Avast WEBforum

Other => Viruses and worms => Topic started by: thughes4050 on December 30, 2007, 06:07:35 AM

Title: Recurring requests for reboot
Post by: thughes4050 on December 30, 2007, 06:07:35 AM
I am experiencing repeated requests for reboot from avast that are not associated with any virus alert, each time I start or restart my computer. What might be causing these requests?
Title: Re: Recurring requests for reboot
Post by: hap66 on December 30, 2007, 07:23:04 PM
I'm having the same problem; it just started this morning as well. Avast requests a reboot at startup; however, once the PC has rebooted I'm getting a warning, "avast has detected a change in a program, continuing can be dangerous", with this tag: "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
Title: Re: Recurring requests for reboot
Post by: Lisandro on December 30, 2007, 09:56:08 PM
Can you check your ashDisp properties and wait... It seems this problem requires an Alwil solution...
http://forum.avast.com/index.php?topic=32297.msg270107#msg270107
Title: Re: Recurring requests for reboot
Post by: hap66 on December 31, 2007, 01:49:50 AM
Not sure what to look for in the ashDisp properties, or even if I found them. But I tried some troubleshooting of my own: uninstalled and reinstalled avast!. After the initial scan it did still ask me to reboot again once it was finished, but the "modified ...ashDisp.exe program warning" didn't pop up. I also downloaded the tool from essexboy from your forum attachment, RenV.exe, and ran it; the log didn't show anything except the time and date it ran. Does that mean everything is fixed, or should I restore my system to before the infection?
Title: Re: Recurring requests for reboot
Post by: oldman on December 31, 2007, 03:19:04 AM
If the log didn't show anything, then you probably don't have any modified files.

I'd wait and see if the problem returns. System Restore may or may not be a solution, as it's not the entire system that is backed up, so you could end up at a previous point but with the same problem.

You can check your ashdisp at www.virustotal.com

If you have installed avast in the default location copy and paste this line into the submit box on their webpage

C:\Program Files\Alwil Software\Avast4\Ashdisp.exe
Title: Re: Recurring requests for reboot
Post by: thughes4050 on December 31, 2007, 04:10:03 AM
There are no warnings associated with my system; it simply tells me that avast needs to reboot. I tell it no and go about my business. Right now there doesn't seem to be any problems, additional warnings, or further avast activity.
Title: Re: Recurring requests for reboot
Post by: hap66 on December 31, 2007, 07:39:28 PM
Yeah, System Restore didn't work, not much change. avast! is still asking for a reboot at random times, but no more warnings about modified programs. I checked the ashDisp at VirusTotal and it came up with this:

File Ashdisp.exe received on 12.31.2007 19:12:14 (CET)
Antivirus Version Last Update Result

AhnLab-V3 2008.1.1.10 2007.12.31 -
AntiVir 7.6.0.46 2007.12.31 -
Authentium 4.93.8 2007.12.30 W32/Virtumonde.OQ  
Avast 4.7.1098.0 2007.12.31 -
AVG 7.5.0.516 2007.12.31 Dropper.Agent.GIT  
BitDefender 7.2 2007.12.31 Trojan.Dropper.Vundo.D
CAT-QuickHeal 9.00 2007.12.31 -
ClamAV 0.91.2 2007.12.31 Trojan.Dropper-3531  
DrWeb 4.44.0.09170 2007.12.31 Trojan.MulDrop.10006  
eSafe 7.0.15.0 2007.12.31 -
eTrust-Vet 31.3.5419 2007.12.31 Win32/Trats.A  
Ewido 4.0 2007.12.31 Dropper.Agent.dgo  
FileAdvisor 1 2007.12.31 -
Fortinet 3.14.0.0 2007.12.31 -
F-Prot 4.4.2.54 2007.12.31 W32/Virtumonde.OQ  
F-Secure 6.70.13030.0 2007.12.31 Trojan-Dropper.Win32.Agent.dgo  
Ikarus T3.1.1.15 2007.12.31 Trojan-Dropper.Win32.Agent.dgo  
Kaspersky 7.0.0.125 2007.12.31 Trojan-Dropper.Win32.Agent.dgo  
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.31 Virus:Win32/Trats.C
NOD32v2 2758 2007.12.31 Win32/TrojanDropper.Agent.DGO  
Norman 5.80.02 2007.12.31 -
Panda 9.0.0.4 2007.12.31 -
Prevx1 V2 2007.12.31 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2007.12.31 W32/VirtInf-B
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2007.12.31 W32.Trats!inf  
TheHacker 6.2.9.175 2007.12.29 -
VBA32 3.12.2.5 2007.12.29 Trojan-Dropper.Win32.Agent.dgo  
VirusBuster 4.3.26:9 2007.12.31 Win32.Trats.Gen  
Webwasher-Gateway 6.6.2 2007.12.31 -

Additional information
File size: 445952 bytes
MD5: 3d41044c8737ef95dbfa75c9647c36b5
SHA1: aa8fe969ece2211fc578f21d0df39cfffa20f7ff
PEiD: -

is this a bad thing?
Title: Re: Recurring requests for reboot
Post by: Lisandro on December 31, 2007, 07:54:41 PM
is this a bad thing?
Yes... you're infected with Virtumonde.
Maybe this help: http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=3
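To make the consensus in a pasted VirusTotal report explicit, here is an added example (not code from the forum, from avast or from VirusTotal) that parses the engine table copied from the post above and counts how many engines name the same family. The keyword list and the five-engine threshold are assumptions chosen for illustration.

```python
"""Consensus triage of a pasted VirusTotal report.
Added example for this thread; not code from the posters, avast or VirusTotal."""
import re
from collections import Counter

# Copied from the VirusTotal result posted above for Ashdisp.exe
# (MD5 3d41044c8737ef95dbfa75c9647c36b5).
VT_REPORT = """\
AhnLab-V3 2008.1.1.10 2007.12.31 -
AntiVir 7.6.0.46 2007.12.31 -
Authentium 4.93.8 2007.12.30 W32/Virtumonde.OQ
Avast 4.7.1098.0 2007.12.31 -
AVG 7.5.0.516 2007.12.31 Dropper.Agent.GIT
BitDefender 7.2 2007.12.31 Trojan.Dropper.Vundo.D
CAT-QuickHeal 9.00 2007.12.31 -
ClamAV 0.91.2 2007.12.31 Trojan.Dropper-3531
DrWeb 4.44.0.09170 2007.12.31 Trojan.MulDrop.10006
eSafe 7.0.15.0 2007.12.31 -
eTrust-Vet 31.3.5419 2007.12.31 Win32/Trats.A
Ewido 4.0 2007.12.31 Dropper.Agent.dgo
FileAdvisor 1 2007.12.31 -
Fortinet 3.14.0.0 2007.12.31 -
F-Prot 4.4.2.54 2007.12.31 W32/Virtumonde.OQ
F-Secure 6.70.13030.0 2007.12.31 Trojan-Dropper.Win32.Agent.dgo
Ikarus T3.1.1.15 2007.12.31 Trojan-Dropper.Win32.Agent.dgo
Kaspersky 7.0.0.125 2007.12.31 Trojan-Dropper.Win32.Agent.dgo
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.31 Virus:Win32/Trats.C
NOD32v2 2758 2007.12.31 Win32/TrojanDropper.Agent.DGO
Norman 5.80.02 2007.12.31 -
Panda 9.0.0.4 2007.12.31 -
Prevx1 V2 2007.12.31 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2007.12.31 W32/VirtInf-B
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2007.12.31 W32.Trats!inf
TheHacker 6.2.9.175 2007.12.29 -
VBA32 3.12.2.5 2007.12.29 Trojan-Dropper.Win32.Agent.dgo
VirusBuster 4.3.26:9 2007.12.31 Win32.Trats.Gen
Webwasher-Gateway 6.6.2 2007.12.31 -
"""

# engine  version  yyyy.mm.dd  result   ('-' means the engine saw nothing)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(\S+)\s*$")


def parse_virustotal(text):
    """Return (engine, result) tuples; result is None for a clean verdict."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, the 'Additional information' block
        engine, _version, _date, result = m.groups()
        rows.append((engine, None if result == "-" else result))
    return rows


def summarize(rows, keywords=("trats", "virtumonde", "vundo", "agent.dgo")):
    """Detection ratio plus how many engines agree on each family keyword
    (keyword list is an assumption for this example)."""
    hits = [(e, r) for e, r in rows if r is not None]
    families = Counter()
    for _engine, name in hits:
        lowered = name.lower()
        for kw in keywords:
            if kw in lowered:
                families[kw] += 1
    return {
        "engines": len(rows),
        "detections": len(hits),
        "families": dict(families),
        "silent": [e for e, r in rows if r is None],
    }


def verdict(summary, min_engines=5):
    """Treat the file as malicious once enough independent engines name it,
    regardless of what the locally installed scanner says about its own binary."""
    return summary["detections"] >= min_engines


if __name__ == "__main__":
    s = summarize(parse_virustotal(VT_REPORT))
    print(f"{s['detections']}/{s['engines']} engines flag the file; families: {s['families']}")
    print("installed scanner (Avast) silent:", "Avast" in s["silent"])
    print("malicious:", verdict(s))
```

The point worth noticing in the output is that the installed product, Avast, is among the silent engines while 17 of 32 others flag its own tray executable; the scanner whose files were overwritten is the one least able to judge them.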
Title: Re: Recurring requests for reboot
Post by: hap66 on January 01, 2008, 08:19:36 PM
Ran the Symantec tool, but it came up saying "Adware.VirtuMonde has not been found on your computer." I even checked the registry to delete the said subkeys, but none of the ones listed in the instructions were in there. Is there another way to fix this infection, and is it safe for me to do things like online banking on this computer?

And avast! isn't asking for reboot anymore.
Title: Re: Recurring requests for reboot
Post by: oldman on January 01, 2008, 09:32:02 PM
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Also download, but do not use yet:

You will also need HijackThis. Click here (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) to download HJTsetup.exe.
Title: Re: Recurring requests for reboot
Post by: hap66 on January 02, 2008, 08:59:10 PM
I ran the HJT program first then the ComboFix.
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:48 PM, on 1/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\USB Storage RW\udsi.exe
C:\Program Files\USB Storage RW\udsi .exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ps2 .exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09 .exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
F3 - REG:win.ini: load=C:\WINDOWS\System32\mljjj.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [28292d23] rundll32.exe "C:\WINDOWS\System32\mwsdeowj.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\csapsxui.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7195 bytes
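The running-processes list above shows ten executables twice, once as "name.exe" and once as "name .exe" with a space before the extension. As the ComboFix repair lines later in the thread confirm, the " .exe" copy is the untouched original and the "name.exe" copy is the infected one the Run key launches. The following is an added example (not from HijackThis, ComboFix or the posters) that finds such pairs in a pasted process list or, via scan_tree, on a live disk; the subset of paths embedded below is copied from the log above.

```python
"""Spot 'name .exe' shadow copies sitting next to 'name.exe'.
Added example for this thread; not code from avast, ComboFix or the posters."""
import ntpath  # Windows path rules, usable from any OS for log analysis
import os
import re
from collections import defaultdict

# Subset of the 'Running processes' section of the HijackThis log above.
RUNNING_PROCESSES = """\
C:\\WINDOWS\\system32\\winlogon.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
C:\\windows\\system\\hpsysdrv.exe
C:\\windows\\system\\hpsysdrv .exe
C:\\Program Files\\USB Storage RW\\udsi.exe
C:\\Program Files\\USB Storage RW\\udsi .exe
C:\\WINDOWS\\system32\\ps2.exe
C:\\WINDOWS\\system32\\ps2 .exe
C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp .exe
C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe
C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched .exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe
"""

# 'stem .exe': a space immediately before the extension is not something
# installers produce; in this thread it marks the original set aside by the infector.
SHADOW_RE = re.compile(r"^(?P<stem>.+?) (?P<ext>\.exe)$", re.IGNORECASE)


def shadow_pairs(paths):
    """Return (active, original) tuples where both 'name.exe' and 'name .exe'
    live in the same directory. 'active' is the copy the Run key launches."""
    by_key = defaultdict(dict)
    for p in paths:
        p = p.strip()
        if not p:
            continue
        directory, base = ntpath.split(p)
        m = SHADOW_RE.match(base)
        if m:
            key = (directory.lower(), (m.group("stem") + m.group("ext")).lower())
            by_key[key]["original"] = p
        else:
            key = (directory.lower(), base.lower())
            by_key[key]["active"] = p
    return [(v["active"], v["original"]) for v in by_key.values()
            if "active" in v and "original" in v]


def scan_tree(root):
    """Same check over a live directory tree (run this on the suspect machine)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(ntpath.join(dirpath, f) for f in files)
    return shadow_pairs(paths)


if __name__ == "__main__":
    for active, original in shadow_pairs(RUNNING_PROCESSES.splitlines()):
        print(f"suspect: {active}\n   kept: {original}")
```

A pair is a lead, not a verdict: hash both files and compare the "name.exe" copy against VirusTotal, as was done for ashDisp.exe above, before deciding which one is clean.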
Title: Re: Recurring requests for reboot
Post by: hap66 on January 02, 2008, 09:00:33 PM
And here is the ComboFix log:

ComboFix 08-01-03.1 - Owner 2008-01-02 12:27:21.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.1.1252.1.1033.18.141 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\hp\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\cnmmfopq.dll
C:\WINDOWS\system32\cyoiblgp.dll
C:\WINDOWS\system32\fmsvmkon.ini
C:\WINDOWS\system32\gvxmhyrj.dll
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\jdyopxfk.dll
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\jwoedswm.ini
C:\WINDOWS\system32\kfxpoydj.ini
C:\WINDOWS\system32\khfffff.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjj.exe
C:\WINDOWS\system32\mwsdeowj.dll
C:\WINDOWS\system32\nokmvsmf.dll
C:\WINDOWS\system32\ppnyddwd.dll
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RCX38.tmp
C:\WINDOWS\system32\RCX51.tmp
C:\WINDOWS\system32\RCX55.tmp
C:\WINDOWS\system32\RCX69.tmp
C:\WINDOWS\system32\RCX6A.tmp
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

Code:
"C:\hp\KBD\KBD .EXE" replaces infected copy of "C:\hp\KBD\KBD.EXE"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" replaces infected copy of "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"C:\Program Files\Common Files\Real\Update_OB\realsched .exe" replaces infected copy of "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe" replaces infected copy of "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"C:\Program Files\HP\hpcoretech\hpcmpmgr .exe" replaces infected copy of "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"C:\Program Files\Qwest\QuickCare\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe"
"C:\Program Files\USB Storage RW\udsi .exe" replaces infected copy of "C:\Program Files\USB Storage RW\udsi.exe"
"C:\WINDOWS\SMINST\RECGUARD .EXE" replaces infected copy of "C:\WINDOWS\SMINST\RECGUARD.EXE"
"C:\WINDOWS\system\hpsysdrv .exe" replaces infected copy of "C:\WINDOWS\system\hpsysdrv.exe"
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxtray .exe" replaces infected copy of "C:\WINDOWS\system32\igfxtray.exe"
"C:\WINDOWS\system32\ps2 .exe" replaces infected copy of "C:\WINDOWS\system32\ps2.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe" replaces infected copy of "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-12-03 to 2008-01-03  )))))))))))))))))))))))))))))))
.

2008-01-02 12:25 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-02 12:17 . 2008-01-02 12:17   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-31 11:16 . 2007-12-31 11:16   1,031,148   --ahs----   C:\WINDOWS\system32\orsqkgfx.ini
2007-12-30 11:57 . 2004-01-09 02:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2007-12-30 11:57 . 2007-12-04 05:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-12-30 11:57 . 2007-12-04 07:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-30 11:57 . 2007-12-04 07:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-30 11:57 . 2007-12-04 07:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-30 11:57 . 2007-12-04 07:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-30 09:57 . 2008-01-01 11:56   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2007-12-30 09:57 . 2008-01-01 11:56   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2007-12-30 09:57 . 2008-01-01 11:56   81,920   --a------   C:\WINDOWS\system32\ps2.exe
2007-12-30 09:57 . 2008-01-01 11:56   52,736   --a------   C:\WINDOWS\system\hpsysdrv.exe
2007-12-30 09:57 . 2008-01-03 12:33   182   --a------   C:\WINDOWS\system\hpsysdrv .DAT
2007-12-29 12:06 . 2007-12-29 12:06   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Motive
2007-12-27 14:42 . 2007-12-27 14:42   <DIR>   d--------   C:\Program Files\Google
2007-12-19 09:44 . 2007-12-26 23:41   43,520   --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-19 09:10 . 2007-12-19 09:10   94,208   --a------   C:\WINDOWS\DIIUnin.exe
2007-12-19 09:10 . 2007-12-19 09:44   35,759   --a------   C:\WINDOWS\DIIUnin.dat
2007-12-19 09:10 . 2007-12-19 09:10   2,829   --a------   C:\WINDOWS\DIIUnin.pif
2007-12-19 09:00 . 2007-12-27 23:41   <DIR>   d--------   C:\Program Files\Diablo II
2007-12-06 13:13 . 2007-12-06 13:13   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\VERITAS
2007-12-06 12:22 . 2007-12-06 12:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-06 00:34 . 2007-12-06 00:34   248   --a------   C:\WINDOWS\RomeTW.ini
2007-12-05 22:46 . 2007-12-15 12:02   <DIR>   d--------   C:\Program Files\Activision
2007-12-03 09:54 . 2007-12-03 09:54   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Corel

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 19:35   ---------   d-----w   C:\Program Files\USB Storage RW
2008-01-01 19:02   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSN6
2007-12-31 00:03   ---------   d-----w   C:\Program Files\AWS
2007-12-29 19:06   ---------   d-----w   C:\Program Files\Easy Internet signup
2007-12-16 16:46   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\U3
2007-12-15 19:39   163,644   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-15 19:37   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-05 06:14   ---------   d-----w   C:\Program Files\Common Files\Real
2007-12-05 06:13   ---------   d-----w   C:\Program Files\Real
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeAUM
2007-12-02 19:34   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-12-02 19:23   ---------   d-----w   C:\Program Files\Macromedia
2007-12-02 19:21   ---------   d-----w   C:\Program Files\Common Files\Macromedia
2007-12-01 18:43   ---------   d-----w   C:\Program Files\Common Files\Adobe Systems Shared
2007-12-01 18:43   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-01 18:39   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2007-11-30 05:39   ---------   d-----w   C:\Program Files\Western Digital Technologies
2007-11-30 05:23   ---------   d-----w   C:\Program Files\Rhapsody
2007-11-30 05:20   8,413   ----a-w   C:\WINDOWS\system32\drivers\mcstrm.sys
2007-11-30 04:47   ---------   d-----w   C:\Program Files\Hewlett-Packard
2007-11-30 04:46   ---------   d-----w   C:\Program Files\HP
2007-11-30 04:26   ---------   d-----w   C:\Program Files\Common Files\HP
2007-11-30 04:23   ---------   d-----w   C:\Program Files\Common Files\Hewlett-Packard
2007-11-29 20:51   ---------   d-----w   C:\Program Files\Alwil Software
2007-11-29 20:38   ---------   d-----w   C:\Program Files\MSN Messenger
2007-11-29 20:38   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSNInstaller
2007-11-29 20:36   ---------   d-----w   C:\Program Files\Qwest
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Common Files\supportsoft
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Actiontec
2007-11-29 20:31   ---------   d-----w   C:\Program Files\2Wire
2007-11-29 20:29   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\InstallShield
2007-11-29 09:02   ---------   d-----w   C:\Program Files\Quicken
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Symantec
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-11-29 09:01   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 08:04   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
.

Title: Re: Recurring requests for reboot
Post by: hap66 on January 02, 2008, 09:01:39 PM
more log:

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 11:44 831557 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-01-01 11:56 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-01 11:56 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-01 11:56 114688]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2008-01-01 11:56 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-01-01 11:56 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-01 11:56 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-01 11:56 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 11:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 11:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-01-01 11:56 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2008-01-01 11:56 198800]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2008-01-01 11:56 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-01 11:57 212992]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2008-01-01 11:57 229437]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2008-01-01 11:57 188416]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-01 11:57 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-01 11:57 79224]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 04:21:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-01 11:42:56]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 00:04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 22:07:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY37E3P1437A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY37E3P1437A
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 12:36:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-01-03 12:42:02 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-03 19:41:59
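In the Reg Loading Points section above, fifteen of the HKLM Run targets carry the same modification minute (2008-01-01 11:56 or 11:57) even though they belong to HP, Intel, Sonic, Qwest, Real and Alwil. The three NVIDIA entries share a minute too, but they all sit in one directory, which is what a single driver install looks like. The following is an added example (not ComboFix's code, nor the posters') that parses those lines, copied from the log above, and flags clusters that span several directories; the thresholds of three entries and three directories are assumptions for illustration.

```python
"""Cluster autorun targets by modification minute from a ComboFix
'Reg Loading Points' dump. Added example for this thread; not ComboFix code."""
import ntpath
import re
from collections import defaultdict

# Copied from the 'Reg Loading Points' section of the ComboFix log above.
REG_LOADING_POINTS = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"NVIEW"="nview.dll" [2003-03-03 11:44 831557 C:\\WINDOWS\\system32\\nview.dll]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" [2008-01-01 11:56 52736]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe" [2008-01-01 11:56 155648]
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe" [2008-01-01 11:56 114688]
"KYE_UDSI"="C:\\Program Files\\USB Storage RW\\udsi.exe" [2008-01-01 11:56 212992]
"KBD"="C:\\HP\\KBD\\KBD.EXE" [2008-01-01 11:56 61440]
"StorageGuard"="C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe" [2008-01-01 11:56 155648]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE" [2008-01-01 11:56 212992]
"NvCplDaemon"="C:\\WINDOWS\\System32\\NvCpl.dll" [2003-03-03 11:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 11:44 323584 C:\\WINDOWS\\system32\\nwiz.exe]
"PS2"="C:\\WINDOWS\\system32\\ps2.exe" [2008-01-01 11:56 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\\WINDOWS\\ALCXMNTR.EXE]
"QUICKCARE"="C:\\Program Files\\Qwest\\QuickCare\\bin\\sprtcmd.exe" [2008-01-01 11:56 198800]
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe" [2008-01-01 11:56 49152]
"HP Component Manager"="C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe" [2008-01-01 11:57 212992]
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe" [2008-01-01 11:57 229437]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe" [2008-01-01 11:57 188416]
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" [2008-01-01 11:57 185896]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" [2008-01-01 11:57 79224]
"""

HIVE_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="value" [yyyy-mm-dd hh:mm size resolved-path?]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s+'
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)(?: (?P<resolved>[^\]]+))?\]"
)


def parse_loading_points(text):
    """Return dicts with hive, value name, on-disk path, modification minute, size."""
    hive, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        h = HIVE_RE.match(line)
        if h:
            hive = h.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # ComboFix appends the resolved path when the value is a bare file name
        path = m.group("resolved") or m.group("value")
        entries.append({"hive": hive, "name": m.group("name"), "path": path,
                        "ts": m.group("ts"), "size": int(m.group("size"))})
    return entries


def timestamp_clusters(entries, min_entries=3, min_dirs=3):
    """Group autoruns by modification minute and flag groups that span several
    directories. One vendor's installer touches one tree; a file infector that
    walks the Run key rewrites targets from unrelated vendors in the same minute."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["ts"]].append(e)
    flagged = {}
    for ts, group in by_minute.items():
        dirs = {ntpath.dirname(e["path"]).lower() for e in group}
        if len(group) >= min_entries and len(dirs) >= min_dirs:
            flagged[ts] = sorted(e["name"] for e in group)
    return flagged


if __name__ == "__main__":
    for ts, names in timestamp_clusters(parse_loading_points(REG_LOADING_POINTS)).items():
        print(f"{ts}: {len(names)} autorun targets rewritten together: {', '.join(names)}")
```

The same heuristic applies to any autorun inventory that carries file timestamps (Autoruns exports, for instance); the shared minute is the lead, and the directory spread is what separates a mass infection from a vendor update.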
Title: Re: Recurring requests for reboot
Post by: oldman on January 02, 2008, 09:44:55 PM
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Quote
File::
C:\WINDOWS\system32\orsqkgfx.ini

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.

Run HJT after everything else is done.

Code:
"C:\hp\KBD\KBD .EXE" replaces infected copy of "C:\hp\KBD\KBD.EXE"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" replaces infected copy of "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"C:\Program Files\Common Files\Real\Update_OB\realsched .exe" replaces infected copy of "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe" replaces infected copy of "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01 .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"C:\Program Files\HP\hpcoretech\hpcmpmgr .exe" replaces infected copy of "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"C:\Program Files\Qwest\QuickCare\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe"
"C:\Program Files\USB Storage RW\udsi .exe" replaces infected copy of "C:\Program Files\USB Storage RW\udsi.exe"
"C:\WINDOWS\SMINST\RECGUARD .EXE" replaces infected copy of "C:\WINDOWS\SMINST\RECGUARD.EXE"
"C:\WINDOWS\system\hpsysdrv .exe" replaces infected copy of "C:\WINDOWS\system\hpsysdrv.exe"
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxtray .exe" replaces infected copy of "C:\WINDOWS\system32\igfxtray.exe"
"C:\WINDOWS\system32\ps2 .exe" replaces infected copy of "C:\WINDOWS\system32\ps2.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe" replaces infected copy of "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"


(http://img.photobucket.com/albums/v666/sUBs/RenV.gif)


Referring to the picture above, drag Log.txt onto RenV.exe and attach the resulting report to your reply.
Title: Re: Recurring requests for reboot
Post by: oldman on January 02, 2008, 10:19:56 PM
Hi hap66

Due to a change in the way ComboFix is handling this bug, you don't need to do the RenV part. Just came across this.
Title: Re: Recurring requests for reboot
Post by: hap66 on January 02, 2008, 10:23:36 PM
Here is the new ComboFix log:

ComboFix 08-01-03.1 - Owner 2008-01-03 14:14:36.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.1.1252.1.1033.18.233 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\WINDOWS\system32\orsqkgfx.ini
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\orsqkgfx.ini

.
(((((((((((((((((((((((((   Files Created from 2007-12-03 to 2008-01-03  )))))))))))))))))))))))))))))))
.

2008-01-02 12:25 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-02 12:17 . 2008-01-02 12:17   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-30 11:57 . 2004-01-09 02:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2007-12-30 11:57 . 2007-12-04 05:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-12-30 11:57 . 2007-12-04 07:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-30 11:57 . 2007-12-04 07:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-30 11:57 . 2007-12-04 07:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-30 11:57 . 2007-12-04 07:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-30 09:57 . 2008-01-01 11:56   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2007-12-30 09:57 . 2008-01-01 11:56   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2007-12-30 09:57 . 2008-01-01 11:56   81,920   --a------   C:\WINDOWS\system32\ps2.exe
2007-12-30 09:57 . 2008-01-01 11:56   52,736   --a------   C:\WINDOWS\system\hpsysdrv.exe
2007-12-30 09:57 . 2008-01-03 12:33   182   --a------   C:\WINDOWS\system\hpsysdrv .DAT
2007-12-29 12:06 . 2007-12-29 12:06   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Motive
2007-12-27 14:42 . 2007-12-27 14:42   <DIR>   d--------   C:\Program Files\Google
2007-12-19 09:44 . 2007-12-26 23:41   43,520   --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-19 09:10 . 2007-12-19 09:10   94,208   --a------   C:\WINDOWS\DIIUnin.exe
2007-12-19 09:10 . 2007-12-19 09:44   35,759   --a------   C:\WINDOWS\DIIUnin.dat
2007-12-19 09:10 . 2007-12-19 09:10   2,829   --a------   C:\WINDOWS\DIIUnin.pif
2007-12-19 09:00 . 2007-12-27 23:41   <DIR>   d--------   C:\Program Files\Diablo II
2007-12-06 13:13 . 2007-12-06 13:13   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\VERITAS
2007-12-06 12:22 . 2007-12-06 12:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-06 00:34 . 2007-12-06 00:34   248   --a------   C:\WINDOWS\RomeTW.ini
2007-12-05 22:46 . 2007-12-15 12:02   <DIR>   d--------   C:\Program Files\Activision
2007-12-03 09:54 . 2007-12-03 09:54   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Corel

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 21:13   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSN6
2008-01-03 19:35   ---------   d-----w   C:\Program Files\USB Storage RW
2007-12-31 00:03   ---------   d-----w   C:\Program Files\AWS
2007-12-29 19:06   ---------   d-----w   C:\Program Files\Easy Internet signup
2007-12-16 16:46   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\U3
2007-12-15 19:39   163,644   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-15 19:37   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-05 06:14   ---------   d-----w   C:\Program Files\Common Files\Real
2007-12-05 06:13   ---------   d-----w   C:\Program Files\Real
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeAUM
2007-12-02 19:34   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-12-02 19:23   ---------   d-----w   C:\Program Files\Macromedia
2007-12-02 19:21   ---------   d-----w   C:\Program Files\Common Files\Macromedia
2007-12-01 18:43   ---------   d-----w   C:\Program Files\Common Files\Adobe Systems Shared
2007-12-01 18:43   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-01 18:39   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2007-11-30 05:39   ---------   d-----w   C:\Program Files\Western Digital Technologies
2007-11-30 05:23   ---------   d-----w   C:\Program Files\Rhapsody
2007-11-30 05:20   8,413   ----a-w   C:\WINDOWS\system32\drivers\mcstrm.sys
2007-11-30 04:47   ---------   d-----w   C:\Program Files\Hewlett-Packard
2007-11-30 04:46   ---------   d-----w   C:\Program Files\HP
2007-11-30 04:26   ---------   d-----w   C:\Program Files\Common Files\HP
2007-11-30 04:23   ---------   d-----w   C:\Program Files\Common Files\Hewlett-Packard
2007-11-29 20:51   ---------   d-----w   C:\Program Files\Alwil Software
2007-11-29 20:38   ---------   d-----w   C:\Program Files\MSN Messenger
2007-11-29 20:38   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSNInstaller
2007-11-29 20:36   ---------   d-----w   C:\Program Files\Qwest
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Common Files\supportsoft
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Actiontec
2007-11-29 20:31   ---------   d-----w   C:\Program Files\2Wire
2007-11-29 20:29   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\InstallShield
2007-11-29 09:02   ---------   d-----w   C:\Program Files\Quicken
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Symantec
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-11-29 09:01   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 08:04   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
.

(((((((((((((((((((((((((((((   snapshot@2008-01-03_12.41.48.14   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-02 19:27:13   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-01-03 21:14:33   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
.
Title: Re: Recurring requests for reboot
Post by: hap66 on January 02, 2008, 10:24:06 PM
the rest of the log:

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 11:44 831557 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-01-01 11:56 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-01 11:56 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-01 11:56 114688]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2008-01-01 11:56 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-01-01 11:56 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-01 11:56 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-01 11:56 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 11:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 11:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-01-01 11:56 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2008-01-01 11:56 198800]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2008-01-01 11:56 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-01 11:57 212992]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2008-01-01 11:57 229437]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2008-01-01 11:57 188416]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-01 11:57 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-01 11:57 79224]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 04:21:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-01 11:42:56]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 00:04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 22:07:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY37E3P1437A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY37E3P1437A
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 14:15:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-01-03 14:16:48
ComboFix-quarantined-files.txt  2008-01-03 21:15:58
ComboFix2.txt  2008-01-03 19:42:02
Title: Re: Recurring requests for reboot
Post by: hap66 on January 02, 2008, 10:25:15 PM
And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:24 PM, on 1/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6263 bytes
Title: Re: Recurring requests for reboot
Post by: oldman on January 02, 2008, 10:37:06 PM
Well, that looks good from here. How is it at your end?
Title: Re: Recurring requests for reboot
Post by: Maxx_original on January 02, 2008, 11:29:26 PM
guys, I know that's quite an annoying problem (when avast executables are infected), essexboy reported it to me already... I'm collecting the samples and inspecting the relations between infected ashdisp and the infection dropper (that's the most important part, ashdisp can be repaired from setup, but we must stop the reinfecting)..
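An added example, not from this thread, from ComboFix or from Alwil: a small parser for the "Reg Loading Points" entries in hap66's ComboFix log above that groups the autostart executables by last-modified time. Maxx describes avast executables being infected, and in the log many unrelated binaries (hpsysdrv.exe, igfxtray.exe, hkcmd.exe, ps2.exe, udsi.exe, KBD.EXE, ashDisp.exe, ...) share a modification time of 2008-01-01 11:56-11:57. A heuristic a responder can run over such a log is to flag any cluster of entries touched inside one short window that spans several different directories; binaries from one driver package (the NVIDIA entries all at 2003-03-03 11:44 in system32) naturally share a time stamp but sit in one directory, so the directory-spread check keeps them out. The sample lines are copied from the posted log; the 5-minute window, the thresholds and the function names are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the HKLM/HKCU Run entries exactly as they
# appear in the ComboFix log posted in this thread.
SAMPLE_LOG = r'''
"NVIEW"="nview.dll" [2003-03-03 11:44 831557 C:\WINDOWS\system32\nview.dll]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-01-01 11:56 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-01 11:56 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-01 11:56 114688]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2008-01-01 11:56 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-01-01 11:56 61440]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 11:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 11:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-01-01 11:56 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-01 11:57 79224]
'''

# ComboFix prints each Run value as  "name"="value" [YYYY-MM-DD HH:MM size [fullpath]]
# The trailing full path is only present when the value itself is a bare file name.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s+'
    r'\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+)'
    r'(?:\s+(?P<full>[^\]]+))?\]\s*$'
)


def parse_entries(text):
    """Return one dict per Run entry: name, resolved path, mtime, size."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, anything we do not understand
        entries.append({
            "name": m.group("name"),
            "path": m.group("full") or m.group("value"),
            "mtime": datetime.strptime(m.group("stamp"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size")),
        })
    return entries


def _bucket(ts, window_minutes):
    """Floor a timestamp to the start of its window (assumed heuristic)."""
    return ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                      second=0, microsecond=0)


def _parent_dir(path):
    """Case-insensitive parent directory, since Windows paths are case-insensitive."""
    p = path.lower().replace("/", "\\")
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def find_suspicious_clusters(entries, window_minutes=5, min_entries=3, min_dirs=3):
    """Flag groups of autostart binaries modified within one window that live
    in several unrelated directories. One installer touching its own files in
    one directory is expected; a mass change across vendors is not."""
    groups = defaultdict(list)
    for e in entries:
        groups[_bucket(e["mtime"], window_minutes)].append(e)
    flagged = []
    for bucket, members in sorted(groups.items()):
        dirs = {_parent_dir(m["path"]) for m in members}
        if len(members) >= min_entries and len(dirs) >= min_dirs:
            flagged.append({
                "window_start": bucket.strftime("%Y-%m-%d %H:%M"),
                "names": [m["name"] for m in members],
                "distinct_dirs": len(dirs),
            })
    return flagged


if __name__ == "__main__":
    for c in find_suspicious_clusters(parse_entries(SAMPLE_LOG)):
        print(f"{c['window_start']}: {len(c['names'])} binaries in "
              f"{c['distinct_dirs']} directories -> {', '.join(c['names'])}")
```

Run against the sample, only the 2008-01-01 11:55 window is reported (seven binaries across five directories, ashDisp.exe among them); the three NVIDIA files share a time stamp but one directory and are left alone. Lowering `min_dirs` to 1 shows why that check matters: the NVIDIA group is then reported too. The heuristic is a triage aid for reading a log like this one, not a verdict; the files it points at are the ones worth hashing and submitting, as oldman asks for later in the thread.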
Title: Re: Recurring requests for reboot
Post by: oldman on January 02, 2008, 11:45:30 PM
Hi Maxx

Depending on how comfortable this user is with the process, I will try to retrieve a copy of the ashdisp file.
Title: Re: Recurring requests for reboot
Post by: hap66 on January 03, 2008, 12:31:01 AM
Everything looks great, even ran the Ashdisp.exe in VirusTotal, came up clean. Computer's running great, thank you for your help. Can these tools I have now (ComboFix/HJT) be used for other viruses or adware problems, if another infection happens in the future?
Title: Re: Recurring requests for reboot
Post by: Lisandro on January 03, 2008, 12:52:49 AM
Can these tools I have now (ComboFix/HJT) be used for other viruses or adware problems, if another infection happens in the future?
Most probably. Anyway, you can stay tuned to download new versions of them in the future (although they're not as frequently updated as an antivirus, of course).
Title: Re: Recurring requests for reboot
Post by: oldman on January 03, 2008, 02:11:00 AM
If you are up to it, I'd like you to submit a sample from the combofix quarantine.

Right click the "a" icon, click Start avast! Antivirus. Once the interface comes up, click on the chest, then the user section button.

Right click anywhere in the window and select add

Use the browse to navigate to the following folder

C:\QOOBOX\QUARANTINE\c\program files

In the right hand panel a list of files should appear with the added .vir extension.

Single click on each instance of ashdisp, click add each time.

Back in the chest right click on the file and select "Email to Alwil Software".

In the box that appears paste this line in

ATTN: Maxx

http://forum.avast.com/index.php?topic=32314.15

infected sample of ashdisp


Make sure the box beside MAPI is checked. click send. You can send only one sample per mail.

To remove the file from the chest, right click on it and select delete.

You will have to do this before we remove combofix.


Hijack this is ok to keep around, but combofix should be removed. It won't work after, I think it's 10 days. Tech wasn't quite right, combofix is updated constantly, sometimes daily, so the freshest version is best. And yes it can be used for other things, but is usually used in conjunction with other tools.




So we'll leave HJT and remove combofix. This will take the nasties with it.

Click start button, click run, copy and paste this line into the box

combofix /u


It looks like you are using windows firewall. It doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0
Title: Re: Recurring requests for reboot
Post by: hap66 on January 03, 2008, 04:28:22 AM
I don't know if I did it right. Found one ashDisp.exe.vir file that was in the ALWILS~1\avast4 folder, sent that file, was I supposed to send all the other .vir files from the other folders in the ...\program files folder? But I already uninstalled ComboFix so I guess that's it.

Thanks again for your help oldman and tech, and thanks for the firewall info.
Title: Re: Recurring requests for reboot
Post by: oldman on January 03, 2008, 05:00:41 AM
No, I think just the ashdisp file will be good enough, Alwil may not be able to do much with someone else's product. So go ahead and remove them from the chest. And thank you for taking the time to submit the file, it may save our butts down the road.

You're welcome and stay safe.  ;)


You should also do this

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

Remove old restore points

Disk Cleanup
- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one
Title: Re: Recurring requests for reboot
Post by: hap66 on January 03, 2008, 05:59:59 AM
cool good to know I could be of some help, and restore point made old ones deleted!  ;D