Another Smithfraud C.Core Prob (Work)

C

conanis

New member
I am having a heck of a time ridding a computer at work of the smithfraud c.core array of malware. Any help that I get eliminating this malfeasance would be greatly appreciated.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:36 AM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\system32\pogoaqug.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Rimage\Messaging\bin\ems.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe
C:\Program Files\Rimage\Imaging Server\eis.exe
C:\Program Files\Rimage\Production Server\eps.exe
C:\Program Files\Rimage\ers\ers.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SKS~1\ati2evxx.exe
C:\Documents and Settings\cmpvideo\Application Data\??sembly\??rvices.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cmpvideo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cmpvideo.com/admin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=7467&affid=105-57
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eGrabber AutoNext - {ACD1C8D6-2B2F-4F33-847A-6C7F9DA71A84} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\AutoNextBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\afxfbccg.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\SKS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Gcocsvfv] "C:\Documents and Settings\cmpvideo\Application Data\??sembly\??rvices.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ListGrabber Standard 4.5 - {1B617093-5CD4-42f5-91CA-AD1004C83588} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\InternetAddress.exe
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{11910F4F-5339-4A0C-AEC8-E126B9D7C777}: NameServer = 4.2.2.4,198.6.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\pogoaqug.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Rimage Bridge Server (Rimage_BridgeSrv) - Rimage Corporation - C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe
O23 - Service: Rimage Imaging Server (Rimage_eIS) - Rimage Corp - C:\Program Files\Rimage\Imaging Server\eis.exe
O23 - Service: Rimage Messaging Server (Rimage_eMS) - Alexandria Software Consulting - C:\Program Files\Rimage\Messaging\bin\ems.exe
O23 - Service: Rimage Production Server (Rimage_ePS) - Rimage Corporation - C:\Program Files\Rimage\Production Server\eps.exe
O23 - Service: Rimage Registrar Server (Rimage_eRS) - Rimage Corp - C:\Program Files\Rimage\ers\ers.exe
 
First of all, you are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
 
Log Files

Thanks for all of your help thus far. We have been extremely busy at work, otherwise I would have responded sooner. Here is the hijackthis updated version log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:06 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Rimage\Messaging\bin\ems.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rimage\Imaging Server\eis.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\Rimage\Production Server\eps.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Rimage\ers\ers.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cmpvideo.com/admin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=7467&affid=105-57
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: InternetContext Class - {2BE38694-1044-4C28-8ADE-5F0078226B48} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\PxToolbarHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eGrabber AutoNext - {ACD1C8D6-2B2F-4F33-847A-6C7F9DA71A84} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\AutoNextBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\SKS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Gcocsvfv] "C:\Documents and Settings\cmpvideo\Application Data\??sembly\??rvices.exe"
O4 - HKCU\..\Run: [Blsc] "C:\Documents and Settings\cmpvideo\Application Data\?ymbols\?ttrib.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ListGrabber Standard 4.5 - {1B617093-5CD4-42f5-91CA-AD1004C83588} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\InternetAddress.exe
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{11910F4F-5339-4A0C-AEC8-E126B9D7C777}: NameServer = 4.2.2.4,198.6.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Rimage Bridge Server (Rimage_BridgeSrv) - Rimage Corporation - C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe
O23 - Service: Rimage Imaging Server (Rimage_eIS) - Rimage Corp - C:\Program Files\Rimage\Imaging Server\eis.exe
O23 - Service: Rimage Messaging Server (Rimage_eMS) - Alexandria Software Consulting - C:\Program Files\Rimage\Messaging\bin\ems.exe
O23 - Service: Rimage Production Server (Rimage_ePS) - Rimage Corporation - C:\Program Files\Rimage\Production Server\eps.exe
O23 - Service: Rimage Registrar Server (Rimage_eRS) - Rimage Corp - C:\Program Files\Rimage\ers\ers.exe

--
End of file - 7216 bytes


Here is the Combofix log:

ComboFix 07-07-30.2 - "cmpvideo" 2007-07-31 17:10:18.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\brpgokqa.dll
C:\WINDOWS\system32\dgckvfpk.dll
C:\WINDOWS\system32\egpdftwc.dll
C:\WINDOWS\system32\fuhgufqg.dll
C:\WINDOWS\system32\hcggrrcl.dll
C:\WINDOWS\system32\hllnjwdx.dll
C:\WINDOWS\system32\hxuqmuhp.dll
C:\WINDOWS\system32\nxixacjr.dll
C:\WINDOWS\system32\dgckvfpk.dll
C:\WINDOWS\system32\hxuqmuhp.dll
C:\WINDOWS\system32\nxixacjr.dll
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\gqfughuf.ini
C:\WINDOWS\system32\xdwjnllh.ini
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\yayvvwv.dll
C:\WINDOWS\system32\yayvvwv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\cmpvideo\APPLIC~1.\sembly~1
C:\DOCUME~1\cmpvideo\APPLIC~1.\sembly~1\??rvices.exe
C:\DOCUME~1\cmpvideo\APPLIC~1.\ymbols~1
C:\DOCUME~1\cmpvideo\APPLIC~1.\ymbols~1\?ttrib.exe
C:\DOCUME~1\cmpvideo\APPLIC~1\WinTouch
C:\DOCUME~1\cmpvideo\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\cmpvideo\APPLIC~1\WinTouch\WinTouch.exe
C:\DOCUME~1\cmpvideo\APPLIC~1\WinTouch\WTUninstaller.exe
C:\DOCUME~1\cmpvideo\Desktop.\internet explorer.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\system32\auvkequl.exe
C:\WINDOWS\system32\ayagst.dll
C:\WINDOWS\system32\badlbpip.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\bvdeqxaj.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dvzaiez.dll
C:\WINDOWS\system32\erywdkpe.exe
C:\WINDOWS\system32\jdcqnsdw.exe
C:\WINDOWS\system32\jecivbqk.exe
C:\WINDOWS\system32\kotmvfdw.exe
C:\WINDOWS\system32\media
C:\WINDOWS\system32\media\AvidRender.wav
C:\WINDOWS\system32\nkqfpasy.exe
C:\WINDOWS\system32\ntqermgn.exe
C:\WINDOWS\system32\odsfmbkn.exe
C:\WINDOWS\system32\pogoaqug.exe
C:\WINDOWS\system32\ryrifqpf.exe
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sks~1\ati2evxx.exe
C:\WINDOWS\system32\ukrwkqq.dll
C:\WINDOWS\system32\uudriilr.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wtssvsu.exe
C:\WINDOWS\system32\x.exe
C:\WINDOWS\system32\yqqgilmo.exe
C:\WINDOWS\wr.txt
C:\WINDOWS\ymante~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-31 17:08 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-31 12:38 125,504 --a------ C:\WINDOWS\system32\dhfydyip.dll
2007-07-26 16:12 <DIR> d-------- C:\temp
2007-07-26 13:24 <DIR> d-------- C:\Program Files\Safer Networking
2007-07-26 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 10:04 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-07-05 09:14 <DIR> d--hs---- C:\WINDOWS\Y21wdmlkZW8
2007-07-02 22:51 2,624 --a------ C:\WINDOWS\system32\cmnbnweu.exe
2007-07-02 11:06 <DIR> d-------- C:\Program Files\Required
2007-07-02 11:06 <DIR> d-------- C:\Fonts
2007-07-02 11:05 <DIR> d-------- C:\Program Files\Fonts
2007-07-02 10:50 <DIR> d-------- C:\DOCUME~1\cmpvideo\Required
2007-07-02 10:45 <DIR> d-------- C:\bintheredunthat
2007-06-19 16:03 56,912 --a------ C:\DOCUME~1\cmpvideo\g2mdlhlpx.exe
2007-06-19 16:03 <DIR> d-------- C:\Program Files\Citrix


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 18:53 --------- d-------- C:\DOCUME~1\cmpvideo\APPLIC~1\Report Viewer
2007-06-29 19:48 --------- d-------- C:\Program Files\WebCEO ReportViewer
2007-06-26 13:49 --------- d-------- C:\DOCUME~1\cmpvideo\APPLIC~1\AdobeUM
2007-06-19 16:16 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-05-31 14:07 7170 --a--c--- C:\WINDOWS\mozver.dat
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2005-08-02 20:46:54 187,904 --sha-r C:\WINDOWS\Y21wdmlkZW8\asappsrv.dll
2005-08-02 20:58:38 293,888 --sha-r C:\WINDOWS\Y21wdmlkZW8\command.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\Y21wdmlkZW8\sZYTxA54tqf.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BE38694-1044-4C28-8ADE-5F0078226B48}]
2006-01-17 12:23 131072 --a------ C:\Program Files\eGrabber\ListGrabber Standard 4.5\PxToolbarHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-23 17:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-10 07:34]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2005-01-13 01:00]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 18:30]
"Tair"="C:\WINDOWS\system32\SKS~1\ati2evxx.exe" []
"Gcocsvfv"="C:\Documents and Settings\cmpvideo\Application Data\??sembly\??rvices.exe" []
"Blsc"="C:\Documents and Settings\cmpvideo\Application Data\?ymbols\?ttrib.exe" []

C:\Documents and Settings\cmpvideo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56]

R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
R2 Hardlock;Hardlock;\??\C:\WINDOWS\system32\drivers\hardlock.sys
R2 Rimage_BridgeSrv;Rimage Bridge Server;C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe -scm
R2 Rimage_eIS;Rimage Imaging Server;C:\Program Files\Rimage\Imaging Server\eis.exe -scm
R2 Rimage_eMS;Rimage Messaging Server;C:\Program Files\Rimage\Messaging\bin\ems.exe
R2 Rimage_eRS;Rimage Registrar Server;C:\Program Files\Rimage\ers\ers.exe -scm
R3 Cdrec2k;CD/DVD Recorder Driver;C:\WINDOWS\system32\DRIVERS\cdrec2k.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 slabbus;CP2101 USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\slabbus.sys
R3 slabser;CP2101 USB to UART Bridge Controller Drivers;C:\WINDOWS\system32\DRIVERS\slabser.sys
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
Start Pending2 Rimage_ePS;Rimage Production Server;C:\Program Files\Rimage\Production Server\eps.exe -scm


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 17:20:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-31 17:22:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-31 17:21

--- E O F ---

Thanks in advance for your help, I am looking forward to your reply.

conanis
 
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code: 
    File::
C:\WINDOWS\system32\dhfydyip.dll
C:\WINDOWS\system32\cmnbnweu.exe
C:\DOCUME~1\cmpvideo\g2mdlhlpx.exe
Folder::
C:\WINDOWS\Y21wdmlkZW8
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tair"=-
"Gcocsvfv"=-
"Blsc"=-
DirLook::
C:\Program Files\Required
C:\Fonts
C:\Program Files\Fonts
C:\DOCUME~1\cmpvideo\Required
C:\temp
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    CFScript.gif
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
 
As you instructed

This is the log produced by combofix per the instructions in your last reply:

ComboFix 07-07-30.2 - "cmpvideo" 2007-08-02 17:52:21.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\cmpvideo\Desktop\CFscript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\cmpvideo\g2mdlhlpx.exe
C:\WINDOWS\system32\cmnbnweu.exe
C:\WINDOWS\system32\dhfydyip.dll
C:\WINDOWS\Y21wdmlkZW8
C:\WINDOWS\Y21wdmlkZW8\asappsrv.dll
C:\WINDOWS\Y21wdmlkZW8\command.exe
C:\WINDOWS\Y21wdmlkZW8\sZYTxA54tqf.vbs


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-07-31 17:08 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-26 16:12 <DIR> d-------- C:\temp
2007-07-26 13:24 <DIR> d-------- C:\Program Files\Safer Networking
2007-07-26 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 10:04 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-07-02 11:06 <DIR> d-------- C:\Program Files\Required
2007-07-02 11:06 <DIR> d-------- C:\Fonts
2007-07-02 11:05 <DIR> d-------- C:\Program Files\Fonts
2007-07-02 10:50 <DIR> d-------- C:\DOCUME~1\cmpvideo\Required
2007-07-02 10:45 <DIR> d-------- C:\bintheredunthat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 18:53 --------- d-------- C:\DOCUME~1\cmpvideo\APPLIC~1\Report Viewer
2007-06-29 19:48 --------- d-------- C:\Program Files\WebCEO ReportViewer
2007-06-26 13:49 --------- d-------- C:\DOCUME~1\cmpvideo\APPLIC~1\AdobeUM
2007-06-19 16:16 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-06-19 16:03 --------- d-------- C:\Program Files\Citrix
2007-05-31 14:07 7170 --a--c--- C:\WINDOWS\mozver.dat
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\Program Files\Required ----


---- Directory of C:\Fonts ----


---- Directory of C:\Program Files\Fonts ----


---- Directory of C:\DOCUME~1\cmpvideo\Required ----


---- Directory of C:\temp ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BE38694-1044-4C28-8ADE-5F0078226B48}]
2006-01-17 12:23 131072 --a------ C:\Program Files\eGrabber\ListGrabber Standard 4.5\PxToolbarHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-23 17:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-10 07:34]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2005-01-13 01:00]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 18:30]

C:\Documents and Settings\cmpvideo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56]

R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
R2 Hardlock;Hardlock;\??\C:\WINDOWS\system32\drivers\hardlock.sys
R2 Rimage_BridgeSrv;Rimage Bridge Server;C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe -scm
R2 Rimage_eIS;Rimage Imaging Server;C:\Program Files\Rimage\Imaging Server\eis.exe -scm
R2 Rimage_eMS;Rimage Messaging Server;C:\Program Files\Rimage\Messaging\bin\ems.exe
R2 Rimage_ePS;Rimage Production Server;C:\Program Files\Rimage\Production Server\eps.exe -scm
R2 Rimage_eRS;Rimage Registrar Server;C:\Program Files\Rimage\ers\ers.exe -scm
R3 Cdrec2k;CD/DVD Recorder Driver;C:\WINDOWS\system32\DRIVERS\cdrec2k.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 slabbus;CP2101 USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\slabbus.sys
R3 slabser;CP2101 USB to UART Bridge Controller Drivers;C:\WINDOWS\system32\DRIVERS\slabser.sys
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 17:55:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 17:56:14
C:\ComboFix-quarantined-files.txt ... 2007-08-02 17:55
C:\ComboFix2.txt ... 2007-07-31 17:22

--- E O F ---


AND - This is the current HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:10 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Rimage\Messaging\bin\ems.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Rimage\Imaging Server\eis.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Rimage\ers\ers.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Rimage\Production Server\eps.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cmpvideo.com/admin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=7467&affid=105-57
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: InternetContext Class - {2BE38694-1044-4C28-8ADE-5F0078226B48} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\PxToolbarHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eGrabber AutoNext - {ACD1C8D6-2B2F-4F33-847A-6C7F9DA71A84} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\AutoNextBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ListGrabber Standard 4.5 - {1B617093-5CD4-42f5-91CA-AD1004C83588} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\InternetAddress.exe
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{11910F4F-5339-4A0C-AEC8-E126B9D7C777}: NameServer = 4.2.2.4,198.6.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Rimage Bridge Server (Rimage_BridgeSrv) - Rimage Corporation - C:\Program Files\Rimage\Bridge Server\BridgeSrv.exe
O23 - Service: Rimage Imaging Server (Rimage_eIS) - Rimage Corp - C:\Program Files\Rimage\Imaging Server\eis.exe
O23 - Service: Rimage Messaging Server (Rimage_eMS) - Alexandria Software Consulting - C:\Program Files\Rimage\Messaging\bin\ems.exe
O23 - Service: Rimage Production Server (Rimage_ePS) - Rimage Corporation - C:\Program Files\Rimage\Production Server\eps.exe
O23 - Service: Rimage Registrar Server (Rimage_eRS) - Rimage Corp - C:\Program Files\Rimage\ers\ers.exe

--
End of file - 6835 bytes

Thanks in advance (again!) for all of you help. It is greatly appreciated.

conanis
 
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 .
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Go here to run an online scannner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept". After reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post back with the kaspersky log & a new HijackThis log

Also, do you know what program these belong to?


O2 - BHO: InternetContext Class - {2BE38694-1044-4C28-8ADE-5F0078226B48} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\PxToolbarHelper.dll
O3 - Toolbar: eGrabber AutoNext - {ACD1C8D6-2B2F-4F33-847A-6C7F9DA71A84} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\AutoNextBar.dll
O9 - Extra button: ListGrabber Standard 4.5 - {1B617093-5CD4-42f5-91CA-AD1004C83588} - C:\Program Files\eGrabber\ListGrabber Standard 4.5\InternetAddress.exe
 
This topic has been archived due to lack of a response. :spider:

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
 
You must log in or register to reply here.
Back
Top