Ie Problems, Msconfig Gone


  • This topic is locked
8 replies to this topic

#1 txman (Authentic Member, 30 posts)

Posted 05 July 2007 - 06:58 PM

My girlfriend downloaded something, and now my computer is sick as a dog.

Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:52:17 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\deabjuip.exe
C:\Documents and Settings\Matt\Desktop\General carp**\General Downloads\anti-spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wtfcomics.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\mpmeyaxw.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


When I run internet explorer, it takes a few seconds to load up, and once I hit a link I'm bombarded by popups and downloads. Also, my msconfig seems to be missing *shrug* so any help on that would be nice too.

I've run AVG, SBS&D, and Ad-Aware, and haven't been able to clear it out. It's very tenacious. I've gone through my Add/Remove programs list, as well as the tool included in SBS&D and fixed a bunch of prior problems with it. But I'm out of ideas at this point. Any help would be nice.

~Matt.


#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; interests: woodworking)

Posted 05 July 2007 - 08:44 PM

Hello txman and welcome to the TomCoyote Forums

My name is Trevuren and I will be helping you with your problem.


A. Some trojans have a way of masking their presence from the HijackThis program when they recognize the name. I think that this is the case here because there are no O2 or O20 entries visible in your log.

Please locate the following file: C:\Documents and Settings\Matt\Desktop\General carp**\General Downloads\anti-spyware\hijackthis\HijackThis.exe
Next, right click on the file and from the popup menu that appears, choose the RENAME option and rename the file Killer.exe.

From now on, when I ask you to start HijackThis, just click on the Killer.exe file.


B. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Edited by Trevuren, 05 July 2007 - 08:47 PM.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

#3 txman (Authentic Member, 30 posts)

Posted 06 July 2007 - 07:56 PM

Wow. VundoFix seems to have worked for the most part. Here's the VundoFix log.

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:47:29 PM 7/6/2007

Listing files found while scanning....

C:\windows\system32\cubjchke.ini
C:\WINDOWS\system32\ekhcjbuc.dll
C:\WINDOWS\system32\gebyyxu.dll
C:\windows\system32\hjkmp.bak1
C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini2
C:\windows\system32\hjkmp.tmp
C:\windows\system32\iifdbcd.dll
C:\windows\system32\itjsigko.ini
C:\WINDOWS\system32\iuidmgkl.dll
C:\windows\system32\mpmeyaxw.dll
C:\windows\system32\okgisjti.dll
C:\WINDOWS\system32\pmkjh.dll
C:\windows\system32\wxayempm.ini

Beginning removal...

Attempting to delete C:\windows\system32\cubjchke.ini
C:\windows\system32\cubjchke.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ekhcjbuc.dll
C:\WINDOWS\system32\ekhcjbuc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebyyxu.dll
C:\WINDOWS\system32\gebyyxu.dll Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.bak1
C:\windows\system32\hjkmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini2
C:\windows\system32\hjkmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.tmp
C:\windows\system32\hjkmp.tmp Has been deleted!

Attempting to delete C:\windows\system32\iifdbcd.dll
C:\windows\system32\iifdbcd.dll Has been deleted!

Attempting to delete C:\windows\system32\itjsigko.ini
C:\windows\system32\itjsigko.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iuidmgkl.dll
C:\WINDOWS\system32\iuidmgkl.dll Has been deleted!

Attempting to delete C:\windows\system32\mpmeyaxw.dll
C:\windows\system32\mpmeyaxw.dll Has been deleted!

Attempting to delete C:\windows\system32\okgisjti.dll
C:\windows\system32\okgisjti.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll Has been deleted!

Attempting to delete C:\windows\system32\wxayempm.ini
C:\windows\system32\wxayempm.ini Has been deleted!

Performing Repairs to the registry.
Done!

Aaaaand the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:54:30 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Desktop\General carp**\General Downloads\anti-spyware\hijackthis\Killer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wtfcomics.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {139AFFE6-3A81-44C2-ADC6-6919DABA78FB} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {2E9D45EB-8AC8-461C-A77E-2371EB6A566A} - C:\Program Files\Online Services\hoke83122.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {dad25e00-f3c9-4bfa-a96e-34abc81ba017} - C:\WINDOWS\system32\augprnd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

It worked *for the most part*. Still get a popup every once in awhile from websites I shouldn't be getting them from. But holy carp**, vundo made it so that browsing the internet was possible again!
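Trevuren's first reply read the log for two things: the O2/O20 sections that should have been present but were not (a sign that HijackThis had been recognised and deceived, hence the rename to Killer.exe), and, once the rename had worked, the BHO lines that appeared. The Python below is an added example, not code from the thread or from HijackThis. It parses the log format above and flags by rule what the helper flagged by eye: BHOs registered with no name or pointing at a missing file, rundll32 Run entries with an unfamiliar entry point, and random-looking filenames (7-9 lowercase letters, or a short word plus a run of digits such as hoke83122.dll). The two sample logs are abbreviated, constructed copies of the first and third logs in this thread; the regexes, the allowlist of legitimate lowercase names and the allowlist of rundll32 entry points are assumptions. Every hit is a lead for manual review, not a verdict: SDHelper.dll, Spybot's own BHO, is flagged for having no name and would be cleared by hand.

```python
"""Rule-based triage of a HijackThis log (added example; not code from the
thread or from HijackThis). Regexes and allowlists are assumptions tuned to
the XP-era logs above; a hit is a lead for a human, not a verdict."""
import re

# Random-looking names: 7-9 lowercase letters (deabjuip.exe, mpmeyaxw.dll) or a
# short word plus 4+ digits (hoke83122.dll). Legitimate lowercase names that
# would otherwise match go in the allowlist (assumed; extend it for your build).
RANDOM_NAME = re.compile(r"^(?:[a-z]{7,9}|[a-z]{2,6}\d{4,})\.(?:exe|dll|sys)$")
KNOWN_LOWERCASE = {
    "winlogon.exe", "services.exe", "spoolsv.exe", "svchost.exe", "explorer.exe",
    "wscntfy.exe", "wuauclt.exe", "notepad.exe", "iexplore.exe", "ctfmon.exe",
    "iaantmon.exe", "lxcecoms.exe",  # vendor files seen in this thread's logs
}
# rundll32 <dll>,<entry point>; NvStartup is the only benign pair in these logs.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.I)
KNOWN_EXPORTS = {"nvstartup"}
PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys)\b", re.I)


def basename(path):
    return path.rstrip().split("\\")[-1]


def looks_random(name):
    return name not in KNOWN_LOWERCASE and RANDOM_NAME.match(name) is not None


def score_line(line):
    """Reasons a single HJT line deserves a look (empty list if none)."""
    reasons = []
    if line.startswith("O2 - BHO:"):
        if "(no name)" in line:
            reasons.append("BHO registered without a name")
        if "(file missing)" in line:
            reasons.append("BHO points at a file that no longer exists (orphaned CLSID)")
    m = RUNDLL.search(line)
    if m and m.group(2).lower() not in KNOWN_EXPORTS:
        reasons.append("rundll32 loads %s via export %s" % (basename(m.group(1)), m.group(2)))
    for path in PATH.findall(line):
        name = basename(path)
        if looks_random(name):
            reasons.append("random-looking filename %s" % name)
            break
    return reasons


def triage(log_text):
    """[(line, reasons)] for every line with at least one reason, in log order."""
    hits = []
    for ln in log_text.splitlines():
        reasons = score_line(ln)
        if reasons:
            hits.append((ln, reasons))
    return hits


def missing_sections(log_text, expected=("O2", "O20")):
    """Section prefixes absent from the log. An XP box with WGA installed should
    show an O20 WgaLogon line; none at all is what prompted the rename advice."""
    present = {m.group(1) for m in re.finditer(r"^(O\d+) - ", log_text, re.M)}
    return [s for s in expected if s not in present]


# Constructed samples: abbreviated copies of the first and third logs in the thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\deabjuip.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wtfcomics.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\mpmeyaxw.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {139AFFE6-3A81-44C2-ADC6-6919DABA78FB} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {2E9D45EB-8AC8-461C-A77E-2371EB6A566A} - C:\Program Files\Online Services\hoke83122.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {dad25e00-f3c9-4bfa-a96e-34abc81ba017} - C:\WINDOWS\system32\augprnd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for label, log in (("before rename", LOG_BEFORE), ("after rename", LOG_AFTER)):
        print("== %s; sections absent: %s" % (label, missing_sections(log) or "none"))
        for line, reasons in triage(log):
            print(line, "\n    - " + "\n    - ".join(reasons))
```

On the first log the only hits are deabjuip.exe in the process list and the rundll32 line loading mpmeyaxw.dll, and both O2 and O20 are reported absent; on the second, the five nameless BHOs are listed with their reasons. The allowlist is the weak point of the filename rule: any lowercase 7-9 letter vendor binary not on it (the logs above contain iaantmon.exe and lxcecoms.exe) will be flagged until added, which is the intended failure direction for a triage aid.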

#4 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; interests: woodworking)

Posted 06 July 2007 - 08:03 PM

Please download this file - combofix.exe by sUBs
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Edited by Trevuren, 06 July 2007 - 08:05 PM.


#5 txman (Authentic Member, 30 posts)

Posted 06 July 2007 - 09:00 PM

Alright, here's my combofix log

"Matt" - 2007-07-06 21:35:28 - ComboFix 07-07-07 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Online Services\hoke83122.dll
C:\tempb9
C:\tempb9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\system32\augprnd.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))


2007-07-06 21:40 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-07-06 21:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-06 20:49 4,672 --a------ C:\WINDOWS\system32\ljjtphhg.exe
2007-07-06 20:47 <DIR> d-------- C:\VundoFix Backups
2007-07-05 19:51 4,672 --a------ C:\WINDOWS\system32\deabjuip.exe
2007-07-05 19:45 135,168 --a------ C:\WINDOWS\tk58.exe
2007-07-03 23:54 4,672 --a------ C:\WINDOWS\system32\gkbtoavu.exe
2007-07-03 23:45 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-03 23:25 <DIR> d-------- C:\WINDOWS\pchealth
2007-07-02 00:49 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-02 00:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-07-02 00:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
2007-06-27 12:19 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-06-26 19:20 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\MySpace
2007-06-26 16:12 4,672 --a------ C:\WINDOWS\system32\wnsuugvk.exe
2007-06-26 04:04 18,432 --a------ C:\WINDOWS\system32\drivers\ApiMon.sys
2007-06-26 04:01 <DIR> d-------- C:\WINDOWS\system32\W5
2007-06-26 04:01 <DIR> d-------- C:\WINDOWS\system32\W4
2007-06-26 04:01 <DIR> d-------- C:\WINDOWS\system32\W3
2007-06-26 04:01 <DIR> d-------- C:\WINDOWS\system32\W2
2007-06-26 04:01 <DIR> d-------- C:\WINDOWS\system32\W1
2007-06-24 16:25 61,440 --a------ C:\WINDOWS\MIDIDEF.EXE
2007-06-24 16:25 39,936 --a------ C:\WINDOWS\system32\P16X.DLL
2007-06-24 16:25 33,792 --a------ C:\WINDOWS\system32\P16XRES.DLL
2007-06-24 16:25 24,576 --a------ C:\WINDOWS\MIXERDEF.EXE
2007-06-24 16:25 1,293,440 --a------ C:\WINDOWS\system32\drivers\P16X.SYS
2007-06-13 14:14 1,310,720 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-06-13 14:14 <DIR> d--h----- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-06-13 14:14 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Creative
2007-06-12 01:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-12 01:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-12 00:28 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-07 15:04 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Google
2007-06-07 15:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-07 02:41:10 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2007-07-07 02:41:10 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2007-07-07 02:40:15 -------- d-----w C:\Program Files\Online Services
2007-07-04 04:37:19 -------- d-----w C:\Program Files\Messenger
2007-06-26 17:34:27 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 21:25:55 -------- d-----w C:\Program Files\Creative
2007-06-24 05:53:58 56 --sh--r C:\WINDOWS\system32D1C653681.sys
2007-06-24 05:53:58 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-24 05:46:38 -------- d-----w C:\Program Files\Starcraft
2007-06-15 01:40:15 -------- d-----w C:\Program Files\World of Warcraft
2007-06-14 13:37:56 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-08 22:03:13 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-07 21:30:07 -------- d-----w C:\Program Files\Google
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 22:14:07 -------- d-----w C:\Program Files\NAMCO BANDAI Games
2007-06-01 22:14:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 02:02:00 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-05-31 02:01:47 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-05-31 02:01:39 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-05-28 18:05:00 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\AdobeUM
2007-05-21 05:29:16 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Sonic
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{139AFFE6-3A81-44C2-ADC6-6919DABA78FB}]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
C:\Program Files\Outerinfo\Outerinfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"H:\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\AOL 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
"C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 4300 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1167366576\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
"C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
C:\DOCUME~1\Matt\LOCALS~1\Temp\MBDownloader_876919.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
"C:\Program Files\Outerinfo\Outerinfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
"C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
"C:\Program Files\WinAntiSpyware 2007\was7.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"aawservice"=2 (0x2)
"ZuneNetworkSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"Hinsorort"=3 (0x3)
"AOL ACS"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8863296-28ca-11da-9ba2-00123f6c3e1b}]
AutoRun\command- G:\JDSecure\Windows\JDSecure31.exe


Contents of the 'Scheduled Tasks' folder
2007-07-07 02:44:57 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 21:49:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 21:50:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-06 21:50

--- E O F ---

And my new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:57:10 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt\Desktop\General carp**\General Downloads\anti-spyware\hijackthis\Killer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wtfcomics.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {139AFFE6-3A81-44C2-ADC6-6919DABA78FB} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Looks like that fixed the problem... but if you see anything else that needs fixing, I would love to get it out of the way. Thank you SO MUCH. I've been completely lost without my beloved computer.

~Matt.

#6 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; interests: woodworking)

Posted 06 July 2007 - 09:46 PM

File Submission:
  • Please open Notepad
  • Copy/Paste the text in the code box below into the Notepad file:

    @echo off
    ::http://forums.tomcoyote.org/Ie_Problems_Msconfig_Gone_t80972.html&gopid=384870#entry384870
    :: catchme.exe (referenced from %systemroot%, alongside the nircmd.exe that
    :: ComboFix placed there) adds each listed file to catchme.zip; -l nul discards
    :: its log and >nul hides its console output.
    For %%g in (
    C:\WINDOWS\system32\sfsync02.dll
    C:\WINDOWS\system32\ljjtphhg.exe
    C:\WINDOWS\system32\deabjuip.exe
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\system32\gkbtoavu.exe
    C:\WINDOWS\system32\wnsuugvk.exe
    C:\WINDOWS\system32D1C653681.sys
    C:\DOCUME~1\Matt\LOCALS~1\Temp\MBDownloader_876919.exe
    ) do %systemroot%\catchme.exe -l nul -k %%g >nul
    :: Add this script itself (%0) so the analyst sees exactly what was collected.
    catchme -l nul -k %0 >nul
    :: nircmd expands ~$folder.desktop$ to the Desktop; the archive is renamed with
    :: a timestamp whose / and : are replaced so the result is a valid file name.
    nircmd execmd move /y "~$folder.desktop$\catchme.zip" "Submit [%date:/=-% %time::=.%].zip"
    echo.Please submit the file - Submit [%date:/=-% %time::=.%].zip
    nircmd wait 7000
    :: Remove the script after use.
    del %0
  • Save this as Submit.bat, choosing "Save as type: All Files".
  • Double click on Submit.bat & allow it to generate a zipped file on your Desktop called Submit [Date Time].zip
  • Please submit Submit [Date Time].zip to this site: http://www.bleepingc...e.php?channel=4
  • Please include a link to this topic in the message.
The file(s) must be uploaded before proceeding to the next step.



We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.
Now to remove some malware:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the code box below into the Notepad window:

File::
C:\WINDOWS\system32\sfsync02.dll
C:\WINDOWS\system32\ljjtphhg.exe
C:\WINDOWS\system32\deabjuip.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\system32\gkbtoavu.exe
C:\WINDOWS\system32\wnsuugvk.exe
C:\WINDOWS\system32D1C653681.sys
C:\DOCUME~1\Matt\LOCALS~1\Temp\MBDownloader_876919.exe

Folder::
C:\WINDOWS\system32\W5
C:\WINDOWS\system32\W4
C:\WINDOWS\system32\W3
C:\WINDOWS\system32\W2
C:\WINDOWS\system32\W1
C:\VundoFix Backups
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{139AFFE6-3A81-44C2-ADC6-6919DABA78FB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. If the tool does not initiate a reboot of your system, please restart your system yourself and then post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by Trevuren, 06 July 2007 - 10:02 PM.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


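The CFScript layout used in the post above (a File:: section, a Folder:: section and a Registry:: section, one entry per line) is simple enough to parse, and a helper often wants the files it names bundled with hashes before ComboFix deletes them. The script below is an added example written for this page; it is not the helper's Submit.bat (which drives catchme and nircmd), not a ComboFix component, and not something used in this thread. The sample CFScript text, the file names and the bytes written by demo() are constructed for illustration.

```python
"""Parse a ComboFix CFScript and package the files it names for submission.

Added example for this thread. It is not the helper's Submit.bat (which drives
catchme/nircmd) and not a ComboFix component; it only reads the File::/Folder::/
Registry:: layout shown in the post above. The sample script and the files
created by demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile
import zipfile

# Constructed CFScript excerpt in the layout used in the thread (names are made up).
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\qzxkvjtp.exe
C:\WINDOWS\tk00.exe

Folder::
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
"""


def parse_cfscript(text):
    """Return {section_name: [entries]} for every 'Name::' header in the script.

    Blank lines are ignored; text before the first header is ignored too, so a
    stray comment line cannot be mistaken for a path.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::") and " " not in line:      # e.g. "File::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_of(path):
    """Stream-hash a file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def package_for_submission(paths, out_zip):
    """Zip every file in `paths` that exists, prefixing each archive name with
    its SHA-256 so identically named files from different folders do not clash,
    and add MANIFEST.txt mapping digest -> archive name -> original path.
    Returns (manifest, missing): manifest is a list of (path, digest, arcname),
    missing lists paths that were not present (already removed, or a bad path).
    """
    manifest, missing = [], []
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for p in paths:
            if not os.path.isfile(p):
                missing.append(p)
                continue
            digest = sha256_of(p)
            arcname = f"{digest[:12]}_{os.path.basename(p)}"
            z.write(p, arcname)
            manifest.append((p, digest, arcname))
        lines = [f"{d}  {a}  {p}" for p, d, a in manifest]
        z.writestr("MANIFEST.txt", "\n".join(lines) + "\n")
    return manifest, missing


def demo():
    """Create one constructed sample file, run the packager on it plus a path
    that does not exist, and return what a caller would inspect."""
    work = tempfile.mkdtemp(prefix="submit_demo_")
    present = os.path.join(work, "qzxkvjtp.exe")
    with open(present, "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 60)   # constructed bytes, not a real PE
    absent = os.path.join(work, "tk00.exe")
    out = os.path.join(work, "Submit.zip")
    manifest, missing = package_for_submission([present, absent], out)
    with zipfile.ZipFile(out) as z:
        names = z.namelist()
        manifest_text = z.read("MANIFEST.txt").decode()
    return {"manifest": manifest, "missing": missing,
            "zip_names": names, "manifest_text": manifest_text}


if __name__ == "__main__":
    print(parse_cfscript(SAMPLE_CFSCRIPT))
    result = demo()
    print(result["manifest_text"], "missing:", result["missing"])
```

Run it before the CFScript is fed to ComboFix, since the File:: entries are gone afterwards; paths that are already missing are reported rather than silently skipped. The standard-library zipfile module cannot write password-protected archives, so if the receiving site asks for the usual "infected"-password zip, repack the output with a tool that supports encryption.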

#7 txman

txman

    Authentic Member

  • Authentic Member
  • PipPip
  • 30 posts

Posted 08 July 2007 - 10:21 AM

Combofix Log

"Matt" - 2007-07-07 20:15:06 - ComboFix 07-07-07 - Service Pack 2
Command switches used :: C:\Documents and Settings\Matt\Desktop\General carp**\General Downloads\anti-spyware\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\cubjchke.ini.bad
C:\VundoFix Backups\ekhcjbuc.dll.bad
C:\VundoFix Backups\gebyyxu.dll.bad
C:\VundoFix Backups\hjkmp.bak1.bad
C:\VundoFix Backups\hjkmp.bak2.bad
C:\VundoFix Backups\hjkmp.ini.bad
C:\VundoFix Backups\hjkmp.ini2.bad
C:\VundoFix Backups\hjkmp.tmp.bad
C:\VundoFix Backups\iifdbcd.dll.bad
C:\VundoFix Backups\itjsigko.ini.bad
C:\VundoFix Backups\iuidmgkl.dll.bad
C:\VundoFix Backups\mpmeyaxw.dll.bad
C:\VundoFix Backups\okgisjti.dll.bad
C:\VundoFix Backups\pmkjh.dll.bad
C:\VundoFix Backups\wxayempm.ini.bad
C:\WINDOWS\system32\deabjuip.exe
C:\WINDOWS\system32\gkbtoavu.exe
C:\WINDOWS\system32\ljjtphhg.exe
C:\WINDOWS\system32\sfsync02.dll
C:\WINDOWS\system32\W1
C:\WINDOWS\system32\W2
C:\WINDOWS\system32\W2\mwspasrt83122.exe
C:\WINDOWS\system32\W3
C:\WINDOWS\system32\W3\626wr.exe
C:\WINDOWS\system32\W4
C:\WINDOWS\system32\W4\wen2.exe
C:\WINDOWS\system32\W5
C:\WINDOWS\system32\W5\wbb22.exe
C:\WINDOWS\system32\wnsuugvk.exe
C:\WINDOWS\tk58.exe


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-06 21:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 23:45 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-03 23:25 <DIR> d-------- C:\WINDOWS\pchealth
2007-07-02 00:49 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-02 00:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-07-02 00:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
2007-06-27 12:19 <DIR> d---s---- C:\DOCUME~1\Guest\UserData
2007-06-26 19:20 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\MySpace
2007-06-26 04:04 18,432 --a------ C:\WINDOWS\system32\drivers\ApiMon.sys
2007-06-24 16:25 61,440 --a------ C:\WINDOWS\MIDIDEF.EXE
2007-06-24 16:25 39,936 --a------ C:\WINDOWS\system32\P16X.DLL
2007-06-24 16:25 33,792 --a------ C:\WINDOWS\system32\P16XRES.DLL
2007-06-24 16:25 24,576 --a------ C:\WINDOWS\MIXERDEF.EXE
2007-06-24 16:25 1,293,440 --a------ C:\WINDOWS\system32\drivers\P16X.SYS
2007-06-13 14:14 1,310,720 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-06-13 14:14 <DIR> d--h----- C:\DOCUME~1\Guest\APPLIC~1\Gtek
2007-06-13 14:14 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Creative
2007-06-12 01:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-12 01:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-12 00:28 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-07 15:04 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Google
2007-06-07 15:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-07 02:41:10 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2007-07-07 02:41:10 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2007-07-07 02:40:15 -------- d-----w C:\Program Files\Online Services
2007-07-04 04:37:19 -------- d-----w C:\Program Files\Messenger
2007-06-26 17:34:27 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 21:25:55 -------- d-----w C:\Program Files\Creative
2007-06-24 05:53:58 56 --sh--r C:\WINDOWS\system32D1C653681.sys
2007-06-24 05:53:58 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-24 05:46:38 -------- d-----w C:\Program Files\Starcraft
2007-06-15 01:40:15 -------- d-----w C:\Program Files\World of Warcraft
2007-06-14 13:37:56 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-08 22:03:13 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-07 21:30:07 -------- d-----w C:\Program Files\Google
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 22:14:07 -------- d-----w C:\Program Files\NAMCO BANDAI Games
2007-06-01 22:14:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 02:02:00 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-05-31 02:01:47 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-05-31 02:01:39 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-05-28 18:05:00 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\AdobeUM
2007-05-21 05:29:16 -------- d-----w C:\DOCUME~1\Matt\APPLIC~1\Sonic
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 01:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"H:\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\AOL 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
"C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 4300 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1167366576\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
"C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"aawservice"=2 (0x2)
"ZuneNetworkSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"Hinsorort"=3 (0x3)
"AOL ACS"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8863296-28ca-11da-9ba2-00123f6c3e1b}]
AutoRun\command- G:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-07 02:44:57 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 20:18:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-07 20:19:09
C:\ComboFix-quarantined-files.txt ... 2007-07-07 20:19
C:\ComboFix2.txt ... 2007-07-06 21:50

--- E O F ---
and HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:20:21 AM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt\Desktop\General carp**\General Downloads\anti-spyware\hijackthis\Killer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wtfcomics.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

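The logs posted above are the kind of thing a helper reads by eye: the removal script targets executables with eight random lowercase letters in system32, a downloader in the Temp folder, a hidden+system file and BHOs registered without a name. The script below is an added example, not a tool used in this thread and not part of ComboFix or HijackThis; it applies those same heuristics to constructed log lines written in the two tools' formats. The sample lines, the allowlist and the thresholds are assumptions made for illustration, and the name check in particular will produce false positives on a real machine, so every hit still needs a human to verify it (for example by uploading the file as the helper requests).

```python
"""Heuristic triage of ComboFix and HijackThis log lines.

Added example for this thread; it is not a tool the helper used. The heuristics
mirror what the removal script above targets (8-random-letter executables,
executables in Temp, hidden+system files, unnamed BHOs). The sample lines, the
allowlist and the thresholds are constructed for illustration and will produce
false positives on a real box; every hit still needs a human check.
"""
import ntpath
import re

# 8-letter lowercase Windows binaries that would otherwise trip the name check.
# Constructed allowlist; build the real one from a clean install of the same build.
KNOWN_GOOD = {"explorer", "winlogon", "services", "userinit"}
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".scr"}

# "2007-07-06 21:34 51,200 --a------ C:\WINDOWS\nircmd.exe"   (Files Created)
# "2007-06-24 05:53:58 56 --sh--r C:\WINDOWS\x.sys"            (Find3M report)
COMBOFIX_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+"
    r"(?P<attrs>[-a-z]+)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s*$"
)
HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
HJT_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
# First token of a Run value: a quoted path, or an unquoted path up to its extension.
CMD_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|sys|bat|cmd|scr))(?:\s|$)', re.I)

# Constructed sample excerpt (file names and CLSID are made up, not from the thread).
SAMPLE = r"""
2007-07-06 21:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 19:40 30,720 --a------ C:\WINDOWS\system32\qzxkvjtp.exe
2007-07-03 23:45 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-24 05:53:58 56 --sh--r C:\WINDOWS\system32\zrtqpw.sys
2007-07-04 11:02 40,960 --a------ C:\DOCUME~1\User\LOCALS~1\Temp\MBDownloader_123.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\hwqdlvkm.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\system32\ptkcrbwg.exe 61A.exe
"""

RANDOM_NAME = "random 8-letter executable name"


def looks_random(path):
    """True for an executable whose stem is exactly 8 lowercase letters and not allowlisted."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return (ext.lower() in EXEC_EXT
            and re.fullmatch(r"[a-z]{8}", stem) is not None
            and stem not in KNOWN_GOOD)


def path_from_command(cmd):
    """Extract the program path from a Run value such as '"C:\\x\\y.exe" -hide'."""
    m = CMD_PATH.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def triage_combofix_line(line):
    m = COMBOFIX_LINE.match(line)
    if not m:
        return []
    path, attrs = m.group("path"), m.group("attrs")
    reasons = []
    if looks_random(path):
        reasons.append(RANDOM_NAME)
    if "s" in attrs and "h" in attrs and not attrs.startswith("d"):
        reasons.append("hidden+system file")
    if "\\temp\\" in path.lower() and ntpath.splitext(path)[1].lower() in EXEC_EXT:
        reasons.append("executable in a Temp directory")
    return [(path, r) for r in reasons]


def triage_hjt_line(line):
    m = HJT_O2.match(line)
    if m:
        reasons = []
        if m.group("name") == "(no name)":
            reasons.append("BHO registered without a name")
        if looks_random(m.group("path")):
            reasons.append(RANDOM_NAME)
        return [(m.group("path"), r) for r in reasons]
    m = HJT_O4.match(line)
    if m:
        path = path_from_command(m.group("cmd"))
        if looks_random(path):
            return [(path, RANDOM_NAME)]
    return []


def triage(text):
    """Run every heuristic over a log excerpt; returns (path, reason) pairs in input order."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_combofix_line(line) or triage_hjt_line(line))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason:34} {path}")
```

The name check is deliberately narrow (exactly eight lowercase letters) because that is the pattern the deletions in this thread share; widening it to 7 or 9 letters without a baseline allowlist starts flagging legitimate system binaries, which is why the allowlist is built from a clean install rather than guessed.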
#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 08 July 2007 - 11:52 AM

We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Program Files\Outerinfo

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#9 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 20 July 2007 - 10:05 PM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.
