View Full Version : Trojan problems incl. Antivirus 2008
Hi guys.
I'm so happy this forum exists! I have followed the instructions given in the stickies but I still have problems. My computer was infected with Antivrius 2008. I downloaded the AntiMalware software from Malwarebytes and ran this and fixed all the problems. But still I have the Windows Security pop-up informing me I still have a Trojan problem: First it was Trojan-Spy.Win32.Keylogger.aa, then Trojan-Clicker.Win32.Tinyh and now Trojan-Downloader.Win32.Agent.Bq.
I have also followed your instructions and installed and run Spybot, and fixed all the problems reported.
But still I have the pop-up reporting Trojans.
Please can some help! This is my HiJack log from just now.
Thankyou so much!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:54, on 17/08/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\kpmhabmp\ytqhghar.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINNT\system32\slajglwj.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6187] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6139] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [appapi] C:\WINNT\system32\slajglwj.exe
O4 - HKCU\..\Run: [chkutilwin] C:\WINNT\system32\bengfmds.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [chksyscmd] C:\WINNT\system32\bwvmrsde.exe
O4 - HKLM\..\Policies\Explorer\Run: [cgF9t6jGst] C:\Documents and Settings\All Users\Application Data\kpmhabmp\ytqhghar.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178913723749
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: enmsg - {25376014-51B5-7BA7-7C7F-04763FE3FD4F} - C:\Program Files\cevxqsd\enmsg.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
--
End of file - 8618 bytes
shelf life
2008-08-19, 23:02
hi pigdog
ok first we will use hjt, then get two download to use.
hjt:
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O4 - HKCU\..\Run: [appapi] C:\WINNT\system32\slajglwj.exe
O4 - HKCU\..\Run: [chkutilwin] C:\WINNT\system32\bengfmds.exe
O4 - HKCU\..\Run: [chksyscmd] C:\WINNT\system32\bwvmrsde.exe
O4 - HKLM\..\Policies\Explorer\Run: [cgF9t6jGst] C:\Documents and Settings\All Users\Application Data\kpmhabmp\ytqhghar.exe
next download and run SDFix first. link and directions:
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back in your reply
---------------------------------------------------
next download and run combofix. link and directions:
Download combofix from one of these links and save it to your Desktop:
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
last: rescan and post a new hjt log along with the two above.
hi shelf life
I've followed your instructions and the log files are below. When I ran SDFIx an registry error message came up saying: Cannot import assosfix.reg:Error opening the file. There may be a disk or file system error. I carried on with the fix.
The computer seems to have slowed down a lot particularly when in My Computer looking at the hard drive etc.
SDFix: Version 1.218
Run by Administrator on Wed 20/08/2008 at 1:24
Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Resetting SecurityProviders Value
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\Administrator\Application Data\Install.dat - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 01:46:43
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 23 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 13 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\0266545f856be3cc932da3d384b519a7\BIT48.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\06daf06a9753470e963e48f3b6e96ff1\BIT35.tmp"
Fri 11 May 2007 985,864 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\09858840c39345eeb4db7d6d56cf0544\BIT2D.tmp"
Fri 11 May 2007 5,629,208 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\09cb817dc3540e715f6f79d4a0adf6be\BIT36.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\0d65ebc6751140f74e37f3b96d65d73c\BIT52.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\1db2296914bc26f06b2de0e16f421e84\BIT38.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\1efc0cb89b1f526ac7a8f952c1842f28\BIT4E.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\2009d0d18d8376180dbcaf57f31d74e6\BIT45.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\2d8898db1d4bb686d3834a15aa48485b\BIT57.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\2f04cbe5ea16e5594c9e358fc629bc3c\BIT4C.tmp"
Fri 11 May 2007 493,952 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\2f944d5e11dce220ce1c03885cd31457\BIT37.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\30cbf95338dd606d073d91b0babdd411\BIT61.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\40b58893f7238765ab96a07ccd554f3f\BIT4D.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\411b948fb5be347d3dc32609a107c44d\BIT62.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\479e8782c07fb9fb3be22a2e16a2bb78\BIT4A.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\485bc0734df07718573f9e82aee950a0\BIT31.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\487473894e7a1942b56189c3606583b1\BIT5D.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\526536b92f17e105fa8be3869393cf4c\BIT4B.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\5d17fc6ace7dd921234267a3324c8b63\BIT51.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\62145e23576dc4a42fd8bc4c270a2d3d\BIT58.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\65d42d4d49a1c57fef8939839f78e1f3\BIT46.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\6a0e410db9dedef22c1dd1b96f5cd3f5\BIT5E.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\6bbdf719009276710de5a5000159cd31\BIT39.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\6e4787979e57e120c5c78d92735f9f3a\BIT2E.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\6f73bcbef3a5da9b6216ba153c8d0f2e\BIT34.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\70b0f8d4aa986db66d8c11d59e5e44de\BIT4F.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\76596ae7b8be91eaebf90c5f78887942\BIT30.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\80340438e0f91553e7f1455bc22fd0b7\BIT3D.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\80afe8e7b2e4126e2425e934eba0c449\BIT55.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\89b3a4d4cb1efd1d138c2573c0a1be68\BIT33.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\8ab65b5c35c79be31ac5a3907d3a6f63\BIT2A.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\a18d252937dd508bac6a54ec334f1f7f\BIT32.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\afec87dc2b8706ced7397e447b30db44\BIT3A.tmp"
Fri 11 May 2007 611,592 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\b644f487577711809366dbf3bb5f84d7\BIT49.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\bcb46cf72b1dc7d832c9f162c34f2bfc\BIT47.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\c02f0e8c30b7379ef1ced34dd711bbc8\BIT50.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\c5e445e4c6c208f9eb8ab8e2b972824e\BIT5A.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\d5fadb300a18dfd0a4e790f888a20e45\BIT53.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\de8ee63fe1a53132db68077e94ac91b1\BIT5C.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\e530c2e9de1aa91ebfbad658f83e0271\BIT5F.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\fb43cf822ceb1525ae3088a522b82f8d\BIT2C.tmp"
Fri 11 May 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\S-1-5-18\961183bc3a7355a3729784d9f23d4d92\download\BIT44.tmp"
Finished!
ComboFix 08-08-18.05 - Administrator 20/08/2008 1:59:35.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.147 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clicktorrent[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hits.gureport.co[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@peach.bskyb[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[2].txt
C:\WINNT\system32\actskn43.ocx
C:\WINNT\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.
2008-08-20 01:17 . 08-08-20 01:17 <DIR> d-------- C:\WINNT\ERUNT
2008-08-20 01:11 . 08-08-20 01:52 <DIR> d-------- C:\SDFix
2008-08-17 11:43 . 08-08-17 11:43 77,824 --a------ C:\WINNT\system32\jqbevqhk.exe
2008-08-17 10:19 . 08-08-17 10:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 23:43 . 08-08-16 23:43 86,016 --a------ C:\WINNT\system32\bwvmrsde.exe
2008-08-16 22:15 . 08-08-16 22:15 122 --a------ C:\WINNT\wininit.ini
2008-08-16 21:09 . 08-08-16 21:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-16 21:09 . 08-08-16 21:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-16 17:08 . 08-08-16 17:08 94,208 --a------ C:\WINNT\system32\bengfmds.exe
2008-08-16 16:14 . 08-08-16 16:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 16:14 . 08-08-16 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 16:14 . 08-08-16 16:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-16 16:14 . 08-07-30 20:14 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-16 16:14 . 08-07-30 20:14 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-08-16 13:57 . 08-08-16 13:57 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-16 11:44 . 08-08-17 10:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-16 10:58 . 08-08-16 10:58 <DIR> d-------- C:\Program Files\cevxqsd
2008-08-16 10:58 . 08-08-16 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\kpmhabmp
2008-08-16 10:58 . 08-08-16 10:58 86,016 --a------ C:\WINNT\system32\slajglwj.exe
2008-08-16 09:37 . 08-08-16 09:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3c0.dat
2008-08-15 22:02 . 08-08-15 22:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3d0.dat
2008-08-13 22:54 . 08-08-13 22:54 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3cc.dat
2008-08-04 10:27 . 08-08-06 12:14 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-08-04 10:27 . 08-08-04 10:27 1,409 --a------ C:\WINNT\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 00:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-08-19 23:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-08-12 22:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-05 14:50 --------- d-----w C:\Program Files\IrfanView
2008-07-20 21:48 --------- d-----w C:\Program Files\Java
2008-07-14 19:42 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-10 10:00 251,152 ----a-w C:\WINNT\system32\es.dll
2008-06-25 14:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
2008-06-25 14:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL
2008-06-25 14:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
2008-06-25 14:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
2008-06-25 14:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll
2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll
2008-06-20 08:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-03-23 13:03 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-08-06 11:52 271 ---h--w C:\Program Files\desktop.ini
2005-08-06 11:52 21,952 ---h--w C:\Program Files\folder.htt
2003-07-14 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [07-09-04 16:40 6856704]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [08-05-30 15:54 21718312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-20 23:21 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02-08-27 16:57 294912]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04-04-22 16:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04-04-22 16:23 507904]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [01-08-06 19:03 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 271672]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [07-01-26 13:36 495616]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [07-10-16 21:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [06-12-19 12:27 136768]
"Synchronization Manager"="mobsync.exe" [03-07-14 13:00 111376 C:\WINNT\system32\mobsync.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA6187"="command" [X]
"SpybotDeletingC6139"="del" [X]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-07-14 13:00 20752 C:\WINNT\system32\internat.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-14 13:00 186640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-06 14:42:13 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2007-02-28 00:01:19 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"enmsg"= {25376014-51B5-7BA7-7C7F-04763FE3FD4F} - C:\Program Files\cevxqsd\enmsg.dll [08-08-16 10:58 106496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS [00-05-27 05:37 ]
R2 NICSer_WPC54GS;NICSer_WPC54GS;C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [03-11-13 14:29 ]
R3 ati2mtai;ati2mtai;C:\WINNT\system32\DRIVERS\ati2mtai.sys [02-11-18 15:48 ]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINNT\system32\CBTNDIS5.SYS [03-07-16 23:28 ]
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINNT\system32\drivers\es198xdl.sys [02-06-20 17:53 ]
S3 NeodioUSBSTOR;USB Card Reader Driver;C:\WINNT\system32\DRIVERS\USBNEOD.SYS []
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINNT\system32\DRIVERS\sea1bus.sys [07-02-08 12:55 ]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINNT\system32\DRIVERS\sea1mdfl.sys [07-02-08 12:55 ]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINNT\system32\DRIVERS\sea1mdm.sys [07-02-08 12:55 ]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINNT\system32\DRIVERS\sea1mgmt.sys [07-02-08 12:56 ]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINNT\system32\DRIVERS\sea1nd5.sys [07-02-08 12:56 ]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINNT\system32\DRIVERS\sea1obex.sys [07-02-08 12:56 ]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINNT\system32\DRIVERS\sea1unic.sys [07-02-08 12:56 ]
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-01-10 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [07-07-25 13:15 ]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SpyHunter Security Suite - C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lj841c63.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 02:05:04
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-20 2:07:12
ComboFix-quarantined-files.txt 2008-08-20 01:07:02
Pre-Run: 5,650,911,232 bytes free
Post-Run: 5,827,608,576 bytes free
149 --- E O F --- 2008-08-15 21:38:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:10:46, on 20/08/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6187] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6139] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178913723749
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: enmsg - {25376014-51B5-7BA7-7C7F-04763FE3FD4F} - C:\Program Files\cevxqsd\enmsg.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
--
End of file - 8156 bytes
shelf life
2008-08-20, 04:06
hi pigdog,
ok thanks for the info. i see you already have antimalwarebytes. is it coming up clean after a scan?
we will use combofix to remove some files.
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
C:\WINNT\system32\jqbevqhk.exe
C:\WINNT\system32\bwvmrsde.exe
C:\WINNT\system32\bengfmds.exe
C:\WINNT\system32\slajglwj.exe
Folder::
C:\Program Files\Enigma Software Group
C:\Program Files\cevxqsd
C:\Documents and Settings\All Users\Application Data\kpmhabmp
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop.
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.
Hi Shelf Life
I have done what you suggested and ran the Antimalware scan and it comes up clean. He are the log files you asked for.
thankyou so much for helping
ComboFix 08-08-18.05 - Administrator 21/08/2008 1:18:40.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINNT\system32\bengfmds.exe
C:\WINNT\system32\bwvmrsde.exe
C:\WINNT\system32\jqbevqhk.exe
C:\WINNT\system32\slajglwj.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\kpmhabmp
C:\Documents and Settings\All Users\Application Data\kpmhabmp\ytqhghar.exe
C:\Program Files\cevxqsd
C:\Program Files\cevxqsd\enmsg.dll
C:\Program Files\Enigma Software Group
C:\WINNT\system32\bengfmds.exe
C:\WINNT\system32\bwvmrsde.exe
C:\WINNT\system32\jqbevqhk.exe
C:\WINNT\system32\slajglwj.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-21 00:07 . 08-08-21 00:07 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_39c.dat
2008-08-20 01:17 . 08-08-20 01:17 <DIR> d-------- C:\WINNT\ERUNT
2008-08-20 01:11 . 08-08-20 01:52 <DIR> d-------- C:\SDFix
2008-08-17 10:19 . 08-08-17 10:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 22:15 . 08-08-16 22:15 122 --a------ C:\WINNT\wininit.ini
2008-08-16 21:09 . 08-08-16 21:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-16 21:09 . 08-08-16 21:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-16 16:14 . 08-08-16 16:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 16:14 . 08-08-16 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 16:14 . 08-08-16 16:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-16 16:14 . 08-07-30 20:14 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-16 16:14 . 08-07-30 20:14 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-08-16 13:57 . 08-08-16 13:57 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-16 09:37 . 08-08-16 09:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3c0.dat
2008-08-15 22:02 . 08-08-15 22:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3d0.dat
2008-08-04 10:27 . 08-08-06 12:14 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-08-04 10:27 . 08-08-04 10:27 1,409 --a------ C:\WINNT\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 00:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-08-20 23:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-08-12 22:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-05 14:50 --------- d-----w C:\Program Files\IrfanView
2008-07-20 21:48 --------- d-----w C:\Program Files\Java
2008-07-14 19:42 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-10 10:00 251,152 ----a-w C:\WINNT\system32\es.dll
2008-06-25 14:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
2008-06-25 14:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL
2008-06-25 14:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
2008-06-25 14:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
2008-06-25 14:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll
2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll
2008-06-20 08:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-03-23 13:03 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-08-06 11:52 271 ---h--w C:\Program Files\desktop.ini
2005-08-06 11:52 21,952 ---h--w C:\Program Files\folder.htt
2003-07-14 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [07-09-04 16:40 6856704]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [08-05-30 15:54 21718312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-20 23:21 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02-08-27 16:57 294912]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04-04-22 16:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04-04-22 16:23 507904]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [01-08-06 19:03 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 271672]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [07-01-26 13:36 495616]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [07-10-16 21:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [06-12-19 12:27 136768]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [BU]
"Synchronization Manager"="mobsync.exe" [03-07-14 13:00 111376 C:\WINNT\system32\mobsync.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA6187"="command" [X]
"SpybotDeletingC6139"="del" [X]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-07-14 13:00 20752 C:\WINNT\system32\internat.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-14 13:00 186640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-06 14:42:13 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2007-02-28 00:01:19 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS [00-05-27 05:37 ]
R2 NICSer_WPC54GS;NICSer_WPC54GS;C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [03-11-13 14:29 ]
R3 ati2mtai;ati2mtai;C:\WINNT\system32\DRIVERS\ati2mtai.sys [02-11-18 15:48 ]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINNT\system32\CBTNDIS5.SYS [03-07-16 23:28 ]
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINNT\system32\drivers\es198xdl.sys [02-06-20 17:53 ]
S3 NeodioUSBSTOR;USB Card Reader Driver;C:\WINNT\system32\DRIVERS\USBNEOD.SYS []
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINNT\system32\DRIVERS\sea1bus.sys [07-02-08 12:55 ]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINNT\system32\DRIVERS\sea1mdfl.sys [07-02-08 12:55 ]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINNT\system32\DRIVERS\sea1mdm.sys [07-02-08 12:55 ]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINNT\system32\DRIVERS\sea1mgmt.sys [07-02-08 12:56 ]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINNT\system32\DRIVERS\sea1nd5.sys [07-02-08 12:56 ]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINNT\system32\DRIVERS\sea1obex.sys [07-02-08 12:56 ]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINNT\system32\DRIVERS\sea1unic.sys [07-02-08 12:56 ]
.
Contents of the 'Scheduled Tasks' folder
2008-01-10 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [07-07-25 13:15 ]
.
- - - - ORPHANS REMOVED - - - -
SSODL-enmsg-{25376014-51B5-7BA7-7C7F-04763FE3FD4F} - C:\Program Files\cevxqsd\enmsg.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 01:23:19
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-21 1:26:30
ComboFix-quarantined-files.txt 2008-08-21 00:26:23
ComboFix2.txt 2008-08-20 01:07:14
Pre-Run: 5,854,896,128 bytes free
Post-Run: 5,847,719,936 bytes free
138 --- E O F --- 2008-08-15 21:38:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:06:25, on 21/08/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6187] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6139] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178913723749
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
--
End of file - 8315 bytes
shelf life
2008-08-21, 23:17
hi pigdog,
ok good. hows it looking on your end now?
did you install this:
SpyHunter
at one time it was a rouge anti-malware app. it can be removed via the add/remove programs panel.
everything looks good :-)
SpyHunter isn't listed in the add/remove programs
think you have solved my problem.
thankyou!
shelf life
2008-08-22, 03:37
hi pigdog,
good. your welcome.
before using hjt please disable spybots tea timer so it dosnt interfere with changes hjt is trying to make. How:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6187] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6139] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
after the above, take a look here:
C:\Program Files: and delete the Enigma software Group folder if it is present.
---------------------------------------
to remove sdfix and combofix we will get one more download that will remove everything automatically.
Please download the OTMoveIt2 by OldTimer.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
in the main window click the CleanUp! button and follow the prompts.
---------------------------------------
keep malwarebytes and always check for updates before scanning with it. its a good habit to update every few days even if you dont scan with it very often. Scanning frequency is really a function of your computing habits.
check your java version:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.
It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites/exploits that can be taken advantage of to possibly introduce malware via your browser.
* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.
to check if you have the latest version of Java and to download the latest version:
http://www.java.com/en/download/installed.jsp
re-enable tea timer
and last, some info for you:
My Top Ten List
The Short Version:
1) Keep your OS, (Windows) browser (IE, FireFox) and software up to date.
2) Know what you are installing to your computer. Alot of software can come with add-ons. Do you trust the source?
3) Install, keep updated: antivirus and two anti-malware applications.
4) Don't click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message may be.
5) Don't click on ads/pop ups or offers from websites to install software.
6) Don't click on offers to "scan" your computer.
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include visiting or installing files from: warez, crack sites or p2p networks you are much more likely to encounter malicious code. Do you trust the source?
longer version in link below
happy safe surfing
hi shelf life
this last step is proving difficult.
If I disable Spybot Tea Timer then only this is present when I run HJT
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
If I fix this, then it seems ok, but when I redo HJT the entry is back. If I put Tea Timer back on, all 3 registry entries are back. I also get the following pop-up "Registry Change Denied: Identified as User Blacklist"
Tea Timer is definitely off. Everytime I boot up Windows I also get pop-ups reporting all 3 registry enteries as "Change Denied"
I've also noticed when I boot up Windows, and before the desktop appears, the Command Line window appears with C:WINNT\Sys32\ntvdm.exe and then Command.exe
No idea why I cannot fix these registry entries..
cheers
pigdog
Don't know whats going on.
shelf life
2008-08-27, 02:51
hi pigdog,
ok. Could you post a updated hjt log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:41, on 27/08/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6187] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6139] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178913723749
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
--
End of file - 8376 bytes
shelf life
2008-08-29, 01:07
hi pigdog,
once tea timer is disabled it should allow the changes that hjt will make. not sure why its not. i am not really familiar with spybots tea timer other than disabling it. dont do anything with tea timer and lets try running spybot, after the scan "fix" anything it flags. also if you havent look in c:/programs files and delete the Enigma Software Group folder. see if that helps. the other msg at boot up not sure why thats happening.
Hi Shelf Life
I have run a full-scan with Spybot and with Malwares Antimalwarebytes and both report no problems.
So maybe everything is ok eventhough I cannot delete these 3 registry enteries?
cheers
theres also no Enigma Group folder in my program directory..
shelf life
2008-08-31, 15:37
hi,
So maybe everything is ok even though I cannot delete these 3 registry enteries
correct. it all looks good. just those 3. since spybots dosnt report any problems please try disabling tea timer again then use hjt and select those items again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6187] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6139] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"