01-Feb-2008, 07:27 PM, #1
Malware-Desktop Icons/System Won't Respond

My father's computer is having problems that appear to be malware. His system is running very slow. When clicking on icons after a period of time of using the computer, an error message would say something like "not connected to a program". He is running Windows Vista on an HP Pavilion PC. I was able to run the Combofix.exe on his computer with the following results:

ComboFix 08-02.01.6 - HP_Owner 2008-02-01 18:28:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.288 [GMT -6:00]
Running from: C:\Users\HP_Owner\Desktop\dad.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://epg.tvdownload.microsoft.com
hxxp://origin.onecare.live.com
.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 23:08 --------- d-----w C:\ProgramData\Google Updater
2008-02-01 21:45 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-01 21:37 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2008-01-25 15:31 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-01-25 15:31 --------- d-----w C:\ProgramData\CA
2008-01-25 15:31 --------- d-----w C:\Program Files\InterMute
2008-01-25 15:31 --------- d-----w C:\Program Files\Google
2008-01-25 15:31 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-22 23:15 --------- d-----w C:\Program Files\Audit Support Center
2008-01-18 16:31 --------- d-----w C:\Users\HP_Owner\AppData\Roaming\Intuit
2008-01-18 16:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 16:22 --------- d-----w C:\Program Files\TurboTax
2008-01-12 13:23 --------- d-----w C:\Program Files\Trend Micro
2008-01-11 01:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-11 01:17 --------- d-----w C:\Program Files\Windows Mail
2008-01-11 01:13 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-11 01:13 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-11 01:13 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-11 01:13 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-11 01:13 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-11 01:11 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-11 01:11 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-11 01:11 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-11 01:11 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-11 01:11 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-11 01:11 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-11 01:10 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-11 01:10 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-11 01:10 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-11 01:10 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-11 01:10 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-01-11 01:10 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-11 01:10 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-11 01:09 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-07 10:01 --------- d-----w C:\ProgramData\HP
2008-01-03 23:09 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-01-03 15:02 --------- d-----w C:\Users\HP_Owner\AppData\Roaming\Image Zone Express
2007-12-14 02:06 --------- d-----w C:\Users\HP_Owner\AppData\Roaming\QuickVerse11
2007-12-14 02:06 --------- d-----w C:\Program Files\QuickVerse 2007
2007-12-13 09:05 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 09:05 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 09:05 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 09:04 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 09:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 09:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 09:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 09:03 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 09:03 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 09:03 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 09:03 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 09:01 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 09:01 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-11-18 09:01 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-15 09:04 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 09:04 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-15 09:04 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-15 09:03 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 09:03 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 09:03 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-15 09:03 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-15 09:03 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-15 09:03 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-15 09:03 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-15 09:02 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-15 09:02 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-10-12 22:11 126,072 ----a-w C:\Users\HP_Owner\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-08-30 09:54 174 --sha-w C:\Program Files\desktop.ini
2007-01-26 20:00 396,800 ----a-w C:\Windows\Internet Logs\xDB14.tmp
2007-01-26 20:00 2,718,720 ----a-w C:\Windows\Internet Logs\xDB13.tmp
2006-12-29 23:56 118,784 ----a-w C:\Windows\Internet Logs\xDB12.tmp
2006-12-29 23:48 2,576,896 ----a-w C:\Windows\Internet Logs\xDB11.tmp
2006-12-22 22:44 2,516,480 ----a-w C:\Windows\Internet Logs\xDBF.tmp
2006-12-22 19:52 57,856 ----a-w C:\Windows\Internet Logs\xDB10.tmp
2006-12-18 20:29 1,031,168 ----a-w C:\Windows\Internet Logs\xDBE.tmp
2006-12-18 17:54 2,521,600 ----a-w C:\Windows\Internet Logs\xDBD.tmp
2006-09-22 23:51 1,918,976 ----a-w C:\Windows\Internet Logs\xDBB.tmp
2006-09-22 16:53 445,440 ----a-w C:\Windows\Internet Logs\xDBC.tmp
2006-08-07 22:22 221,184 ----a-w C:\Windows\Internet Logs\xDBA.tmp
2006-08-07 22:22 1,890,304 ----a-w C:\Windows\Internet Logs\xDB9.tmp
2006-07-18 21:19 650,752 ----a-w C:\Windows\Internet Logs\xDB8.tmp
2006-07-18 21:19 1,856,512 ----a-w C:\Windows\Internet Logs\xDB6.tmp
2006-05-28 01:10 1,717,248 ----a-w C:\Windows\Internet Logs\xDB5.tmp
2006-05-27 19:06 492,544 ----a-w C:\Windows\Internet Logs\xDB7.tmp
2006-04-12 23:24 1,663,488 ----a-w C:\Windows\Internet Logs\xDB2.tmp
2006-04-12 12:57 89,600 ----a-w C:\Windows\Internet Logs\xDB4.tmp
2006-04-05 21:07 1,604,608 ----a-w C:\Windows\Internet Logs\xDB39.tmp
2006-04-05 18:13 172,544 ----a-w C:\Windows\Internet Logs\xDB3A.tmp
2006-03-22 22:24 244,736 ----a-w C:\Windows\Internet Logs\xDB3.tmp
2006-03-22 22:24 1,538,560 ----a-w C:\Windows\Internet Logs\xDB1.tmp
2006-02-13 23:34 146 ----a-w C:\Users\HP_Owner\AppData\Roaming\wklnhst.dat
2005-05-12 05:36 12,288 ----a-w C:\Windows\Fonts\RandFont.dll
2005-04-15 17:46 0 --sha-w C:\Windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-12-11 09:42 67112]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2005-01-26 03:43 722712]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-11 02:01 1006264]
"VTTimer"="C:\hp\patches\51WW1VIA\src\VTTimer.exe" [2004-10-23 05:53 53248]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-10-21 18:27 32881]
"SiSPower"="SiSPower.dll" [2004-09-24 10:49 49152 C:\Windows\System32\SiSPower.dll]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-11-04 15:15 20480]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 11:03 36864 C:\Windows\System32\P0620Pin.dll]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 22:54 253952]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 20:38 286720]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 23:55 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24 54840]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [1998-11-30 18:04 497376]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-12 10:29 29744]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 13:21 198184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59 224248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
PDF-Capture.lnk - C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe [2005-07-29 18:05:56 61440]
TabUserW.exe.lnk - C:\Windows\System32\Wtablet\TabUserW.exe [2003-12-04 10:48:40 77824]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-21 20:25:38 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-12 10:29]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 23:53:01 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 18:31:27
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-01 18:32:34
ComboFix-quarantined-files.txt 2008-02-02 00:32:30
.
2008-01-11 01:14:16 --- E O F ---

Last edited by johnpittman; 01-Feb-2008 at 08:57 PM. Reason: Was able to get an updated Combofix file instead of two days old.

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

