Sorry for the delay with this report.
bmorrisey
ComboFix 09-04-04.01 - Owner 2009-04-05 15:52:16.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.90 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\lsass.exe . . . is infected!!
c:\windows\system32\services.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.
2009-04-01 20:33 . 2009-04-01 20:33 <DIR> d-------- C:\New Folder
2009-04-01 17:40 . 2009-04-01 17:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-01 17:39 . 2009-04-01 17:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 17:39 . 2009-04-01 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 17:39 . 2009-03-26 17:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 17:39 . 2009-03-26 17:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-30 08:12 . 2009-03-30 14:53 342,048 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-30 08:12 . 2009-03-30 18:00 90,656 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-03-30 08:12 . 2009-03-30 08:12 32 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-03-30 08:12 . 2009-03-30 08:12 32 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-28 22:42 . 2009-03-31 06:14 <DIR> d-------- c:\documents and settings\Owner\Application Data\DMCache
2009-03-28 22:28 . 2009-03-28 22:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-28 17:24 . 2009-03-28 17:25 <DIR> d--h----- c:\windows\msdownld.tmp
2009-03-28 12:49 . 2009-04-05 06:45 <DIR> d-------- c:\program files\RegCure
2009-03-15 08:07 . 2009-03-15 08:07 <DIR> d-------- c:\program files\alot
2009-03-15 08:07 . 2009-03-31 18:17 <DIR> d-------- c:\documents and settings\Owner\Application Data\alot
2009-03-09 15:55 . 2009-03-09 15:55 <DIR> d-------- c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 21:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-05 20:40 3,836 ----a-w c:\windows\viassary-hp.reg
2009-04-04 00:00 --------- d-----w c:\program files\Norton Security Scan
2009-04-02 11:41 --------- d-----w c:\program files\LimeWire
2009-04-02 11:38 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-04-01 22:03 --------- d-----w c:\program files\iTunes
2009-04-01 22:03 --------- d-----w c:\program files\iPod
2009-04-01 11:18 --------- d-----w c:\program files\DefenderPro
2009-03-31 20:02 --------- d-----w c:\program files\Google
2009-03-30 23:32 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-30 23:31 --------- d-----w c:\documents and settings\All Users\Application Data\Defender Pro
2009-03-28 17:58 --------- d-----w c:\program files\Java
2009-03-28 12:29 --------- d-----w c:\program files\Norton AntiVirus
2009-03-25 14:01 --------- d-----w c:\program files\Defender Pro
2009-03-19 22:15 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-18 21:47 --------- d-----w c:\program files\Easy Internet signup
2003-08-29 03:16 32 --sha-w c:\windows\{14B431FF-99E9-4C1E-8574-051F227CB5BD}.dat
2004-08-04 06:56 164,746 --sha-r c:\windows\system32\xlnia.dll
2003-08-29 03:16 32 --sha-w c:\windows\system32\{C6B785D4-A2EC-4320-AADD-7778E174E81D}.dat
.
------- Sigcheck -------
2002-08-29 07:00 19968 9f0f424bb86399b7ebf0a4f8de995971 c:\windows\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 21504 fcd11649990452c980ba484d419f1d0b c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 21504 8d1d5cc770ac5cb902157b0da960f53d c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\svchost.exe
2004-08-04 01:56 21504 fcd11649990452c980ba484d419f1d0b c:\windows\system32\svchost.exe
2004-08-04 01:56 1039360 33d337a321dddd16890dbe1ae432ccfd c:\windows\explorer.exe
2002-08-29 07:00 1011200 7b9524db853dabdb4d1f7a35cf052b4a c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1039360 33d337a321dddd16890dbe1ae432ccfd c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 19:12 1040896 603c0b1963f1e772dfaa79db5e5514d4 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe
2002-08-29 07:00 108544 cfd63f340a8bcfce1a262099c6f8d1ea c:\windows\$NtServicePackUninstall$\services.exe
2004-08-04 01:56 115200 985af5b81798a7b5e0a2744178929e50 c:\windows\ServicePackFiles\i386\services.exe
2008-04-13 19:12 115712 61a0b116be06417948656475feab2178 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\services.exe
2004-08-04 01:56 115200 985af5b81798a7b5e0a2744178929e50 c:\windows\system32\services.exe
2002-08-29 07:00 18944 2a8f517634ee220827ef916debf9161c c:\windows\$NtServicePackUninstall$\lsass.exe
2004-08-04 01:56 20480 46ef5da4090259cc4eb0e66787cb3ac6 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 19:12 20480 5f4b463fbc3a68b400066d4751a3995e c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\lsass.exe
2004-08-04 01:56 20480 46ef5da4090259cc4eb0e66787cb3ac6 c:\windows\system32\lsass.exe
2002-08-29 07:00 20480 3250464487bb0e29467d223d2861d691 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 01:56 22528 e7823e952793139432825a42c0e94b1b c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 22528 c0f902097f3c674839d820f1c2ecd878 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\ctfmon.exe
2004-08-04 01:56 22528 e35aa8079683c53876761197b43c8ae9 c:\windows\system32\ctfmon.exe
2002-08-29 07:00 58368 6ff5476ad381d1e2e14a614f487a1b59 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 01:56 65024 c5a9946dd08c140c7582fba601b52641 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 65024 63bb017eaca8454035628bdcf1b4f2f9 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\spoolsv.exe
2004-08-04 01:56 65024 c5a9946dd08c140c7582fba601b52641 c:\windows\system32\spoolsv.exe
2002-08-29 07:00 146944 2acf005cc1d4f1f3f13cf708a086801f c:\windows\$NtServicePackUninstall$\wuauclt.exe
2004-08-04 01:56 118272 b7809b29572c73b24fab9dcb3c3c9162 c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-04-13 19:12 118272 417ee48e745fb277ce3d347253d528c3 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\wuauclt.exe
2004-08-04 01:56 118272 38b0ccab300128a08e4cbd615de1028c c:\windows\system32\wuauclt.exe
2002-08-29 07:00 29184 d5312b133560aa2cff2f6360a1384544 c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 01:56 31744 13058a63f29ba8cb5c8a295b8fbd4209 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 33280 13a0ea68a71c51931a89cd7d1c3d39bf c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\userinit.exe
2004-08-04 01:56 31744 5ab6099859b3b5a02bdc9f518cba3b2f c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-02_ 8.48.33.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 02:02:28 174,080 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 174,080 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 14:00:00 38,912 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 38,912 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 14:00:00 169,472 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 169,472 ----a-w c:\windows\SWREG.exe
- 2009-04-02 14:40:46 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-05 20:59:26 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-02 14:40:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-05 20:59:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-02 14:40:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-05 20:59:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-21 10:10:42 53,436 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-05 11:50:04 53,436 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-21 10:10:42 381,692 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-05 11:50:04 381,692 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-05 21:00:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-22 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1674752]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 208959]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 22528]
"NVIEW"="nview.dll" [2003-05-03 c:\windows\system32\nview.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 59904]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 122880]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-14 57344]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 57344]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 491520]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 69632]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-08-23 159789]
"AutoTKit"="c:\hp\bin\AUTOTKIT.EXE" [2003-06-18 66092]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 221184]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 90112]
"NAV CfgWiz"="c:\progra~1\NORTON~1\Cfgwiz.exe" [2002-11-15 476792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 54976]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 59072]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 147456]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-06-17 126976]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-02-24 61440]
"KEMailKb"="c:\progra~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 409600]
"KPDrv4XP"="c:\progra~1\MICROI~1\INTERN~1\KPDrv4XP.EXE" [2005-02-21 49152]
"LaunchAntiSpy"="c:\program files\DefenderPro\TSAntiSpy.exe" [2007-03-07 1564672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 421888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-28 148888]
"nwiz"="nwiz.exe" [2003-05-03 c:\windows\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 c:\windows\ALCXMNTR.EXE]
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoTBar.exe [2003-06-18 66092]
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 34304]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Media Player.lnk - c:\program files\Adobe Media Player\Adobe Media Player.exe [2008-11-02 267264]
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2003-08-23 36864]
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-08-28 561152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-06-13 241664]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-09-20 61440]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 05:50 40960 c:\program files\Softex\OmniPass\OPXPGina.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6178:TCP"= 6178:TCP
fjktbR2 HIDKbFlt;HIDKbFlt.SvcDesc%;c:\windows\system32\drivers\HIDKbFlt.sys [2005-07-25 23680]
S2 mrtRate;mrtRate; [x]
S2 zzykti;System Support;c:\windows\system32\svchost.exe -k netsvcs [2003-08-08 21504]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zzykti
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2009-01-17 c:\windows\Tasks\AntiSpy.job
- c:\program files\DefenderPro\TSAntiSpy.exe [2007-03-07 07:41]
2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
2009-03-18 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2003-05-23 18:13]
2009-04-04 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-11 21:20]
2009-04-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]
2009-04-05 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]
2009-04-05 c:\windows\Tasks\WebReg officejet 4300 series.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2002-12-11 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://us9.hpwis.com/
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: SpSubLSP.dll
TCP: {848426D5-804E-4366-AAC3-C23C5DC578CA} = 216.49.224.10 216.49.224.11
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 16:01:14
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zzykti]
"ServiceDll"="c:\windows\system32\xlnia.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\klogon.dll
c:\program files\Softex\OmniPass\opxpgina.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\SpSubLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton AntiVirus\Navapsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Softex\OmniPass\omniServ.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2009-04-05 16:07:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 21:07:42
ComboFix2.txt 2009-04-04 13:59:49
ComboFix3.txt 2009-04-04 13:17:41
ComboFix4.txt 2009-04-04 12:54:23
ComboFix5.txt 2009-04-05 20:51:07
Pre-Run: 90,392,190,976 bytes free
Post-Run: 90,164,535,296 bytes free