MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Nasty Popups in IE (even though I use Mozilla)
April 23, 2019, 07:22:33 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
April 23, 2019, 07:22:33 PM

Login with username, password and session length
 
News
New  Check out our improved Download section for tons of software....
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Nasty Popups in IE (even though I use Mozilla)  (Read 1979 times)
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« on: March 26, 2008, 07:22:55 PM »

I ran TrendMicro Housecall, which couldn't delete all of the infected files . . .  BTW, I'm running Windows XP (Home)
Thanks! (in advance)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:41 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Tracy\MYDOCU~1\PPPATC~1\scanregw.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [34564427] rundll32.exe "C:\WINDOWS\system32\gyolgyya.dll",b
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Tracy\MYDOCU~1\PPPATC~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Ixlqbbex] "C:\Program Files\??pPatch\c?rss.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsof...?1169092269687
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpnch.jenner.com/dana-cached...erSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program

Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6340 bytes
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #1 on: March 27, 2008, 01:02:46 AM »

Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.

=================================


Ok.We  need to download ComboFix.exe. This will  give a better view to the files running and also hidden on your computer.

Please visit this webpage for download links, and instructions for running the tool


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
Logged

An Australian Member of

EDDY
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« Reply #2 on: March 28, 2008, 02:41:15 AM »

Thanks for the help!  Here are the (3) logs - (SDFix, ComboFix, HJT) - in 3 individual messages


SDFix: Version 1.163

Run by Tracy on Thu 03/27/2008 at 06:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
WA301BB

Path:
System32\drivers\wa301bb.sys

WA301BB - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\MSVCMM32.EXE - Deleted
C:\PROGRA~1\COMMON~1\ZYRIL - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\gbRve12\csLioes.log - Deleted
C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk  - Deleted
C:\WINDOWS\system32\pac.txt  - Deleted
C:\WINDOWS\system32\drivers\WA301BB.sys - Deleted



Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\gbRve12 - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\aqVreo01 - Removed


Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 18:37:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gateway\\HPA\\GWMenu.exe"="C:\\Program Files\\Gateway\\HPA\\GWMenu.exe:*:Enabled:HPA/SCCD/SRCD New Code"
"C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 8"
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"="C:\\Program Files\\Autodesk\\backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\backburner\\server.exe"="C:\\Program Files\\Autodesk\\backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004     1,694,208 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 23 Jan 2008         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 22 Dec 2004        76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005        11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sat  2 Feb 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 23 Mar 2008        68,608 ..SHR --- "C:\Documents and Settings\Tracy\My Documents\?ppPatch\scanregw.exe"
Fri 27 Oct 2006        24,646 ..SHR --- "C:\Documents and Settings\Tracy\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"

Finished!
Logged

 
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« Reply #3 on: March 28, 2008, 02:41:47 AM »


_____

ComboFix 08-03-26.3 - Tracy 2008-03-27 18:44:27.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.188 [GMT -5:00]
Running from: C:\Documents and Settings\Tracy\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --

GREP -Eis "\.Windows Shell$|\.TIEBHOCom$" 
swreg query HKCR 
swreg query HKCR 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tracy\My Documents\PPPATC~1
C:\Documents and Settings\Tracy\My Documents\PPPATC~1\?ppPatch\
C:\Documents and Settings\Tracy\My Documents\PPPATC~1\scanregw.exe
C:\Documents and Settings\Tracy\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Tracy\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Tracy\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\curity~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\ppatch~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\hsfysmnt.ini
C:\WINDOWS\system32\tnmsyfsh.dll
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\xxywttt.dll
G:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Service_cmdService


(((((((((((((((((((((((((   Files Created from 2008-02-28 to 2008-03-28  )))))))))))))))))))))))))))))))
.

2008-03-27 18:24 . 2008-03-27 18:24   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-03-27 18:20 . 2008-03-27 18:40   <DIR>   d--------   C:\SDFix
2008-03-27 08:23 . 2008-03-27 08:23   1,583,861   ---hs----   C:\WINDOWS\system32\eerfdmvk.ini
2008-03-25 07:54 . 2008-03-27 08:22   1,578,335   ---hs----   C:\WINDOWS\system32\ayygloyg.ini
2008-03-24 07:54 . 2008-03-24 19:38   1,549,118   ---hs----   C:\WINDOWS\system32\ocpbiaid.ini
2008-03-23 22:34 . 2008-03-23 22:34   <DIR>   d--------   C:\Program Files\Trend Micro
2008-03-23 21:31 . 2008-03-27 18:17   <DIR>   d--------   C:\Documents and Settings\Tracy\.housecall6.6
2008-03-23 17:34 . 2008-03-23 17:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 16:40 . 2008-03-23 16:40   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 15:21 . 2008-03-23 15:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-23 15:20 . 2008-03-24 22:16   <DIR>   d--hs----   C:\WINDOWS\VHJhY3kgR2VyYWxkZXo
2008-03-23 15:20 . 2008-03-23 16:25   <DIR>   d--------   C:\WINDOWS\system32\xTmp
2008-03-23 15:20 . 2008-03-23 16:25   <DIR>   d--------   C:\WINDOWS\system32\usnv
2008-03-23 15:20 . 2008-03-23 16:25   <DIR>   d--------   C:\WINDOWS\system32\md2
2008-03-23 15:20 . 2008-03-23 15:20   <DIR>   d--------   C:\WINDOWS\system32\IDME
2008-03-23 15:19 . 2008-03-27 18:37   <DIR>   d--------   C:\Temp
2008-02-28 08:54 . 2008-02-28 08:54   <DIR>   d--------   C:\Program Files\iPod

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 22:34   ---------   d-----w   C:\Program Files\Lavasoft
2008-03-23 22:34   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\Lavasoft
2008-03-21 01:56   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\OpenOffice.org2
2008-02-28 13:55   ---------   d-----w   C:\Program Files\iTunes
2008-02-12 14:35   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-02-11 18:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-11 03:51   ---------   d-----w   C:\Program Files\QuickTime
2008-02-11 03:51   ---------   d-----w   C:\Program Files\Bonjour
2008-02-11 03:49   ---------   d-----w   C:\Program Files\Common Files\Apple
2008-02-11 03:49   ---------   d-----w   C:\Program Files\Apple Software Update
2008-02-11 03:49   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple
2008-02-03 03:50   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\Skype
2008-02-03 03:31   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-02-02 22:01   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\skypePM
2008-01-04 03:39   32   ----a-w   C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4235CA92-0207-06F3-0015-5200B9C7DC91}]
         C:\WINDOWS\system32\rmnexxo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4630CEC0-040C-0BF4-0266-5C00B9B2DDC7}]
         C:\WINDOWS\system32\yvvdleca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F3698C0-5253-5483-5166-5E00B9C9DCC5}]
         C:\WINDOWS\system32\tbtlnjem.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b25a85db-bc09-41f3-a62e-4dbe8d3cb75d}]
         C:\WINDOWS\system32\tuqingsi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ltho"="C:\DOCUME~1\Tracy\MYDOCU~1\PPPATC~1\scanregw.exe" [ ]
"Ixlqbbex"="C:\Program Files\??pPatch\c?rss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" [ ]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-05-25 06:24 393216]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-15 19:58 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-15 19:58 118784]
"LoadMSvcmm"="C:\Program Files\Movielink\MovielinkManager\Movielink User.exe" [2007-09-10 18:14 124248]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 17:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 17:06 2027792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-18 21:40:40 113664]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-18 21:40:40 113664]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-08-18 18:09:58 1388544]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-01-15 20:15:21 135680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywttt]
xxywttt.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2001-12-07 04:48 258118 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gateway\\HPA\\GWMenu.exe"=
"C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\backburner\\server.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 NEOFLTR_530_11255;Juniper Networks TDI Filter Driver (NEOFLTR_530_11255);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11255.SYS [2006-10-27 17:01]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys [2005-06-01 22:37]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-10-27 16:56]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;C:\WINDOWS\System32\wlanndi5.SYS [2004-04-21 18:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 02:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 20:36:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-03-27 20:38:17 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-28 01:38:14
Pre-Run: 149,521,596,416 bytes free
Post-Run: 149,536,804,864 bytes free
.
2008-03-18 02:36:19   --- E O F --- 
Logged

 
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« Reply #4 on: March 28, 2008, 02:42:07 AM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:51 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4235CA92-0207-06F3-0015-5200B9C7DC91} - C:\WINDOWS\system32\rmnexxo.dll (file missing)
O2 - BHO: (no name) - {4630CEC0-040C-0BF4-0266-5C00B9B2DDC7} - C:\WINDOWS\system32\yvvdleca.dll (file missing)
O2 - BHO: (no name) - {4F3698C0-5253-5483-5166-5E00B9C9DCC5} - C:\WINDOWS\system32\tbtlnjem.dll (file missing)
O2 - BHO: {d57bc3d8-ebd4-e26a-3f14-90cbbd58a52b} - {b25a85db-bc09-41f3-a62e-4dbe8d3cb75d} - C:\WINDOWS\system32\tuqingsi.dll (file missing)
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Tracy\MYDOCU~1\PPPATC~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Ixlqbbex] "C:\Program Files\??pPatch\c?rss.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169092269687
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpnch.jenner.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: xxywttt - xxywttt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7246 bytes
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #5 on: March 28, 2008, 03:55:03 AM »

We need to install your Recovery Console first.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System





Download the file  & save it as its originally named, next to ComboFix.exe. 






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.









Logged

An Australian Member of

EDDY
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« Reply #6 on: March 28, 2008, 01:59:22 PM »

Here it is . . .

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #7 on: March 29, 2008, 12:30:37 AM »

This should be the last of the cleanup but you will need to update your Java.I will post details on how to do that when we are finished.


Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


O2 - BHO: (no name) - {4235CA92-0207-06F3-0015-5200B9C7DC91} - C:\WINDOWS\system32\rmnexxo.dll (file missing)
O2 - BHO: (no name) - {4630CEC0-040C-0BF4-0266-5C00B9B2DDC7} - C:\WINDOWS\system32\yvvdleca.dll (file missing)
O2 - BHO: (no name) - {4F3698C0-5253-5483-5166-5E00B9C9DCC5} - C:\WINDOWS\system32\tbtlnjem.dll (file missing)
O2 - BHO: {d57bc3d8-ebd4-e26a-3f14-90cbbd58a52b} - {b25a85db-bc09-41f3-a62e-4dbe8d3cb75d} - C:\WINDOWS\system32\tuqingsi.dll (file missing)
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Tracy\MYDOCU~1\PPPATC~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Ixlqbbex] "C:\Program Files\??pPatch\c?rss.exe"
O20 - Winlogon Notify: xxywttt - xxywttt.dll (file missing)

Reboot....................

============================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

Killall::

File::
C:\WINDOWS\system32\eerfdmvk.ini
 C:\WINDOWS\system32\ayygloyg.ini
C:\WINDOWS\system32\ocpbiaid.ini

Folder::
C:\WINDOWS\VHJhY3kgR2VyYWxkZXo
 C:\WINDOWS\system32\xTmp
 C:\WINDOWS\system32\usnv
  C:\WINDOWS\system32\md2
 C:\WINDOWS\system32\IDME

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4235CA92-0207-06F3-0015-5200B9C7DC91}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4630CEC0-040C-0BF4-0266-5C00B9B2DDC7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F3698C0-5253-5483-5166-5E00B9C9DCC5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b25a85db-bc09-41f3-a62e-4dbe8d3cb75d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ltho"=-
"Ixlqbbex"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywttt]

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply  please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

« Last Edit: March 29, 2008, 12:35:19 AM by Pancake » Logged

An Australian Member of

EDDY
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« Reply #8 on: March 29, 2008, 03:21:56 PM »

Thanks! Here are the logs (2 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:33 AM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169092269687
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpnch.jenner.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6510 bytes
Logged

 
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« Reply #9 on: March 29, 2008, 03:22:12 PM »

ComboFix 08-03-26.3 - Tracy 2008-03-29 10:07:41.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.272 [GMT -5:00]
Running from: C:\Documents and Settings\Tracy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tracy\Desktop\CFScript.txt.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\ayygloyg.ini
C:\WINDOWS\system32\eerfdmvk.ini
C:\WINDOWS\system32\ocpbiaid.ini
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ayygloyg.ini
C:\WINDOWS\system32\eerfdmvk.ini
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\IDME\dimnet201.exe
C:\WINDOWS\system32\md2
C:\WINDOWS\system32\ocpbiaid.ini
C:\WINDOWS\system32\usnv
C:\WINDOWS\system32\xTmp
C:\WINDOWS\VHJhY3kgR2VyYWxkZXo

.
(((((((((((((((((((((((((   Files Created from 2008-02-28 to 2008-03-29  )))))))))))))))))))))))))))))))
.

2008-03-27 18:24 . 2008-03-27 18:24   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-03-27 18:20 . 2008-03-27 18:40   <DIR>   d--------   C:\SDFix
2008-03-23 22:34 . 2008-03-23 22:34   <DIR>   d--------   C:\Program Files\Trend Micro
2008-03-23 21:31 . 2008-03-27 18:17   <DIR>   d--------   C:\Documents and Settings\Tracy\.housecall6.6
2008-03-23 17:34 . 2008-03-23 17:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 16:40 . 2008-03-23 16:40   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 15:21 . 2008-03-23 15:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-23 15:19 . 2008-03-27 18:37   <DIR>   d--------   C:\Temp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 22:34   ---------   d-----w   C:\Program Files\Lavasoft
2008-03-23 22:34   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\Lavasoft
2008-03-21 01:56   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\OpenOffice.org2
2008-02-28 13:55   ---------   d-----w   C:\Program Files\iTunes
2008-02-28 13:54   ---------   d-----w   C:\Program Files\iPod
2008-02-12 14:35   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-02-11 18:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-11 03:51   ---------   d-----w   C:\Program Files\QuickTime
2008-02-11 03:51   ---------   d-----w   C:\Program Files\Bonjour
2008-02-11 03:49   ---------   d-----w   C:\Program Files\Common Files\Apple
2008-02-11 03:49   ---------   d-----w   C:\Program Files\Apple Software Update
2008-02-11 03:49   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple
2008-02-03 03:50   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\Skype
2008-02-03 03:31   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-02-02 22:01   ---------   d-----w   C:\Documents and Settings\Tracy\Application Data\skypePM
2008-01-04 03:39   32   ----a-w   C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" [ ]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-05-25 06:24 393216]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-15 19:58 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-15 19:58 118784]
"LoadMSvcmm"="C:\Program Files\Movielink\MovielinkManager\Movielink User.exe" [2007-09-10 18:14 124248]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 17:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 17:06 2027792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-18 21:40:40 113664]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-18 21:40:40 113664]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-08-18 18:09:58 1388544]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-01-15 20:15:21 135680]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2001-12-07 04:48 258118 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gateway\\HPA\\GWMenu.exe"=
"C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\backburner\\server.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 NEOFLTR_530_11255;Juniper Networks TDI Filter Driver (NEOFLTR_530_11255);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11255.SYS [2006-10-27 17:01]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys [2005-06-01 22:37]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-10-27 16:56]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;C:\WINDOWS\System32\wlanndi5.SYS [2004-04-21 18:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 02:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 10:10:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-03-29 10:12:45 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-29 15:12:42
ComboFix2.txt  2008-03-28 01:38:18
Pre-Run: 149,531,009,024 bytes free
Post-Run: 149,515,075,584 bytes free
.
2008-03-18 02:36:19   --- E O F --- 
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #10 on: March 29, 2008, 10:07:19 PM »

Ok.Thats it...all done,all clean.


This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below  and click OK.

Quote

ComboFix /u




Now that you are clean,and If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure..they can be done at your leisure.

Download and scan with CCleaner from http://www.ccleaner.com/downloadbuilds.asp

1. Starting with v1.27.260, http://www.ccleaner.com/downloadbuilds.asp installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Logged

An Australian Member of

EDDY
brianmik
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 47


Bookmark and Share

View Profile
« Reply #11 on: March 31, 2008, 10:40:50 PM »

Thanks!  You're a lifesaver!
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #12 on: March 31, 2008, 11:15:33 PM »

Your welcome.
Logged

An Australian Member of

EDDY
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page September 11, 2017, 07:54:02 PM