multiple problems including keyboard issues & browser hijack attempts
Meeme:
Here is the result.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2/13/2008 2:20:37 AM for strings:
;  'catchme.sys'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data 
; HKEY_LOCAL_MACHINE  HKEY_USERS 


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme]
; Contents of value:
;   \??\C:\DOCUME~1\Carrie\LOCALS~1\Temp\catchme.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
  55,00,4d,00,45,00,7e,00,31,00,5c,00,43,00,61,00,72,00,72,00,69,00,65,00,5c,\
  00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
  70,00,5c,00,63,00,61,00,74,00,63,00,68,00,6d,00,65,00,2e,00,73,00,79,00,73,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\catchme]
; Contents of value:
;   \??\C:\DOCUME~1\Carrie\LOCALS~1\Temp\catchme.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
  55,00,4d,00,45,00,7e,00,31,00,5c,00,43,00,61,00,72,00,72,00,69,00,65,00,5c,\
  00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
  70,00,5c,00,63,00,61,00,74,00,63,00,68,00,6d,00,65,00,2e,00,73,00,79,00,73,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme]
; Contents of value:
;   \??\C:\DOCUME~1\Carrie\LOCALS~1\Temp\catchme.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
  55,00,4d,00,45,00,7e,00,31,00,5c,00,43,00,61,00,72,00,72,00,69,00,65,00,5c,\
  00,4c,00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
  70,00,5c,00,63,00,61,00,74,00,63,00,68,00,6d,00,65,00,2e,00,73,00,79,00,73,\
  00,00,00

; End Of The Log...
oldman:
Perfect. It's past my bedtime now, but please continue and post the logs.

Please do all the steps.

Thanks.
Meeme:
I cannot select additional options when my computer is on the fritz.
That is why I have been pasting the contents of the logs instead of attaching them.
When I try to click the "additional options" link, a new blank window opens.
Here is the ComboFix log (part one):

2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\wd11
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\vb6
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\kp9
2008-02-14 09:33 . 2008-02-14 09:33   <DIR>   d--------   C:\WINDOWS\system32\bk5
2008-02-14 09:33 . 2008-02-14 09:36   <DIR>   d--------   C:\Program Files\RABCO
2008-02-14 09:29 . 2008-02-14 09:29   483,406   --a------   C:\TEMP\chtOna0119.exe
2008-02-14 09:28 . 2008-02-14 09:28   <DIR>   d--------   C:\WINDOWS\system32\nGpxx01
2008-02-14 09:28 . 2008-02-14 09:29   <DIR>   d--------   C:\TEMP\isgTi19
2008-02-13 11:20 . 2004-08-04 02:56   388,608   --a------   C:\kmd.exe
2008-02-11 12:42 . 2008-02-11 12:42   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-02-11 12:42 . 2008-02-11 12:42   1,409   --a------   C:\WINDOWS\QTFont.for
2008-02-11 12:40 . 2008-02-11 13:25   <DIR>   d--------   C:\ComboFix
2008-02-10 02:49 . 2008-02-10 02:49   <DIR>   d--------   C:\Deckard
2008-02-09 16:32 . 2008-02-09 16:36   <DIR>   d--------   C:\Documents and Settings\Carrie\.housecall6.6
2008-02-05 14:06 . 2008-02-05 14:06   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 14:05 . 2008-02-11 12:47   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-02-05 14:05 . 2008-02-05 14:05   <DIR>   d--------   C:\Documents and Settings\Carrie\Application Data\SUPERAntiSpyware.com
2008-02-05 13:56 . 2008-02-05 13:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 03:40 . 2008-01-30 03:40   <DIR>   d--------   C:\Program Files\Trend Micro
2008-01-30 01:38 . 2007-10-10 18:55   63,488   -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-20 01:29 . 2007-03-07 18:51   129,784   --a------   C:\WINDOWS\system32\pxafs.dll
2008-01-20 01:29 . 2007-03-07 18:51   9,464   --a------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-20 01:29 . 2007-03-07 18:51   9,336   --a------   C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 20:59   ---------   d-----w   C:\Program Files\Microsoft AntiSpyware
2008-02-10 19:40   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-02-05 19:02   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 00:27   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-01-20 06:33   ---------   d-----w   C:\Program Files\Winamp
2008-01-09 18:29   ---------   d-----w   C:\Program Files\Google
2008-01-05 20:55   ---------   d-----w   C:\Program Files\Juno
2007-12-30 18:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-12-29 21:15   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2005-06-30 02:47   192,424   -c--a-w   C:\Documents and Settings\Carrie\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 13:43   184,680   -c--a-w   C:\Documents and Settings\Carrie\Application Data\shb.dat
2005-04-24 23:34   92,047   ----a-w   C:\Documents and Settings\Carrie\png2ico-win-2002-12-08.zip
.
Meeme:
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
2008-01-30 14:02   414992   --a------   C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECC79C4F-7986-4420-B111-27DBFFEBD2A8}]
2008-02-07 20:07   217088   --a------   C:\Program Files\Windows Media Player\qasuza89104.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 23:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-02-06 19:31 32881]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-30 22:25 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-30 22:23 614400]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TFNF5"="TFNF5.exe" [2003-07-18 20:41 73728 C:\WINDOWS\system32\TFNF5.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"TPSMain"="TPSMain.exe" [2003-09-25 13:19 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 11:39 159744]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [2004-02-04 08:43 1409024]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 04:36 86016]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [ ]
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2003-10-09 16:20 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-18 09:34 98304]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-06-24 14:24 473928]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51 172032]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2005-02-04 18:32 135168]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 21:00 4861952]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 19:01 86073]
"TFncKy"="TFncKy.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\Carrie\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-14 09:33:27 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-13 20:15:19 98304]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
HP Digital Imaging Monitor.lnk.disabled [2007-06-02 18:01:28 1842]
j2 DllCmd 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe [2006-01-20 19:38:46 107008]
j2 Live Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe [2004-06-10 13:39:44 17408]
j2 Tray Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GTray.exe [2004-06-10 13:38:26 39936]
j2 Tray Menu 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GTray.exe [2006-01-20 19:38:47 500224]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 16:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-02-06 19:53:02 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"= C:\WINDOWS\system32\hggfgfe.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"spc_w"="C:\Program Files\JUSearch\juspc.exe" -w

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"CamMonitor"=C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
"TomcatStartup"=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
"HPLJ Config"=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
"nwiz"=nwiz.exe /installquiet
"Share-to-Web Namespace Daemon"=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
"StatusClient"=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2004-02-04 04:08]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 20:38]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2004-02-02 22:05]
S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2003-09-16 11:47]
S3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\system32\DRIVERS\HSFHWCD2.sys [2004-04-27 13:23]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 12:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 00:20:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1087946104.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-02-13 00:14:00 C:\WINDOWS\Tasks\WebReg 20040630191426.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20040630191426 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 15:59:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2008-02-14 16:03:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-14 21:03:44
ComboFix2.txt  2008-02-13 16:28:00
ComboFix3.txt  2008-02-11 18:25:34
ComboFix4.txt  2008-02-10 22:38:02
.
2008-02-09 21:33:26   --- E O F --- 
Meeme:
Here is part one of Deckard's.

Deckard's System Scanner v20071014.68
Run by Carrie on 2008-02-14 21:07:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Carrie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:45 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Carrie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Carrie.exe
