\WINDOWS\system32\xqjhphme.ini2
C:\WINDOWS\winhelp.ini
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_CORE
-------\Legacy_NET_AGENT
-------\Service_Net Agent


(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.

2008-06-13 20:09 . 2008-06-13 20:09   <DIR>   d--------   C:\Program Files\Burn4Free Toolbar
2008-06-13 20:09 . 2008-06-13 20:35   <DIR>   d--------   C:\Program Files\Burn4Free
2008-06-13 20:09 . 2008-06-13 20:09   232,075   --a------   C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_1921.exe
2008-06-13 19:53 . 2008-06-13 19:53   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
2008-06-04 00:30 . 2008-06-04 00:30   <DIR>   d--------   C:\Program Files\Common Files\Adobe Systems Shared
2008-06-04 00:30 . 2008-06-04 00:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-03 23:42 . 2008-06-03 23:42   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\Application Data\gtk-2.0
2008-06-03 23:42 . 2008-06-03 23:42   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\.thumbnails
2008-06-03 23:39 . 2008-06-03 23:39   <DIR>   d--------   C:\Program Files\GIMP-2.0
2008-06-03 23:39 . 2008-06-03 23:48   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\.gimp-2.4

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 04:32   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-06-13 04:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 02:25   ---------   d-----w   C:\Program Files\World of Warcraft
2008-06-04 04:26   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-05-13 23:54   15,781   ----a-w   C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-05-13 23:54   ---------   d-----w   C:\Program Files\Belkin
2008-05-12 23:54   ---------   d--ha-w   C:\Documents and Settings\All Users\Application Data\GTek
2008-05-12 23:54   ---------   d--h--w   C:\Documents and Settings\HP_Administrator\Application Data\GTek
2008-05-12 23:54   ---------   d-----w   C:\Program Files\Linksys EasyLink Advisor
2008-05-12 23:54   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\Gtek
2008-05-04 01:17   ---------   d-----w   C:\Program Files\IrfanView
2008-04-28 22:37   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\ICAClient
2008-04-28 01:02   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\HP
2008-04-26 21:29   ---------   d-----w   C:\Program Files\Java
2006-12-08 22:55   0   ----a-w   C:\Documents and Settings\HP_Administrator\xx_tempopt.bin
2007-01-10 23:09   4,096   --sha-w   C:\WINDOWS\system32\1112.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04DA36D4-E8D6-438E-A659-829F8318ECBB}]
2008-03-04 19:13   98048   --a------   C:\WINDOWS\system32\btpanu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2008-06-13 20:09   806912   --a------   C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2008-06-13 20:09 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll [2008-06-13 20:09 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-05 20:15 1481968]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-22 18:52 98304]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2008-05-13 19:54:51 340054]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 09:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]
ReSchedHPSU.lnk - C:\hp\bin\CLOAKER.EXE [2005-08-22 17:58:37 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c003CFA1]
C:\WINDOWS\system32\__c003CFA1.dat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 slknvfgz;slknvfgz;C:\WINDOWS\system32\drivers\dptwzbre.dat []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 00:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
asatekzb
WmdmPmSNldrsvc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basetjuea32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6692096-87ac-11db-9b03-0013d4b7cddb}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ded34406-8fc3-11db-9b1a-001150683807}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 12:25:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\slknvfgz]
"ImagePath"="system32\drivers\dptwzbre.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basetjuea32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-14 12:27:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-14 16:27:30
ComboFix2.txt  2007-05-13 18:48:15

Pre-Run: 106,404,245,504 bytes free
Post-Run: 106,421,280,768 bytes free

229   --- E O F ---   2008-05-28 07:00:45
Pancake
Global Moderator
« Reply #11 on: June 14, 2008, 10:44:11 PM »

Before we can carry on with your cleanup we need to install your Recovery Console.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.