#1
Yet another...another "not a valid win32 program" (Resolved)

Yes, I used P2P. After reading other posts on this forum, I am uninstalling it after I fix my problem.
I can't even open HJT.exe without the error. No safe mode (unless I want BSOD). Any help would be much appreciated.
#2
Good to hear. Now on to repairs...

Make sure any antivirus or protective software is disabled before running ComboFix. Here is a tutorial for most programs. http://www.bleepingcomputer.com/forums/topic114351.html

Then download ComboFix.exe from HERE to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it). Just save it to your desktop as MyCombo.exe. Then click the MyCombo.exe file to run the repair. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop; however, given the infection there, ComboFix will likely cause a reboot in order to complete its repairs. (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver.)

Post back the C:\ComboFix.txt log
|
#3
|
|||
|
|||
|
It keeps giving me an error when I'm trying to post my log in copy/paste format (text only)...the error says something along the lines of new users aren't allowed to post URLs...I'm just trying to type text...
#4
ComboFix 08-03-22.1 - Tom 2008-03-23 0:43:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.384 [GMT -4:00]
Running from: C:\Documents and Settings\Tom\Desktop\MyCombo.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\33329024.exe
C:\WINDOWS\system32\drivers\down\33329905.exe
C:\WINDOWS\system32\drivers\down\33340681.exe
C:\WINDOWS\system32\drivers\down\33342524.exe
C:\WINDOWS\system32\drivers\down\33343535.exe
C:\WINDOWS\system32\drivers\down\33345448.exe
C:\WINDOWS\system32\drivers\down\33363283.exe
C:\WINDOWS\system32\drivers\down\33368120.exe
C:\WINDOWS\system32\drivers\down\33370684.exe
C:\WINDOWS\system32\drivers\down\33373638.exe
C:\WINDOWS\system32\drivers\down\33375691.exe
C:\WINDOWS\system32\drivers\down\33376472.exe
C:\WINDOWS\system32\drivers\down\33383052.exe
C:\WINDOWS\system32\drivers\down\33386146.exe
C:\WINDOWS\system32\drivers\down\33402079.exe
C:\WINDOWS\system32\drivers\down\33408458.exe
C:\WINDOWS\system32\drivers\down\33419344.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA

((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 00:05 . 2008-03-23 00:06 8,704 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-22 23:50 . 2008-03-22 23:50 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-03-22 23:49 . 2008-03-22 23:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-22 23:49 . 2008-03-22 23:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 23:35 . 2008-03-22 23:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 23:31 . 2008-03-22 23:33 <DIR> d-------- C:\sysclean
2008-03-19 11:45 . 2008-03-19 13:31 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Move Networks
2008-03-12 21:31 . 2008-03-12 21:31 <DIR> d-------- C:\Program Files\DNA
2008-03-12 21:31 . 2008-03-23 00:49 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\DNA
2008-03-02 19:43 . 2008-03-02 19:45 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\SecondLife
2008-03-02 19:40 . 2008-03-02 19:46 <DIR> d-------- C:\Program Files\SecondLife
2008-02-26 01:48 . 2008-03-09 04:53 <DIR> d-------- C:\Program Files\Dvd-cloner
2008-02-25 21:22 . 2008-02-25 21:22 <DIR> d-------- C:\Program Files\iPod
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-03-23 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 02:57 --------- d-----w C:\Program Files\eMule
2008-03-22 19:30 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-22 17:24 --------- d-----w C:\Documents and Settings\Tom\Application Data\AVG7
2008-03-20 04:20 --------- d-----w C:\Program Files\Safari
2008-03-19 13:05 --------- d-----w C:\Program Files\Java
2008-03-17 02:16 --------- d-----w C:\Documents and Settings\Tom\Application Data\BitTorrent
2008-03-13 01:31 --------- d-----w C:\Program Files\BitTorrent_DNA
2008-03-13 01:31 --------- d-----w C:\Documents and Settings\Tom\Application Data\BitTorrent DNA
2008-02-28 22:58 --------- d-----w C:\Program Files\AIM
2008-02-26 01:23 --------- d-----w C:\Program Files\iTunes
2008-02-26 01:20 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-08-18 09:53 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2007-01-22 23:31 1003520]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-03-12 21:31 287040]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 03:33 243248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41 860160]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 22:00 344064]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 11:19 94208]
"TpShocks"="TpShocks.exe" [2007-09-28 14:28 181544 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 23:00 856064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 19:07 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 19:07 512000]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 02:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 02:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 02:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 02:38 208896]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-23 00:46 579072]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-02-01 04:07 741376]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-02-01 04:07 86016]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 13:21 116224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-23 00:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-01-25 02:16:19 24576]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-01-04 12:07:10 629248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-02-01 04:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-11-30 21:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-09-28 17:29]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-09-28 17:28]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-02-01 04:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-02-01 04:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 02:38]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-02-01 04:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bedd9eae-5b60-11dc-9cfd-00054e45defe}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 13:38:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, (omitted for URL reasons/kellte2)
Rootkit scan 2008-03-23 00:52:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-23 0:56:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 04:56:20
.
2008-03-12 07:06:23 --- E O F ---
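Editor's note on reading the log above. The file deletions are the obvious part; the entries that say more about the state of the host are in the "Reg Loading Points" section: Security Center's antivirus warning is switched off (AntiVirusDisableNotify=1), the Windows Firewall is off for the standard profile (EnableFirewall=0), an executable sitting in the root of C: (StubInstaller.exe) has a firewall exception, a service (srosa, display name Megadrv3) is registered against an image file for which ComboFix recorded no timestamp, and a mountpoints2 entry carries an AutoRun command for a removable volume. The following Python is an added example, not part of this thread and not ComboFix code: it parses a constructed excerpt modelled on those log lines and flags each of those conditions. Which keys to watch and what counts as an unusual exception path are my own assumptions, not rules taken from the tool; the GloballyOpenPorts line in the sample is modelled on the third log in this thread.

```python
"""Triage a ComboFix-style log for entries that weaken host security.

Added example for this thread; it is not ComboFix code, and the heuristics
(which registry keys to watch, what counts as an odd firewall exception)
are assumptions made for illustration.
"""
import re

# Constructed excerpt modelled on the "Reg Loading Points" lines posted in
# this thread (the GloballyOpenPorts line is modelled on the third log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\StubInstaller.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8100:TCP"= 8100:TCP:Apache

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-09-28 17:29]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bedd9eae-5b60-11dc-9cfd-00054e45defe}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# ComboFix service line: <start type> <name>;<display name>;<image path> [<file timestamp>]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$"
)
# Assumption: firewall exceptions normally point under %windir% or Program Files;
# anything else (here, an executable in the root of C:) deserves a look.
EXPECTED_EXE_DIRS = re.compile(r"^(%windir%|c:\\program files)\\", re.IGNORECASE)


def reg_values(log):
    """Yield (key, value name, value data) for every quoted value under a [key] header."""
    key = None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value").strip()


def triage(log):
    """Return a list of human-readable findings for the security-relevant entries."""
    findings = []
    for key, name, value in reg_values(log):
        if key.endswith("security center") and name.endswith("DisableNotify"):
            if value.startswith("dword:") and int(value[len("dword:"):], 16) != 0:
                findings.append(f"Security Center alert suppressed: {name}")
        elif key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
            if value.split()[0] == "0":
                findings.append("Windows Firewall disabled (standard profile)")
        elif key.endswith(r"authorizedapplications\list"):
            path = name.replace("\\\\", "\\")  # the log doubles backslashes in these value names
            if not EXPECTED_EXE_DIRS.match(path):
                findings.append(f"Firewall exception for unusual path: {path}")
        elif key.endswith(r"globallyopenports\list"):
            findings.append(f"Port opened to all networks: {value}")
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m and not m.group("stamp"):
            # An empty [] means ComboFix recorded no timestamp for the image file.
            findings.append(
                f"Service {m.group('name')} ({m.group('display')}) has no file timestamp: {m.group('path')}"
            )
        elif r"\Shell\AutoRun\command" in line:
            findings.append(f"AutoRun command on a mounted volume: {line.split(' - ', 1)[1]}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports six findings and stays quiet about the ThinkPad driver and the Program Files / %windir% exceptions. The same heuristics applied to the full log would also pass over the vendor Run entries, which is the point: the question for a log like this is not "what got deleted" but "what is still switched off or still registered", and those are the lines to read before declaring a machine clean.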
#5
* Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the Quote box below:
Quote:
* Save this as CFScript.txt and place it on your desktop.
* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Next

Go HERE and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).
#6
It should be noted that I ran and reinstalled AVG before I began this last process of running the script that you sent me. It removed 4 items.

Here are the results of the script:

ComboFix 08-03-22.1 - Tom 2008-03-23 2:20:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.359 [GMT -4:00]
Running from: C:\Documents and Settings\Tom\Desktop\MyCombo.exe
Command switches used :: C:\Documents and Settings\Tom\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_srosa

((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 01:31 . 2008-03-23 01:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 01:31 . 2008-03-23 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-23 00:05 . 2008-03-23 00:06 8,704 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-22 23:50 . 2008-03-22 23:50 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-03-22 23:35 . 2008-03-22 23:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 23:31 . 2008-03-22 23:33 <DIR> d-------- C:\sysclean
2008-03-19 11:45 . 2008-03-19 13:31 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Move Networks
2008-03-12 21:31 . 2008-03-12 21:31 <DIR> d-------- C:\Program Files\DNA
2008-03-12 21:31 . 2008-03-23 02:24 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\DNA
2008-03-02 19:43 . 2008-03-02 19:45 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\SecondLife
2008-02-26 01:48 . 2008-03-09 04:53 <DIR> d-------- C:\Program Files\Dvd-cloner
2008-02-25 21:22 . 2008-02-25 21:22 <DIR> d-------- C:\Program Files\iPod
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-03-23 04:59 --------- d-----w C:\Documents and Settings\Tom\Application Data\AVG7
2008-03-23 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 02:57 --------- d-----w C:\Program Files\eMule
2008-03-22 19:30 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-20 04:20 --------- d-----w C:\Program Files\Safari
2008-03-19 13:05 --------- d-----w C:\Program Files\Java
2008-03-17 02:16 --------- d-----w C:\Documents and Settings\Tom\Application Data\BitTorrent
2008-03-13 01:31 --------- d-----w C:\Program Files\BitTorrent_DNA
2008-03-13 01:31 --------- d-----w C:\Documents and Settings\Tom\Application Data\BitTorrent DNA
2008-02-28 22:58 --------- d-----w C:\Program Files\AIM
2008-02-26 01:23 --------- d-----w C:\Program Files\iTunes
2008-02-26 01:20 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-08-18 09:53 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2007-01-22 23:31 1003520]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-03-12 21:31 287040]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 03:33 243248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41 860160]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 22:00 344064]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 11:19 94208]
"TpShocks"="TpShocks.exe" [2007-09-28 14:28 181544 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 23:00 856064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 19:07 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 19:07 512000]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 02:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 02:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 02:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 02:38 208896]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-23 00:58 579072]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-02-01 04:07 741376]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-02-01 04:07 86016]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 13:21 116224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-23 00:58 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-01-25 02:16:19 24576]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-01-04 12:07:10 629248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-02-01 04:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-11-30 21:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-09-28 17:29]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-09-28 17:28]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-02-01 04:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-02-01 04:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 02:38]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-02-01 04:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bedd9eae-5b60-11dc-9cfd-00054e45defe}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 13:38:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, (removed)
Rootkit scan 2008-03-23 02:27:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-23 2:30:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 06:30:16
ComboFix2.txt 2008-03-23 04:56:24
.
2008-03-12 07:06:23 --- E O F ---

Thanks so much for your help.
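Editor's note. The useful way to read a second ComboFix run is against the first one: which service registrations disappeared, which processes are back, and which deletions recur. Reading the two logs in this thread side by side, the srosa service is gone from the driver list, the AVG service processes (avgamsvr.exe, avgupsvc.exe) and wscntfy.exe are now running, and hldrrr.exe and srosa.sys are listed under "Other Deletions" in both runs. The following Python is an added example, not part of the thread and not ComboFix code; it does that comparison mechanically over constructed excerpts trimmed from the first and second logs above to the sections that changed. The section names and the line layout it relies on are exactly those visible in the posted logs.

```python
"""Compare two ComboFix-style logs to see what a remediation pass changed.

Added example for this thread, not ComboFix code. The excerpts below are
constructed from the first and second logs posted above, trimmed to the
sections that differ between the two runs.
"""
import re

BEFORE = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 02:38]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-02-01 04:07]
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
.
**************************************************************************
"""

AFTER = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 02:38]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-02-01 04:07]
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
"""

# ComboFix section headers are a title wrapped in runs of parentheses or dashes.
HEADER_RE = re.compile(r"^[-(]{3,}\s*(?P<title>.+?)\s*[-)]{3,}$")
# Service/driver lines start with the start type (R0, S1, ...) and the service name.
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);")


def extract(log):
    """Return the sets of deleted paths, registered services and running processes."""
    out = {"deletions": set(), "services": set(), "processes": set()}
    section = None
    for line in log.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue  # ComboFix separates blocks with lone dots
        m = HEADER_RE.match(line)
        if m:
            section = m.group("title").lower()
            continue
        if line.startswith("*"):
            section = None  # a row of asterisks closes the report sections
            continue
        m = SERVICE_RE.match(line)
        if m:
            out["services"].add(m.group("name"))
        elif section == "other deletions":
            out["deletions"].add(line)
        elif section == "other running processes":
            out["processes"].add(line)
    return out


def compare(before, after):
    """For each category, list what disappeared and what appeared between the runs."""
    a, b = extract(before), extract(after)
    return {
        cat: {"removed": sorted(a[cat] - b[cat]), "added": sorted(b[cat] - a[cat])}
        for cat in a
    }


if __name__ == "__main__":
    for cat, delta in compare(BEFORE, AFTER).items():
        print(cat, "removed:", delta["removed"])
        print(cat, "added:  ", delta["added"])
```

On these excerpts the comparison shows srosa leaving the service list and the three processes appearing, and it shows the deletions that are the same in both runs only by their absence from the "removed" and "added" lists. A deletion that has to be made twice (hldrrr.exe and srosa.sys here) is the kind of thing worth asking the helper about, since it means the file was either recreated between runs or re-listed from quarantine, and the log alone does not say which.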
#7
I can't run IE.
I get this error:

403 Forbidden
Forbidden
You don't have permission to access (URL address blocked)
--------------------------------------------------------------------------------
Apache Server at (URL address blocked)

UPDATE: I'm also unable to start Wireless Zero Configuration. When I try to launch it through the services menu, I get Error 1068: The dependency service or group failed to start. I also have noticed that Windows Firewall turns itself off every reboot. This virus really did a number on my system, geez.
#8
Let's do this again with a change.

* Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the Quote box below:
Quote:
* Save this as CFScript.txt and place it on your desktop.
* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
#9
ComboFix 08-03-22.1 - Tom 2008-03-23 11:32:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.352 [GMT -4:00]
Running from: C:\Documents and Settings\Tom\Desktop\MyCombo.exe
Command switches used :: C:\Documents and Settings\Tom\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE :: C:\WINDOWS\system32\notifyf2.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\notifyf2.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 11:20 . 2008-03-23 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-23 11:20 . 2008-03-23 11:20 <DIR> d-------- C:\bytes' Anti-Malware
2008-03-23 11:16 . 2008-03-23 11:16 <DIR> d-------- C:\HJT
2008-03-23 00:05 . 2008-03-23 00:06 8,704 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-22 23:50 . 2008-03-22 23:50 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-03-22 23:35 . 2008-03-22 23:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 23:31 . 2008-03-22 23:33 <DIR> d-------- C:\sysclean
2008-03-19 11:45 . 2008-03-19 13:31 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Move Networks
2008-03-12 21:31 . 2008-03-12 21:31 <DIR> d-------- C:\Program Files\DNA
2008-03-12 21:31 . 2008-03-23 11:33 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\DNA
2008-03-02 19:43 . 2008-03-02 19:45 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\SecondLife
2008-02-26 01:48 . 2008-03-09 04:53 <DIR> d-------- C:\Program Files\Dvd-cloner
2008-02-25 21:22 . 2008-02-25 21:22 <DIR> d-------- C:\Program Files\iPod
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-03-23 08:00 --------- d-----w C:\Documents and Settings\Tom\Application Data\AVG7
2008-03-23 06:41 --------- d-----w C:\Program Files\eMule
2008-03-23 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-22 19:30 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-20 04:20 --------- d-----w C:\Program Files\Safari
2008-03-19 13:05 --------- d-----w C:\Program Files\Java
2008-03-17 02:16 --------- d-----w C:\Documents and Settings\Tom\Application Data\BitTorrent
2008-03-13 01:31 --------- d-----w C:\Program Files\BitTorrent_DNA
2008-03-13 01:31 --------- d-----w C:\Documents and Settings\Tom\Application Data\BitTorrent DNA
2008-02-28 22:58 --------- d-----w C:\Program Files\AIM
2008-02-26 01:23 --------- d-----w C:\Program Files\iTunes
2008-02-26 01:20 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-08-18 09:53 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2007-01-22 23:31 1003520]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-03-12 21:31 287040]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 03:33 243248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41 860160]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 22:00 344064]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 11:19 94208]
"TpShocks"="TpShocks.exe" [2007-09-28 14:28 181544 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 23:00 856064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 19:07 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 19:07 512000]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 02:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 02:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 02:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 02:38 208896]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-23 00:58 579072]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-02-01 04:07 741376]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-02-01 04:07 86016]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 13:21 116224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-23 00:58 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-01-25 02:16:19 24576]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-01-04 12:07:10 629248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-02-01 04:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-11-30 21:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\bytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8100:TCP"= 8100:TCP:Apache

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-09-28 17:29]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-09-28 17:28]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-02-01 04:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-02-01 04:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 02:38]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-02-01 04:07]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 13:38:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, (redacted)
Rootkit scan 2008-03-23 11:35:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-03-23 11:35:50
ComboFix-quarantined-files.txt 2008-03-23 15:35:35
ComboFix2.txt 2008-03-23 06:30:19
ComboFix3.txt 2008-03-23 04:56:24
.
2008-03-12 07:06:23 --- E O F ---
