Author Topic: multiple problems including keyboard issues & browser hijack attempts  (Read 33015 times)


Meeme

  • Guest
Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #15 on: February 11, 2008, 08:54:11 AM »
As usual, I seem to have spoken too soon.
I did try to upload the file twice last night after replying to your previous message.
The first time, it said that zero bytes had uploaded, which I assume means that the upload was unsuccessful.
The second time I tried to upload, the file seemed to be gone! It is not there, but the file still shows up in the log.
Also, this morning when I opened the laptop there were more than a hundred applications open and more attempting to start.
I was unable to do anything and so I had to reboot. Now I am back to this (essentially where we started, I think).

I am at a loss. This thing is nastier than I could ever have imagined.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #16 on: February 11, 2008, 02:36:19 PM »
Don't worry about trying to submit the file for now.

I think you had a file running from a temp location and DSS cleaned out the temp files, so some of your problems were temporarily fixed.

Please run combofix and post the log.

Thanks

Meeme

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #17 on: February 11, 2008, 07:47:53 PM »
ComboFix 08-02.05.3 - Carrie 2008-02-10 17:28:35.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
Running from: C:\Documents and Settings\Carrie\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-01-10 to 2008-02-10  )))))))))))))))))))))))))))))))
.

2008-02-10 02:49 . 2008-02-10 02:49   <DIR>   d--------   C:\Deckard
2008-02-09 16:32 . 2008-02-09 16:36   <DIR>   d--------   C:\Documents and Settings\Carrie\.housecall6.6
2008-02-05 14:06 . 2008-02-05 14:06   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 14:05 . 2008-02-09 16:29   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-02-05 14:05 . 2008-02-05 14:05   <DIR>   d--------   C:\Documents and Settings\Carrie\Application Data\SUPERAntiSpyware.com
2008-02-05 13:56 . 2008-02-05 13:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 03:40 . 2008-01-30 03:40   <DIR>   d--------   C:\Program Files\Trend Micro
2008-01-30 01:38 . 2007-10-10 18:55   63,488   -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-20 01:29 . 2007-03-07 18:51   129,784   ---------   C:\WINDOWS\system32\pxafs.dll
2008-01-20 01:29 . 2007-03-07 18:51   9,464   ---------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-20 01:29 . 2007-03-07 18:51   9,336   ---------   C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 22:27   ---------   d-----w   C:\Program Files\Microsoft AntiSpyware
2008-02-10 19:40   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-02-05 19:02   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 00:27   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-01-20 06:33   ---------   d-----w   C:\Program Files\Winamp
2008-01-09 18:29   ---------   d-----w   C:\Program Files\Google
2008-01-05 20:55   ---------   d-----w   C:\Program Files\Juno
2007-12-30 18:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-12-29 21:15   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2005-06-30 02:47   192,424   -c--a-w   C:\Documents and Settings\Carrie\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 13:43   184,680   -c--a-w   C:\Documents and Settings\Carrie\Application Data\shb.dat
2005-04-24 23:34   92,047   ----a-w   C:\Documents and Settings\Carrie\png2ico-win-2002-12-08.zip
2005-02-16 11:59   12,930,019   ----a-w   C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_16_06_05_29.dmp.zip
2005-02-16 11:05   12,930,601   ----a-w   C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_16_05_42_42.dmp.zip
2005-02-16 10:42   12,933,522   ----a-w   C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_16_05_31_30.dmp.zip
2005-02-16 10:31   12,933,017   ----a-w   C:\WINDOWS\Internet Logs\zlclient_2nd_2005_02_15_23_16_02.dmp.zip
2005-02-11 14:22   140,288   -c--a-w   C:\WINDOWS\Internet Logs\xDB43.tmp
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 23:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-02-06 19:31 32881]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-30 22:25 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-30 22:23 614400]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TFNF5"="TFNF5.exe" [2003-07-18 20:41 73728 C:\WINDOWS\system32\TFNF5.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"TPSMain"="TPSMain.exe" [2003-09-25 13:19 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 11:39 159744]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [2004-02-04 08:43 1409024]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 04:36 86016]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [ ]
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2003-10-09 16:20 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-18 09:34 98304]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-06-24 14:24 473928]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51 172032]
"horygyxi"="C:\Program Files\WindowsUpdate\horygyxi22011.exe" [ ]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2005-02-04 18:32 135168]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 21:00 4861952]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 19:01 86073]
"TFncKy"="TFncKy.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-13 20:15:19 98304]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk.disabled [2007-06-02 18:01:28 1842]
j2 DllCmd 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe [2006-01-20 19:38:46 107008]
j2 Live Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe [2004-06-10 13:39:44 17408]
j2 Tray Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GTray.exe [2004-06-10 13:38:26 39936]
j2 Tray Menu 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GTray.exe [2006-01-20 19:38:47 500224]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 16:23:32 51776]

Meeme

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #18 on: February 11, 2008, 07:48:20 PM »
part 2:

RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-02-06 19:53:02 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\jkhebcy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"spc_w"="C:\Program Files\JUSearch\juspc.exe" -w

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"CamMonitor"=C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
"TomcatStartup"=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
"HPLJ Config"=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
"nwiz"=nwiz.exe /installquiet
"Share-to-Web Namespace Daemon"=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
"StatusClient"=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2004-02-04 04:08]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 20:38]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2004-02-02 22:05]
S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2003-09-16 11:47]
S3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\system32\DRIVERS\HSFHWCD2.sys [2004-04-27 13:23]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 12:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 00:20:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1087946104.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-01-08 00:14:00 C:\WINDOWS\Tasks\WebReg 20040630191426.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20040630191426 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 17:34:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 17:38:01
.
2008-02-09 21:33:26   --- E O F --- 
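The log above is the kind of thing a helper reads by eye for random-looking names and for entries ComboFix could not stat. As an added example (not part of this thread, and not ComboFix's own code), the Python below parses the "Reg Loading Points" block and applies three rules that are the author's assumptions: a `[ ]` or `[]` stat means the target was not on disk at scan time (that rule also fires on harmless leftovers such as SpyBlocker and on bare names such as TFncKy.exe, so it is a prompt to look, not a verdict), a letters-then-digits file name such as horygyxi22011.exe, and any non-empty AppInit_DLLs value. The sample lines are copied from the log posted above.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log.

Added example, not part of this thread and not ComboFix's own code. The
sample text is copied from the log posted above; the three rules are the
author's assumptions about what deserves a second look, not a verdict.
"""
import re

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
# ComboFix appends "[date time size]" for a file it found, "[ ]" or "[]" otherwise.
META_TAIL = re.compile(r'^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
# Assumed pattern for dropper-style names such as horygyxi22011.exe: letters, then 4+ digits.
GENERATED_NAME = re.compile(r'^[a-z]{5,}\d{4,}\.(?:exe|dll)$', re.IGNORECASE)

# Copied from the ComboFix log posted above (a representative subset).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [ ]
"horygyxi"="C:\Program Files\WindowsUpdate\horygyxi22011.exe" [ ]
"TFncKy"="TFncKy.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\jkhebcy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"spc_w"="C:\Program Files\JUSearch\juspc.exe" -w
"""


def split_value(rest):
    """Split the right-hand side of a value line into (path, meta).

    meta is '' for '[ ]' / '[]' (file not found), None when the line carries
    no bracketed stat at all (e.g. AppInit_DLLs or the msconfig 'run-' keys).
    """
    meta = None
    mm = META_TAIL.match(rest)
    if mm:
        rest, meta = mm.group('path'), mm.group('meta').strip()
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end > 0:
            rest = rest[1:end]  # drop the quotes and any trailing arguments
    return rest, meta


def parse_loading_points(text):
    """Yield (key, name, path, meta) for each value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_LINE.match(line)
        if km:
            key = km.group('key')
            continue
        vm = VALUE_LINE.match(line)
        if vm and key is not None:
            path, meta = split_value(vm.group('rest'))
            yield key, vm.group('name'), path, meta


def triage(text):
    """Return findings as dicts {key, name, path, reasons}; [] means nothing fired."""
    findings = []
    for key, name, path, meta in parse_loading_points(text):
        reasons = []
        if meta == '':
            # Target not on disk at scan time, or a bare name ComboFix could not resolve.
            reasons.append('file-missing')
        basename = path.replace('/', '\\').rsplit('\\', 1)[-1]
        if GENERATED_NAME.match(basename):
            reasons.append('generated-name')
        if name.lower() == 'appinit_dlls' and path:
            # AppInit_DLLs are loaded into every process that maps user32.dll.
            reasons.append('appinit-dll')
        if reasons:
            findings.append({'key': key, 'name': name, 'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(', '.join(f['reasons']).ljust(28), f['name'], '->', f['path'])
```

Run as a script it flags horygyxi (missing file and generated name), SpyBlocker and TFncKy (missing file only) and the jkhebcy.dll AppInit entry, and leaves the vendor Run entries alone. The msconfig-disabled `run-` entries carry no stat at all and are deliberately not flagged by the missing-file rule.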

Offline oldman

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #19 on: February 12, 2008, 05:47:26 AM »
Hi, sorry about the delay, but I'm up to my butt in snow.

Now to your problem. If I've got this straight, you left the laptop running and it went into hibernation; you opened it and all h--- had broken loose. If that's the case, let's take care of one thing that may be the source of some of this.

Open the Windows Control Panel
Double-click Power Options

Click the Hibernate tab, uncheck the 'Enable hibernate support' check box, and then click Apply.

Restart your computer. We can re-enable it when we are done.


Please rename combofix.exe to bugout.exe. When I ask you to run combofix, run the renamed exe.


Now we find where this one's living.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop. 
 
Quote
RegSearch Options File 
 
[Search] 

catchme.sys


[Exclude] 
 

[Options] 
Filter=KVDLUI
 

2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch
NOTE: it's important to get this information before running Avenger. If you are not sure that you set it up right or are having problems, please do not hesitate to ask.



Now let's see if we can get this guy's attention.

Please download The Avenger by Swandog46 to your Desktop.


    1.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Do not run it yet; first do this.

Open HJT, run a system scan only, and check-mark these lines if present:

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [horygyxi] C:\Program Files\WindowsUpdate\horygyxi22011.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: c:\windows\system32\jkhebcy.dll


Close all other browsers/windows, click fix, close HJT.

Now for Avenger

Quote
Drivers to unload:
catchme

Files to delete:
c:\docume~1\carrie\locals~1\temp\catchme.sys
c:\windows\system32\jkhebcy.dll



Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy/paste all the text in the above quote box into this window.
  • MAKE SURE THE TEXT MATCHES EXACTLY
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt

4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log


Then run the renamed combofix, followed by DSS. Please post the avenger results, the combofix and DSS logs, and the registry search results.

You can attach the logs by using the additional options button on the reply page. You may have to scroll down to see the browse button.
« Last Edit: February 12, 2008, 05:57:34 AM by oldman »

Meeme

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #20 on: February 13, 2008, 08:28:26 AM »
Here is the result

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2/13/2008 2:20:37 AM for strings:
;  'catchme.sys'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data 
; HKEY_LOCAL_MACHINE  HKEY_USERS 


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme]
; Contents of value:
;   \??\C:\DOCUME~1\Carrie\LOCALS~1\Temp\catchme.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
  55,00,4d,00,45,00,7e,00,31,00,5c,00,43,00,61,00,72,00,72,00,69,00,65,00,5c,\
  00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
  70,00,5c,00,63,00,61,00,74,00,63,00,68,00,6d,00,65,00,2e,00,73,00,79,00,73,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\catchme]
; Contents of value:
;   \??\C:\DOCUME~1\Carrie\LOCALS~1\Temp\catchme.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
  55,00,4d,00,45,00,7e,00,31,00,5c,00,43,00,61,00,72,00,72,00,69,00,65,00,5c,\
  00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
  70,00,5c,00,63,00,61,00,74,00,63,00,68,00,6d,00,65,00,2e,00,73,00,79,00,73,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme]
; Contents of value:
;   \??\C:\DOCUME~1\Carrie\LOCALS~1\Temp\catchme.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
  55,00,4d,00,45,00,7e,00,31,00,5c,00,43,00,61,00,72,00,72,00,69,00,65,00,5c,\
  00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
  70,00,5c,00,63,00,61,00,74,00,63,00,68,00,6d,00,65,00,2e,00,73,00,79,00,73,\
  00,00,00

; End Of The Log...
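Registry Search exports REG_EXPAND_SZ data as `hex(2):` byte pairs, which is UTF-16LE with a terminating NUL, so the path is only readable through the `; Contents of value:` comment the tool adds. As an added example (not part of this thread, and not Registry Search's own code), the Python below parses a .reg export, joins the backslash-continued lines, decodes hex(1)/hex(2) to a string and hex(7) to a list, and strips the `\??\` object-manager prefix that a driver ImagePath carries. The catchme block is copied from the result above; the `Example\Deps` value is constructed here to show the multi-string case.

```python
"""Decode hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) data from a .reg export.

Added example, not part of the thread and not Registry Search's own code. The
catchme block below is copied from the search result posted above; the
"Deps" value under a made-up 'Example' service is constructed to show the
multi-string case.
"""
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<type>[0-9a-fA-F]+)\):(?P<data>.*)$')

SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme]
; Contents of value:
;   \??\C:\DOCUME~1\Carrie\LOCALS~1\Temp\catchme.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
  55,00,4d,00,45,00,7e,00,31,00,5c,00,43,00,61,00,72,00,72,00,69,00,65,00,5c,\
  00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
  70,00,5c,00,63,00,61,00,74,00,63,00,68,00,6d,00,65,00,2e,00,73,00,79,00,73,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Example]
"Deps"=hex(7):61,00,00,00,62,00,00,00,00,00
"""


def parse_reg_hex_values(text):
    """Return {key: {value_name: decoded}} for every hex(N): value in a .reg file.

    hex(1)/hex(2) decode to one string, hex(7) to a list of strings; any other
    type is returned as raw bytes. Lines ending in a backslash are continued.
    """
    result = {}
    key = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            result.setdefault(key, {})
            continue
        hm = HEX_RE.match(line)
        if not hm or key is None:
            continue
        data = hm.group('data').strip()
        while data.endswith('\\'):  # join continuation lines
            data = data[:-1] + next(lines, '').strip()
        raw = bytes(int(b, 16) for b in data.split(',') if b.strip())
        vtype = int(hm.group('type'), 16)
        if vtype in (1, 2):  # REG_SZ / REG_EXPAND_SZ: one NUL-terminated UTF-16LE string
            value = raw.decode('utf-16-le').rstrip('\x00')
        elif vtype == 7:     # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
            value = [s for s in raw.decode('utf-16-le').split('\x00') if s]
        else:
            value = raw
        result[key][hm.group('name')] = value
    return result


def to_win32_path(nt_path):
    """Strip the \\??\\ object-manager prefix a driver ImagePath carries."""
    return nt_path[4:] if nt_path.startswith('\\??\\') else nt_path


def service_image_paths(parsed):
    """Map service name -> Win32 path for every ...\\Services\\<name> key with an ImagePath."""
    out = {}
    for key, values in parsed.items():
        if 'ImagePath' in values and '\\Services\\' in key:
            out[key.rsplit('\\', 1)[-1]] = to_win32_path(values['ImagePath'])
    return out


if __name__ == '__main__':
    for name, path in service_image_paths(parse_reg_hex_values(SAMPLE_REG)).items():
        print(name, '->', path)
```

The decoded ImagePath matches the comment Registry Search printed, which is the check worth making before acting on a search hit: the comment is the tool's interpretation, the hex is what the registry holds.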

Offline oldman

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #21 on: February 13, 2008, 08:39:17 AM »
Perfect. It's past my bedtime now, but please continue and post the logs.

Please do all the steps.

Thanks.

Meeme

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #22 on: February 15, 2008, 03:18:04 AM »
I cannot select additional options when my computer is on the fritz.
That is why I have been pasting the contents of the logs instead of attaching.
When I try to click the "additional options" link, a new blank window opens.
Here is the combofix log (part one):

2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\wd11
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\vb6
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\kp9
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\bk5
2008-02-14 09:33 . 2008-02-14 09:36   <DIR>   d--------   C:\Program Files\RABCO
2008-02-14 09:29 . 2008-02-14 09:29   483,406   --a------   C:\TEMP\chtOna0119.exe
2008-02-14 09:28 . 2008-02-14 09:28   <DIR>   d--------   C:\WINDOWS\system32\nGpxx01
2008-02-14 09:28 . 2008-02-14 09:29   <DIR>   d--------   C:\TEMP\isgTi19
2008-02-13 11:20 . 2004-08-04 02:56   388,608   --a------   C:\kmd.exe
2008-02-11 12:42 . 2008-02-11 12:42   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-02-11 12:42 . 2008-02-11 12:42   1,409   --a------   C:\WINDOWS\QTFont.for
2008-02-11 12:40 . 2008-02-11 13:25   <DIR>   d--------   C:\ComboFix
2008-02-10 02:49 . 2008-02-10 02:49   <DIR>   d--------   C:\Deckard
2008-02-09 16:32 . 2008-02-09 16:36   <DIR>   d--------   C:\Documents and Settings\Carrie\.housecall6.6
2008-02-05 14:06 . 2008-02-05 14:06   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 14:05 . 2008-02-11 12:47   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-02-05 14:05 . 2008-02-05 14:05   <DIR>   d--------   C:\Documents and Settings\Carrie\Application Data\SUPERAntiSpyware.com
2008-02-05 13:56 . 2008-02-05 13:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 03:40 . 2008-01-30 03:40   <DIR>   d--------   C:\Program Files\Trend Micro
2008-01-30 01:38 . 2007-10-10 18:55   63,488   -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-20 01:29 . 2007-03-07 18:51   129,784   --a------   C:\WINDOWS\system32\pxafs.dll
2008-01-20 01:29 . 2007-03-07 18:51   9,464   --a------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-20 01:29 . 2007-03-07 18:51   9,336   --a------   C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 20:59   ---------   d-----w   C:\Program Files\Microsoft AntiSpyware
2008-02-10 19:40   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-02-05 19:02   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 00:27   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-01-20 06:33   ---------   d-----w   C:\Program Files\Winamp
2008-01-09 18:29   ---------   d-----w   C:\Program Files\Google
2008-01-05 20:55   ---------   d-----w   C:\Program Files\Juno
2007-12-30 18:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-12-29 21:15   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2005-06-30 02:47   192,424   -c--a-w   C:\Documents and Settings\Carrie\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 13:43   184,680   -c--a-w   C:\Documents and Settings\Carrie\Application Data\shb.dat
2005-04-24 23:34   92,047   ----a-w   C:\Documents and Settings\Carrie\png2ico-win-2002-12-08.zip
.

Meeme

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #23 on: February 15, 2008, 03:20:08 AM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
2008-01-30 14:02   414992   --a------   C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECC79C4F-7986-4420-B111-27DBFFEBD2A8}]
2008-02-07 20:07   217088   --a------   C:\Program Files\Windows Media Player\qasuza89104.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 23:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-02-06 19:31 32881]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-30 22:25 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-30 22:23 614400]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TFNF5"="TFNF5.exe" [2003-07-18 20:41 73728 C:\WINDOWS\system32\TFNF5.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"TPSMain"="TPSMain.exe" [2003-09-25 13:19 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 11:39 159744]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [2004-02-04 08:43 1409024]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 04:36 86016]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [ ]
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2003-10-09 16:20 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-18 09:34 98304]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-06-24 14:24 473928]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51 172032]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2005-02-04 18:32 135168]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 21:00 4861952]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 19:01 86073]
"TFncKy"="TFncKy.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\Carrie\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-14 09:33:27 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-13 20:15:19 98304]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk.disabled [2007-06-02 18:01:28 1842]
j2 DllCmd 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe [2006-01-20 19:38:46 107008]
j2 Live Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe [2004-06-10 13:39:44 17408]
j2 Tray Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GTray.exe [2004-06-10 13:38:26 39936]
j2 Tray Menu 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GTray.exe [2006-01-20 19:38:47 500224]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 16:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-02-06 19:53:02 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"= C:\WINDOWS\system32\hggfgfe.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"spc_w"="C:\Program Files\JUSearch\juspc.exe" -w

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"CamMonitor"=C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
"TomcatStartup"=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
"HPLJ Config"=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
"nwiz"=nwiz.exe /installquiet
"Share-to-Web Namespace Daemon"=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
"StatusClient"=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2004-02-04 04:08]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 20:38]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2004-02-02 22:05]
S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2003-09-16 11:47]
S3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\system32\DRIVERS\HSFHWCD2.sys [2004-04-27 13:23]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 12:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 00:20:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1087946104.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-02-13 00:14:00 C:\WINDOWS\Tasks\WebReg 20040630191426.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20040630191426 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 15:59:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2008-02-14 16:03:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-14 21:03:44
ComboFix2.txt  2008-02-13 16:28:00
ComboFix3.txt  2008-02-11 18:25:34
ComboFix4.txt  2008-02-10 22:38:02
.
2008-02-09 21:33:26   --- E O F --- 
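Between the ComboFix run posted in Reply #17 and this one, the "Files Created" list has grown: several directories appeared under system32 within the same minute. As an added example (not part of this thread, and not ComboFix's own code), the Python below parses that section from both logs, lists entries new since the earlier run (matched by path, so the changed timestamps on SUPERAntiSpyware and pxafs.dll do not count as new), groups them by creation minute to expose bursts, and picks out short random-looking directory names directly under system32. The log lines are copied from the two runs above; the burst threshold and the name pattern are the author's assumptions.

```python
"""Compare the 'Files Created' sections of two ComboFix runs.

Added example, not part of the thread and not ComboFix's own code. OLD_LOG
and NEW_LOG are copied from the two logs posted above (the Feb 10 and Feb 14
runs); the burst threshold and the short-name pattern are the author's
assumptions.
"""
import re
from collections import defaultdict

ENTRY = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)'
    r'\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
# Assumed: a two-to-six-letter stem plus a few digits, e.g. wd11, kp9, nGpxx01
SHORT_RANDOM_DIR = re.compile(r'^[A-Za-z]{2,6}\d{1,3}$')

OLD_LOG = r"""
2008-02-10 02:49 . 2008-02-10 02:49   <DIR>   d--------   C:\Deckard
2008-02-09 16:32 . 2008-02-09 16:36   <DIR>   d--------   C:\Documents and Settings\Carrie\.housecall6.6
2008-02-05 14:05 . 2008-02-09 16:29   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-20 01:29 . 2007-03-07 18:51   129,784   ---------   C:\WINDOWS\system32\pxafs.dll
"""

NEW_LOG = r"""
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\wd11
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\vb6
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\kp9
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\bk5
2008-02-14 09:33 . 2008-02-14 09:36   <DIR>   d--------   C:\Program Files\RABCO
2008-02-14 09:29 . 2008-02-14 09:29   483,406   --a------   C:\TEMP\chtOna0119.exe
2008-02-14 09:28 . 2008-02-14 09:28   <DIR>   d--------   C:\WINDOWS\system32\nGpxx01
2008-02-14 09:28 . 2008-02-14 09:29   <DIR>   d--------   C:\TEMP\isgTi19
2008-02-13 11:20 . 2004-08-04 02:56   388,608   --a------   C:\kmd.exe
2008-02-10 02:49 . 2008-02-10 02:49   <DIR>   d--------   C:\Deckard
2008-02-09 16:32 . 2008-02-09 16:36   <DIR>   d--------   C:\Documents and Settings\Carrie\.housecall6.6
2008-02-05 14:05 . 2008-02-11 12:47   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-20 01:29 . 2007-03-07 18:51   129,784   --a------   C:\WINDOWS\system32\pxafs.dll
"""


def parse_files_created(text):
    """Return one dict per 'created . modified size attrs path' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e['is_dir'] = e['size'] == '<DIR>'
            entries.append(e)
    return entries


def new_since(old_text, new_text):
    """Entries in the newer log whose path does not appear in the older one."""
    seen = {e['path'].lower() for e in parse_files_created(old_text)}
    return [e for e in parse_files_created(new_text) if e['path'].lower() not in seen]


def bursts(entries, min_count=3):
    """Group entries by creation minute; keep minutes with min_count or more."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e['created']].append(e['path'])
    return {minute: paths for minute, paths in by_minute.items() if len(paths) >= min_count}


def odd_system32_dirs(entries):
    """Directories created directly under system32 with short random-looking names."""
    hits = []
    for e in entries:
        parent, _, name = e['path'].rpartition('\\')
        if e['is_dir'] and parent.lower().endswith('\\windows\\system32') \
                and SHORT_RANDOM_DIR.match(name):
            hits.append(e['path'])
    return hits


if __name__ == '__main__':
    fresh = new_since(OLD_LOG, NEW_LOG)
    for minute, paths in bursts(fresh).items():
        print(minute, len(paths), 'items created in one minute')
    for path in odd_system32_dirs(fresh):
        print('short random dir:', path)
```

On this pair of logs the burst is the 09:33 minute (four system32 directories plus RABCO), and the short-name rule picks up those four and nGpxx01 from 09:28; everything that was already present on Feb 10 drops out of the comparison even where its modified time moved.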

Meeme

Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #24 on: February 15, 2008, 03:28:22 AM »
Here is part one of Deckard's.

Deckard's System Scanner v20071014.68
Run by Carrie on 2008-02-14 21:07:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Carrie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:45 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Carrie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Carrie.exe


Meeme
Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #25 on: February 15, 2008, 03:29:46 AM »
Part two of Deckard's:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: (no name) - {ECC79C4F-7986-4420-B111-27DBFFEBD2A8} - C:\Program Files\Windows Media Player\qasuza89104.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Live Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GTray.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


Meeme
Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #26 on: February 15, 2008, 03:30:27 AM »
Part three of Deckard's:


--
End of file - 9838 bytes

-- Files created between 2008-01-14 and 2008-02-14 -----------------------------

2008-02-14 09:33:53         0 d-------- C:\Program Files\RABCO
2008-02-14 09:33:23         0 d-------- C:\WINDOWS\system32\wd11
2008-02-14 09:33:23         0 d-------- C:\WINDOWS\system32\kp9
2008-02-14 09:33:11         0 d-------- C:\WINDOWS\system32\vb6
2008-02-14 09:33:11         0 d-------- C:\WINDOWS\system32\bk5
2008-02-14 09:28:48         0 d-------- C:\WINDOWS\system32\nGpxx01
2008-02-10 17:27:38     68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-10 17:27:38     98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-10 17:27:38     80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-10 17:27:38     73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-09 16:32:52         0 d-------- C:\Documents and Settings\Carrie\.housecall6.6
2008-02-05 14:06:00         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 14:05:47         0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-05 14:05:46         0 d-------- C:\Documents and Settings\Carrie\Application Data\SUPERAntiSpyware.com
2008-02-05 13:56:45         0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 03:40:56         0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-02-14 15:59:05         0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-02-10 14:40:02         0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 14:02:24         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 19:27:24         0 d-------- C:\Program Files\SpywareBlaster
2008-01-20 01:33:24         0 d-------- C:\Program Files\Winamp
2008-01-09 13:29:10         0 d-------- C:\Program Files\Google
2008-01-05 15:55:20         0 d-------- C:\Program Files\Juno
2007-12-29 16:15:57         0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
01/30/2008 02:02 PM   414992   --a------   C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECC79C4F-7986-4420-B111-27DBFFEBD2A8}]
02/07/2008 08:07 PM   217088   --a------   C:\Program Files\Windows Media Player\qasuza89104.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [04/15/2003 11:01 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 11:28 PM C:\WINDOWS\system32\000StTHK.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [02/06/2004 07:31 PM]
"AGRSMMSG"="AGRSMMSG.exe" [04/18/2003 02:20 PM C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05/30/2003 10:25 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/30/2003 10:23 PM]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [01/21/2003 09:00 PM]
"TFNF5"="TFNF5.exe" [07/18/2003 08:41 PM C:\WINDOWS\system32\TFNF5.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 01:29 PM]
"TPSMain"="TPSMain.exe" [09/25/2003 01:19 PM C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [10/20/2003 11:39 AM]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [02/04/2004 08:43 AM]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [12/10/2003 04:36 AM]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" []
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [10/09/2003 04:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/18/2004 09:34 AM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [06/24/2005 02:24 PM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 03:51 AM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [02/04/2005 06:32 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [09/24/2003 09:00 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [08/03/2003 07:01 PM]
"TFncKy"="TFncKy.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 06:24 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\Carrie\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2/14/2008 9:33:27 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [6/13/2004 8:15:19 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
HP Digital Imaging Monitor.lnk.disabled [6/2/2007 6:01:28 PM]
j2 DllCmd 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe [1/20/2006 7:38:46 PM]
j2 Live Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe [6/10/2004 1:39:44 PM]
j2 Tray Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GTray.exe [6/10/2004 1:38:26 PM]
j2 Tray Menu 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GTray.exe [1/20/2006 7:38:47 PM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [8/6/2003 4:23:32 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/6/2004 7:53:02 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
"{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"= C:\WINDOWS\system32\hggfgfe.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 12/16/2003 06:49 PM 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"spc_w"="C:\Program Files\JUSearch\juspc.exe" -w

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"CamMonitor"=C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
"TomcatStartup"=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
"HPLJ Config"=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
"nwiz"=nwiz.exe /installquiet
"Share-to-Web Namespace Daemon"=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
"StatusClient"=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-02-14 21:08:25 ------------

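The HijackThis and DSS logs above are the raw material of the triage being done by hand in this thread. As an added example (not HijackThis, DSS or the forum's own code), here is a small Python parser for the HJT entry lines and DSS registry-dump lines of the kinds shown in the posts above, with three heuristics applied: O15 trusted-zone additions outside a hypothetical allow-list, binaries whose name is a run of letters followed by a run of digits (the pattern of qasuza89104.dll and chtOna0119.exe), and startup items under C:\TEMP. It also flags DSS registry-dump entries whose bracketed timestamp/size is empty (as with hggfgfe.dll above), which is taken here as a sign the file was not on disk when DSS ran; that reading, the heuristics and the allow-list are all assumptions for illustration, not rules from any of those tools. The sample lines are constructed from the formats in the thread; the O4 entry pointing at C:\TEMP\chtOna0119.exe is invented for the example (the thread only names that file as a VirusTotal submission).

```python
"""Triage helper for HijackThis (HJT) and Deckard's System Scanner (DSS)
log lines. Added example for this page, not code from HJT, DSS or the forum.
The heuristics below are assumptions chosen for illustration."""
import re

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{4,}\d{4,}$")        # e.g. qasuza89104
UNRESOLVED_RE = re.compile(r'([A-Za-z]:\\.*?)"?\s*\[\s*\]$')  # DSS path followed by "[ ]"
TRUSTED_ZONE_ALLOW = {"*.microsoft.com"}     # hypothetical allow-list (assumption)
PATH_KINDS = {"O2", "O3", "O9", "O20", "O23"}  # entries whose last " - " field is a path

# Constructed sample in the formats shown in the thread; the chtOna O4 line is invented.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ECC79C4F-7986-4420-B111-27DBFFEBD2A8} - C:\Program Files\Windows Media Player\qasuza89104.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [chtOna] C:\TEMP\chtOna0119.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.amaena.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"= C:\WINDOWS\system32\hggfgfe.dll [ ]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" []
"""


def extract_path(kind, body):
    """Return the on-disk target an HJT entry refers to, or None if it has none."""
    if kind == "O4":
        m = re.search(r"\]\s+(.*)$", body)          # text after the [name] tag
        if not m:
            return None
        target = m.group(1).strip()
        if target.startswith('"'):                   # quoted path, arguments follow the quote
            return target[1:].split('"', 1)[0]
        return re.split(r"\s+[-/]", target)[0]       # unquoted path, strip "/run"-style args
    if kind in PATH_KINDS:
        tail = body.rsplit(" - ", 1)[-1].strip()
        return None if tail == "(no file)" else tail
    return None


def path_findings(path):
    """Filename heuristics on one path; returns a list of (category, path)."""
    out = []
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if RANDOM_STEM_RE.match(stem):
        out.append(("random-name", path))
    if path.upper().startswith("C:\\TEMP\\"):
        out.append(("temp-location", path))
    return out


def triage(text):
    """Walk HJT/DSS lines and collect (category, detail) items worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # DSS registry dump: empty "[ ]" after the path = no timestamp/size available
            u = UNRESOLVED_RE.search(line)
            if u:
                findings.append(("unresolved-file", u.group(1)))
                findings.extend(path_findings(u.group(1)))
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O15":
            domain = body.split(":", 1)[1].strip()
            if domain not in TRUSTED_ZONE_ALLOW:
                findings.append(("trusted-zone", domain))
            continue
        path = extract_path(kind, body)
        if path:
            findings.extend(path_findings(path))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:16} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it directly to print the findings for the sample, or pass a whole log's text to `triage()`. The output is a list of things to check, not a verdict: SpyBlocker's entry is flagged only because DSS had no file data for it, and a random-looking filename is a reason to look the file up on VirusTotal before putting it in a fix script.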

oldman
Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #27 on: February 15, 2008, 04:45:50 AM »
Have you done the avenger yet? If so, may I see the results?


Please submit these files for analysis.

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):

C:\TEMP\chtOna0119.exe

Scroll down a bit and click "Send file", wait for the results and post them in your next reply.

Open HJT, run a system scan only, and check-mark these lines if present:

O2 - BHO: (no name) - {ECC79C4F-7986-4420-B111-27DBFFEBD2A8} - C:\Program Files\Windows Media Player\qasuza89104.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com


Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\Program Files\Windows Media Player\qasuza89104.dll
C:\Program Files\WindowsUpdate\horygyxi22011.exe

Folder::
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\kp9
C:\WINDOWS\system32\vb6
C:\WINDOWS\system32\bk5
C:\WINDOWS\system32\nGpxx01
C:\TEMP\isgTi19

DirLook::
C:\Program Files\RABCO

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"=-




This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.


Note when doing the ComboFix fix:

A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Click File, click Exit and answer "Yes" to save changes.


edit: forgot the image.
« Last Edit: February 15, 2008, 06:31:56 AM by oldman »

Meeme
Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #28 on: February 15, 2008, 06:52:46 AM »
Sorry about the Avenger log.
Not sure how I missed that.
Here it is:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sojijudh

*******************

Script file located at: \??\C:\WINDOWS\system32\abhbovjm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\catchme not found!
Unload of driver catchme failed!

Could not process line:
catchme
Status: 0xc0000034



File c:\docume~1\carrie\locals~1\temp\catchme.sys not found!
Deletion of file c:\docume~1\carrie\locals~1\temp\catchme.sys failed!

Could not process line:
c:\docume~1\carrie\locals~1\temp\catchme.sys
Status: 0xc0000034

oldman
Re: multiple problems including keyboard issues & browser hijack attempts
« Reply #29 on: February 15, 2008, 07:03:25 AM »
That was strange. The darn thing wasn't there. It didn't show in either your last ComboFix log or your DSS log, and Avenger didn't get it.

Do the rest of the fixes so far and we'll see where we stand. Any improvement?

Let me know.