Popups and Ads Malware
chris125
2007-06-02, 09:05
Hi,
I'm getting annoying pop-ups whenever I open Internet Explorer.
This is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:12:09 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\novsvida.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAM FILES\BITTORRENT\BITTORRENT.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccVScan.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\dgjkpvbh.dll",realset
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137127858093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Angelfire777
2007-06-02, 14:00
Hi, welcome to the Safer Networking forums!
Are you using Trend Micro Internet Security along with Kaspersky Antivirus or AOL Active Shield?
Download combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
1. Double-click combofix.exe and follow the prompts.
2. When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Open HijackThis > click "Misc Tools Section".
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.
chris125
2007-06-02, 19:58
Here's the ComboFix log:
"Chris" - 2007-06-02 9:38:03 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Chris\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\elcvvmke.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\nnnmljj.dll
C:\WINDOWS\system32\qommlmj.dll
C:\WINDOWS\system32\winnxm32.dll
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini2
C:\WINDOWS\system32\gjkkj.tmp
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini2
C:\WINDOWS\system32\gjkkj.tmp
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini2
C:\WINDOWS\system32\gjkkj.tmp
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\gebxvwv.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))))))))))))))))))
2007-06-01 12:57 2,580 --a------ C:\WINDOWS\system32\vfxcujld.exe
2007-06-01 12:54 131,124 --a------ C:\WINDOWS\system32\dgjkpvbh.dll
2007-05-31 01:19 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-30 12:45 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\novsvida.exe
2007-05-30 12:23 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-05-30 12:23 <DIR> d-------- C:\Program Files\Propellerhead
2007-05-30 12:15 331,263 --a------ C:\WINDOWS\LOOP.exe
2007-05-30 12:15 <DIR> d-------- C:\Program Files\Recycle
2007-05-30 12:15 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\Propellerhead Software
2007-05-30 12:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software
2007-05-30 12:13 225,280 --a------ C:\WINDOWS\system32\ReWire.dll
2007-05-30 12:13 <DIR> d-------- C:\Program Files\Ableton
2007-05-30 12:13 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\Ableton
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-02 06:08:02 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\BitTorrent
2007-05-31 16:34:12 -------- d-----w C:\Program Files\Steam
2007-05-31 05:10:49 -------- d-----w C:\Program Files\QuickTime
2007-05-31 05:05:48 -------- d-----w C:\Program Files\MSN Messenger
2007-05-31 05:03:19 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-05-31 05:03:03 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-05-31 04:59:01 -------- d-----w C:\Program Files\iTunes
2007-05-31 04:56:32 -------- d-----w C:\Program Files\ewido anti-malware
2007-05-31 04:50:26 -------- d-----w C:\Program Files\ATI Multimedia
2007-05-31 00:01:12 -------- d-----w C:\Program Files\BitTorrent
2007-05-30 21:44:35 -------- d-----w C:\Program Files\Soulseek
2007-05-09 17:07:58 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\ATI MMC
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-14 21:03:29 -------- d-----w C:\Program Files\BitComet
2007-04-14 21:02:17 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-03 04:14:59 21,764 ----a-w C:\WINDOWS\system32\CoreAAC-uninstall.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\PROGRAM FILES\BITCOMET\tools\BitCometBHO_1.1.3.28.dll [2007-03-29 07:31]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 17:39]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 17:38]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 22:07]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"SoundMan"="SOUNDMAN.EXE" []
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"novsvida.exe"="C:\Documents and Settings\All Users\Application Data\novsvida.exe" [2007-05-30 12:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"@"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2006-07-12 21:25]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-07-12 21:22]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2006-07-12 21:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 05:21]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-05-29 22:40:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-02 09:49:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\WININIT.INI
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMCSetup.log
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\Wudf01000UnInst.log
C:\WINDOWS\ydi.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
C:\WINDOWS\_nvidia_xxx_.log
C:\WINDOWS\WindowsShell.Manifest
scan completed successfully
hidden files: 20
********************************************************************
Completion time: 2007-06-02 9:51:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-02 09:51
--- E O F ---
And here's the uninstall list:
Ableton Live v5.0.2
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
AMD Power Monitor
Apple Software Update
AsusUpdate
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Decoder
ATI Display Driver
ATI Multimedia Center 9.15
ATI Parental Control & Encoder
ATI TV Settings
AviSynth 2.5
AVIVO Codecs
BitComet 0.86
BitTorrent 5.0.7
Combined Community Codec Pack 2006-12-15
CoreAAC Audio Decoder (remove only)
Creative DVD Audio Plugin for Audigy Series
DAO
DiscWizard for Windows
DVDFab Decrypter 3.0.7.0
ewido anti-malware
GUIDE PLUS+(TM) for Windows® System - ATI
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iConcertCal
InterVideo WinDVD 5
iPod for Windows 2006-03-23
iTunes
Java(TM) SE Runtime Environment 6 Update 1
Lexmark Z600 Series
MadOnion.com/3DMark2001 SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
MSN
MSXML 4.0 SP2 (KB927978)
Nero 7 Ultra Edition
NVIDIA Drivers
NvMixer
Panda ActiveScan
PC Probe II
PCMark04
pdfFactory Pro
QSuite Ver2.1
QuickTime
RealPlayer
Realtek AC'97 Audio
Reason 3.0
ReCycle v2.1
Registry First Aid
Seagate SeaTools English Online
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SiSoftware Sandra Lite 2007.SP1 (Win64/32/CE)
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
Steam(TM)
TitanTV Client components for ATI
Trend Micro PC-cillin Internet Security 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Videora iPod Converter 0.91
ViewSonic Monitor Drivers
Vodei Multimedia Processor 2.00
VP6 VFW Codec
WinAce Archiver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
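The two logs above are read by hand in this thread, but the same cross-check can be scripted. The following is an added example written for this page; it is not part of any post here and not code from HijackThis, ComboFix or SDFix. It parses O4 autostart entries in HijackThis format, resolves the executable or DLL each one launches, and flags entries that a practitioner would look at first: a bare file name with no directory (resolved through the search path), an executable sitting directly in the Windows directory or in a user-writable data directory, a DLL loaded through rundll32, a vowel-less file name, and a target that also appears in ComboFix's "Files Created" section within a few days of the scan. The sample lines are copied from the logs posted above; the heuristics, the seven-day window and the scan date 2007-06-01 (taken from the HijackThis header) are the editor's assumptions. The flags are triage leads, not verdicts: a legitimate entry such as SOUNDMAN.EXE (the Realtek audio tray applet behind the "Realtek AC'97 Audio" line in the uninstall list) trips the no-directory rule exactly as the unknown smanager.7.exe does, and only file inspection settles it.

```python
"""Cross-reference HijackThis O4 entries with ComboFix 'Files Created' lines.

Added example for this page, not code from HijackThis, ComboFix or SDFix.
Sample input is copied from the logs posted in the thread; the heuristics
and the scan date are the editor's own assumptions.
"""
import re
from datetime import date, timedelta

# Lines copied from the HijackThis log above (assumed representative subset).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\dgjkpvbh.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# Lines copied from the ComboFix 'Files Created' section above.
COMBOFIX_SAMPLE = r"""
2007-06-01 12:57 2,580 --a------ C:\WINDOWS\system32\vfxcujld.exe
2007-06-01 12:54 131,124 --a------ C:\WINDOWS\system32\dgjkpvbh.dll
2007-05-30 12:45 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\novsvida.exe
2007-05-30 12:13 225,280 --a------ C:\WINDOWS\system32\ReWire.dll
"""

O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
EXT = r"\.(?:exe|dll|com|scr|bat|cmd|pif)\b"
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*?" + EXT, re.I)   # drive-rooted, may contain spaces
BARE_RE = re.compile(r"^.*?" + EXT, re.I)                    # bare name such as SOUNDMAN.EXE
CF_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(.+)$")
VOWELS = set("aeiouy")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def target_of(cmd):
    """Return the file an O4 command launches (the DLL for rundll32 entries)."""
    m = DRIVE_PATH_RE.search(cmd) or BARE_RE.search(cmd)
    return m.group(0) if m else cmd.split()[0]


def looks_random(filename):
    """Heuristic: alphabetic stem of six or more letters with no vowel at all."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= 6 and not (set(stem.lower()) & VOWELS)


def index_created_files(combofix_text):
    """Map lower-cased file name -> creation date from ComboFix 'Files Created' lines.
    ComboFix prints 8.3 short paths, so matching is done on the file name only."""
    created = {}
    for line in combofix_text.splitlines():
        m = CF_RE.match(line.strip())
        if m:
            created[basename(m.group(2)).lower()] = date.fromisoformat(m.group(1))
    return created


def triage(hjt_text, combofix_text, scan_date, window_days=7):
    """Return a list of {entry, target, reasons} for O4 entries worth a closer look."""
    created = index_created_files(combofix_text)
    findings = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        location, cmd = m.group("location"), m.group("cmd")
        target = target_of(cmd)
        name, folder = basename(target), dirname(target).lower()
        reasons = []
        if not folder and "run" in location.lower():
            reasons.append("no directory: resolved through the search path")
        if folder.endswith(":\\windows"):
            reasons.append("executable directly in the Windows directory")
        if any(k in folder for k in ("application data", "local settings", "\\temp")):
            reasons.append("runs from a user-writable data directory")
        if cmd.lower().startswith("rundll32"):
            reasons.append("DLL loaded through rundll32")
        if looks_random(name):
            reasons.append("vowel-less file name, possibly machine generated")
        when = created.get(name.lower())
        if when is not None and scan_date - when <= timedelta(days=window_days):
            reasons.append(f"created {when.isoformat()}, within {window_days} days of the scan")
        if reasons:
            findings.append({"entry": m.group("name") or target, "target": target, "reasons": reasons})
    return findings


def triage_sample():
    """Run the cross-check on the sample lines with the scan date from the HJT header."""
    return triage(HJT_SAMPLE, COMBOFIX_SAMPLE, date(2007, 6, 1))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f['entry']}] {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run as is, it lists five of the nine entries: SOUNDMAN.EXE and smanager.7.exe for having no directory, avp.exe for living directly in C:\WINDOWS, novsvida.exe for running from All Users\Application Data and being created two days before the scan, and dgjkpvbh.dll for all of rundll32 loading, a vowel-less name and creation on the scan day. The two Trend Micro and Microsoft entries and the Startup-folder shortcut produce no flags.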
Angelfire777
2007-06-03, 04:39
Hi,
Please answer this question:
Are you using Trend Micro Internet Security along with Kaspersky Antivirus or AOL Active Shield?
Please run this first before we continue:
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double-click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the fix tool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
chris125
2007-06-04, 05:50
Hey,
I have Trend Micro Internet Security but I don't use anything else.
Here's the SDFix report:
SDFix: Version 1.85
Run by Administrator - Sun 06/03/2007 - 19:18:17.03
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Checking For Files with Hidden Attributes:
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Black Mountain-Druganaut-2005[www.pctorrent.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Broken_Social_Scene-Feel_Good_Lost-2001-VBR235-bitsarah.com-\AlbumArtSmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Broken_Social_Scene-Feel_Good_Lost-2001-VBR235-bitsarah.com-\AlbumArt_{17FC2E0B-5CE2-459A-B6F1-76BB641B1344}_Large.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Broken_Social_Scene-Feel_Good_Lost-2001-VBR235-bitsarah.com-\AlbumArt_{17FC2E0B-5CE2-459A-B6F1-76BB641B1344}_Small.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Broken_Social_Scene-Feel_Good_Lost-2001-VBR235-bitsarah.com-\desktop.ini
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Broken_Social_Scene-Feel_Good_Lost-2001-VBR235-bitsarah.com-\folder.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Broken_Social_Scene-Feel_Good_Lost-2001-VBR235-bitsarah.com-\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Brooke Valentine - Chain Letter (Advance 2005) - R&B [www.torrentazos.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Clipse-Hell_Hath_No_Fury-(RapGodFathers.com)\AlbumArtSmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Clipse-Hell_Hath_No_Fury-(RapGodFathers.com)\Folder.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Gorillaz-Gorillaz.mp3.256k[www.wozzaworld.com]\AlbumArtSmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Gorillaz-Gorillaz.mp3.256k[www.wozzaworld.com]\AlbumArt_{2CBE01CE-35AC-4A94-9010-6EEAB1D0BBB1}_Large.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Gorillaz-Gorillaz.mp3.256k[www.wozzaworld.com]\AlbumArt_{2CBE01CE-35AC-4A94-9010-6EEAB1D0BBB1}_Small.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Gorillaz-Gorillaz.mp3.256k[www.wozzaworld.com]\desktop.ini
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Gorillaz-Gorillaz.mp3.256k[www.wozzaworld.com]\Folder.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Gorillaz-Gorillaz.mp3.256k[www.wozzaworld.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\M83 - Before The Dawn Heals Us (2005)- Electronic - www.torrentazos.com By FEFE2003\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\madonna - confessions on a dance floor (2005) - pop [www.torrentazos.com]\AlbumArtSmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\madonna - confessions on a dance floor (2005) - pop [www.torrentazos.com]\albumart_{f8a0753e-88cc-4794-8662-8caf9c6e1156}_large.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\madonna - confessions on a dance floor (2005) - pop [www.torrentazos.com]\AlbumArt_{F8A0753E-88CC-4794-8662-8CAF9C6E1156}_Small.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\madonna - confessions on a dance floor (2005) - pop [www.torrentazos.com]\desktop.ini
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\madonna - confessions on a dance floor (2005) - pop [www.torrentazos.com]\folder.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\madonna - confessions on a dance floor (2005) - pop [www.torrentazos.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\New_Order-Waiting_for_the_Sirens_Call-2005 [KrUsTy][www.torrentazos.com]\AlbumArtSmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\New_Order-Waiting_for_the_Sirens_Call-2005 [KrUsTy][www.torrentazos.com]\AlbumArt_{B50DC02A-DD1D-4098-8F58-2DDAB267E171}_Large.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\New_Order-Waiting_for_the_Sirens_Call-2005 [KrUsTy][www.torrentazos.com]\AlbumArt_{B50DC02A-DD1D-4098-8F58-2DDAB267E171}_Small.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\New_Order-Waiting_for_the_Sirens_Call-2005 [KrUsTy][www.torrentazos.com]\desktop.ini
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\New_Order-Waiting_for_the_Sirens_Call-2005 [KrUsTy][www.torrentazos.com]\Folder.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\New_Order-Waiting_for_the_Sirens_Call-2005 [KrUsTy][www.torrentazos.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Talib Kweli - The Beautiful Struggle (2004) - Rap [www.torrentazos.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\The Streets - When You Wasnt Famous - (CDM) [HipHop][2006][www.pctrecords.com]\AlbumArtSmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\The Streets - When You Wasnt Famous - (CDM) [HipHop][2006][www.pctrecords.com]\AlbumArt_{4460700E-E3DC-467D-96A9-D15A913D9C78}_Large.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\The Streets - When You Wasnt Famous - (CDM) [HipHop][2006][www.pctrecords.com]\AlbumArt_{4460700E-E3DC-467D-96A9-D15A913D9C78}_Small.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\The Streets - When You Wasnt Famous - (CDM) [HipHop][2006][www.pctrecords.com]\desktop.ini
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\The Streets - When You Wasnt Famous - (CDM) [HipHop][2006][www.pctrecords.com]\Folder.jpg
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\The Streets - When You Wasnt Famous - (CDM) [HipHop][2006][www.pctrecords.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\entire albums\Z-Trip - Shifting Gears (Advance 2005) - Hip Hop - www.torrentazos.com By FEFE2003\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\incoming music\jack johnson - sing-a-longs and lullabies for the film curious george (2006) - acoustic [www.torrentazos.com]\albumartsmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\incoming music\jack johnson - sing-a-longs and lullabies for the film curious george (2006) - acoustic [www.torrentazos.com]\albumart_{3e33b958-92c2-421c-81d1-9a5ade6ce433}_large.jpg
C:\Documents and Settings\Chris\My Documents\My Music\incoming music\jack johnson - sing-a-longs and lullabies for the film curious george (2006) - acoustic [www.torrentazos.com]\albumart_{3e33b958-92c2-421c-81d1-9a5ade6ce433}_small.jpg
C:\Documents and Settings\Chris\My Documents\My Music\incoming music\jack johnson - sing-a-longs and lullabies for the film curious george (2006) - acoustic [www.torrentazos.com]\desktop.ini
C:\Documents and Settings\Chris\My Documents\My Music\incoming music\jack johnson - sing-a-longs and lullabies for the film curious george (2006) - acoustic [www.torrentazos.com]\folder.jpg
C:\Documents and Settings\Chris\My Documents\My Music\incoming music\jack johnson - sing-a-longs and lullabies for the film curious george (2006) - acoustic [www.torrentazos.com]\Thumbs.db
C:\Documents and Settings\Chris\My Documents\My Music\incoming music\Lets.Go.To.Prison.CAM.XViD-PreVail.[www.torrentfive.com]\Thumbs.db
C:\Documents and Settings\All Users\DRM\Cache\Indiv04.tmp
C:\Documents and Settings\Chris\Application Data\Microsoft\Word\~WRL0252.tmp
C:\Documents and Settings\Chris\Application Data\Microsoft\Word\~WRL0603.tmp
C:\Documents and Settings\Chris\Application Data\Microsoft\Word\~WRL1033.tmp
C:\Documents and Settings\Chris\Application Data\Microsoft\Word\~WRL2567.tmp
C:\Documents and Settings\Chris\Application Data\Microsoft\Word\~WRL2952.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE10.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE11.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE12.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE13.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE1E.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE1F.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE20.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE6.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE7.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE8.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBE9.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBEA.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBEB.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBEC.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBED.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBEE.tmp
C:\Documents and Settings\Chris\Local Settings\Application Data\Ahead\Nero Home\TempSBE\SBEF.tmp
C:\Documents and Settings\Chris\My Documents\~WRL0364.tmp
C:\Documents and Settings\Chris\My Documents\my documents\word documents\~WRL3881.tmp
C:\Documents and Settings\Chris\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\Coverville 247_ The covers that list.tmp\AlbumArtSmall.jpg
C:\Documents and Settings\Chris\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\Coverville 247_ The covers that list.tmp\Folder.jpg
Finished
chris125
2007-06-04, 05:51
And here's the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:46:13 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\novsvida.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\PROGRAM FILES\BITCOMET\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137127858093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Angelfire777
2007-06-05, 14:34
*A few optionals that I would recommend be uninstalled.
BitComet 0.86
SoulSeek Client 156c
BitTorrent 5.0.7
These programs may be the reason your system is infected with malware. Even when programs like these are not infected themselves, they may still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove these programs from your system.
*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.
*Reboot
____________
Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
This is a registration reminder that is used by several companies. It is also believed to report back to the installing company some information about your computer. I recommend that you fix it.
O4 - Startup: PowerReg Scheduler.exe
Please fix the following if you uninstalled BitComet:
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\PROGRAM FILES\BITCOMET\tools\BitCometBHO_1.1.3.28.dll
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\PROGRAM FILES\BITCOMET\BITCOMET.EXE/AddAllLink.htm
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_____________
Combo-Deletions
Right click on your desktop, click new then click "New Text Document"
Name it as Combofix-do.txt
Copy and paste the following text in the code box to the new notepad file.
File::
C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
C:\WINDOWS\system32\vfxcujld.exe
C:\WINDOWS\system32\dgjkpvbh.dll
C:\DOCUMEnts and settings\ALL users\APPLICation data\novsvida.exe
C:\WINDOWS\system32\BitCometRes.dll (include this line if you uninstalled Bitcomet)
Folder::
C:\DOCUMEnts and settings\Chris\APPLICation data\BitTorrent (include this line if you uninstalled BitTorrent)
C:\Program Files\BitTorrent (include this line if you uninstalled BitTorrent)
C:\Program Files\Soulseek (include this line if you uninstalled SoulSeek)
C:\Program Files\BitComet (include this line if you uninstalled Bitcomet)
After you copy and paste the text above, drag and drop Combofix-do.txt onto your copy of ComboFix.
ComboFix will reboot your machine and it will produce a log after reboot.
Please copy and paste the contents of the ComboFix log to your next reply along with a fresh HijackThis log.
_______________
*Configure your machine to view hidden files:
Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.
I would like you to scan a few files for me.
Please go HERE (http://virusscan.jotti.org/). Click browse, then navigate to this file:
C:\WINDOWS\winhelp.exe
Then click submit.
Do the same for this file: C:\WINDOWS\winhlp32.exe
Please post the results to your next reply.
If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
*Download Gmer (http://www.majorgeeks.com/downloadget.php?id=5198&file=15&evp=3f18075291813a665b2a25536a70b307)
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK.
If there is no warning:
Click "Rootkit" tab and click "Scan"
Once done, click "Copy"
Open Notepad and hit "ctrl+v" to paste the log.
Reconnect to the internet and post the log back to this thread please.
On your next reply, please include a fresh HijackThis log, the ComboFix log, the results of the Jotti scan, the GMER log and a description of how your machine is doing.
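As an added illustration (not part of this thread and not HijackThis code), here is a small Python triage script that applies the same checks the reply above makes by hand: it parses the O2/O4 entry lines of a HijackThis log, flags a BHO registered without a file, a Run entry launched from an Application Data or Temp path and a Startup item with no resolved target, and diffs two logs so the "fresh log" requested above can be compared with the previous one. The sample lines are copied in form from the logs in this thread; the list of suspicious locations and the flag wording are this example's own assumptions.

```python
"""Triage helper for HijackThis-format logs. Added example; not HijackThis code
and not posted by anyone in the thread."""
import re
from dataclasses import dataclass

# A HijackThis entry line starts with a section tag such as "O2 - " or "R1 - ".
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<item>.*)$")

# Assumption of this example: legitimate Run entries rarely launch from these locations.
DATA_DIR_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

# Constructed sample logs: a few entries copied in form from the two logs in this thread,
# plus a header and a process line to show that non-entry lines are ignored.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\PROGRAM FILES\BITCOMET\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""


@dataclass
class Finding:
    kind: str    # HijackThis section tag, e.g. "O2" or "O4"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def parse_entries(log_text):
    """Yield (kind, body, raw_line) for each entry line; headers and process paths are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("kind"), m.group("body"), raw


def triage(log_text):
    """Apply the hand checks from the thread to every O2/O4 entry and return the hits."""
    findings = []
    for kind, body, raw in parse_entries(log_text):
        if kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("path").strip() == "(no file)":
                findings.append(Finding(kind, "BHO registered but its DLL is missing", raw))
            elif m and m.group("name") == "(no name)":
                findings.append(Finding(kind, "BHO with no name", raw))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m:
                cmd = m.group("cmd").lower()
                if any(marker in cmd for marker in DATA_DIR_MARKERS):
                    findings.append(Finding(kind, "Run entry launches from a data or temp directory", raw))
                continue
            m = STARTUP_RE.match(body)
            if m and " = " not in m.group("item"):
                findings.append(Finding(kind, "Startup folder item with no resolved target path", raw))
    return findings


def diff_logs(before, after):
    """Return (removed, added) entry lines between two logs, e.g. before and after a fix."""
    old = {raw for _, _, raw in parse_entries(before)}
    new = {raw for _, _, raw in parse_entries(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[{f.kind}] {f.reason}: {f.line}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed since previous log:", *removed, sep="\n  ")
    print("new since previous log:", *added, sep="\n  ")
```

Running it on the thread's own second and third logs in full would surface the same entries the reply singles out and, in the diff, the newly appeared orphaned BHO that the third log contains.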
chris125
2007-06-05, 22:53
Logfile of HijackThis v1.99.1
Scan saved at 12:49:49 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRAM FILES\JAVA\JRE1.6.0_01\BIN\JUSCHED.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137127858093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
chris125
2007-06-05, 22:53
"Chris" - 2007-06-05 12:06:02 Service Pack 2 NTFS
Command switches used :: ""C:\Documents and Settings\Chris\Desktop\Combofix-do.txt""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUMEnts and settings\ALL users\APPLICation data\novsvida.exe
C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
C:\WINDOWS\system32\dgjkpvbh.dll
C:\WINDOWS\system32\vfxcujld.exe
((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))
2007-06-02 09:51 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-31 01:19 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-30 12:23 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-05-30 12:23 <DIR> d-------- C:\Program Files\Propellerhead
2007-05-30 12:15 331,263 --a------ C:\WINDOWS\LOOP.exe
2007-05-30 12:15 <DIR> d-------- C:\Program Files\Recycle
2007-05-30 12:15 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\Propellerhead Software
2007-05-30 12:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software
2007-05-30 12:13 225,280 --a------ C:\WINDOWS\system32\ReWire.dll
2007-05-30 12:13 <DIR> d-------- C:\Program Files\Ableton
2007-05-30 12:13 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\Ableton
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-05 18:53:22 -------- d-----w C:\Program Files\BitComet
2007-06-02 06:08:02 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\BitTorrent
2007-05-31 16:34:12 -------- d-----w C:\Program Files\Steam
2007-05-31 05:10:49 -------- d-----w C:\Program Files\QuickTime
2007-05-31 05:05:48 -------- d-----w C:\Program Files\MSN Messenger
2007-05-31 05:03:19 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-05-31 05:03:03 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-05-31 04:59:01 -------- d-----w C:\Program Files\iTunes
2007-05-31 04:56:32 -------- d-----w C:\Program Files\ewido anti-malware
2007-05-31 04:50:26 -------- d-----w C:\Program Files\ATI Multimedia
2007-05-31 00:01:12 -------- d-----w C:\Program Files\BitTorrent
2007-05-30 21:44:35 -------- d-----w C:\Program Files\Soulseek
2007-05-09 17:07:58 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\ATI MMC
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 17:39]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 17:38]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 22:07]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 22:42 C:\WINDOWS\SOUNDMAN.EXE]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"@"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2006-07-12 21:25]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-07-12 21:22]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2006-07-12 21:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 05:21]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-05-29 22:40:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-05 12:07:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\WININIT.INI
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMCSetup.log
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\Wudf01000UnInst.log
C:\WINDOWS\ydi.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
C:\WINDOWS\_nvidia_xxx_.log
C:\WINDOWS\WindowsShell.Manifest
scan completed successfully
hidden files: 20
**************************************************************************
Completion time: 2007-06-05 12:07:48
C:\ComboFix-quarantined-files.txt ... 2007-06-05 12:07
C:\ComboFix2.txt ... 2007-06-02 09:51
--- E O F ---
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-05 12:48:54
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\DRIVERS\update.sys
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 4309FF9F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 4309FF20 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 4309FF64 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 4309FEAC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 4309FEE6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 4309FFDA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F315D2 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3464] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004DE392 C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 4309FF9F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 4309FF20 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 4309FF64 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 4309FEAC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 4309FEE6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 4309FFDA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4052] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F315D2 C:\WINDOWS\system32\IEFRAME.dll
---- EOF - GMER 1.0.12 ----
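An added example, not part of this thread and not GMER's own code: a small Python triage of the "User code sections" records in the GMER log above. It parses each inline-hook line and classifies it by where the 5-byte JMP lands. The first two sample records are copied from the log (IE7's IEFRAME.dll patching USER32 dialog functions inside iexplore.exe, and MSN Messenger patching SetUnhandledExceptionFilter inside its own image, both treated as benign, consistent with the helper's verdict that the log is clean); the last two records are constructed for the example, and their module names, addresses and file paths are invented. The classification rules (system32 or the process's own directory is likely benign, a user-writable directory or no owning module is suspicious) are an assumption of this example, not a GMER feature.

```python
"""Triage of GMER 'User code sections' inline-hook records (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One GMER user-mode hook record looks like:
#   .text <image>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<target image>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<target_image>\S.*))?$"
)

# Constructed sample input: the first two records are copied from the GMER log
# in the thread; the last two are invented for this example (module names,
# addresses and the example_hook.dll path are not real findings).
SAMPLE_LOG = "\n".join([
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F205 C:\WINDOWS\system32\IEFRAME.dll",
    r".text C:\Program Files\MSN Messenger\msnmsgr.exe[3464] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004DE392 C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2980] WS2_32.dll!send 71AB428A 5 Bytes JMP 10001230 C:\Documents and Settings\All Users\Application Data\example_hook.dll",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[2980] WININET.dll!HttpSendRequestA 771C2A3E 5 Bytes JMP 00E70000",
    "---- EOF - GMER 1.0.12 ----",
])


@dataclass
class Hook:
    image: str                    # process image whose memory was patched
    pid: int
    module: str                   # DLL whose export was patched (e.g. USER32.dll)
    func: str                     # patched export
    addr: int                     # address of the overwritten bytes
    nbytes: int                   # number of bytes overwritten
    target: int                   # where the JMP lands
    target_image: Optional[str]   # module owning the target; None if GMER found none


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one GMER '.text' record; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if m is None:
        return None
    return Hook(
        image=m["image"],
        pid=int(m["pid"]),
        module=m["module"],
        func=m["func"],
        addr=int(m["addr"], 16),
        nbytes=int(m["nbytes"]),
        target=int(m["target"], 16),
        target_image=m["target_image"],
    )


SYSTEM32 = "c:\\windows\\system32\\"
# Path fragments an unprivileged user can write to on XP; a hook whose target
# lives there deserves a look (assumed rule for this example, not GMER's).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")


def _directory(path: str) -> str:
    """Lower-cased directory part of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def triage(hook: Hook) -> str:
    """Heuristic verdict for one hook, based only on where the JMP target lives."""
    target = (hook.target_image or "").lower()
    if not target:
        return "suspicious: JMP lands in memory that belongs to no loaded module"
    if any(fragment in target for fragment in USER_WRITABLE):
        return "suspicious: hook target lives in a user-writable directory"
    if target == hook.image.lower():
        return "benign: process patches an API inside its own image"
    if target.startswith(SYSTEM32) or target.startswith(_directory(hook.image)):
        return "likely benign: target is an OS or application component"
    return "review: unrecognised hook target"


def triage_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, module!function, verdict) for every hook record in a GMER log."""
    findings = []
    for line in text.splitlines():
        hook = parse_hook(line)
        if hook is not None:
            findings.append((hook.pid, f"{hook.module}!{hook.func}", triage(hook)))
    return findings


if __name__ == "__main__":
    for pid, api, verdict in triage_log(SAMPLE_LOG):
        print(f"[{pid}] {api:40} {verdict}")
```

The path-based rules only decide which records to spend time on; a "likely benign" verdict still assumes the target file is the vendor's own (here IE7's IEFRAME.dll), which is confirmed by checking the file's signature or hash, as the thread did with the Jotti scan.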
chris125
2007-06-05, 22:58
The Jotti scan came back clean, and I haven't had any pop-ups or solicitations for bogus antivirus software for at least a day now. I deleted the BitComet software, but kept the other P2P software because I use them regularly. Thank you for pointing out the chances I'm taking with them; I'll be more careful.
Thank you for your help, my machine is running much nicer now.
Angelfire777
2007-06-09, 12:06
Hi, sorry for the delay. I didn't get a notification of your reply.
Ewido Antispyware
Ewido is now called AVG AntiSpyware. If you have the paid version of Ewido, I suggest that you upgrade it and use it to scan your system.
You can get the latest version of AVG Antispyware from here: www.ewido.net
*Click Start > Control Panel > Add or Remove Programs and uninstall Ewido.
*Reboot and delete these folders:
C:\Program Files\ewido anti-malware
C:\Program Files\BitComet
____________
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
____________
Other than those,
Congratulations! Your log looks clean!
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your PC's security.
Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)
IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IESpyAds works you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.
Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Happy safe surfing!