# HELP! something is stealing my bandwidth



## jtrang (Dec 6, 2007)

Hello,

I only use my computer to do simple emailing and reading news. Recently my browser has been so slow. It took me more than 30 min to post this because my browser kept timing out with the message "The page cannot be displayed". I noticed in my network connection status window that packets were sent/received by the hundreds, but yet my browser cannot even get to Yahoo. I have been reading this forum and tried an AVG Anti-Spyware scan and a SUPERAntiSpyware scan. They found some tracking cookies, which were deleted, but they still did not catch the thieves doing the stealing. Below is my HijackThis log; please help!

=============================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:49 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\spoolv.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John Trang\My Documents\Kills\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolv.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5265 bytes


----------



## Jintan (Oct 4, 2007)

Hello jtrang,

Welcome to TSG. The log shows at least an SDBot backdoor loaded there, so let's start repairs.

Be sure to temporarily disable any protective software when running the scan tools we use here.

Download SDFix.exe and save it to your desktop.

===================================================

Reboot into *Safe Mode* (at startup tap the F8 key and select Safe Mode).

In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click *RunThis.bat* to start the script.

Next type *Y* to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file *Report.txt* back here.

===================

After the reboot, download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Post back the C:\ComboFix.txt log as well as the SDFix report.txt and a new HijackThis log please.


----------



## jtrang (Dec 6, 2007)

Thank you Jintan,

I followed your instructions and here are all the logs.

SDFix log
========================================

SDFix: Version 1.117

Run by Administrator on Thu 12/13/2007 at 02:08 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\JOHNTR~1\MYDOCU~1\Kills\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
noskrnl.sys

Path:
\??\C:\WINDOWS\system32\noskrnl.sys

noskrnl.sys - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\away.exe.exe - Deleted
C:\WINDOWS\noskrnl.config - Deleted
C:\WINDOWS\noskrnl.exe - Deleted
C:\WINDOWS\system32\noskrnl.sys - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 02:13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,f6,f0,16,59,6e,a9,c5,ca,52,f3,ca,a7,ca,64,50,05,d6,..
"hj34z0"=hex:ea,28,5c,36,fd,ae,dc,d3,1d,28,47,71,42,37,32,96,02,60,68,67,f1,..
"hj34z1"=hex:26,28,5c,36,85,ae,dc,d3,1c,28,46,71,43,37,32,96,02,60,68,67,31,..
"hj34z2"=hex:26,28,5c,36,85,ae,dc,d3,1c,28,46,71,43,37,32,96,02,60,68,67,31,..
"hj34z3"=hex:26,28,5c,36,85,ae,dc,d3,1c,28,46,71,43,37,32,96,02,60,68,67,31,..
"hj34z4"=hex:26,28,5c,36,85,ae,dc,d3,1c,28,46,71,43,37,32,96,02,60,68,67,31,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,13,8b,83,21,57,46,9e,b2,be,f2,53,6b,49,ec,2a,d0,f8,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\USvoiz\\usvfone.exe"="C:\\Program Files\\USvoiz\\usvfone.exe:*:Enabled:usvfone Module"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\RingVoiz Dialer\\RingVoiz.exe"="C:\\Program Files\\RingVoiz Dialer\\RingVoiz.exe:*:Enabled:RingVoiz"
"C:\\Program Files\\mtd2002\\mtdserver.exe"="C:\\Program Files\\mtd2002\\mtdserver.exe:*isabled:mtdServer"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\lsass.exe"="C:\\WINDOWS\\lsass.exe:*:Enabled:lsass.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
@=":*:Enabled:"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\WINDOWS\\system32\\spoolv.exe"="C:\\WINDOWS\\system32\\spoolv.exe:*isabled:spoolv"
"C:\\Program Files\\RingVoiz Dialer\\ring-Voiz.exe"="C:\\Program Files\\RingVoiz Dialer\\ring-Voiz.exe:*:Enabled:ring-Voiz"
"F:\\Paigow\\dealer\\dealer.exe"="F:\\Paigow\\dealer\\dealer.exe:*isabled:dealer"
"C:\\WINDOWS\\noskrnl.exe"="C:\\WINDOWS\\noskrnl.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\JOHNTR~1\MYDOCU~1\Kills\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Mon 10 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sun 6 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT6.tmp"

Finished!

=====================================
ComboFix log
=====================================

ComboFix 07-12-02.7 - John Trang 2007-12-13 2:22:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.158 [GMT -8:00]
Running from: C:\Documents and Settings\John Trang\My Documents\Kills\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\drabste.exe
C:\WINDOWS\system32\winter.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 02:07 . 2007-12-13 02:07 d--------	C:\WINDOWS\ERUNT
2007-12-06 20:01 . 2007-12-06 20:01 d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Program Files\SUPERAntiSpyware
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Documents and Settings\John Trang\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-06 19:38 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 08:57 . 2004-11-20 02:53 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-06 08:57 . 2004-11-20 02:39 d--------	C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-06 08:57 . 2007-12-06 08:57 d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-06 08:57 . 2004-11-20 02:52 d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\John Trang\Application Data\Grisoft
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 08:48 . 2007-05-30 04:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-29 20:53 . 2007-11-29 20:53	230	--a------	C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 22:03 . 2007-11-22 22:04 d--------	C:\Documents and Settings\John Trang\Application Data\ring-Voiz
2007-11-13 20:29 . 2007-12-09 21:28 d--------	C:\Program Files\Bkav2006
2007-11-13 20:29 . 2007-12-09 21:11	8,650,358	--a------	C:\WINDOWS\system32\drivers\SysLib.sys
2007-11-13 20:29 . 2007-12-09 21:11	7,804,485	--a------	C:\WINDOWS\system32\BkavAuto.vxd
2007-11-13 20:29 . 2007-12-09 21:11	32,677	--a------	C:\WINDOWS\system32\drivers\BkavAuto.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 04:05	---------	d-----w	C:\Program Files\Windows Media Connect 2
2007-11-30 04:05	---------	d-----w	C:\Program Files\SymNetDrv
2007-11-30 04:05	---------	d-----w	C:\Program Files\RingVoiz Dialer
2007-11-30 04:05	---------	d-----w	C:\Program Files\QuickTime
2007-11-30 04:05	---------	d-----w	C:\Program Files\Easy Internet signup
2007-11-30 04:05	---------	d-----w	C:\Program Files\D-Tools
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Autodesk Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\AVIcodec
2007-11-30 04:05	---------	d-----w	C:\Program Files\AutoCAD 2006
2007-11-30 04:04	---------	d-----w	C:\Program Files\Norton AntiVirus
2007-11-30 04:04	---------	d-----w	C:\Program Files\mtd2002
2007-11-30 04:04	---------	d-----w	C:\Program Files\Microsoft Works
2007-11-30 04:04	---------	d-----w	C:\Program Files\iTunes
2007-11-26 04:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-26 03:59	---------	d-----w	C:\Program Files\Yahoo!
2007-11-26 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-14 05:06	---------	d-----w	C:\Program Files\Symantec
2007-11-14 02:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-13 06:52	55,808	----a-w	C:\WINDOWS\system32\spoolv.exe
2007-11-13 06:52	289,280	----a-w	C:\WINDOWS\system32\libcurl.dll
2007-11-12 03:18	123,754	----a-w	C:\WINDOWS\system32\dllcache\_install.exe
2007-10-26 03:34	8,460,288	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
2006-04-05 06:09	92,976	----a-w	C:\Documents and Settings\John Trang\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 13:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 12:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 12:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 08:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 08:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 17:34]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"dumprep"="C:\WINDOWS\system32\spoolv.exe" [2007-11-12 22:52]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 06:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-06 11:44:23]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{034e52f0-70ad-11da-b91d-00c09fb6d28d}]
\Shell\1\Command - F:\autorun.pif
\Shell\2\Command - F:\autorun.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{636283a0-d2a0-11db-abe9-00c09fb6d28d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5b50805-d8e7-11db-abf1-00c09fb6d28d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f12b2a44-876e-11dc-acae-0015001d694b}]
\Shell\1\Command - autorun.pif
\Shell\2\Command - autorun.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

*Newly Created Service* - CATCHME 
*Newly Created Service* - PROCEXP90 
.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 10:24:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 02:24:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?9?1?0??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 2:25:27
.
--- E O F ---

==========================================
New HiJackThis Log
==========================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:59 AM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\spoolv.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John Trang\My Documents\Kills\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolv.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5112 bytes


----------



## Jintan (Oct 4, 2007)

Looks like an SDBot infection and relying on an autorun component to reinfect. Did you transfer software recently from someone else's computer? Let's continue repairs here.

I am not familiar with these, but can see they are related to Vietnamese software. If you could explain their use I would appreciate it:

C:\Program Files\mtd2002
C:\Program Files\Bkav2006

Be sure to temporarily disable any protective software when running the scan tools we use here.

------------------------------------

Go here and download Flash_Disinfector.exe and save it to your desktop.

Double-click on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.

-----------------------------------

Open notepad (go to Start, Run, type *notepad* and press Enter) and copy/paste the text in the codebox below into it:


```
File::
C:\WINDOWS\noskrnl.exe
C:\WINDOWS\system32\spoolv.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\libcurl.dll
C:\WINDOWS\system32\dllcache\_install.exe
Folder::
C:\Recycled
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{034e52f0-70ad-11da-b91d-00c09fb6d28d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{636283a0-d2a0-11db-abe9-00c09fb6d28d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5b50805-d8e7-11db-abf1-00c09fb6d28d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f12b2a44-876e-11dc-acae-0015001d694b}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dumprep"=-
```
Save this as *"CFScript"*

(include the "quotation marks" with the name)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. If ComboFix brings on a reboot to complete its repairs the log will appear after the reboot is done.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------------------------------------

Run F-Secure's online scanner here. You will need to use IE and allow the ActiveX controls to load. Click Full System Scan and allow the components to download and the scan to complete. If malware is found during the scan, check Submit Samples to F-Secure then select Automatic cleaning. When the scan has finished, click the Show Report button and copy and paste the entire report in your next reply.

Then post back that log along with the ComboFix.txt log and a new HijackThis log please.

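The two tricks the logs above expose are worth being able to spot mechanically: a near-miss of a core Windows binary name (`spoolv.exe` next to the real `spoolsv.exe`, `noskrnl.sys` next to `ntoskrnl.exe`), a real name in the wrong folder (`C:\WINDOWS\lsass.exe` in the SDFix firewall export, where the genuine one lives in system32), and the `mountpoints2` autorun handlers that ComboFix listed and the CFScript above removes (`autorun.pif`, `Recycled\ctfmon.exe`, `MS32DLL.dll.vbs`). The script below is an added example for this thread, not a tool from the thread or from the HijackThis, SDFix or ComboFix projects; it runs a few heuristics over raw log lines. The core-binary allow-list, the launcher list and the thresholds are assumptions chosen for an XP-era layout, and the sample lines are copied from the logs posted above.

```python
"""Triage heuristics for HijackThis, SDFix and ComboFix log lines (added example)."""
import ntpath
import re

# Assumption: a small allow-list of core Windows binaries and the one directory
# each must live in (XP layout). Lower-case throughout; comparisons are case-insensitive.
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "ntoskrnl.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
CORE_STEMS = {ntpath.splitext(n)[0]: n for n in CORE_BINARIES}

# Assumption: programs that only launch something else; the argument is what matters.
LAUNCHERS = {"rundll32.exe", "shell32.dll", "wscript.exe", "cscript.exe", "cmd.exe"}
SCRIPT_EXTS = {".pif", ".vbs", ".bat", ".cmd", ".scr"}

EXTS = r"(?:exe|sys|dll|pif|vbs|bat|cmd|scr)"
# Drive-rooted path, spaces allowed, ended lazily at the first executable extension.
ABS_RE = re.compile(r"[a-zA-Z]:\\[^\"*:]+?\." + EXTS + r"\b", re.IGNORECASE)
# Drive-relative target such as autorun.pif, Recycled\ctfmon.exe or MS32DLL.dll.vbs.
REL_RE = re.compile(r"(?<![\w\\.:])[\w\-]+(?:[\\.][\w\-]+)*\." + EXTS + r"\b", re.IGNORECASE)
# ComboFix mountpoints2 handler lines: \Shell\AutoRun\command, \Shell\1\Command, ...
AUTORUN_RE = re.compile(r"\\shell\\[^\\]+\\command", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line: str) -> list[str]:
    """Return the reasons one log line deserves a closer look (empty list if none)."""
    text = line.replace("\\\\", "\\")  # SDFix's registry export doubles every backslash
    findings: list[str] = []

    def note(msg: str) -> None:
        if msg not in findings:  # the firewall export repeats each path twice
            findings.append(msg)

    abs_paths = ABS_RE.findall(text)
    for path in abs_paths:
        name = ntpath.basename(path).lower()
        home = ntpath.dirname(path).lower()
        stem = ntpath.splitext(name)[0]
        # Rule 1: a genuine core name living somewhere other than its home directory.
        if name in CORE_BINARIES and home != CORE_BINARIES[name]:
            note(f"core binary name outside its home directory: {path} (expected {CORE_BINARIES[name]})")
        # Rule 2: a name one edit away from a core name (extension ignored).
        for core_stem, core_name in CORE_STEMS.items():
            if stem != core_stem and edit_distance(stem, core_stem) == 1:
                note(f"look-alike of {core_name}: {path}")

    # Rule 3: a removable-drive autorun handler that runs something relative to the
    # drive root, a script/shortcut, or anything out of a Recycled folder.
    if AUTORUN_RE.search(text):
        for target in abs_paths + REL_RE.findall(text):
            name = ntpath.basename(target).lower()
            if name in LAUNCHERS:
                continue
            relative = ABS_RE.fullmatch(target) is None
            scripty = ntpath.splitext(name)[1] in SCRIPT_EXTS
            in_recycled = "recycled\\" in target.lower()
            if relative or scripty or in_recycled:
                note(f"removable-drive autorun handler runs {target}")
    return findings


def triage(lines) -> dict[str, list[str]]:
    """Map each suspicious line to its findings; clean lines are left out."""
    return {ln: f for ln in lines if (f := triage_line(ln))}


# Constructed sample: lines copied from the logs posted in this thread, two of them benign.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolv.exe",
    r'"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"',
    r'"C:\\WINDOWS\\lsass.exe"="C:\\WINDOWS\\lsass.exe:*:Enabled:lsass.exe"',
    r"\??\C:\WINDOWS\system32\noskrnl.sys",
    r"\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe",
    r"\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs",
    r"\Shell\1\Command - F:\autorun.pif",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it as-is and six of the eight sample lines are reported; the IgfxTray and Skype entries pass cleanly. The edit-distance rule is deliberately strict (exactly one character off) so that ordinary names such as `rundll32.exe` do not trip it; loosen it only if you are prepared to review the extra hits.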

----------



## jtrang (Dec 6, 2007)

Thanks again Jintan for your help!

I don't recall transferring software from someone else recently, but I did use someone's flash drive to copy some files for him.

C:\Program Files\mtd2002 - is a Viet<->English dictionary
C:\Program Files\Bkav2006 - is free antivirus software by a local tech university in Vietnam. It is widely used. I thought I uninstalled it a couple of weeks ago.

I did the Flash Disinfector first, and here are the logs for the others.

=======================================================
ComboFix
=======================================================

ComboFix 07-12-14.4 - John Trang 2007-12-14 1:28:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -8:00]
Running from: C:\Documents and Settings\John Trang\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Trang\Desktop\CFScript
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-13 02:07 . 2007-12-13 02:07 d--------	C:\WINDOWS\ERUNT
2007-12-06 20:01 . 2007-12-06 20:01 d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Program Files\SUPERAntiSpyware
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Documents and Settings\John Trang\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-06 19:38 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 08:57 . 2004-11-20 02:53 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-06 08:57 . 2004-11-20 02:39 d--------	C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-06 08:57 . 2007-12-06 08:57 d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-06 08:57 . 2004-11-20 02:52 d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\John Trang\Application Data\Grisoft
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 08:48 . 2007-05-30 04:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-29 20:53 . 2007-11-29 20:53	230	--a------	C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 22:03 . 2007-11-22 22:04 d--------	C:\Documents and Settings\John Trang\Application Data\ring-Voiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 05:28	---------	d-----w	C:\Program Files\Bkav2006
2007-12-10 05:11	8,650,358	----a-w	C:\WINDOWS\system32\drivers\SysLib.sys
2007-12-10 05:11	32,677	----a-w	C:\WINDOWS\system32\drivers\BkavAuto.sys
2007-11-30 04:05	---------	d-----w	C:\Program Files\Windows Media Connect 2
2007-11-30 04:05	---------	d-----w	C:\Program Files\SymNetDrv
2007-11-30 04:05	---------	d-----w	C:\Program Files\RingVoiz Dialer
2007-11-30 04:05	---------	d-----w	C:\Program Files\QuickTime
2007-11-30 04:05	---------	d-----w	C:\Program Files\Easy Internet signup
2007-11-30 04:05	---------	d-----w	C:\Program Files\D-Tools
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Autodesk Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\AVIcodec
2007-11-30 04:05	---------	d-----w	C:\Program Files\AutoCAD 2006
2007-11-30 04:04	---------	d-----w	C:\Program Files\Norton AntiVirus
2007-11-30 04:04	---------	d-----w	C:\Program Files\mtd2002
2007-11-30 04:04	---------	d-----w	C:\Program Files\Microsoft Works
2007-11-30 04:04	---------	d-----w	C:\Program Files\iTunes
2007-11-26 04:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-26 03:59	---------	d-----w	C:\Program Files\Yahoo!
2007-11-26 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-14 05:06	---------	d-----w	C:\Program Files\Symantec
2007-11-14 02:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-13 06:52	55,808	----a-w	C:\WINDOWS\system32\spoolv.exe
2007-11-13 06:52	289,280	----a-w	C:\WINDOWS\system32\libcurl.dll
2007-11-12 03:18	123,754	----a-w	C:\WINDOWS\system32\dllcache\_install.exe
2007-10-26 03:34	8,460,288	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
2006-04-05 06:09	92,976	----a-w	C:\Documents and Settings\John Trang\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 04:18	136312	--a------	C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 13:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 12:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 12:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 08:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 08:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 17:34]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 06:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-06 11:44:23]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0
FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0
Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0
Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0
Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0
WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 09:29:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 01:30:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?9?1?0??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 1:31:18
C:\ComboFix2.txt ... 2007-12-13 02:25
.
2007-12-07 03:56:04	--- E O F ---

============================================
F-Secure Online Scan Report
============================================

Scanning Report
Friday, December 14, 2007 02:23:23 - 10:06:56
Computer name: EASON 
Scanning type: Scan system for viruses, rootkits, spyware 
Target: C:\

--------------------------------------------------------------------------------

Result: 41 malware found
Backdoor.Win32.Agent.cpv (virus) 
C:\WINDOWS\SYSTEM32\SPOOLV.EXE (Renamed & Submitted) 
Email-Worm.Win32.Zhelatin.ml (virus) 
C:\WINDOWS\SYSTEM32\DLLCACHE\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{E9787678-1033-0000-8E67-000000000001}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{DBC20735-34E6-4E97-A9E5-2066B66B243D}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{B74D4E10-1033-0000-0000-000000000001}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{AC76BA86-7AD7-1033-7B44-A70900000002}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{AAE10BE5-F398-41C1-9AAF-A59EBF17DFDE}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{9541FED0-327F-4DF0-8B96-EF57EF622F19}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{91120409-6000-11D3-8CFE-0150048383C9}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{90280409-6000-11D3-8CFE-0050048383C9}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{8105684D-8CA6-440D-8F58-7E5FD67A499D}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{77772678-817F-4401-9301-ED1D01A8DA56}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{5783F2D7-4001-0409-0002-0060B0CE6BBA}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{236BB7C4-4419-42FD-0409-1E257A25E34D}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{219B0DA4-8F1A-499D-8795-4A07C632521E}\_INSTALL.EXE (Renamed & Submitted) 
C:\WINDOWS\INSTALLER\{00FC6799-866E-44A1-A60C-DCF394CF56FD}\_INSTALL.EXE (Renamed & Submitted) 
Tracking Cookie (spyware) 
System (Disinfected) 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
W32/DLoader.EGRY (virus) 
C:\WINDOWS\SYSTEM32\LIBCURL.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29884 
System: 4608 
Not scanned: 5 
Actions:
Disinfected: 1 
Renamed: 23 
Deleted: 0 
None: 17 
Submitted: 24 
Files not scanned:
C:\HIBERFIL.SYS 
C:\PAGEFILE.SYS 
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT 
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{90BC5000-35B6-4991-BF49-9D7590854766}.BIN 
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030625\0102\0106\VALUES

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-12-14 
F-Secure AVP: 7.0.171, 2007-12-14 
F-Secure Orion: 1.2.37, 2007-12-14 
F-Secure Blacklight: 1.0.64 
F-Secure Draco: 1.0.35, 0598-150-72 
F-Secure Pegasus: 1.19.0, 2007-11-09 
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX 
Use Advanced heuristics

======================================
New HiJackThis Log
=======================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:27 AM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\spoolv.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John Trang\My Documents\Kills\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5178 bytes


----------



## Jintan (Oct 4, 2007)

Did something not work right with using CFScript this last time? The log does not show any activity from it, suggesting it either wasn't used (just ComboFix alone was run) or it failed to function. And the later F-Secure scan removed one of the files CFScript was set to have removed already. Please run a new ComboFix scan now and post that log.


----------



## jtrang (Dec 6, 2007)

Hi Jintan,

I thought the ComboFix ran and completed OK because I did not even dare to touch the keyboard while it ran. Anyway, since the last fix and the F-Secure scan, I have lost my network connection on my computer. I cannot start the network services. I can't create a new connection either. I have to post this from a friend's computer.

Here are the new ComboFix log (just ComboFix, no CFScript) and a new HiJackThis log... thanks again.

===================================================
ComboFix 07-12-14.4 - John Trang 2007-12-16 7:43:20.3 - NTFSx86

Running from: C:\Documents and Settings\John Trang\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-15 02:43 . 2004-08-04 05:00	35,328	--a------	C:\WINDOWS\system32\iprip.dll
2007-12-15 02:43 . 2004-08-04 05:00	18,944	--a------	C:\WINDOWS\system32\simptcp.dll
2007-12-13 02:07 . 2007-12-13 02:07 d--------	C:\WINDOWS\ERUNT
2007-12-06 20:01 . 2007-12-06 20:01 d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Program Files\SUPERAntiSpyware
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Documents and Settings\John Trang\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-06 19:38 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 08:57 . 2004-11-20 02:53 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-06 08:57 . 2004-11-20 02:39 d--------	C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-06 08:57 . 2007-12-06 08:57 d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-06 08:57 . 2004-11-20 02:52 d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\John Trang\Application Data\Grisoft
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 08:48 . 2007-05-30 04:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-29 20:53 . 2007-11-29 20:53	230	--a------	C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 22:03 . 2007-11-22 22:04 d--------	C:\Documents and Settings\John Trang\Application Data\ring-Voiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 05:28	---------	d-----w	C:\Program Files\Bkav2006
2007-12-10 05:11	8,650,358	----a-w	C:\WINDOWS\system32\drivers\SysLib.sys
2007-12-10 05:11	32,677	----a-w	C:\WINDOWS\system32\drivers\BkavAuto.sys
2007-11-30 04:05	---------	d-----w	C:\Program Files\Windows Media Connect 2
2007-11-30 04:05	---------	d-----w	C:\Program Files\SymNetDrv
2007-11-30 04:05	---------	d-----w	C:\Program Files\RingVoiz Dialer
2007-11-30 04:05	---------	d-----w	C:\Program Files\QuickTime
2007-11-30 04:05	---------	d-----w	C:\Program Files\Easy Internet signup
2007-11-30 04:05	---------	d-----w	C:\Program Files\D-Tools
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Autodesk Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\AVIcodec
2007-11-30 04:05	---------	d-----w	C:\Program Files\AutoCAD 2006
2007-11-30 04:04	---------	d-----w	C:\Program Files\Norton AntiVirus
2007-11-30 04:04	---------	d-----w	C:\Program Files\mtd2002
2007-11-30 04:04	---------	d-----w	C:\Program Files\Microsoft Works
2007-11-30 04:04	---------	d-----w	C:\Program Files\iTunes
2007-11-26 04:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-26 03:59	---------	d-----w	C:\Program Files\Yahoo!
2007-11-26 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-14 05:06	---------	d-----w	C:\Program Files\Symantec
2007-11-14 02:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2006-04-05 06:09	92,976	----a-w	C:\Documents and Settings\John Trang\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-12-14_ 1.30.33.99 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-08 00:38:46	500,120	----a-w	C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-08 00:39:00	192,920	----a-w	C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-08 00:39:24	254,360	----a-w	C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-03-13 18:57:10	163,328	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2004-08-04 08:00:00	239,616	----a-w	C:\WINDOWS\system32\upnpui.dll
+ 2004-08-04 13:00:00	239,616	----a-w	C:\WINDOWS\system32\upnpui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 04:18	136312	--a------	C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 13:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 12:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 12:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 08:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 08:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 17:34]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 06:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-06 11:44:23]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 18:39:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 07:47:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?9?1?0??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 7:48:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-14 01:31
C:\ComboFix3.txt ... 2007-12-13 02:25
.
2007-12-07 03:56:04	--- E O F ---

=====================================
HiJackThis
=====================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:32 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\John Trang\My Documents\Kills\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKUS\S-1-5-21-594377015-134541910-1442209731-1006\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f (User '?')
O4 - S-1-5-21-594377015-134541910-1442209731-1006 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5485 bytes


----------



## Jintan (Oct 4, 2007)

I'm sorry - there was a glitch in the previous version of ComboFix that incorrectly altered one of your registry settings.

Download and click to run this fix on the computer we are working on (goodness knows don't click it on the download computer though):

http://download.bleepingcomputer.com/sUBs/Beta/NetSvc_Repair.exe

This will locate and return the corrected value, and will also create a log I would like you to post back here. Reboot after and then attempt to repair net access and access again.
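As an added example, not code from this thread or from ComboFix, HijackThis or NetSvc_Repair: a small Python checker that parses the svchost NetSvcs group the way ComboFix prints it (and the way `reg query` prints a REG_MULTI_SZ) and diffs it against the list from the 2007-12-14 log above, so a service dropped from the group stands out before any further network troubleshooting. The "current" dump below is constructed for illustration; the `winreg` reader is for the live value on a Windows machine.

```python
"""Compare an svchost NetSvcs list against a known-good baseline.

ComboFix prints the REG_MULTI_SZ entries joined with a literal backslash-zero
and wraps long lists over several lines; `reg query` prints them on one line
after the value name and "REG_MULTI_SZ". Both forms are handled here.
"""
import re

# Baseline: the NetSvcs list from the 2007-12-14 ComboFix log above,
# captured while networking still worked on that machine.
BASELINE_DUMP = r"""
6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0
FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0
Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0
Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0
Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0
WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN
"""

# Constructed sample of a damaged list (NOT the poster's actual registry):
# three networking-related entries are gone and an unknown one was added.
CONSTRUCTED_CURRENT = r"""
netsvcs	REG_MULTI_SZ	6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0ExampleSvc
"""


def parse_netsvcs(dump: str) -> list[str]:
    """Split a NetSvcs dump (ComboFix or `reg query` style) into service names.

    A line carrying "REG_MULTI_SZ" is taken from after that marker, and its
    entries may be separated by a literal "\\0" or by whitespace. Any other
    line is split on the literal "\\0" only. Empty tokens are dropped.
    """
    names: list[str] = []
    for line in dump.splitlines():
        if "REG_MULTI_SZ" in line:
            line = line.split("REG_MULTI_SZ", 1)[1]
            parts = re.split(r"\\0|\s+", line)
        else:
            parts = line.split("\\0")
        names.extend(p.strip() for p in parts if p.strip())
    return names


def compare_netsvcs(baseline: str, current: str) -> dict[str, list[str]]:
    """Report services missing from, and added to, `current` relative to `baseline`.

    Service names are case-insensitive in Windows, so the match ignores case
    while the reported names keep the spelling from their own dump.
    """
    base = {n.lower(): n for n in parse_netsvcs(baseline)}
    cur = {n.lower(): n for n in parse_netsvcs(current)}
    return {
        "missing": [base[k] for k in base if k not in cur],
        "added": [cur[k] for k in cur if k not in base],
    }


def read_netsvcs_from_registry() -> list[str]:
    """Read the live netsvcs value on Windows; winreg returns REG_MULTI_SZ as a list."""
    import winreg  # Windows-only standard library module

    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, value_type = winreg.QueryValueEx(key, "netsvcs")
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError(f"netsvcs has type {value_type}, expected REG_MULTI_SZ")
    return list(value)


if __name__ == "__main__":
    result = compare_netsvcs(BASELINE_DUMP, CONSTRUCTED_CURRENT)
    for kind, names in result.items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

On a live machine, `"\\0".join(read_netsvcs_from_registry())` can be passed as the `current` argument in place of the constructed dump.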


----------



## jtrang (Dec 6, 2007)

Hi Jintan,

THANK YOU! I'm back online! 
I ran your repair exe and it finished with the message to reboot. I then rebooted and tried to look for the log file. I can't seem to find it anywhere. I looked in C:\ and the directory that I ran the repair from. No luck. Anyway, attached is the new HiJackThis log. Please help in locating the log file.

==========================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:39 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John Trang\My Documents\Kills\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5363 bytes


----------



## Jintan (Oct 4, 2007)

Good you got that repaired, and for now don't worry about that log file. We'll need to remove that older ComboFix copy and start with an updated one to get back on track here, though things were doing well already.

Go to Start - Run, type the following then OK:

*ComboFix /u*

This will remove the older version and some changes it made. Then download the newer copy from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Post back the C:\ComboFix.txt log please.


----------



## jtrang (Dec 6, 2007)

Hello again Jintan,

Here are the logs for ComboFix and a new HiJackThis...
Thanks again...I just can not thank you enough!

=========================================================
ComboFix
=========================================================

ComboFix 07-12-17.1 - John Trang 2007-12-17 21:24:04.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.163 [GMT -8:00]
Running from: C:\Documents and Settings\John Trang\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.

2007-12-16 21:48 . 2004-08-04 05:00	49,275	--a------	C:\WINDOWS\system32\wfospf.mib
2007-12-16 21:48 . 2004-08-04 05:00	38,608	--a------	C:\WINDOWS\system32\nipx.mib
2007-12-16 21:48 . 2004-08-04 05:00	34,317	--a------	C:\WINDOWS\system32\msiprip2.mib
2007-12-16 21:48 . 2004-08-04 05:00	26,236	--a------	C:\WINDOWS\system32\wins.mib
2007-12-16 21:48 . 2004-08-04 05:00	4,332	--a------	C:\WINDOWS\system32\smi.mib
2007-12-15 02:43 . 2004-08-04 05:00	35,328	--a------	C:\WINDOWS\system32\iprip.dll
2007-12-15 02:43 . 2004-08-04 05:00	18,944	--a------	C:\WINDOWS\system32\simptcp.dll
2007-12-13 02:07 . 2007-12-13 02:07 d--------	C:\WINDOWS\ERUNT
2007-12-06 20:01 . 2007-12-06 20:01 d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Program Files\SUPERAntiSpyware
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Documents and Settings\John Trang\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-06 19:38 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 08:57 . 2004-11-20 02:53 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-06 08:57 . 2004-11-20 02:39 d--------	C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-06 08:57 . 2007-12-06 08:57 d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-06 08:57 . 2004-11-20 02:52 d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\John Trang\Application Data\Grisoft
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 08:48 . 2007-05-30 04:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-29 20:53 . 2007-11-29 20:53	230	--a------	C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 22:03 . 2007-11-22 22:04 d--------	C:\Documents and Settings\John Trang\Application Data\ring-Voiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 05:28	---------	d-----w	C:\Program Files\Bkav2006
2007-12-10 05:11	8,650,358	----a-w	C:\WINDOWS\system32\drivers\SysLib.sys
2007-12-10 05:11	32,677	----a-w	C:\WINDOWS\system32\drivers\BkavAuto.sys
2007-11-30 04:05	---------	d-----w	C:\Program Files\Windows Media Connect 2
2007-11-30 04:05	---------	d-----w	C:\Program Files\SymNetDrv
2007-11-30 04:05	---------	d-----w	C:\Program Files\RingVoiz Dialer
2007-11-30 04:05	---------	d-----w	C:\Program Files\QuickTime
2007-11-30 04:05	---------	d-----w	C:\Program Files\Easy Internet signup
2007-11-30 04:05	---------	d-----w	C:\Program Files\D-Tools
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Autodesk Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\AVIcodec
2007-11-30 04:05	---------	d-----w	C:\Program Files\AutoCAD 2006
2007-11-30 04:04	---------	d-----w	C:\Program Files\Norton AntiVirus
2007-11-30 04:04	---------	d-----w	C:\Program Files\mtd2002
2007-11-30 04:04	---------	d-----w	C:\Program Files\Microsoft Works
2007-11-30 04:04	---------	d-----w	C:\Program Files\iTunes
2007-11-26 04:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-26 03:59	---------	d-----w	C:\Program Files\Yahoo!
2007-11-26 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-14 05:06	---------	d-----w	C:\Program Files\Symantec
2007-11-14 02:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-13 06:52	289,280	----a-w	C:\WINDOWS\system32\libcurl.dll
2007-10-26 03:34	8,460,288	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
2006-04-05 06:09	92,976	----a-w	C:\Documents and Settings\John Trang\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 04:18	136312	--a------	C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 13:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 12:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 12:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 08:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 08:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 17:34]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 06:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-06 11:44:23]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc []
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc []
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f12b2a44-876e-11dc-acae-0015001d694b}]
\Shell\1\Command - autorun.pif
\Shell\2\Command - autorun.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 05:24:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 21:26:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?9?1?0??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 21:26:59
C:\ComboFix2.txt ... 2007-12-16 07:48
C:\ComboFix3.txt ... 2007-12-14 01:31
.
2007-12-07 03:56:04	--- E O F ---

=================================
HiJackThis
=================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:21 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John Trang\My Documents\Kills\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5208 bytes


----------



## Jintan (Oct 4, 2007)

No outright active infection showing but some changes still. At some point in this recent bit of registry change/correction the log now suggests the Peer Networking services there have had some changes, but I can't be sure they were enabled earlier on right now. Go to Start - Run, type *services.msc* (and Enter). Locate and double click on *Peer Networking* on that list, and just check and post back if it is stopped, and what Startup Type is showing.

Then we still have to assess/correct infection issues, starting with a remaining autoload item.


```
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f12b2a44-876e-11dc-acae-0015001d694b}]
```
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

--------------------------------

As you already have it, do a scan using SuperAntiSpyware now. Open and update it, but don't scan just yet.

Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

===============================================

Reboot into *Safe Mode* (at startup tap the F8 key and select Safe Mode).

Open SUPERAntiSpyware and click the *Scan your Computer* button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.

SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.

Run a new ComboFix scan, and post that back here along with a new HijackThis log and the SUPERAntiSpyware log please.
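
The MountPoints2 key Jintan deletes above is the per-volume cache Explorer keeps for each drive it has seen, including the AutoRun shell verbs it read from that drive's autorun.inf. Cached commands that run autorun.pif, or a bare file name resolved against the volume root, are the usual footprint of a removable-drive worm, while a setup CD normally leaves an absolute path such as D:\Setup.exe. The Python below is an added example, not code from this thread, from ComboFix or from HijackThis: it parses the "Reg Loading Points" section of a ComboFix log, reports MountPoints2 volumes whose handlers look like that, and emits the same `[-KEY]` REGEDIT4 deletion form used in fixer.reg. The sample log text and the volume GUIDs in it are constructed for the example.

```python
"""Triage MountPoints2 autorun handlers in a ComboFix 'Reg Loading Points'
section and build the REGEDIT4 fragment that deletes the suspicious keys."""
import re
from dataclasses import dataclass, field

# ComboFix prints each cached-volume key as [HKEY_CURRENT_USER\...\mountpoints2\{GUID}]
MOUNTPOINT_KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\[^\]]*?\\mountpoints2\\(\{[0-9a-f-]+\}))\]$", re.I)
# ...followed by lines of the form  \Shell\<verb>\command - <command line>
SHELL_COMMAND_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)
# Launcher names that autorun worms drop next to autorun.inf on removable media.
AUTORUN_LAUNCHER_RE = re.compile(r"autorun\.(pif|exe|bat|cmd|com|scr|vbs)\b", re.I)
ABSOLUTE_PATH_RE = re.compile(r'^"?[A-Z]:\\', re.I)


@dataclass
class MountPoint:
    key: str                                      # registry key as ComboFix printed it
    volume_guid: str
    commands: dict = field(default_factory=dict)  # shell verb -> command line


def parse_mountpoints(log_text: str) -> list:
    """Collect MountPoints2 keys and the Shell\\<verb>\\command lines under each."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MOUNTPOINT_KEY_RE.match(line)
        if m:
            current = MountPoint(key=m.group(1), volume_guid=m.group(2))
            entries.append(current)
            continue
        if line.startswith("["):      # a different registry key starts here
            current = None
            continue
        c = SHELL_COMMAND_RE.match(line) if current else None
        if c:
            current.commands[c.group(1)] = c.group(2)
    return entries


def suspicious_reasons(mp: MountPoint) -> list:
    """Explain why a cached handler looks like a worm rather than a setup disc."""
    reasons = []
    for verb, cmd in mp.commands.items():
        if AUTORUN_LAUNCHER_RE.search(cmd):
            reasons.append(f"{verb}: runs an autorun launcher ({cmd})")
        elif "ShellExec_RunDLL" in cmd:
            reasons.append(f"{verb}: indirect launch via RunDLL32 ShellExec_RunDLL ({cmd})")
        elif not ABSOLUTE_PATH_RE.match(cmd):
            # A bare file name is resolved against the volume root, which is
            # exactly what an autorun.inf infection relies on.
            reasons.append(f"{verb}: relative target '{cmd}'")
    return reasons


def triage(log_text: str) -> dict:
    """Map volume GUID -> reasons; volumes with nothing suspicious are omitted."""
    return {mp.volume_guid: r for mp in parse_mountpoints(log_text)
            if (r := suspicious_reasons(mp))}


def removal_reg(log_text: str) -> str:
    """REGEDIT4 text deleting each suspicious key, using the [-KEY] form."""
    lines = ["REGEDIT4", ""]
    for mp in parse_mountpoints(log_text):
        if suspicious_reasons(mp):
            lines += [f"[-{mp.key}]", ""]
    return "\r\n".join(lines)


# Constructed sample in ComboFix's format; the GUIDs are made up for this example.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\Shell\1\Command - autorun.pif
\Shell\2\Command - autorun.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66666666-7777-8888-9999-aaaaaaaaaaaa}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 12:48]
"""

if __name__ == "__main__":
    for guid, reasons in triage(SAMPLE_LOG).items():
        print(guid)
        for reason in reasons:
            print("  -", reason)
    print(removal_reg(SAMPLE_LOG))
```

Deleting the cached key only stops Explorer from re-running the handler for that volume; the removable drive that carried the autorun.inf still needs to be cleaned, and the autorun.pif it references should be looked for in the scanner logs before the drive is plugged back in.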


----------



## jtrang (Dec 6, 2007)

Hi Jintan,

The Peer Networking startup type = Manual and I don't think it was running.

Merged file with registry - OK

One thing: I mistakenly ran AVG Anti-Spyware while I was in Safe Mode. Once I realized it, I let it finish, then I ran SuperAntiSpyware after. Attached are both logs.

====================================
AVG Anti-Spyware - Scan Report
====================================

+ Created at:	12:07:18 AM 12/19/2007

+ Scan result:

Nothing found.

::Report end

=================================
Super Anti Spyware Log
=================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/19/2007 at 01:33 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:39:52

Memory items scanned : 165
Memory threats detected : 0
Registry items scanned : 6302
Registry threats detected : 0
File items scanned : 28588
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\John Trang\Cookies\john [email protected][1].txt

======================================
ComboFix Log
======================================

ComboFix 07-12-17.1 - John Trang 2007-12-19 6:35:19.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -8:00]
Running from: C:\Documents and Settings\John Trang\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-19 00:32 . 2007-12-19 00:32 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-12-16 21:48 . 2004-08-04 05:00	49,275	--a------	C:\WINDOWS\system32\wfospf.mib
2007-12-16 21:48 . 2004-08-04 05:00	38,608	--a------	C:\WINDOWS\system32\nipx.mib
2007-12-16 21:48 . 2004-08-04 05:00	34,317	--a------	C:\WINDOWS\system32\msiprip2.mib
2007-12-16 21:48 . 2004-08-04 05:00	26,236	--a------	C:\WINDOWS\system32\wins.mib
2007-12-16 21:48 . 2004-08-04 05:00	4,332	--a------	C:\WINDOWS\system32\smi.mib
2007-12-15 02:43 . 2004-08-04 05:00	35,328	--a------	C:\WINDOWS\system32\iprip.dll
2007-12-15 02:43 . 2004-08-04 05:00	18,944	--a------	C:\WINDOWS\system32\simptcp.dll
2007-12-13 02:07 . 2007-12-13 02:07 d--------	C:\WINDOWS\ERUNT
2007-12-06 20:01 . 2007-12-06 20:01 d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-19 06:22 d--------	C:\Program Files\SUPERAntiSpyware
2007-12-06 19:38 . 2007-12-07 22:25 d--------	C:\Documents and Settings\John Trang\Application Data\SUPERAntiSpyware.com
2007-12-06 19:38 . 2007-12-06 19:38 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 08:57 . 2004-11-20 02:53 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-06 08:57 . 2004-11-20 02:39 d--------	C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-06 08:57 . 2007-12-06 08:57 d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-06 08:57 . 2004-11-20 02:52 d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\John Trang\Application Data\Grisoft
2007-12-06 08:48 . 2007-12-06 08:48 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 08:48 . 2007-05-30 04:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-29 20:53 . 2007-11-29 20:53	230	--a------	C:\WINDOWS\system32\spupdsvc.inf
2007-11-22 22:03 . 2007-11-22 22:04 d--------	C:\Documents and Settings\John Trang\Application Data\ring-Voiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 06:55	---------	d-----w	C:\Documents and Settings\John Trang\Application Data\Skype
2007-12-10 05:28	---------	d-----w	C:\Program Files\Bkav2006
2007-12-10 05:11	8,650,358	----a-w	C:\WINDOWS\system32\drivers\SysLib.sys
2007-12-10 05:11	32,677	----a-w	C:\WINDOWS\system32\drivers\BkavAuto.sys
2007-11-30 04:05	---------	d-----w	C:\Program Files\Windows Media Connect 2
2007-11-30 04:05	---------	d-----w	C:\Program Files\SymNetDrv
2007-11-30 04:05	---------	d-----w	C:\Program Files\RingVoiz Dialer
2007-11-30 04:05	---------	d-----w	C:\Program Files\QuickTime
2007-11-30 04:05	---------	d-----w	C:\Program Files\Easy Internet signup
2007-11-30 04:05	---------	d-----w	C:\Program Files\D-Tools
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\Common Files\Autodesk Shared
2007-11-30 04:05	---------	d-----w	C:\Program Files\AVIcodec
2007-11-30 04:05	---------	d-----w	C:\Program Files\AutoCAD 2006
2007-11-30 04:04	---------	d-----w	C:\Program Files\Norton AntiVirus
2007-11-30 04:04	---------	d-----w	C:\Program Files\mtd2002
2007-11-30 04:04	---------	d-----w	C:\Program Files\Microsoft Works
2007-11-30 04:04	---------	d-----w	C:\Program Files\iTunes
2007-11-26 04:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-26 03:59	---------	d-----w	C:\Program Files\Yahoo!
2007-11-26 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-14 05:06	---------	d-----w	C:\Program Files\Symantec
2007-11-14 02:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-13 06:52	289,280	----a-w	C:\WINDOWS\system32\libcurl.dll
2007-10-26 03:34	8,460,288	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
2006-04-05 06:09	92,976	----a-w	C:\Documents and Settings\John Trang\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [email protected]_21.26.14.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-19 08:35:15	29,696	----a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-19 08:35:15	18,944	----a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-19 08:35:15	65,024	----a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-12-19 14:25:32	16,384	----atw	C:\WINDOWS\TEMP\Perflib_Perfdata_498.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 04:18	136312	--a------	C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 13:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 12:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 12:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 08:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 08:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 16:19]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 17:34]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 06:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-06 11:44:23]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc []
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc []
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 14:34:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 06:37:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?9?1?0??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 6:38:00
.
2007-12-07 03:56:04	--- E O F ---

=====================================
New HiJackThis
=====================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:27 AM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John Trang\My Documents\Kills\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5387 bytes


----------
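A small triage pass over a log in the HijackThis format shown in the thread, as an added example that is not part of the thread, of HijackThis or of any of the tools used here. It walks the "Running processes" block and the O4 (Run keys) and O23 (services) entries, pulls the executable path out of each line (including the quoted-directory form `"C:\Program Files\x"\y.exe`), and flags the three things a helper reads a log for first: a filename one edit away from a core Windows binary, a core binary name launched from somewhere other than the Windows directories, and anything launched from a user-writable or temp location, plus O23 services with no vendor string. The sample log lines, the list of core binaries, the directory rules and the single-edit lookalike rule are all constructed assumptions of this example, not from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed allow-list of core Windows XP binaries (example data, not from the page).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe", "wscntfy.exe",
}
# Only these directories are accepted for a file carrying a core-binary name.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}
# Path fragments treated as user-writable (assumption for this example).
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\application data\\")

PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|com|scr|bat|pif)", re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Constructed sample in the HijackThis v2 layout; the suspicious entries are invented.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spoolv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Helper Service - Unknown owner - C:\WINDOWS\Temp\svchost.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: str


def extract_path(line: str) -> Optional[str]:
    """First drive-letter path ending in an executable extension; quotes are dropped
    so the odd '"C:\\dir"\\file.exe' form still yields one path."""
    m = PATH_RE.search(line.replace('"', ""))
    return m.group(0) if m else None


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch svch0st.exe / spoolv.exe style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path: str, line: str) -> List[Finding]:
    low = path.lower()
    directory, name = low.rsplit("\\", 1)
    found = []
    if name in SYSTEM_BINARIES:
        if directory not in SYSTEM_DIRS:
            found.append(Finding("system binary name outside Windows directory", path, line))
    else:
        for known in sorted(SYSTEM_BINARIES):
            if levenshtein(name, known) == 1:
                found.append(Finding("lookalike of " + known, path, line))
                break
    if any(w in low for w in USER_WRITABLE):
        found.append(Finding("runs from user-writable location", path, line))
    return found


def triage(log_text: str) -> List[Finding]:
    """Scan the process list plus O4/O23 entries and return every rule hit."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # the process block ends at the first blank line
            continue
        if in_processes or line.startswith(("O4 ", "O23 ", "O20 ", "O2 ")):
            path = extract_path(line)
            if path:
                findings.extend(check_path(path, line))
        m = O23_RE.match(line)
        if m and m.group(2).lower() == "unknown owner":
            findings.append(Finding("service with no vendor string", m.group(3), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:45s} {f.path}")
```

Each hit is a lead to verify by hand (file properties, publisher signature, creation time against the date the problem started), not a verdict; legitimate vendor software does occasionally live in odd places, and a lookalike rule with a single-edit threshold will also trip on some harmless names.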



## Jintan (Oct 4, 2007)

That service stopped is likely what I am seeing reflected in the log results, so should be okay. The logs suggest something was just installed, but I am not getting a handle on what from the files shown. Skype has recent activity - did you just install or modify that? Tough one on a system with bandwidth problems at the outset if so.

That is fine you ran AVG, and it looks like no malware was found by either. Any issues right now we need to check out? You do need to update your very vulnerable older Java there, so post back how things are running and do these steps as well:

Go to Add/Remove Programs in Control Panel and uninstall all versions of Java/JRE (Sun Java Runtime Environment/J2SE Runtime Environment) and reboot. When you have done that, go here and download and install the latest version of Sun Java *Java Runtime Environment (JRE) 6 Update 3*. The current file name for that is jre-6u3-windows-i586-p.exe. Then reboot after.


----------



## jtrang (Dec 6, 2007)

Hello Jintan,

Thank you so much for all your help!! I certainly will make a donation and it is well worth the money!!
There need to be more services like techguy for people who are being attacked everyday from all these vicious viruses. You made my holidays!! Thanks again. Well wishes to you and your family!

I recently used Skype after a few months off and I guess it updated with a new version.
I updated to the new JRE 6 Update 3. Things seem to be back to how they were before the attack.

Merry Christmas and Happy New Year!


----------



## Jintan (Oct 4, 2007)

I am surely glad to be of assistance, and thank you for the kind greetings as well. You can delete any files/folders of tools we used here. To have ComboFix remove its files/folders and undo some changes it made, go to Start - Run, type the following then OK:

*ComboFix /u*

Then a good idea would be to reset the System Restore now. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.


----------

