Author Topic: Agent trojan  (Read 1467 times)
fabuliz
« on: October 12, 2007, 03:54:16 PM »

Hi,
I accidentally subjected my system to some malware. :(
Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:08 AM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\vMW15a\vMW15a2157.exe
C:\Program Files\Web Buying\v1.8.5\webbuying.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://waltwhitmancenter.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18DD0883-E382-402C-8DE1-95961FC5292A} - C:\Program Files\MSN\metocom4444.dll
O2 - BHO: 0 - {49C5559C-A803-4EEB-CCBD-538ED1A44A76} - C:\Program Files\Internet Explorer\qugavanah538.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8d704dad-3c28-4cd1-a19d-2de4245a795b} - C:\WINDOWS\system32\ybmysmt.dll
O2 - BHO: (no name) - {97F334CF-95B8-47A2-9B71-3A80DC6AF9CE} - C:\Program Files\MSN\metocom83122.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkinnlyo.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waltwhitmancenter.org
O17 - HKLM\Software\..\Telephony: DomainName = waltwhitmancenter.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = waltwhitmancenter.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = waltwhitmancenter.org
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8966 bytes

Please help!
Thank you.
fabuliz

 
Pancake
« Reply #1 on: October 13, 2007, 12:22:13 AM »

Please download Combofix from HERE or HERE


Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
fabuliz
« Reply #2 on: October 15, 2007, 03:23:02 PM »

Thanks for your help, Pancake.
Before I received your reply I ran Housecall and Adaware on my system.
Here is the ComboFix Log:
ComboFix 07-10-14.5 - lspencer 2007-10-15 11:14:02.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.523 [GMT -4:00]
Running from: C:\Documents and Settings\lspencer\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MSN\metocom4444.dll
C:\Program Files\MSN\metocom83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\h1\wr12drver.exe
C:\WINDOWS\system32\p1
C:\WINDOWS\system32\q21

.
(((((((((((((((((((((((((   Files Created from 2007-09-15 to 2007-10-15  )))))))))))))))))))))))))))))))
.

2007-10-15 11:08   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-10-12 14:54   <DIR>   d--------   C:\Documents and Settings\lspencer\.housecall6.6
2007-10-12 14:54   102,664   --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-12 11:42   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-11 15:16   421,888   --a------   C:\WINDOWS\system32\bkinnlyo.dll
2007-10-11 15:16   118,784   --a------   C:\WINDOWS\system32\artchker.exe
2007-10-11 15:16   45,056   --a------   C:\WINDOWS\system32\katzppd.exe
2007-10-11 15:16   45,056   --a------   C:\WINDOWS\system32\katzpbnua.exe
2007-10-11 15:16   44,922   --a------   C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-11 15:15   <DIR>   d--------   C:\WINDOWS\system32\kat1
2007-10-11 15:15   <DIR>   d--------   C:\WINDOWS\system32\ipd2
2007-10-11 15:14   <DIR>   d--------   C:\WINDOWS\system32\vMW15a
2007-10-11 15:14   <DIR>   d--------   C:\Temp
2007-10-09 20:39   582,656   ---------   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 11:52   <DIR>   d--------   C:\Program Files\DivX
2007-09-28 12:08   156,992   --a------   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 12:07   3,596,288   --a------   C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 12:07   1,044,480   --a------   C:\WINDOWS\system32\libdivx.dll
2007-09-28 12:07   524,288   --a------   C:\WINDOWS\system32\DivXsm.exe
2007-09-28 12:07   200,704   --a------   C:\WINDOWS\system32\ssldivx.dll
2007-09-20 10:38   <DIR>   d--------   C:\Documents and Settings\lspencer\Application Data\Viewpoint
2007-09-18 15:28   <DIR>   d--------   C:\Documents and Settings\lspencer\Application Data\acccore
2007-09-18 15:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-18 15:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\AOL
2007-09-18 15:24   <DIR>   d--------   C:\Program Files\Viewpoint
2007-09-18 15:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-18 15:23   <DIR>   d--------   C:\Program Files\Common Files\AOL
2007-09-18 15:23   <DIR>   d--------   C:\Program Files\AIM6
2007-09-18 15:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\AOL Downloads

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 15:48   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\Azureus
2007-10-10 23:02   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-05 19:33   ---------   d-----w   C:\Program Files\Azureus
2007-10-02 14:32   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\Move Networks
2007-09-28 16:07   9,464   ------w   C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-28 16:07   9,336   ------w   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-28 16:07   43,528   ------w   C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-26 19:44   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-09-20 13:52   102,400   ----a-w   C:\WINDOWS\system32\drivers\cavasm.sys
2007-09-17 17:51   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\Apple Computer
2007-09-11 16:13   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\U3
2007-08-29 17:55   ---------   d-----w   C:\Program Files\JupiterClub
2007-08-23 14:09   ---------   d-----w   C:\Program Files\Java
2007-06-20 15:20   22,864   ----a-w   C:\Documents and Settings\lspencer\Application Data\GDIPFONTCACHEV1.DAT
2007-07-03 16:28:56   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007070320070704\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8d704dad-3c28-4cd1-a19d-2de4245a795b}]
         C:\WINDOWS\system32\ybmysmt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]
2007-10-11 15:16   421888   --a------   C:\WINDOWS\system32\bkinnlyo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-10 15:07]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2007-09-20 09:53]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 12:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"ArtChk"="C:\WINDOWS\system32\artchker.exe" [2007-10-11 15:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2006-03-20 16:22:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 2007-09-20 09:49 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
PRISMAPI.DLL 2005-12-22 22:08 450646 C:\WINDOWS\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1141\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1146\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1150\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1151\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1174\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1180\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-500\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ECenter"="c:\dell\E-Center\gtb.exe"
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe

R0 Cavasm;Cavasm;C:\WINDOWS\system32\DRIVERS\cavasm.sys
R2 Comodo Anti-Virus and Anti-Spyware Service;Comodo Anti-Virus and Anti-Spyware Service;"C:\Program Files\Comodo\common\CAVASpy\cavasm.exe"
R2 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE
R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f232e9b-20d6-11dc-9008-0014a581e700}]
AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 21:15:51 C:\WINDOWS\Tasks\1-Click Maintenance.job"
"2007-10-12 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (artistic-admin).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 11:18:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-15 11:22:02 - machine was rebooted
.
   --- E O F ---
Thanks again,
I will be awaiting your reply :)
fabuliz

 
Pancake
« Reply #3 on: October 15, 2007, 10:28:42 PM »


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:


Quote:
File::
C:\WINDOWS\system32\bkinnlyo.dll
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\katzpbnua.exe
C:\WINDOWS\system32\IKatzuUninstall.exe

Folder::
C:\WINDOWS\system32\kat1
C:\Documents and Settings\lspencer\Application Data\Viewpoint
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8d704dad-3c28-4cd1-a19d-2de4245a795b}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArtChk"=-


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.*
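As an added example (not code from this thread, HijackThis or ComboFix), here is the triage step Pancake does by hand above: a Python script that parses the O2 (BHO) and O4 (Run) lines of a HijackThis log, flags a BHO with no usable name or any binary loaded straight from system32 that is not on an allowlist, and drafts a CFScript in the File::/Registry:: layout used in the reply above. The sample lines are copied from the log in this thread; the allowlist KNOWN_SYSTEM32 is a constructed stand-in for one built from a clean reference machine, and the flagged list is a starting point for analyst review, not a verdict.

```python
import re
from collections import OrderedDict

# Constructed sample in HijackThis v2 format: six lines copied from the log
# posted in this thread, three benign and three that the thread's CFScript
# later removed.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18DD0883-E382-402C-8DE1-95961FC5292A} - C:\Program Files\MSN\metocom4444.dll
O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkinnlyo.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ArtChk] C:\WINDOWS\system32\artchker.exe
"""

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# First executable path in a command line, quoted or not; stopping at the
# extension keeps unquoted paths with spaces and trailing switches intact.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr))"?', re.IGNORECASE)

SYSTEM32 = r"c:\windows\system32"
# Constructed, deliberately tiny allowlist of binaries expected in system32;
# in practice it is built from a clean reference machine of the same build.
KNOWN_SYSTEM32 = {"ctfmon.exe"}

# Full key names behind HijackThis's abbreviated "HKLM\..\Run" / "HKCU\..\Run".
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


def parse_hjt(text):
    """Return the O2 (BHO) and O4 (Run) entries of a HijackThis log as dicts."""
    entries = []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]})
            continue
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            if exe:
                entries.append({"kind": "O4", "hive": m["hive"], "value": m["value"], "path": exe["path"]})
    return entries


def is_suspicious(name, path):
    """Triage rule: a BHO with no usable name, or any binary loaded straight
    from system32 that is not on the allowlist, needs analyst attention."""
    directory, _, base = path.rpartition("\\")
    if name is not None and (name == "(no name)" or not any(c.isalpha() for c in name)):
        return True
    return directory.lower() == SYSTEM32 and base.lower() not in KNOWN_SYSTEM32


def build_cfscript(entries):
    """Draft a ComboFix CFScript (File:: and Registry:: sections, in the layout
    used in this thread) for the flagged entries. Returns (flagged, script)."""
    flagged = [e for e in entries if is_suspicious(e.get("name"), e["path"])]
    if not flagged:
        return [], ""
    files, reg, run_values = [], [], OrderedDict()
    for e in flagged:
        if e["path"] not in files:
            files.append(e["path"])
        if e["kind"] == "O2":
            # "~" is ComboFix's shorthand for the BHO key, as in the script above;
            # the leading "-" deletes the whole CLSID subkey.
            reg.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}]" % e["clsid"])
        else:
            run_values.setdefault(RUN_KEYS[e["hive"]], []).append(e["value"])
    for key, values in run_values.items():
        # "<value>"=- removes just that value from the Run key.
        reg.append("[%s]\n%s" % (key, "\n".join('"%s"=-' % v for v in values)))
    script = "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n\n".join(reg) + "\n"
    return flagged, script


if __name__ == "__main__":
    flagged, script = build_cfscript(parse_hjt(SAMPLE_HJT_LOG))
    for e in flagged:
        print("review:", e["kind"], e["path"])
    print(script)
```

On the sample it flags the nameless MSN BHO, bkinnlyo.dll and artchker.exe and leaves the Adobe BHO, jusched.exe and ctfmon.exe alone; Folder:: entries such as the kat1 directory still need to be added by hand from the ComboFix log.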
fabuliz
« Reply #4 on: October 16, 2007, 04:15:41 PM »

Hi Pancake,
I followed your instructions. When I dragged the text file to the combofix icon it prompted me to run combofix which I did. It automatically rebooted when it was finished.
Here is the log:
ComboFix 07-10-14.5 - lspencer 2007-10-16 12:00:06.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.578 [GMT -4:00]
Running from: C:\Documents and Settings\lspencer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\lspencer\Desktop\CFScript.txt.txt
 * Created a new restore point

FILE::
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\system32\bkinnlyo.dll
C:\WINDOWS\system32\IKatzuUninstall.exe
C:\WINDOWS\system32\katzpbnua.exe
C:\WINDOWS\system32\katzppd.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\lspencer\Application Data\Viewpoint
C:\Documents and Settings\lspencer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\lspencer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\lspencer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\lspencer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\24244891.mtj&p2=1&p3=13605786005353833102950410930350&p4=50463258
C:\Documents and Settings\lspencer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\lspencer\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownloadedComponents\ComponentMgr_Win\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\system32\bkinnlyo.dll
C:\WINDOWS\system32\IKatzuUninstall.exe
C:\WINDOWS\system32\kat1
C:\WINDOWS\system32\kat1\IKtzudll2.exe
C:\WINDOWS\system32\katzpbnua.exe
C:\WINDOWS\system32\katzppd.exe

.
(((((((((((((((((((((((((   Files Created from 2007-09-16 to 2007-10-16  )))))))))))))))))))))))))))))))
.

2007-10-15 11:08   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-10-12 14:54   <DIR>   d--------   C:\Documents and Settings\lspencer\.housecall6.6
2007-10-12 14:54   102,664   --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-12 11:42   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-11 15:15   <DIR>   d--------   C:\WINDOWS\system32\ipd2
2007-10-11 15:14   <DIR>   d--------   C:\WINDOWS\system32\vMW15a
2007-10-11 15:14   <DIR>   d--------   C:\Temp
2007-10-09 20:39   582,656   ---------   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 11:52   <DIR>   d--------   C:\Program Files\DivX
2007-09-28 12:08   156,992   --a------   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 12:07   3,596,288   --a------   C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 12:07   1,044,480   --a------   C:\WINDOWS\system32\libdivx.dll
2007-09-28 12:07   524,288   --a------   C:\WINDOWS\system32\DivXsm.exe
2007-09-28 12:07   200,704   --a------   C:\WINDOWS\system32\ssldivx.dll
2007-09-18 15:28   <DIR>   d--------   C:\Documents and Settings\lspencer\Application Data\acccore
2007-09-18 15:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-18 15:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\AOL
2007-09-18 15:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-18 15:23   <DIR>   d--------   C:\Program Files\Common Files\AOL
2007-09-18 15:23   <DIR>   d--------   C:\Program Files\AIM6
2007-09-18 15:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\AOL Downloads

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 17:17   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-12 15:48   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\Azureus
2007-10-05 19:33   ---------   d-----w   C:\Program Files\Azureus
2007-10-02 14:32   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\Move Networks
2007-09-28 16:07   9,464   ------w   C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-28 16:07   9,336   ------w   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-28 16:07   43,528   ------w   C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-26 19:44   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-09-20 13:52   102,400   ----a-w   C:\WINDOWS\system32\drivers\cavasm.sys
2007-09-17 17:51   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\Apple Computer
2007-09-11 16:13   ---------   d-----w   C:\Documents and Settings\lspencer\Application Data\U3
2007-08-29 17:55   ---------   d-----w   C:\Program Files\JupiterClub
2007-08-23 14:09   ---------   d-----w   C:\Program Files\Java
2007-06-20 15:20   22,864   ----a-w   C:\Documents and Settings\lspencer\Application Data\GDIPFONTCACHEV1.DAT
2007-07-03 16:28:56   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007070320070704\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-10 15:07]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2007-09-20 09:53]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 12:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2006-03-20 16:22:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 2007-09-20 09:49 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
PRISMAPI.DLL 2005-12-22 22:08 450646 C:\WINDOWS\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1141\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1146\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1150\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1151\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1174\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-1180\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3449969929-2726385501-1374433946-500\Scripts\Logon\0\0]
"Script"=shared.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ECenter"="c:\dell\E-Center\gtb.exe"
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe

R0 Cavasm;Cavasm;C:\WINDOWS\system32\DRIVERS\cavasm.sys
R2 Comodo Anti-Virus and Anti-Spyware Service;Comodo Anti-Virus and Anti-Spyware Service;"C:\Program Files\Comodo\common\CAVASpy\cavasm.exe"
R2 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE
R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24301b8f-7bf2-11dc-9032-0014a581e700}]
AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f232e9b-20d6-11dc-9008-0014a581e700}]
AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 21:15:51 C:\WINDOWS\Tasks\1-Click Maintenance.job"
"2007-10-12 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (artistic-admin).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 12:05:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 12:08:34 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-15 11:22
.
   --- E O F ---


It's saying I am exceeding the maximum number of characters in the message, so I am going to post the HijackThis log in a separate post.

fabuliz
« Reply #5 on: October 16, 2007, 04:16:20 PM »

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://waltwhitmancenter.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waltwhitmancenter.org
O17 - HKLM\Software\..\Telephony: DomainName = waltwhitmancenter.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = waltwhitmancenter.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = waltwhitmancenter.org
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8131 bytes
Thanks again,
fabuliz

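The thread reads the log above by hand. As an added example, not code from the original posts or from HijackThis itself, the Python script below applies the same reading to the O4, O17, O20 and O23 entry formats: pull the image path out of each load point and rate it by where the file lives and how privileged the load point is. The sample entries are copied from the log above; the allowlist of system32 autostarts, the "suspicious location" patterns and the severity labels are the example's own assumptions.

```python
"""Triage helper for HijackThis v2 logs (added example, not from the thread or HijackThis).
Parses the O4, O17, O20 and O23 entry formats seen in the log above and rates each the
way a responder reads a log by hand: how privileged is the load point, where does the image live?
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waltwhitmancenter.org
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_REG_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\(?P<key>[\w-]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Assumption for illustration, not an authoritative list: system32 autostarts
# expected on a stock XP SP2 box with Intel graphics. Anything else under
# system32 gets a second look because malware favours that directory.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "hkcmd.exe", "igfxtray.exe", "igfxpers.exe"}

# Places a legitimate autostart rarely lives on XP (temp dirs, profile data, drive root).
SUSPICIOUS_LOCATION_RE = re.compile(
    r"\\Local Settings\\Temp\\|\\Application Data\\|\\Temp\\|\\Recycler\\|^[A-Za-z]:\\[^\\]+$",
    re.IGNORECASE)


@dataclass
class Finding:
    severity: str        # HIGH, MEDIUM or INFO
    section: str         # HijackThis section, e.g. "O20"
    path: Optional[str]  # image path when one could be extracted
    reason: str
    line: str            # the original log entry


def exe_path(cmd: str) -> Optional[str]:
    """Extract the image path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if not cmd or cmd == "?":
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = re.match(r"(.+?\.(?:exe|dll|sys|bat|cmd|scr|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess_image(section: str, path: Optional[str], line: str, check_system32: bool = True) -> Finding:
    """Rate an autostart purely on where its image lives."""
    if path is None:
        return Finding("MEDIUM", section, None, "target could not be resolved; open the shortcut or key and confirm what it launches", line)
    if SUSPICIOUS_LOCATION_RE.search(path):
        return Finding("HIGH", section, path, "image lives where legitimate autostarts rarely do (temp, profile data, drive root)", line)
    in_sys32 = "\\system32\\" in path.lower()
    if check_system32 and in_sys32 and path.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
        return Finding("MEDIUM", section, path, "unrecognised image in system32; check publisher, version info and creation date", line)
    return Finding("INFO", section, path, "image in a normal program location", line)


def assess_entry(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; returns None for sections this example does not handle."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        reg = O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)
        return assess_image(section, exe_path(reg.group("cmd")), line) if reg else None
    if section == "O20":
        # Winlogon notification DLLs load into winlogon.exe (SYSTEM) at every logon,
        # so location heuristics are not enough: every entry is verified by hand.
        w = O20_RE.match(body)
        return Finding("HIGH", section, w.group("path") if w else None,
                       "DLL loaded by winlogon as SYSTEM; verify publisher and install date", line)
    if section == "O23" and body.startswith("Service: "):
        parts = body[len("Service: "):].split(" - ", 2)  # "name - company - path"
        if len(parts) != 3:
            return Finding("MEDIUM", section, None, "service entry lacks company or path", line)
        _name, _company, path = parts
        return assess_image(section, path, line, check_system32=False)  # system32 is normal for services
    if section == "O17":
        sev = "MEDIUM" if "NameServer" in body else "INFO"
        return Finding(sev, section, None, "domain/DNS setting; confirm it names a domain or servers you actually belong to", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (assess_entry(ln) for ln in log_text.splitlines()) if f is not None]


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))
```

On the sample, `triage(SAMPLE_LOG)` rates the O20 Winlogon Notify entry (monln.dll) HIGH, because notification packages are loaded by winlogon.exe at every logon and run as SYSTEM, the unresolved Global Startup shortcut (`= ?`) MEDIUM, and the remaining entries INFO. HIGH here means "verify the file's publisher and creation date against the install dates in the ComboFix listing", not "malicious"; in this thread the moderator read the same log as clean.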

Pancake (Global Moderator)
« Reply #6 on: October 16, 2007, 10:11:22 PM »

That's all fine, all fixed. You're good to go...

Now that you are clean, and if you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure. They can be done at your leisure.

THESE STEPS ARE VERY IMPORTANT

(ITEM 1)

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.



A. To disable the System Restore feature:

1. Click on the Start button.
2. Go to My Computer icon on the desktop, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.
========================================
(ITEM 2)

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

   In the Windows Tab:
       