PDA

View Full Version : IE Opening Multiple Windows



nath23
2007-12-27, 23:49
Hi, I am running XP SP2 and IE6 (rolled back from IE hoping to cure to problem).

When I navigate away from my home page IE opens multiple windows, in fact IE keeps opening windows until I runout of available memory.

I was advised to run hijackthis and post the log to this site for some expert advise. Any help would be appreciated as IE is completely usless currently.

Thanks
Nath23

Log file as follows;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:14, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Router\Router.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Ellen Allen\Desktop\hijackthis.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 2705 bytes

shelf life
2007-12-29, 06:54
hi,

you have some nasties on there including a possible IRC backdoor.
you should use this computer as little as possible and even pull the plug on your modem when not in use and dont use it for anything that requires passwords and or financial transactions.

you hjt log is incomplete also, missing a large part

i would do this:
boot your computer into safe mode. to reach safe mode you would tap the f8 key during acomputer restart, chose the first option from the list: safe mode

copy/paste this into notepad and save it so you can read it in safe mode:

navigate to the C:\Windows dir and delete the following:
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe

navigate to the C:\Program Files and delete both these folders:
Router
WinAble

while you are still in safe mode:
run spybot and your antivirus app.
last in safe mode: rescan with hjt and save the log file somewhere
---------------------------------------------------
reboot computer normally.
first stop is to get combofix, then pull the plug again and run combofix:
Download combofix from one of these links and save it to Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
------------------------------------------
post the hjt log and the combofix log please.

shelf life

nath23
2007-12-29, 19:18
Hi,

Thanks for the feedback. I have followed your instructions and have posted both log's. I couldn't delete the folder WinAble as I could not find this.

Once again thanks.
Nathan

shelf life
2007-12-30, 00:06
hi,

ok thanks for the info. i have pasted the logs below in two posts.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:32:08, on 29/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Boot mode: Safe mode



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Ellen Allen\Desktop\hijackthis.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5061220

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe

O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [fc5fefc7] rundll32.exe "C:\WINDOWS\system32\tqcxkfqt.dll",b

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?43c75a20b5194fb489b5121b52778a16

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?43c75a20b5194fb489b5121b52778a16

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167329334781

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

shelf life
2007-12-30, 00:07
and the combofix log:

ComboFix 07-12-28.1 - Ellen Allen 2007-12-29 16:41:55.1 - NTFSx86

Running from: C:\Documents and Settings\Ellen Allen\Desktop\ComboFix.exe

* Created a new restore point

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



C:\Documents and Settings\All Users\Application Data\Starware347

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\FindIt.bmp

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\FindItHot.bmp

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\findithotxp.png

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\finditxp.png

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\Highlight.bmp

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\HighlightHot.bmp

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\highlighthotxp.png

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\highlightxp.png

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\jokesearch.bmp

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\pranks.bmp

C:\Documents and Settings\All Users\Application Data\Starware347\buttons\starware_toolbar_icon.bmp

C:\Documents and Settings\All Users\Application Data\Starware347\contexts\error.xml

C:\Documents and Settings\All Users\Application Data\Starware347\contexts\related.xml

C:\Documents and Settings\All Users\Application Data\Starware347\contexts\travel.xml

C:\Temp\bkR11

C:\WINDOWS\b122.exe

C:\WINDOWS\cookies.ini

C:\WINDOWS\system32\bbadd.ini

C:\WINDOWS\system32\bbadd.ini2

C:\WINDOWS\system32\ddabb.dll

C:\WINDOWS\system32\fbheksyo.dll

C:\WINDOWS\system32\ixjrfgue.dll

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\pac.txt

C:\WINDOWS\system32\tqcxkfqt.dll

C:\WINDOWS\system32\tqfkxcqt.ini

C:\WINDOWS\system32\vbtgnrfx.dll

C:\WINDOWS\system32\yjtivrvk(2).dll

C:\WINDOWS\Fonts\-



.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))

.



2007-12-29 14:22 . 2007-12-29 14:22 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

2007-12-29 13:39 . 2006-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver

2007-12-29 13:39 . 2006-12-20 18:32 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek

2007-12-29 13:39 . 2006-12-28 16:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL

2007-12-27 22:03 . 2007-12-27 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-12-27 19:04 . 2007-12-27 19:04 <DIR> d-------- C:\Program Files\Lavasoft

2007-12-27 19:04 . 2007-12-27 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-12-27 19:01 . 2007-12-27 19:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-27 18:15 . 2007-12-29 13:48 1,031,799 --ahs---- C:\WINDOWS\system32\komrsmog.ini

2007-12-26 22:06 . 2005-10-14 20:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll

2007-12-26 22:05 . 2007-12-26 22:05 13,726 --a------ C:\WINDOWS\system32\wpa.bak

2007-12-26 21:43 . 2004-08-04 10:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex

2007-12-26 21:42 . 2004-08-04 10:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2007-12-26 21:41 . 2004-08-04 10:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll

2007-12-26 21:40 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll

2007-12-26 21:37 . 2007-12-26 21:37 749 -rah----- C:\WINDOWS\WindowsShell.Manifest

2007-12-26 21:37 . 2007-12-26 21:37 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest

2007-12-26 21:37 . 2007-12-26 21:37 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest

2007-12-26 21:37 . 2007-12-26 21:37 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest

2007-12-26 21:37 . 2007-12-26 21:37 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest

2007-12-26 21:36 . 2004-08-04 10:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll

2007-12-26 21:35 . 2004-08-04 10:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe

2007-12-26 21:35 . 2004-08-04 10:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe

2007-12-26 21:35 . 2004-08-04 10:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe

2007-12-26 21:10 . 2004-08-04 10:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll

2007-12-26 21:10 . 2004-08-04 10:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll

2007-12-26 21:10 . 2004-08-04 10:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll

2007-12-26 21:10 . 2004-08-04 10:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll

2007-12-26 20:57 . 2007-12-26 20:57 <DIR> d-------- C:\WINDOWS\dell

2007-12-26 17:37 . 2007-12-27 18:13 1,028,080 --ahs---- C:\WINDOWS\system32\jrtbwqaf.ini

2007-12-13 20:19 . 2007-12-13 20:19 <DIR> d-------- C:\Program Files\Real

2007-12-13 20:19 . 2007-12-13 20:19 <DIR> d-------- C:\Program Files\Common Files\Oberon Media

2007-12-09 22:15 . 2007-12-13 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Exetender

2007-12-09 22:15 . 2007-12-09 22:15 68 --a------ C:\WINDOWS\GPlrLanc.dat

2007-12-09 22:14 . 2007-12-12 22:40 <DIR> d-------- C:\Remote Programs

2007-12-09 22:14 . 2007-12-13 20:15 <DIR> d-------- C:\Program Files\Metaboli Player

2007-12-08 14:27 . 2007-12-08 14:27 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

2007-12-08 14:23 . 2007-12-08 14:23 <DIR> d-------- C:\WINDOWS\system32\daSgo05

2007-12-08 14:23 . 2007-12-29 16:49 <DIR> d-------- C:\Temp

2007-12-08 09:24 . 2007-12-08 09:31 <DIR> d-------- C:\Program Files\Prima Games

2007-12-07 20:21 . 2007-12-07 20:21 4,096 --a------ C:\WINDOWS\d3dx.dat

2007-12-07 19:40 . 2007-12-09 18:14 <DIR> d-------- C:\Program Files\Oberon Media

2007-12-06 20:53 . 2007-12-06 22:00 <DIR> d-------- C:\Program Files\Private Eye Greatest Unsolved Mysteries



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-29 16:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-12-29 14:50 --------- d-----w C:\Program Files\Norton Security Scan

2007-12-27 18:30 --------- d-----w C:\Documents and Settings\Ellen Allen\Application Data\SiteAdvisor

2007-12-26 23:20 --------- d-----w C:\Documents and Settings\Nathan Allen\Application Data\LimeWire

2007-12-26 17:41 --------- d-----w C:\Program Files\SiteAdvisor

2007-12-13 20:20 --------- d-----w C:\Program Files\McAfee

2007-12-13 20:19 --------- d-----w C:\Program Files\QuickTime

2007-12-09 22:14 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-09 19:25 --------- d-----w C:\Program Files\Common Files\Real

2007-12-08 09:30 --------- d-----w C:\Program Files\Common Files\Adobe

2007-12-07 21:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2007-12-04 17:09 --------- d-----w C:\Program Files\Windows Live Toolbar

2007-12-02 17:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor

2007-11-08 20:33 32,320 ----a-w C:\Documents and Settings\Ellen Allen\Application Data\GDIPFONTCACHEV1.DAT

2007-02-11 11:23 32,320 ----a-w C:\Documents and Settings\Nathan Allen\Application Data\GDIPFONTCACHEV1.DAT

2006-12-28 17:41 0 ----a-w C:\Documents and Settings\Ellen Allen\Application Data\wklnhst.dat

2007-02-16 16:19 168 -csh--r C:\WINDOWS\system32\D89B8F0DD6.sys

2007-02-16 16:21 5,642 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D728346-1DC2-4A3A-9978-A182CB287EA4}]



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f41171d-4643-49e5-a28d-934df558e6e2}]

C:\WINDOWS\system32\vbtgnrfx.dll



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B21F0EC6-0DB6-41EB-81A5-C669D1263BA5}]

C:\WINDOWS\system32\ddabb.dll



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 19:23]

"Router"="C:\Program Files\Router\Router.exe" []

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 03:12]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 18:48]

"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 04:48]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]

"@"="" []

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 10:00 C:\WINDOWS\system32\bthprops.cpl]

"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 14:20]

"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-04-10 18:35]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 C:\WINDOWS\stsystra.exe]

"fc5fefc7"="C:\WINDOWS\system32\tqcxkfqt.dll" []

"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 10:00]



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00]



C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-20 18:19:52]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpolk]

rqrpolk.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

"LoadAppInit_DLLs"=1 (0x1)



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-06 23:46 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask.exe -atboottime



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER



R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-14 01:01]

R2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys [2006-07-14 01:02]

S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys [2005-12-28 15:42]

S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 16:49]

S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 16:50]

S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 16:50]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 16:50]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 16:50]



.

Contents of the 'Scheduled Tasks' folder

"2007-12-29 16:27:08 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"

- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

"2007-01-18 20:15:03 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"

"2007-04-18 21:31:11 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\program files\mcafee\mqc\QcConsol.exe'

"2007-04-18 21:31:10 C:\WINDOWS\Tasks\McQcTask.job"

- c:\program files\mcafee\mqc\QcConsol.exe

"2007-10-08 19:24:52 C:\WINDOWS\Tasks\Norton Security Scan.job"

- C:\Program Files\Norton Security Scan\Nss.exe

"2007-12-29 16:50:01 C:\WINDOWS\Tasks\User_Feed_Synchronization-{136FABBF-C4F5-4BBA-A191-99063CF123E1}.job"

- C:\WINDOWS\system32\msfeedssync.exe

.

**************************************************************************



catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-29 16:57:17

Windows 5.1.2600 Service Pack 2 NTFS



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************

.

Completion time: 2007-12-29 17:00:15 - machine was rebooted

.

2007-12-13 23:42:46 --- E O F ---

shelf life
2007-12-30, 00:30
hi,

ok. first disable spybots tea timer so it will allow these changes:

how to disable tea timer:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
--------------------------------------------------
start HJT, click the "Scan" button. check the items below, if present--close any open windows, then click "Fixed checked"

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM\..\Run: [fc5fefc7] rundll32.exe "C:\WINDOWS\system32\tqcxkfqt.dll",b
----------------------------------------
look in C: Program Files and delete the entire Router folder.

one more download:

download and run vundofix.exe:



http://www.atribune.org/ccount/click.php?id=4



* Double-click VundoFix.exe to run it.

* Click the Scan for Vundo button.

* Once it's done scanning, click the Remove Vundo button.

* You will receive a prompt asking if you want to remove the files, click YES

* Once you click yes, your desktop will go blank as it starts removing Vundo.

* When completed, it will prompt that it will reboot your computer, click OK.

* Please post the contents of C:\vundofix.txt and a new HiJackThis log.



Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

run vundo first, then scan with hjt and post the vundo log and the new hjt log.

nath23
2007-12-30, 18:44
Hi,

I have followed your instructions and attached both logs.
I didn't find the files for removal, I guess this is a good thing.

Thanks again for the help.
Nathan

shelf life
2007-12-31, 03:20
hi,


I guess this is a good thing.
yes it is a good thing. i will get back to you.

shelf life
2007-12-31, 18:34
hi,

i've posted your hjt log:


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:35:11, on 30/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\Program Files\McAfee\MSK\MskAgent.exe

C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Documents and Settings\Ellen Allen\Desktop\hijackthis.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5061220

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe

O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?43c75a20b5194fb489b5121b52778a16

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?43c75a20b5194fb489b5121b52778a16

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167329334781

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: rqrpolk - rqrpolk.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



--

End of file - 11529 bytes
---------------------------------------------------------
we will create a little script file to run with combofix:

Open [I]Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. at the top do to File, save as.
in the File Name save as: CFScrpit
save it to your desktop.

now locate both the txt file you jsut saved and the combofix icon on your desktop.
left click on the .txt file and holding down the mouse button, drag it right on top of the combofix icon and release. combofix will run.
please post the new log it will produce after the scan.






FILE::
C:\WINDOWS\system32\vbtgnrfx.dll

REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D728346-1DC2-4A3A-9978-A182CB287EA4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f41171d-4643-49e5-a28d-934df558e6e2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B21F0EC6-0DB6-41EB-81A5-C669D1263BA5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Router"=-

nath23
2008-01-01, 00:12
Hi,

Log file attached.

Thanks and Happy New Year
Nathan

shelf life
2008-01-13, 19:41
hi nath23,

I dont see the log file you attached. since its been so long please scan with and post a new hjt log also.

shelf life