ComboFix ran reluctantly. A Microsoft Windows message kept appearing saying that the process was already running, and after I repeatedly told it not to send a report to Microsoft it rebooted and scanned and rebooted again, producing an IEXPLORER icon on my desktop in addition to the shortcut I placed there. I didn't know if this icon was due to running ComboFix with an Explorer window open at the time or what it's from. Under Properties it takes me to Internet Options. Anyway, here are the logs that were created.
The router problem has been happening for months. My concern was that the new router required me to enter my user ID and password.
I really appreciate your skill level to pore over this data and make sense of it, and thank you so much for your assistance.
Log after ComboFix ran on final reboot:
ComboFix 07-09-21.2 - "Jeff" 2007-09-26 12:19:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -4:00]
* Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
Rootkit driver msguard is present. ... attempting disinfection
Rootkit driver lzx32 is present. ... attempting disinfection
Rootkit driver huy32 is present. ... attempting disinfection
Rootkit driver xpdt is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
msguard ...... driver unloaded successfully.
lzx32 ...... driver unloaded successfully.
huy32 ...... driver unloaded successfully.
xpdt ...... driver unloaded successfully.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\DOCUME~1\Jeff\APPLIC~1\DOBE~1
C:\DOCUME~1\Jeff\APPLIC~1\Sskdmns.dll
C:\Program Files\Common Files\{A0533~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\adyafaia.exe
C:\WINDOWS\system32\eefwcuhv.exe
C:\WINDOWS\system32\fhqorgso.exe
C:\WINDOWS\system32\gglbakvc.exe
C:\WINDOWS\system32\ioprivsg.exe
C:\WINDOWS\system32\kkuckfdm.exe
C:\WINDOWS\system32\lkdlarcy.exe
C:\WINDOWS\system32\mafumuno.exe
C:\WINDOWS\system32\onhdmtkv.exe
C:\WINDOWS\system32\oyemoouj.exe
C:\WINDOWS\system32\ptoyemjv.exe
C:\WINDOWS\system32\pwdbjjsw.exe
C:\WINDOWS\system32\ssiednbq.exe
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.bak2
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\uttss.tmp
C:\WINDOWS\system32\uxvmesfe.exe
C:\WINDOWS\system32\vtjdhdcl.exe
C:\WINDOWS\system32\wtdlcvtv.exe
C:\WINDOWS\system32\wvirqxwp.exe
C:\WINDOWS\system32\yfsatiqn.exe
C:\WINDOWS\system32\yuukvpbn.exe
C:\WINDOWS\system32\zxdnt3d.cfg
H:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.
2007-09-26 12:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 15:05 84,032 --a------ C:\WINDOWS\system32\qqfebams.dll
2007-09-25 13:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-24 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-24 17:25 85,056 --a------ C:\WINDOWS\system32\pkodkmek.dll
2007-09-24 17:23 1,690 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-24 17:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-24 17:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-24 17:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-24 17:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-24 16:35 85,056 --a------ C:\WINDOWS\system32\wmxyqbkm.dll
2007-09-24 15:25 85,056 --a------ C:\WINDOWS\system32\upqdkcgl.dll
2007-09-24 15:00 85,056 --a------ C:\WINDOWS\system32\ffslemvx.dll
2007-09-24 13:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Hewlett-Packard
2007-09-24 13:37 145 --------- C:\WINDOWS\hpgmdl01.dat
2007-09-24 13:32 85,056 --a------ C:\WINDOWS\system32\hopuccme.dll
2007-09-20 17:11 <DIR> d-------- C:\Deckard
2007-09-20 17:05 <DIR> d-------- C:\VundoFix Backups
2007-09-17 17:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-14 15:00 <DIR> d-------- C:\Program Files\WM Converter
2007-09-14 14:54 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-09-14 14:54 <DIR> d-------- C:\videooutput
2007-09-13 03:13 2,009,073 --ahs---- C:\WINDOWS\system32\qtstv.bak2
2007-09-12 15:14 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Swift Sound
2007-09-12 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\NCH Software
2007-09-12 15:13 6,448 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-09-12 15:13 <DIR> d-------- C:\Program Files\NCH Software
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\AVS4YOU
2007-09-12 14:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AVS4YOU
2007-09-12 14:03 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-12 14:03 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-09-12 14:03 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-09-12 14:03 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-09-12 14:03 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-09-12 14:03 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-12 14:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-09-12 14:03 <DIR> d-------- C:\Program Files\AVS4YOU
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 13:40 --------- d-------- C:\Program Files\HP
2007-09-21 16:29 --------- d-------- C:\Program Files\e-Sword
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AF934DC-7451-4E66-B811-5ACDD0A40E07}]
C:\WINDOWS\system32\vtstq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 11:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 07:48]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"SearchIndexer"="C:\WINDOWS\system32\qqfebams.dll" [2007-09-25 15:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstq]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\159H]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
C:\\keyboard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Luho]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad]
C:\\mousepad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys0305157347-16]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdS7_0_8 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usqxxorc]
C:\Documents and Settings\Jeff\Application Data\?dobe\d?xplore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wahm]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTask driver]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{33-3E-E1-1D-ZN}]
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-09-26 12:26:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-09-26 12:29:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 12:28
.
--- E O F ---
Log found under c:/ (identical to the ComboFix log above):
Log of quarantined files:
2004-08-04 08:00 132096 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir
2004-09-13 12:15 53 --a------ C:\Qoobox\Quarantine\H\Autorun.inf.vir
2004-10-27 21:21 721920 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_000009_.tmp.dll.vir
2006-03-04 21:12 21 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
2006-03-06 20:06 55 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Jeff\APPLIC~1\Sskdmns.dll.vir
2007-07-08 21:23 15399 --a------ C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
2007-09-13 03:14 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eefwcuhv.exe.vir
2007-09-19 12:58 312416 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssttu.dll.vir
2007-09-21 01:04 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yuukvpbn.exe.vir
2007-09-21 12:59 1981742 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.bak1.vir
2007-09-21 12:59 1981742 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.ini.vir
2007-09-21 13:01 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wvirqxwp.exe.vir
2007-09-22 17:35 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssiednbq.exe.vir
2007-09-24 13:26 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\onhdmtkv.exe.vir
2007-09-24 14:33 1985433 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.tmp.vir
2007-09-24 14:51 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vtjdhdcl.exe.vir
2007-09-24 14:55 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ioprivsg.exe.vir
2007-09-24 15:13 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pwdbjjsw.exe.vir
2007-09-24 15:19 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yfsatiqn.exe.vir
2007-09-24 16:32 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mafumuno.exe.vir
2007-09-24 17:16 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gglbakvc.exe.vir
2007-09-24 17:40 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kkuckfdm.exe.vir
2007-09-24 17:43 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oyemoouj.exe.vir
2007-09-24 18:18 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fhqorgso.exe.vir
2007-09-24 18:33 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\adyafaia.exe.vir
2007-09-25 13:44 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ptoyemjv.exe.vir
2007-09-25 14:04 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lkdlarcy.exe.vir
2007-09-25 14:47 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uxvmesfe.exe.vir
2007-09-25 14:57 1985092 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.bak2.vir
2007-09-25 14:59 75328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wtdlcvtv.exe.vir
2007-09-26 12:14 678 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-09-26 12:17 2254 --a------ C:\Qoobox\Quarantine\C\check_LSA7.txt.vir
2007-09-26 12:23 1982084 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uttss.ini2.vir
2007-09-26 12:23 2382 --a------ C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.dat
2007-09-26 12:23 832 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.dat
2007-09-26 12:23 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat
2007-09-26 12:23 862 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.dat
2007-09-26 12:24 560 --a------ C:\Qoobox\Quarantine\catchme.log
2007-09-26 12:24 845988 --a------ C:\Qoobox\Quarantine\catchme2007-09-26_122652.01.zip
Folder PATH listing
Volume serial number is A053-3E1D
C:\QOOBOX\QUARANTINE
|   catchme.log
|   catchme2007-09-26_122652.01.zip
|
+---C
|   |   check_LSA7.txt.vir
|   |
|   +---ComboFix
|   |       FProps.vbs.vir
|   |
|   +---DOCUME~1
|   |   \---Jeff
|   |       \---APPLIC~1
|   |               Sskdmns.dll.vir
|   |
|   \---WINDOWS
|       |   cookies.ini.vir
|       |
|       \---system32
|               adyafaia.exe.vir
|               eefwcuhv.exe.vir
|               fhqorgso.exe.vir
|               gglbakvc.exe.vir
|               ioprivsg.exe.vir
|               kkuckfdm.exe.vir
|               lkdlarcy.exe.vir
|               mafumuno.exe.vir
|               onhdmtkv.exe.vir
|               oyemoouj.exe.vir
|               ptoyemjv.exe.vir
|               pwdbjjsw.exe.vir
|               ssiednbq.exe.vir
|               ssttu.dll.vir
|               uttss.bak1.vir
|               uttss.bak2.vir
|               uttss.ini.vir
|               uttss.ini2.vir
|               uttss.tmp.vir
|               uxvmesfe.exe.vir
|               vtjdhdcl.exe.vir
|               wtdlcvtv.exe.vir
|               wvirqxwp.exe.vir
|               yfsatiqn.exe.vir
|               yuukvpbn.exe.vir
|               zxdnt3d.cfg.vir
|               _000008_.tmp.dll.vir
|               _000009_.tmp.dll.vir
|
+---H
|       Autorun.inf.vir
|
\---Registry_backups
        LEGACY_CMDSERVICE.reg.dat
        LEGACY_DOMAINSERVICE.reg.dat
        LEGACY_NETWORK_MONITOR.reg.dat
        services_DomainService.reg.dat
Recent HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:18 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\jeffree.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AF934DC-7451-4E66-B811-5ACDD0A40E07} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qqfebams.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85/AxisCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 3910 bytes