savetheinformation.com
medic6341
2007-11-30, 18:46
Hi,
My computer has become infected with this malware as well as some others too I think.
Here are the HJT log and Kaspersky log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:55 AM, on 30/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\twedyktu.dll (file missing)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [yjqrwtsv] rundll32.exe "C:\Program Files\yjqrwtsv\gtqfcpit.dll",Init
O4 - HKLM\..\Run: [sxgdgdev] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxgdgdev.dll"
O4 - HKLM\..\Run: [242a125c] rundll32.exe "C:\WINDOWS\system32\tqspfyny.dll",b
O4 - HKLM\..\Run: [hcvulsfa] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hcvulsfa.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {28AF57CC-DD0B-4166-92C3-5F8F7F8C8ABA} (Illuminatus 5 IE Plugin) - http://www.digitalworkshop.com/OpusPlugins/ilm500.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 7642 bytes
Thanks,
Chris
medic6341
2007-11-30, 18:50
Here is the Kaspersky report.
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 29, 2007 3:40:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 468518
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 85860
Number of viruses found 14
Number of infected objects 37
Number of suspicious objects 2
Duration of the scan process 01:14:07
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\bd37e6e15015e961d46161a92a320c3e_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Falcon Lake EMS\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\History\History.IE5\MSHist012007112920071130\index.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temp\~DFD77E.tmp Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temp\~DFD793.tmp Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temp\~DFF596.tmp Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temp\~DFF5D7.tmp Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\06QM1IFS\search1[2].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\06QM1IFS\search1[3].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\06QM1IFS\search[6].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\0LEC94BO\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\0LEC94BO\search[3].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\AFLSD5NT\search1[1].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\DUMHAOF2\search1[1].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\DUMHAOF2\search[4].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\NJIKUMOG\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\NJIKUMOG\search1[1].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\NJIKUMOG\search1[2].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\NJIKUMOG\search[1].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\Q7OE9PPK\search[3].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\TSC47579\search[2].htm Infected: Trojan-Downloader.JS.Remora.w skipped
C:\Documents and Settings\Falcon Lake EMS\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C2.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C5.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\32A3.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\32A5.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\32A6.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-719952643-353684879-644189985-1006\Dc1.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-719952643-353684879-644189985-1006\Dc2.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-719952643-353684879-644189985-1006\Dc3.xls Object is locked skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1195\A0178311.exe Infected: not-a-virus:FraudTool.Win32.IeDefender.d skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1217\A0182871.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1218\A0182999.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1218\A0183000.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1218\A0183001.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1218\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1033E650-930E-4FCE-B725-834685700E56}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\drvhic.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\jnbqcanu.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\SYSTEM32\skjlrsjp\skjlrsjp2.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\WINDOWS\SYSTEM32\skjlrsjp\skjlrsjp3.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
C:\WINDOWS\SYSTEM32\ssqqpon.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped
C:\WINDOWS\SYSTEM32\tnrtmwuk\tnrtmwuk2.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\WINDOWS\SYSTEM32\tnrtmwuk\tnrtmwuk3.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
C:\WINDOWS\SYSTEM32\tqspfyny.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\SYSTEM32\twedyktu.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\winwly32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\Temp\gosB.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hello medic6341 and welcome to the Forums :)
You're infected.
Rename HijackThis.exe to skanneri.exe by doing the following:
Navigate here using Windows Explorer (Windows key + E) or My Computer > Local Disk C: > C:\Program Files\Trend Micro\HijackThis
Right-click on HijackThis.exe.
Choose "Rename" from the pull-down menu.
Now rename HijackThis.exe to skanneri.exe.
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click "Do a system scan and save a log file").
Post the fresh HijackThis log here.
medic6341
2007-12-03, 23:42
Thanks for your response. Here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:26 PM, on 03/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: (no name) - {023A8D96-1120-4196-B227-2E2A8424EEB1} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {158A95B4-1F79-3B06-78BF-0424CDB17C2E} - C:\Program Files\Eqthvltq\zyjockhq.dll
O2 - BHO: (no name) - {52DFF71E-3CC3-4087-9732-61241907106f} - C:\WINDOWS\system32\dmtkydxe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Allkmiqq\pliasxxu.dll
O2 - BHO: (no name) - {6C2EF5FA-A247-4922-A98E-F1840CA19B84} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {950A310A-BE86-470C-A295-C75A4EDD222C} - (no file)
O2 - BHO: (no name) - {99889776-612F-4AE7-8E3A-A9F079CCB34C} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\twedyktu.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\ssqqpon.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\twedyktu.dll (file missing)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [yjqrwtsv] rundll32.exe "C:\Program Files\yjqrwtsv\gtqfcpit.dll",Init
O4 - HKLM\..\Run: [sxgdgdev] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxgdgdev.dll"
O4 - HKLM\..\Run: [hcvulsfa] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hcvulsfa.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [242a125c] rundll32.exe "C:\WINDOWS\system32\tqspfyny.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {28AF57CC-DD0B-4166-92C3-5F8F7F8C8ABA} (Illuminatus 5 IE Plugin) - http://www.digitalworkshop.com/OpusPlugins/ilm500.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll
O20 - Winlogon Notify: gos5F - gos5F.tmp (file missing)
O20 - Winlogon Notify: ssqqpon - C:\WINDOWS\SYSTEM32\ssqqpon.dll
O20 - Winlogon Notify: twedyktu - twedyktu.dll (file missing)
O20 - Winlogon Notify: winwly32 - C:\WINDOWS\SYSTEM32\winwly32.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\lwarkenb.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 9399 bytes
Hi :)
You're infected.
First, you need to disable a few real-time protections. These may interfere with our cleaning process.
We'll enable these again when you're clean...
Disable Spybot S&D TeaTimer.
Run Spybot-S&D in Advanced Mode.
If it is not already set to this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
medic6341
2007-12-04, 22:32
Thanks again for your help.
Here is the ComboFix log.
ComboFix 07-12-02.6 - Falcon Lake EMS 2007-12-04 14:11:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.77 [GMT -6:00]
Running from: C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\Y44D39UP\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Falcon Lake EMS\Favorites\Online Security Guide.lnk
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\fuaypxjr.dll
C:\WINDOWS\system32\fulwbpow.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\jbylxprc.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\lyhsufbn.dll
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\SYSTEM32\mlnmp.ini
C:\WINDOWS\SYSTEM32\mlnmp.ini2
C:\WINDOWS\system32\nehtuhet.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\skjlrsjp
C:\WINDOWS\system32\skjlrsjp\bg1.gif
C:\WINDOWS\system32\skjlrsjp\bgtop.gif
C:\WINDOWS\system32\skjlrsjp\bottom1.gif
C:\WINDOWS\system32\skjlrsjp\essentials.gif
C:\WINDOWS\system32\skjlrsjp\icon1.ico
C:\WINDOWS\system32\skjlrsjp\install1.gif
C:\WINDOWS\system32\skjlrsjp\left1.gif
C:\WINDOWS\system32\skjlrsjp\li.gif
C:\WINDOWS\system32\skjlrsjp\logo.gif
C:\WINDOWS\system32\skjlrsjp\main.htm
C:\WINDOWS\system32\skjlrsjp\mainframe.htm
C:\WINDOWS\system32\skjlrsjp\reinstall1.gif
C:\WINDOWS\system32\skjlrsjp\right1.gif
C:\WINDOWS\system32\skjlrsjp\s1.htm
C:\WINDOWS\system32\skjlrsjp\s2.htm
C:\WINDOWS\system32\skjlrsjp\s3.htm
C:\WINDOWS\system32\skjlrsjp\skjlrsjp1.exe
C:\WINDOWS\system32\skjlrsjp\skjlrsjp2.exe
C:\WINDOWS\system32\skjlrsjp\skjlrsjp3.exe
C:\WINDOWS\system32\skjlrsjp\SMTop1.gif
C:\WINDOWS\system32\skjlrsjp\SMTop2.gif
C:\WINDOWS\system32\skjlrsjp\SMTop3.gif
C:\WINDOWS\system32\skjlrsjp\SMTop4.gif
C:\WINDOWS\system32\skjlrsjp\soft1_off.gif
C:\WINDOWS\system32\skjlrsjp\soft1_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft1_on.gif
C:\WINDOWS\system32\skjlrsjp\soft1_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft2_off.gif
C:\WINDOWS\system32\skjlrsjp\soft2_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft2_on.gif
C:\WINDOWS\system32\skjlrsjp\soft2_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft3_off.gif
C:\WINDOWS\system32\skjlrsjp\soft3_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft3_on.gif
C:\WINDOWS\system32\skjlrsjp\soft3_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\softbottom_off.gif
C:\WINDOWS\system32\skjlrsjp\softbottom_on.gif
C:\WINDOWS\system32\skjlrsjp\softleft_off.gif
C:\WINDOWS\system32\skjlrsjp\softleft_on.gif
C:\WINDOWS\system32\skjlrsjp\top1.gif
C:\WINDOWS\system32\skjlrsjp\top2.gif
C:\WINDOWS\system32\skjlrsjp\turnoff1.gif
C:\WINDOWS\system32\skjlrsjp\turnon1.gif
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqqpon.dll
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\tnrtmwuk
C:\WINDOWS\system32\tnrtmwuk\bg1.gif
C:\WINDOWS\system32\tnrtmwuk\bgtop.gif
C:\WINDOWS\system32\tnrtmwuk\bottom1.gif
C:\WINDOWS\system32\tnrtmwuk\essentials.gif
C:\WINDOWS\system32\tnrtmwuk\icon1.ico
C:\WINDOWS\system32\tnrtmwuk\install1.gif
C:\WINDOWS\system32\tnrtmwuk\left1.gif
C:\WINDOWS\system32\tnrtmwuk\li.gif
C:\WINDOWS\system32\tnrtmwuk\logo.gif
C:\WINDOWS\system32\tnrtmwuk\main.htm
C:\WINDOWS\system32\tnrtmwuk\mainframe.htm
C:\WINDOWS\system32\tnrtmwuk\reinstall1.gif
C:\WINDOWS\system32\tnrtmwuk\right1.gif
C:\WINDOWS\system32\tnrtmwuk\s1.htm
C:\WINDOWS\system32\tnrtmwuk\s2.htm
C:\WINDOWS\system32\tnrtmwuk\s3.htm
C:\WINDOWS\system32\tnrtmwuk\SMTop1.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop2.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop3.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop4.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_off.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_on.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_off.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_on.gif
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk1.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk2.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk3.exe
C:\WINDOWS\system32\tnrtmwuk\top1.gif
C:\WINDOWS\system32\tnrtmwuk\top2.gif
C:\WINDOWS\system32\tnrtmwuk\turnoff1.gif
C:\WINDOWS\system32\tnrtmwuk\turnon1.gif
C:\WINDOWS\system32\vicgtvtn.dll
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\winwly32.dll
C:\WINDOWS\system32\xtvlsnbn.dll
C:\WINDOWS\SYSTEM32\yybeg.bak1
C:\WINDOWS\SYSTEM32\yybeg.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.
2007-12-03 14:26 . 2007-12-03 14:26 6,675 --a------ C:\WINDOWS\SYSTEM32\phhttory.dll
2007-12-02 11:16 . 2007-12-02 11:16 354 --ahs---- C:\WINDOWS\SYSTEM32\pwxymapo.ini
2007-12-01 11:13 . 2007-12-02 11:13 294 --ahs---- C:\WINDOWS\SYSTEM32\nvkkwlxj.ini
2007-11-30 11:11 . 2007-11-30 18:00 768,463 --ahs---- C:\WINDOWS\SYSTEM32\tmgmlgbp.ini
2007-11-29 10:33 . 2007-11-29 10:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-29 10:33 . 2007-11-29 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-29 10:16 . 2007-11-29 10:16 <DIR> d-------- C:\Program Files\Allkmiqq
2007-11-29 10:05 . 2007-11-30 01:13 662 --a------ C:\WINDOWS\wininit.ini
2007-11-28 14:11 . 2007-11-29 11:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 14:00 . 2007-11-29 10:18 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-28 13:59 . 2007-11-28 14:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-28 10:05 . 2007-11-28 11:13 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-11-28 08:11 . 2007-11-30 21:00 768,463 --ahs---- C:\WINDOWS\SYSTEM32\ynyfpsqt.ini
2007-11-25 12:23 . 2007-11-27 12:23 784,245 --ahs---- C:\WINDOWS\SYSTEM32\jjkabcwb.ini
2007-11-24 10:10 . 2007-11-24 10:10 7,033 --a------ C:\WINDOWS\SYSTEM32\ssttr.dll
2007-11-24 09:10 . 2007-11-24 09:10 7,033 --a------ C:\WINDOWS\SYSTEM32\pmnnl.dll
2007-11-23 22:23 . 2007-11-23 22:23 7,033 --a------ C:\WINDOWS\SYSTEM32\mlljj.dll
2007-11-23 14:30 . 2007-11-23 14:44 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-23 13:54 . 2007-11-23 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-11-23 13:49 . 2007-11-23 13:57 <DIR> d-------- C:\Program Files\ACW
2007-11-23 08:27 . 2007-11-23 11:27 7,033 --a------ C:\WINDOWS\SYSTEM32\ssqro.dll
2007-11-23 04:27 . 2007-11-23 04:27 7,033 --a------ C:\WINDOWS\SYSTEM32\vtsqo.dll
2007-11-23 03:27 . 2007-11-23 03:27 7,033 --a------ C:\WINDOWS\SYSTEM32\pmkhg.dll
2007-11-23 01:27 . 2007-11-23 10:27 7,033 --a------ C:\WINDOWS\SYSTEM32\ddcyv.dll
2007-11-22 22:27 . 2007-11-22 22:27 7,033 --a------ C:\WINDOWS\SYSTEM32\awtqq.dll
2007-11-22 21:27 . 2007-11-22 21:27 7,033 --a------ C:\WINDOWS\SYSTEM32\vtutr.dll
2007-11-22 18:27 . 2007-11-22 18:27 7,033 --a------ C:\WINDOWS\SYSTEM32\mljgh.dll
2007-11-22 16:27 . 2007-11-22 16:27 7,033 --a------ C:\WINDOWS\SYSTEM32\mljjh.dll
2007-11-22 08:07 . 2007-11-22 08:07 7,033 --a------ C:\WINDOWS\SYSTEM32\ddcyy.dll
2007-11-21 22:07 . 2007-11-21 22:07 7,033 --a------ C:\WINDOWS\SYSTEM32\awtsq.dll
2007-11-21 19:07 . 2007-11-21 19:07 7,033 --a------ C:\WINDOWS\SYSTEM32\geede.dll
2007-11-21 18:07 . 2007-11-21 18:07 7,033 --a------ C:\WINDOWS\SYSTEM32\geedd.dll
2007-11-21 16:07 . 2007-11-21 16:07 7,033 --a------ C:\WINDOWS\SYSTEM32\mlljh.dll
2007-11-21 14:07 . 2007-11-22 10:07 7,033 --a------ C:\WINDOWS\SYSTEM32\jkkli.dll
2007-11-21 10:19 . 2007-11-21 10:19 7,033 --a------ C:\WINDOWS\SYSTEM32\ddayv.dll
2007-11-21 08:19 . 2007-11-21 08:19 7,033 --a------ C:\WINDOWS\SYSTEM32\geeba.dll
2007-11-21 07:47 . 2007-11-22 07:07 7,033 --a------ C:\WINDOWS\SYSTEM32\jkhfd.dll
2007-11-21 05:47 . 2007-11-21 05:47 7,033 --a------ C:\WINDOWS\SYSTEM32\vtsqn.dll
2007-11-21 04:47 . 2007-11-21 04:47 7,033 --a------ C:\WINDOWS\SYSTEM32\mljji.dll
2007-11-21 01:47 . 2007-11-21 01:47 7,033 --a------ C:\WINDOWS\SYSTEM32\awtsr.dll
2007-11-20 23:47 . 2007-11-23 09:27 7,033 --a------ C:\WINDOWS\SYSTEM32\jkkjk.dll
2007-11-20 22:47 . 2007-11-20 22:47 7,033 --a------ C:\WINDOWS\SYSTEM32\vtstr.dll
2007-11-20 16:47 . 2007-11-20 16:47 7,033 --a------ C:\WINDOWS\SYSTEM32\geedc.dll
2007-11-20 16:42 . 2007-11-20 16:42 <DIR> d-------- C:\Program Files\Eqthvltq
2007-11-20 16:41 . 2007-11-20 16:41 <DIR> d-------- C:\Program Files\yjqrwtsv
2007-11-20 15:27 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-20 15:27 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2007-11-20 15:27 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2007-11-20 15:26 . 2007-11-21 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-20 15:25 . 2007-11-30 10:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 10:33 . 2007-11-20 10:33 <DIR> d-------- C:\Program Files\TryMedia
2007-11-19 16:07 . 2007-11-19 16:07 102,912 --a------ C:\WINDOWS\SYSTEM32\drvhic.dll
2007-11-05 13:15 . 2007-11-05 13:15 <DIR> d-------- C:\Documents and Settings\Casuals\Application Data\Grisoft
2007-11-05 08:56 . 2007-11-29 10:18 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-11-05 08:56 . 2007-11-29 10:18 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 03:06 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-23 20:44 --------- d-----w C:\Documents and Settings\Falcon Lake EMS\Application Data\U3
2007-11-20 22:20 --------- d-----w C:\Program Files\MSN Messenger
2007-11-20 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-20 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-05 18:14 --------- d-----w C:\Program Files\Lexmark X74-X75
2007-01-07 17:59 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{158A95B4-1F79-3B06-78BF-0424CDB17C2E}]
2007-11-20 16:42 106496 --a------ C:\Program Files\Eqthvltq\zyjockhq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52DFF71E-3CC3-4087-9732-61241907106f}]
C:\WINDOWS\system32\dmtkydxe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
2007-11-29 10:16 98304 --a------ C:\Program Files\Allkmiqq\pliasxxu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C2EF5FA-A247-4922-A98E-F1840CA19B84}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{950A310A-BE86-470C-A295-C75A4EDD222C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99889776-612F-4AE7-8E3A-A9F079CCB34C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 00:30]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 09:19]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 08:21]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]
"242a125c"="C:\WINDOWS\system32\tqspfyny.dll" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gos5F]
gos5F.tmp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\twedyktu]
twedyktu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 19:48:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 14:28:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-04 14:29:57 - machine was rebooted
.
--- E O F ---
Hi again, we'll continue :)
Go to virustotal.com (http://www.virustotal.com)
Copy the following into the box next to the "Browse" button:
C:\WINDOWS\DCEBoot.exe
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\phhttory.dll
C:\WINDOWS\SYSTEM32\pwxymapo.ini
C:\WINDOWS\SYSTEM32\nvkkwlxj.ini
C:\WINDOWS\SYSTEM32\tmgmlgbp.ini
C:\WINDOWS\SYSTEM32\ynyfpsqt.ini
C:\WINDOWS\system32\tqspfyny.dll
C:\WINDOWS\SYSTEM32\jjkabcwb.ini
C:\WINDOWS\SYSTEM32\ssttr.dll
C:\WINDOWS\SYSTEM32\pmnnl.dll
C:\WINDOWS\SYSTEM32\mlljj.dll
C:\WINDOWS\SYSTEM32\ssqro.dll
C:\WINDOWS\SYSTEM32\vtsqo.dll
C:\WINDOWS\SYSTEM32\pmkhg.dll
C:\WINDOWS\SYSTEM32\ddcyv.dll
C:\WINDOWS\SYSTEM32\awtqq.dll
C:\WINDOWS\SYSTEM32\vtutr.dll
C:\WINDOWS\SYSTEM32\mljgh.dll
C:\WINDOWS\SYSTEM32\mljjh.dll
C:\WINDOWS\SYSTEM32\ddcyy.dll
C:\WINDOWS\SYSTEM32\awtsq.dll
C:\WINDOWS\SYSTEM32\geede.dll
C:\WINDOWS\SYSTEM32\geedd.dll
C:\WINDOWS\SYSTEM32\mlljh.dll
C:\WINDOWS\SYSTEM32\jkkli.dll
C:\WINDOWS\SYSTEM32\ddayv.dll
C:\WINDOWS\SYSTEM32\geeba.dll
C:\WINDOWS\SYSTEM32\jkhfd.dll
C:\WINDOWS\SYSTEM32\vtsqn.dll
C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\awtsr.dll
C:\WINDOWS\SYSTEM32\jkkjk.dll
C:\WINDOWS\SYSTEM32\vtstr.dll
C:\WINDOWS\SYSTEM32\geedc.dll
C:\WINDOWS\SYSTEM32\drvhic.dll
C:\WINDOWS\system32\dmtkydxe.dll
Folder::
C:\Program Files\Allkmiqq
C:\Program Files\Eqthvltq
C:\Program Files\yjqrwtsv
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{158A95B4-1F79-3B06-78BF-0424CDB17C2E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52DFF71E-3CC3-4087-9732-61241907106f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C2EF5FA-A247-4922-A98E-F1840CA19B84}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{950A310A-BE86-470C-A295-C75A4EDD222C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99889776-612F-4AE7-8E3A-A9F079CCB34C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"242a125c"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gos5F]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\twedyktu]
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log + the virustotal results
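The File:: list above was assembled by hand from the ComboFix "Files Created" section: short random-looking names dropped directly into SYSTEM32, several of them the same 7,033 bytes, plus hidden+system .ini files. As an added example (not part of this thread and not ComboFix's own code), the Python script below automates that triage over sample log lines. It parses entries in ComboFix's "created . modified size attrs path" layout, flags files whose stem is 5-8 lowercase letters sitting directly in SYSTEM32 (any .dll, or .ini carrying hidden+system attributes), groups the flagged files by identical byte size, and renders a File:: section for a human to review. The naming and attribute heuristic is an assumption drawn from this thread's log, not a general malware signature; the sample log is a constructed subset of the lines posted above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Shape of one entry in the "Files Created" section of a ComboFix log:
#   <created> . <modified> <size or <DIR>> <attrs> <path>
# Lines from other sections (Find3M, registry) do not have the " . " separator
# and are ignored by the regex.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>\S.*)$"
)

# Heuristic (an assumption for this example, not ComboFix logic): a file name
# made only of 5-8 lowercase letters placed directly in SYSTEM32 is a poor fit
# for a legitimate Windows component and a good fit for the pattern in this log.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")
SYSTEM32 = r"c:\windows\system32"

# Constructed sample: a subset of the "Files Created" lines posted in the thread.
SAMPLE_LOG = r"""
2007-12-03 14:26 . 2007-12-03 14:26 6,675 --a------ C:\WINDOWS\SYSTEM32\phhttory.dll
2007-12-02 11:16 . 2007-12-02 11:16 354 --ahs---- C:\WINDOWS\SYSTEM32\pwxymapo.ini
2007-11-29 10:33 . 2007-11-29 10:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-29 10:05 . 2007-11-30 01:13 662 --a------ C:\WINDOWS\wininit.ini
2007-11-28 14:00 . 2007-11-29 10:18 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-28 10:05 . 2007-11-28 11:13 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-11-24 10:10 . 2007-11-24 10:10 7,033 --a------ C:\WINDOWS\SYSTEM32\ssttr.dll
2007-11-24 09:10 . 2007-11-24 09:10 7,033 --a------ C:\WINDOWS\SYSTEM32\pmnnl.dll
2007-11-23 22:23 . 2007-11-23 22:23 7,033 --a------ C:\WINDOWS\SYSTEM32\mlljj.dll
2007-11-20 15:27 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-19 16:07 . 2007-11-19 16:07 102,912 --a------ C:\WINDOWS\SYSTEM32\drvhic.dll
""".strip()


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str           # e.g. "--ahs----": a=archive, h=hidden, s=system
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_entries(log_text: str) -> list:
    """Return the Files Created entries found in a ComboFix log text."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"].replace(",", "")) if m["size"] else None
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def is_suspicious(e: Entry) -> bool:
    """Apply the random-name heuristic to one entry (see assumption above)."""
    if e.is_dir:
        return False
    directory, _, name = e.path.rpartition("\\")
    if directory.lower() != SYSTEM32:          # subdirectories such as DRIVERS are skipped
        return False
    stem, dot, ext = name.rpartition(".")
    if not dot or not RANDOM_STEM_RE.match(stem):
        return False
    ext = ext.lower()
    if ext == "dll":
        return True
    # Hidden+system .ini files in SYSTEM32 are the other artefact in this log;
    # an ordinary .ini is left alone.
    return ext == "ini" and e.hidden_system


def size_clusters(entries, min_count: int = 3) -> dict:
    """Group flagged files by byte size: several random-named files of identical
    size are usually variants of one dropper and worth reviewing together."""
    by_size = defaultdict(list)
    for e in entries:
        if is_suspicious(e) and e.size is not None:
            by_size[e.size].append(e.path)
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_count}


def build_cfscript(entries) -> str:
    """Render a ComboFix-style 'File::' section, one path per line, for review."""
    paths = sorted(e.path for e in entries if is_suspicious(e))
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print(build_cfscript(found))
    for size, paths in size_clusters(found).items():
        print(f"# {len(paths)} flagged files share the size {size:,} bytes")
```

The printed File:: block is a starting point for a reviewer, not something to hand to ComboFix unread: a short-named legitimate DLL would be flagged just the same, so each path should still be checked (for example against VirusTotal, as the post above does for DCEBoot.exe) before it goes into a script.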
medic6341
2007-12-07, 20:06
Here are the scan results from VirusTotal; I will post the rest right away.
File DCEBoot.exe received on 12.07.2007 18:55:57 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.8.0 2007.12.07 -
AntiVir 7.6.0.40 2007.12.07 -
Authentium 4.93.8 2007.12.06 -
Avast 4.7.1098.0 2007.12.06 -
AVG 7.5.0.503 2007.12.07 -
BitDefender 7.2 2007.12.07 -
CAT-QuickHeal 9.00 2007.12.07 -
ClamAV 0.91.2 2007.12.07 -
DrWeb 4.44.0.09170 2007.12.07 -
eSafe 7.0.15.0 2007.12.06 -
eTrust-Vet 31.3.5359 2007.12.07 -
Ewido 4.0 2007.12.07 -
FileAdvisor 1 2007.12.07 -
Fortinet 3.14.0.0 2007.12.07 -
F-Prot 4.4.2.54 2007.12.06 -
F-Secure 6.70.13030.0 2007.12.07 -
Ikarus T3.1.1.12 2007.12.07 -
Kaspersky 7.0.0.125 2007.12.07 -
McAfee 5179 2007.12.06 -
Microsoft 1.3007 2007.12.07 -
NOD32v2 2710 2007.12.07 -
Norman 5.80.02 2007.12.07 -
Panda 9.0.0.4 2007.12.06 -
Prevx1 V2 2007.12.07 -
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.07 -
Sunbelt 2.2.907.0 2007.12.07 -
Symantec 10 2007.12.07 -
TheHacker 6.2.9.152 2007.12.07 -
VBA32 3.12.2.5 2007.12.05 -
VirusBuster 4.3.26:9 2007.12.07 -
Webwasher-Gateway 6.6.2 2007.12.07 -
Additional information
File size: 10752 bytes
MD5: 7fbc2a5cc5a47fbb67bd27d38a19f0f1
SHA1: a6982409e417221b290436d0e595556ace0e01c5
PEiD: -
Chris
medic6341
2007-12-07, 21:53
Here are the other 2 logs. After running ComboFix with the CFScript it rebooted the machine, but I could not find the log, so I re-ran ComboFix with the CFScript and it produced this log.
Thanks again for your help
Chris
ComboFix 07-12-07.3 - Falcon Lake EMS 2007-12-07 13:44:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.118 [GMT -6:00]
Running from: C:\Documents and Settings\Falcon Lake EMS\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Falcon Lake EMS\Desktop\CFScript.lnk
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Allkmiqq
C:\Program Files\Allkmiqq\pliasxxu.dll
C:\Program Files\Eqthvltq
C:\Program Files\Eqthvltq\zyjockhq.dll
C:\Program Files\yjqrwtsv
C:\Program Files\yjqrwtsv\gtqfcpit.dll
C:\WINDOWS\SYSTEM32\awtqq.dll
C:\WINDOWS\SYSTEM32\awtsq.dll
C:\WINDOWS\SYSTEM32\awtsr.dll
C:\WINDOWS\SYSTEM32\ddayv.dll
C:\WINDOWS\SYSTEM32\ddcyv.dll
C:\WINDOWS\SYSTEM32\ddcyy.dll
C:\WINDOWS\SYSTEM32\drvhic.dll
C:\WINDOWS\SYSTEM32\geeba.dll
C:\WINDOWS\SYSTEM32\geedc.dll
C:\WINDOWS\SYSTEM32\geedd.dll
C:\WINDOWS\SYSTEM32\geede.dll
C:\WINDOWS\SYSTEM32\jjkabcwb.ini
C:\WINDOWS\SYSTEM32\jkhfd.dll
C:\WINDOWS\SYSTEM32\jkkjk.dll
C:\WINDOWS\SYSTEM32\jkkli.dll
C:\WINDOWS\SYSTEM32\mljgh.dll
C:\WINDOWS\SYSTEM32\mljjh.dll
C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\mlljh.dll
C:\WINDOWS\SYSTEM32\mlljj.dll
C:\WINDOWS\SYSTEM32\nvkkwlxj.ini
C:\WINDOWS\SYSTEM32\phhttory.dll
C:\WINDOWS\SYSTEM32\pmkhg.dll
C:\WINDOWS\SYSTEM32\pmnnl.dll
C:\WINDOWS\SYSTEM32\pwxymapo.ini
C:\WINDOWS\SYSTEM32\ssqro.dll
C:\WINDOWS\SYSTEM32\ssttr.dll
C:\WINDOWS\SYSTEM32\tmgmlgbp.ini
C:\WINDOWS\SYSTEM32\vtsqn.dll
C:\WINDOWS\SYSTEM32\vtsqo.dll
C:\WINDOWS\SYSTEM32\vtstr.dll
C:\WINDOWS\SYSTEM32\vtutr.dll
C:\WINDOWS\SYSTEM32\ynyfpsqt.ini
.
((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.
2007-11-29 10:33 . 2007-11-29 10:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-29 10:33 . 2007-11-29 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-29 10:05 . 2007-11-30 01:13 662 --a------ C:\WINDOWS\wininit.ini
2007-11-28 14:11 . 2007-11-29 11:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 14:00 . 2007-11-29 10:18 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-28 13:59 . 2007-11-28 14:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-28 10:05 . 2007-11-28 11:13 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-11-23 14:30 . 2007-11-23 14:44 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-23 13:54 . 2007-11-23 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-11-23 13:49 . 2007-11-23 13:57 <DIR> d-------- C:\Program Files\ACW
2007-11-20 15:27 . 2007-09-18 00:29 138,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-20 15:27 . 2007-09-18 00:29 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2007-11-20 15:27 . 2007-09-18 00:29 52,368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2007-11-20 15:26 . 2007-11-21 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-20 15:25 . 2007-11-30 10:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 10:33 . 2007-11-20 10:33 <DIR> d-------- C:\Program Files\TryMedia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 03:06 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-23 20:44 --------- d-----w C:\Documents and Settings\Falcon Lake EMS\Application Data\U3
2007-11-20 22:20 --------- d-----w C:\Program Files\MSN Messenger
2007-11-20 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-20 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-05 19:15 --------- d-----w C:\Documents and Settings\Casuals\Application Data\Grisoft
2007-11-05 18:14 --------- d-----w C:\Program Files\Lexmark X74-X75
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-01-07 17:59 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{158A95B4-1F79-3B06-78BF-0424CDB17C2E}]
C:\Program Files\Eqthvltq\zyjockhq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52DFF71E-3CC3-4087-9732-61241907106f}]
C:\WINDOWS\system32\dmtkydxe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
C:\Program Files\Allkmiqq\pliasxxu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C2EF5FA-A247-4922-A98E-F1840CA19B84}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{950A310A-BE86-470C-A295-C75A4EDD222C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99889776-612F-4AE7-8E3A-A9F079CCB34C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 00:30]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 09:19]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 08:21]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]
"242a125c"="C:\WINDOWS\system32\tqspfyny.dll" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gos5F]
gos5F.tmp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\twedyktu]
twedyktu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 19:48:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 13:48:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-07 13:48:53
C:\ComboFix2.txt ... 2007-12-04 14:29
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:23 PM, on 07/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {28AF57CC-DD0B-4166-92C3-5F8F7F8C8ABA} (Illuminatus 5 IE Plugin) - http://www.digitalworkshop.com/OpusPlugins/ilm500.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 7233 bytes
Hi, looks much better.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log.
medic6341
2007-12-08, 21:25
Here are the 2 reports as requested
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 08, 2007 1:19:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/12/2007
Kaspersky Anti-Virus database records: 477351
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 65362
Number of viruses found 12
Number of infected objects 31
Number of suspicious objects 0
Duration of the scan process 01:04:53
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\bd37e6e15015e961d46161a92a320c3e_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Application Data\Sun\Java\Deployment\log\plugin142_03.trace Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\History\History.IE5\MSHist012007120820071209\index.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\temp\Acr2A6.tmp Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\temp\hsperfdata_Falcon Lake EMS\3464 Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\temp\~DF864E.tmp Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\temp\~DF8661.tmp Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C2.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C5.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\32A3.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\32A5.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\32A6.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\drvhic.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\skjlrsjp\skjlrsjp2.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\skjlrsjp\skjlrsjp3.exe.vir Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\tnrtmwuk\tnrtmwuk2.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\tnrtmwuk\tnrtmwuk3.exe.vir Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\winwly32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\xtvlsnbn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\qoobox\Quarantine\catchme2007-12-04_142643.37.zip/ssqqpon.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped
C:\qoobox\Quarantine\catchme2007-12-04_142643.37.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-719952643-353684879-644189985-1006\Dc1.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-719952643-353684879-644189985-1006\Dc2.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-719952643-353684879-644189985-1006\Dc3.xls Object is locked skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1195\A0178311.exe Infected: not-a-virus:FraudTool.Win32.IeDefender.d skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183661.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183662.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183664.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183665.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183705.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183706.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183716.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1229\A0183866.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\A0183993.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\A0183994.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\A0183995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\A0183996.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\A0183997.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\A0183998.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:44 PM, on 08/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {28AF57CC-DD0B-4166-92C3-5F8F7F8C8ABA} (Illuminatus 5 IE Plugin) - http://www.digitalworkshop.com/OpusPlugins/ilm500.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 7308 bytes
Hi again :)
Looks very good, only a few leftovers.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - hxtp://www.shockwave.com/content/hea...ploader_v6.cab
Restart your computer
Open "My Computer" and delete the following files (if present):
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Post one more HijackThis log and also let me know how the pc is running :)
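The helper's call of "only a few leftovers" comes from reading where each Kaspersky detection sits: nearly all of them are inside quarantine folders (Trend Micro's Quarantine and ComboFix's C:\qoobox) or inside System Restore points, and only one (popcaploader.dll in Downloaded Program Files) is on the live file system. The script below is an added example, not code from this thread or from any of the tools mentioned; it parses result lines laid out like the report above (path, status, last action) and sorts detections by location so that the ones that still need action stand out. The sample lines are constructed from the layout of the report above, and the location rules (a "\Quarantine\" path component, a "\System Volume Information\_restore" prefix) are assumptions for this example, not something the scanner reports.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Kaspersky Online Scanner result
# lines above (path, status, last action); it is a subset, not the full report.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Documents and Settings\Falcon Lake EMS\NTUSER.DAT Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C2.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\drvhic.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\qoobox\Quarantine\catchme2007-12-04_142643.37.zip/ssqqpon.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arv skipped
C:\qoobox\Quarantine\catchme2007-12-04_142643.37.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1226\A0183706.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1230\A0183993.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
"""

# A result line is: <path with spaces> <status> <action>. The path is matched
# non-greedily and the status alternatives anchor the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<status>Object is locked|Infected: \S+|ZIP: infected - \d+) "
    r"(?P<action>\S+)$"
)

# Location heuristics (assumptions for this example): files already sitting in a
# quarantine folder or in a System Restore point are inert leftovers, not active
# infections, but they keep showing up in scans until those folders are purged.
RESTORE_MARKER = "\\system volume information\\_restore"
QUARANTINE_MARKER = "\\quarantine\\"


def classify_location(path):
    """Return 'restore_point', 'quarantined' or 'active' for a scanned path."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "restore_point"
    if QUARANTINE_MARKER in p:
        return "quarantined"
    return "active"


def parse_report(text):
    """Parse result lines into findings; lines that do not fit are returned separately."""
    findings, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        status = m.group("status")
        if status.startswith("Infected: "):
            detection = status[len("Infected: "):]
        elif status.startswith("ZIP: infected"):
            # Archive container; its infected member is listed on its own line.
            detection = "ZIP container"
        else:
            detection = None  # "Object is locked": an in-use file that was not scanned at all
        findings.append({"path": m.group("path"), "detection": detection,
                         "action": m.group("action")})
    return findings, unparsed


def triage(text):
    """Group detections by location and count detection names; locked files are counted, not listed."""
    findings, unparsed = parse_report(text)
    result = {"active": [], "quarantined": [], "restore_point": [],
              "locked": 0, "detections": Counter(), "unparsed": unparsed}
    for f in findings:
        if f["detection"] is None:
            result["locked"] += 1
            continue
        result[classify_location(f["path"])].append(f["path"])
        result["detections"][f["detection"]] += 1
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"locked (unscanned) objects: {r['locked']}")
    for bucket in ("quarantined", "restore_point", "active"):
        print(f"{bucket}: {len(r[bucket])}")
        for path in r[bucket]:
            print("   ", path)
    print("detections:", dict(r["detections"]))
    if r["unparsed"]:
        print("lines not understood:", r["unparsed"])
```

On the sample this leaves exactly one path under "active", which is the same file the helper singles out for deletion; the quarantined and restore-point entries explain why the thread later recommends clearing System Restore once the machine is clean. "Object is locked" lines are worth counting separately: those files (registry hives, event logs, NTUSER.DAT) were never scanned, so the report says nothing about them either way.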
medic6341
2007-12-12, 18:42
Hi again,
Here is the latest HJT log. The computer also seems to be running much better now; it had been running quite slow.
Again thank you so much for your assistance.
Chris
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:18 AM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {28AF57CC-DD0B-4166-92C3-5F8F7F8C8ABA} (Illuminatus 5 IE Plugin) - http://www.digitalworkshop.com/OpusPlugins/ilm500.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 6938 bytes
Hi again, it is looking clean now :)
You can remove the tools we used.
Okay so slow...please check these instructions -> Help! My computer is slow! by miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Then you should update your Java to the latest version (6u3):
Start > Control Panel > Add/Remove Programs
Delete the old Java:
Java 2 Runtime Environment, SE v1.4.2_03
Download the latest version of Java Runtime Environment (JRE) 6u3 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
medic6341
2007-12-15, 19:55
Thank you very much for all your assistance, you guys are great!
You're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: