
Malware problems.. hijack this and combofix log incl.

Discussion in 'Windows - Virus and spyware problems' started by latino209, Mar 22, 2008.

Thread Status:
Not open for further replies.
  1. latino209 (Regular member)
    I bought this computer from a friend of mine who was moving to Mexico, and it had some malware that makes the computer run slow... I scanned with various things but it's still slow...



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:48:50 AM, on 3/22/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - Startup: Compaq Organize.lnk = ?
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O23 - Service: McAfee Application Installer Cleanup (0294291206169266) (0294291206169266mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\029429~1.EXE (file missing)
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

    --
    End of file - 6925 bytes

    ComboFix 08-03-22.1 - Owner 2008-03-22 11:08:01.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.80 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\microsoft shared\web folders\ibm00004.dll
    C:\Program Files\Common Files\microsoft shared\web folders\ibm00005.dll
    C:\Program Files\Common Files\microsoft shared\web folders\ibm00005.exe
    C:\Program Files\Common Files\microsoft shared\web folders\ibm00006.dll
    C:\Program Files\security toolbar
    C:\Program Files\security toolbar\Uninstall.bat
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
    .

    2008-03-22 11:02 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2008-03-22 11:02 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2008-03-22 11:02 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-03-22 11:02 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-03-22 11:02 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2008-03-22 11:02 . 2004-08-03 14:03 167,704 --a------ C:\WINDOWS\system32\wuaucpl.cpl.wusetup.655687.bak
    2008-03-22 11:02 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2008-03-22 11:02 . 2004-08-03 13:59 39,704 --a------ C:\WINDOWS\system32\wups.dll
    2008-03-22 11:00 . 2008-03-22 11:04 <DIR> d-------- C:\WINDOWS\LastGood
    2008-03-22 10:58 . 2008-03-22 10:58 2,095 --a------ C:\WINDOWS\system32\Config.MPF
    2008-03-22 02:06 . 2008-03-22 02:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2008-03-22 02:05 . 2008-03-22 02:06 <DIR> d-------- C:\Program Files\SiteAdvisor
    2008-03-22 02:05 . 2008-03-22 02:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
    2008-03-22 02:05 . 2008-03-22 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-03-22 02:04 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2008-03-22 02:01 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-03-22 02:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-03-22 02:01 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-03-22 02:01 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2008-03-22 02:01 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-03-22 02:01 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2008-03-22 02:00 . 2008-03-22 02:00 <DIR> d-------- C:\Program Files\McAfee.com
    2008-03-22 01:59 . 2008-03-22 02:05 <DIR> d-------- C:\Program Files\McAfee
    2008-03-22 01:59 . 2008-03-22 02:01 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-03-22 01:44 . 2008-03-22 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-03-22 01:17 . 2002-12-12 03:34 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-03-22 01:16 . 2004-02-10 20:50 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
    2008-03-22 01:15 . 2008-03-22 01:15 4,132 -rahs---- C:\WINDOWS\system32\drivers\HP_PC182A-ABA SR1103WM NA430_YC_Pres_QCNC426_E43NAheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.11_T040517_WXH1_L409_M248_J40_7Intel_8Celeron_92.53_1_N10EC8139_P_Z11C1048C_K_A808624C5.MRK
    2008-03-22 01:12 . 2004-04-02 05:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
    2008-03-22 01:12 . 2004-04-03 03:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
    2008-03-22 01:12 . 2004-04-02 20:28 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
    2008-03-22 01:11 . 2004-03-05 21:16 1,194,496 --a--c--- C:\WINDOWS\system32\dllcache\comsvcs.dll
    2008-03-22 01:09 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
    2008-03-22 01:09 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2008-03-22 01:07 . 2002-08-29 02:06 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
    2008-03-22 01:07 . 2002-08-29 01:27 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
    2008-03-22 01:04 . 2001-08-17 16:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-03-22 01:04 . 2001-08-17 17:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-03-21 23:27 . 2008-03-22 11:04 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-22 15:57 3,888 ----a-w C:\WINDOWS\viassary-hp.reg
    2008-03-22 06:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-22 06:43 --------- d-----w C:\Program Files\Quicken
    2008-03-22 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-03-22 06:37 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
    2008-03-22 06:36 --------- d-----w C:\Program Files\Easy Internet signup
    2008-03-22 06:34 --------- d-----w C:\Program Files\Altnet
    2008-03-22 06:22 --------- d-----w C:\Program Files\NoAdware4
    2008-03-22 06:20 --------- d-----w C:\Program Files\InterMute
    2008-03-22 06:15 4,132 --sha-r C:\WINDOWS\system32\drivers\HP_PC182A-ABA SR1103WM NA430_YC_Pres_QCNC426_E43NAheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.11_T040517_WXH1_L409_M248_J40_7Intel_8Celeron_92.53_1_N10EC8139_P_Z11C1048C_K_A808624C5.MRK
    2008-03-22 04:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-04-02 03:49 32881]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 20:51 118784]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-02 04:43 151597]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-16 22:16 229376]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-13 23:43 233472]
    "VTTimer"="VTTimer.exe" []
    "AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 22:34 88363 C:\WINDOWS\AGRSMMSG.exe]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 22:13 98304]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 23:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
    "Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-12-18 02:31 118784]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57 36640]
    "McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Compaq Organize.lnk - C:\Program Files\Hewlett-Packard\Compaq Organize\bin\displayAgent.exe [2004-04-02 19:02:10 36864]
    IMStart.lnk - C:\Program Files\InterMute\IMStart.exe [2004-04-02 05:02:27 57344]
    SpamSubtract.lnk - C:\Program Files\InterMute\SpamSubtract\SpamSub.exe [2006-10-31 10:44:16 589824]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-04-02 19:04:03 16384]
    PopSubtract.lnk - C:\Program Files\InterMute\PopSubtract\PopSub.exe [2006-10-31 10:43:52 233472]
    SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\spysub.exe [2006-10-31 10:44:13 983040]

    S2 0294291206169266mcinstcleanup;McAfee Application Installer Cleanup (0294291206169266);C:\DOCUME~1\Owner\LOCALS~1\Temp\029429~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

    *Newly Created Service* - 0294291206169266MCINSTCLEANUP
    *Newly Created Service* - IPFILTERDRIVER
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-22 06:46:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2008-03-22 07:00:48 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-03-22 07:00:46 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-22 11:13:29
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-03-22 11:15:33
    ComboFix-quarantined-files.txt 2008-03-22 16:15:22
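A small triage script for the HijackThis log above, added here as an example; it is not part of the original post and not code from HijackThis or ComboFix. It parses the R0/R1/O2/O4/O9/O23 lines and flags the patterns a log reader checks first: entries marked `(file missing)`, a service whose binary sits under a Temp directory (the `0294291206169266mcinstcleanup` entry), Run values that are a bare filename such as `VTTimer.exe` and so get resolved through the search path, unresolved startup shortcuts (`Compaq Organize.lnk = ?`), and start/search URLs whose host is not on an allowlist. The `KNOWN_HOSTS` allowlist is an assumption for this OEM build, and the extra `search.example.net` line in the sample is constructed for the example, not taken from the posted log.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log above, plus one
# constructed R1 line (search.example.net) that is NOT in that log, so the
# browser-setting check has something to flag.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/?q=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - Startup: Compaq Organize.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0294291206169266) (0294291206169266mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\029429~1.EXE (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"Run: \[[^\]]*\] (?P<cmd>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Hosts this OEM (Compaq/HP) XP build legitimately points IE at; an assumption
# made for the example, not a list HijackThis ships with.
KNOWN_HOSTS = {"ie.redirect.hp.com", "go.microsoft.com"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every R*/O* line; process lists etc. are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def run_command(body: str) -> Optional[str]:
    """Executable part of an O4 Run value ('"C:\\x y.exe" -flag' -> 'C:\\x y.exe')."""
    m = RUN_RE.search(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def url_host(body: str) -> Optional[str]:
    """Host of the URL in an R0/R1 entry; None for local paths like \\blank.htm."""
    _, sep, url = body.partition(" = ")
    return urlparse(url.strip()).hostname if sep else None


def triage(log: str) -> List[Finding]:
    """Return the entries a reviewer should look at first, each with its reason."""
    findings: List[Finding] = []
    for section, body in parse_entries(log):
        entry = f"{section} - {body}"
        if "(file missing)" in body:
            findings.append(Finding(section, "references a file that no longer exists", entry))
        if section == "O23" and TEMP_RE.search(body):
            findings.append(Finding(section, "service binary lives under a Temp directory", entry))
        if section == "O4":
            exe = run_command(body)
            if exe is not None and "\\" not in exe and ":" not in exe:
                findings.append(Finding(section, "bare filename resolved via the search path; confirm which copy runs", entry))
            if body.endswith(".lnk = ?"):
                findings.append(Finding(section, "startup shortcut whose target HijackThis could not resolve", entry))
        if section in ("R0", "R1"):
            host = url_host(body)
            if host and host not in KNOWN_HOSTS:
                findings.append(Finding(section, f"browser setting points at unrecognised host {host}", entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Every hit means "look", not "malicious": the `0294291206169266mcinstcleanup` service is a McAfee installer leftover whose Temp binary is already gone, and the bare `AGRSMMSG.exe` and `ALCXMNTR.EXE` values resolve to `C:\WINDOWS` according to the running-process list, which is where those OEM modem and audio helpers live. What a HijackThis parse cannot show is the ComboFix side: the `ibm0000x` files under `web folders`, the `security toolbar` directory and `D:\Autorun.inf` were removed by ComboFix, so the follow-up check after a reboot is whether any of them reappear.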
     