
[Closed] I believe I have the HTepo .com virus?


This topic is locked
8 replies to this topic

#1 robertwagner (New Member, 4 posts)

Posted 07 November 2007 - 10:13 AM

My company computer is being bombarded with pop-ups, adware, etc... The computer is installing icons titled "live safety center" and "online security guide".

I have tried Norton and Trend Micro, and nothing is picking it up. Whatever I have is also preventing the computer settings from adjusting the cookies.

My computer is also cutting out so the monitor goes black and I have to reboot. I don't know if it is a symptom.

Please help.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:08 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ozecdmej.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [@BackupScheduler] C:\Program Files\Online Backup\OnlineBackup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [d8fc5d11] rundll32.exe "C:\WINDOWS\system32\xgbxambo.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194304080125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\Software\..\Telephony: DomainName = metropolitanfundinggroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qvufkdug.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

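The log above carries four classic persistence indicators: a browser toolbar whose DLL sits directly in system32 (O3, ozecdmej.dll), a Run value that loads a DLL through rundll32.exe with a one-letter export (O4, xgbxambo.dll), a Winlogon Notify package (ozecdmej, visible in the later log as "file missing" once the DLL is gone), and a service with an empty vendor field (O23, DomainService). The script below is an added example, not part of the thread or of HijackThis; it reads lines in HijackThis format and flags those four patterns. The heuristics, the KNOWN_NOTIFY_DLLS allowlist and the finding text are assumptions of the example; the sample lines are excerpted from the logs posted in this thread.

```python
import re

# Constructed sample input: lines excerpted from the HijackThis logs posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ozecdmej.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [d8fc5d11] rundll32.exe "C:\WINDOWS\system32\xgbxambo.dll",b
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ozecdmej - ozecdmej.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\qvufkdug.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumption: Winlogon Notify DLLs from the vendors seen in this thread's logs
# (Intel graphics, Symantec). Anything else under that key deserves a look.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "navlogon.dll"}

# rundll32.exe "<path>.dll",<short export>  -- a common loader shape for dropped DLLs
RUNDLL_LOADER = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w{1,2})\s*$', re.I)
# A browser add-on DLL living directly in system32 rather than under Program Files
SYSTEM32_DLL = re.compile(r"\\system32\\([^\\\s]+\.dll)\s*$", re.I)


def triage(log_text):
    """Return (section, reason, line) triples for log lines that warrant a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section, _, body = line.partition(" - ")
        if section == "O4":
            m = RUNDLL_LOADER.search(body)
            if m:
                findings.append((section, f"rundll32 loader for {m.group(1)} (export '{m.group(2)}')", line))
        elif section in ("O2", "O3"):
            if SYSTEM32_DLL.search(body):
                findings.append((section, "browser add-on DLL dropped directly in system32", line))
        elif section == "O20":
            dll = body.rsplit(" - ", 1)[-1]
            name = dll.replace("(file missing)", "").strip().rsplit("\\", 1)[-1].lower()
            if "(file missing)" in dll:
                findings.append((section, f"orphaned Winlogon Notify entry for {name}", line))
            elif name not in KNOWN_NOTIFY_DLLS:
                findings.append((section, f"unrecognised Winlogon Notify DLL {name}", line))
        elif section == "O23":
            # "O23 - Service: <name> - <vendor> - <path>"; an empty vendor renders as " - - ".
            if " - - " in body:
                findings.append((section, "service with no vendor name", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {line}")
```

Note that a bare "random-looking eight-letter name" check is deliberately absent: it would also flag igfxtray.exe and igfxsrvc.dll, which are legitimate Intel binaries on this Dell, so the location and loading mechanism are used as the signal instead.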


#2 Scotty, Always Happy (Authentic Member, 3,634 posts)

Posted 07 November 2007 - 11:23 AM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.


Download and Save ComboFix
  • Download this file from below:

    Here
  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


If this computer is on a network, I strongly advise you disconnect from it until you are cleaned up, and have the other computers checked out.
You too could train to help others- Join the Classroom


#3 robertwagner (New Member, 4 posts)

Posted 07 November 2007 - 12:08 PM

Hi Scotty, I appreciate you assisting me. When I started HijackThis and proceeded to step #5 (save list), the program did not bring up a Notepad window to save anything in. Please advise...

#4 Scotty, Always Happy (Authentic Member, 3,634 posts)

Posted 07 November 2007 - 12:22 PM

Hi. Skip that for now and do the ComboFix.

#5 robertwagner (New Member, 4 posts)

Posted 07 November 2007 - 01:16 PM

ComboFix 07-11-08.1 - Administrator 2007-11-07 13:47:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\AdminJack\Desktop\Live Safety Center.lnk
C:\Documents and Settings\AdminJack\Desktop\Online Security Guide.lnk
C:\Documents and Settings\AdminJack\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Program Files\Temporary
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\mqssadzv.dllbox
C:\WINDOWS\system32\ozecdmej.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qabosefc.dll
C:\WINDOWS\SYSTEM32\qqstv.bak1
C:\WINDOWS\SYSTEM32\qqstv.bak2
C:\WINDOWS\SYSTEM32\qqstv.ini
C:\WINDOWS\SYSTEM32\qqstv.ini2
C:\WINDOWS\SYSTEM32\qqstv.tmp
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\ymante~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 13:45 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 13:38 66,591 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\el90xbc5.sys
2007-11-07 13:38 66,591 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\el90xbc5.sys
2007-11-07 13:38 6,656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdide.sys
2007-11-07 13:38 6,656 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cmdide.sys
2007-11-07 13:38 5,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aliide.sys
2007-11-07 13:38 5,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\aliide.sys
2007-11-07 13:32 71,232 --a------ C:\WINDOWS\SYSTEM32\dpqwjqsr.exe
2007-11-07 12:48 71,232 --a------ C:\WINDOWS\SYSTEM32\edhpkakm.exe
2007-11-07 12:41 79,936 --------- C:\WINDOWS\SYSTEM32\ylxmwxlh.dll
2007-11-07 12:39 71,232 --a------ C:\WINDOWS\SYSTEM32\ngpysnrh.exe
2007-11-07 12:32 71,232 --a------ C:\WINDOWS\SYSTEM32\imgmpreo.exe
2007-11-07 12:20 79,936 --a------ C:\WINDOWS\SYSTEM32\jcnqgcnl.dll
2007-11-07 12:17 71,232 --a------ C:\WINDOWS\SYSTEM32\xoomrjho.exe
2007-11-07 12:12 79,936 --a------ C:\WINDOWS\SYSTEM32\pywbvply.dll
2007-11-07 12:09 71,232 --a------ C:\WINDOWS\SYSTEM32\olvcrmng.exe
2007-11-07 11:12 79,936 --a------ C:\WINDOWS\SYSTEM32\iastpymw.dll
2007-11-07 11:03 86,080 --a------ C:\WINDOWS\SYSTEM32\xgbxambo.dll
2007-11-07 11:01 71,232 --a------ C:\WINDOWS\SYSTEM32\ibviiufk.exe
2007-11-07 10:54 71,232 --a------ C:\WINDOWS\SYSTEM32\raeuurgb.exe
2007-11-07 10:41 79,936 --a------ C:\WINDOWS\SYSTEM32\jvlyirrp.dll
2007-11-07 10:38 71,232 --a------ C:\WINDOWS\SYSTEM32\sssjnidi.exe
2007-11-07 10:32 71,232 --a------ C:\WINDOWS\SYSTEM32\sqqyhwvs.exe
2007-11-06 19:44 71,232 --a------ C:\WINDOWS\SYSTEM32\pydhequu.exe
2007-11-06 19:34 87,104 --a------ C:\WINDOWS\SYSTEM32\aceluysq.dll
2007-11-06 18:54 71,232 --a------ C:\WINDOWS\SYSTEM32\ceonardr.exe
2007-11-06 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 18:24 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-06 18:24 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 18:22 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-11-06 18:22 81,472 --a------ C:\WINDOWS\SYSTEM32\vxylwiml.dll
2007-11-06 18:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-06 18:17 71,232 --a------ C:\WINDOWS\SYSTEM32\dbuisrks.exe
2007-11-06 17:46 81,472 --a------ C:\WINDOWS\SYSTEM32\bmtfwgos.dll
2007-11-06 17:43 87,104 --a------ C:\WINDOWS\SYSTEM32\ivlgavdn.dll
2007-11-06 17:38 71,232 --a------ C:\WINDOWS\SYSTEM32\plgivwoy.exe
2007-11-06 17:22 81,472 --a------ C:\WINDOWS\SYSTEM32\jiskgncs.dll
2007-11-06 17:08 <DIR> d-------- C:\WINDOWS\pss
2007-11-06 15:09 87,104 --a------ C:\WINDOWS\SYSTEM32\etodofgm.dll
2007-11-06 15:06 81,472 --a------ C:\WINDOWS\SYSTEM32\qmcwywoe.dll
2007-11-06 15:00 145,984 --a------ C:\WINDOWS\SYSTEM32\tvsisnus.dll
2007-11-06 09:59 81,472 --a------ C:\WINDOWS\SYSTEM32\ealnbfaj.dll
2007-11-06 09:34 81,472 --a------ C:\WINDOWS\SYSTEM32\gnmmxosf.dll
2007-11-06 09:26 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-05 18:28 83,008 --a------ C:\WINDOWS\SYSTEM32\ievhtpej.dll
2007-11-05 18:14 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-05 18:02 <DIR> d-------- C:\Documents and Settings\AdminJack\SecurityScans
2007-11-05 18:01 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-11-05 17:29 48,156 --a------ C:\ESUGLPDU.zip
2007-11-05 16:44 83,008 --a------ C:\WINDOWS\SYSTEM32\fdmsfdor.dll
2007-11-05 15:31 110,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-11-05 15:31 48,768 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-05 15:24 83,008 --a------ C:\WINDOWS\SYSTEM32\eejtrbfo.dll
2007-11-05 14:17 83,008 --a------ C:\WINDOWS\SYSTEM32\mwfuidrj.dll
2007-11-05 13:16 83,008 --a------ C:\WINDOWS\SYSTEM32\hgmqbamr.dll
2007-11-05 12:54 83,008 --a------ C:\WINDOWS\SYSTEM32\tulewaya.dll
2007-11-05 11:53 83,008 --a------ C:\WINDOWS\SYSTEM32\vuxfrdpv.dll
2007-11-05 11:13 85,568 --a------ C:\WINDOWS\SYSTEM32\fotoeodh.dll
2007-11-05 11:07 83,008 --a------ C:\WINDOWS\SYSTEM32\claaqtsm.dll
2007-11-02 15:07 55,352,398 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-11-02 10:03 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-11-01 09:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz02r
2007-10-31 13:09 <DIR> d-------- C:\WINDOWS\Sun
2007-10-30 14:59 <DIR> d-------- C:\olb
2007-10-30 13:57 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-10-30 13:06 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-10-30 13:06 <DIR> d-------- C:\Documents and Settings\AdminJack\Application Data\Intuit
2007-10-30 13:06 1,933,312 --a------ C:\WINDOWS\SYSTEM32\cdintf251.dll
2007-10-30 13:02 <DIR> d-------- C:\Program Files\Intuit
2007-10-30 13:02 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-10-30 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-30 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2007-10-29 15:54 421,888 --a------ C:\WINDOWS\SYSTEM32\novamnp2.dll
2007-10-29 15:54 9,728 --a------ C:\WINDOWS\SYSTEM32\novamip2.dll
2007-10-29 15:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-29 15:38 <DIR> d-------- C:\Program Files\Softland
2007-10-29 15:38 <DIR> d-------- C:\Program Files\a la mode
2007-10-29 13:24 <DIR> d-------- C:\Program Files\Kyocera
2007-10-29 12:25 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-10-29 12:21 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-29 12:02 <DIR> d--hs---- C:\Documents and Settings\AdminJack\UserData
2007-10-29 12:00 <DIR> d-------- C:\Program Files\Microsoft WSE
2007-10-29 12:00 348,160 --a------ C:\WINDOWS\SYSTEM32\cdintf250.dll
2007-10-29 11:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTemp
2007-10-29 11:47 582,656 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 23:17 --------- d-----w C:\Program Files\Microsoft Works
2007-11-05 20:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 20:32 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 20:32 --------- d-----w C:\Program Files\Symantec
2007-11-05 20:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 15:15 --------- d-----w C:\Program Files\Symantec_Client_Security
2007-10-31 19:04 --------- d-----w C:\Documents and Settings\AdminJack\Application Data\AdobeUM
2007-10-29 20:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 16:52 --------- d-----w C:\Program Files\Common Files\InstallShield
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2007-03-14 19:49]
"d8fc5d11"="C:\WINDOWS\system32\xgbxambo.dll" [2007-11-07 11:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-11-06 18:45:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 03:09:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ozecdmej]
ozecdmej.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsqq.dll

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 13:55:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-08 13:57:42 - machine was rebooted
.
--- E O F ---


Here is the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:17:00 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [d8fc5d11] rundll32.exe "C:\WINDOWS\system32\xgbxambo.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194304080125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\Software\..\Telephony: DomainName = metropolitanfundinggroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ozecdmej - ozecdmej.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
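The "Files Created" section of the ComboFix log above shows the same few byte sizes (71,232 and 79,936 on 7 November; 83,008, 81,472 and 87,104 on the days before) reappearing under fresh eight-letter names every few minutes: the same dropper copying itself out again under a new name. The script below is an added example, not part of the thread or of ComboFix; it parses lines in that section's format and clusters files by directory and exact size so the re-dropping pattern stands out. The eight-lowercase-letter name filter and the minimum group size are assumptions of the example; the sample lines are excerpted from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: lines excerpted from the ComboFix "Files Created" section above.
SAMPLE_CREATED = r"""
2007-11-07 13:32 71,232 --a------ C:\WINDOWS\SYSTEM32\dpqwjqsr.exe
2007-11-07 12:48 71,232 --a------ C:\WINDOWS\SYSTEM32\edhpkakm.exe
2007-11-07 12:41 79,936 --------- C:\WINDOWS\SYSTEM32\ylxmwxlh.dll
2007-11-07 12:39 71,232 --a------ C:\WINDOWS\SYSTEM32\ngpysnrh.exe
2007-11-07 12:20 79,936 --a------ C:\WINDOWS\SYSTEM32\jcnqgcnl.dll
2007-11-07 11:03 86,080 --a------ C:\WINDOWS\SYSTEM32\xgbxambo.dll
2007-11-06 18:24 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-06 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 15:31 110,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-10-29 11:47 582,656 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
"""

# "<date> <time> <size with commas> <attribute flags> <path>"; directory rows carry <DIR>
# instead of a size and are skipped.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+\S+\s+(.+)$")
# Assumption: the dropper in this thread always uses eight lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")


def parse(text):
    """Yield (created, size_in_bytes, path) for every file row in the section."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = int(m.group(2).replace(",", ""))
        rows.append((when, size, m.group(3)))
    return rows


def clusters(text, min_members=2):
    """Group random-named files by (directory, exact size); report groups of min_members or more."""
    groups = defaultdict(list)
    for when, size, path in parse(text):
        directory, _, name = path.rpartition("\\")
        if RANDOM_NAME.match(name):
            groups[(directory.lower(), size)].append((when, name))
    out = []
    for (directory, size), members in groups.items():
        if len(members) < min_members:
            continue
        members.sort()  # oldest first
        span = members[-1][0] - members[0][0]
        out.append({
            "dir": directory, "size": size, "count": len(members),
            "first": members[0][0], "last": members[-1][0],
            "span_minutes": int(span.total_seconds() // 60),
            "names": [n for _, n in members],
        })
    out.sort(key=lambda c: (-c["count"], c["size"]))
    return out


if __name__ == "__main__":
    for c in clusters(SAMPLE_CREATED):
        print(f"{c['count']} x {c['size']:,} bytes in {c['dir']} over {c['span_minutes']} min: "
              + ", ".join(c["names"]))
```

Exact-size clustering is crude but cheap: a packed dropper that only changes its output name keeps its length, so identical sizes plus a tight creation cadence are enough to pull every copy out of a long listing before any of them are hashed.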

#6 Scotty, Always Happy (Authentic Member, 3,634 posts)

Posted 07 November 2007 - 02:05 PM

Hi

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS\SYSTEM32\dpqwjqsr.exe 
C:\WINDOWS\SYSTEM32\edhpkakm.exe
C:\WINDOWS\SYSTEM32\ylxmwxlh.dll
C:\WINDOWS\SYSTEM32\ngpysnrh.exe
C:\WINDOWS\SYSTEM32\imgmpreo.exe
C:\WINDOWS\SYSTEM32\jcnqgcnl.dll
C:\WINDOWS\SYSTEM32\xoomrjho.exe
C:\WINDOWS\SYSTEM32\pywbvply.dll
C:\WINDOWS\SYSTEM32\olvcrmng.exe
C:\WINDOWS\SYSTEM32\iastpymw.dll
C:\WINDOWS\SYSTEM32\xgbxambo.dll
C:\WINDOWS\SYSTEM32\ibviiufk.exe
C:\WINDOWS\SYSTEM32\raeuurgb.exe
C:\WINDOWS\SYSTEM32\jvlyirrp.dll
C:\WINDOWS\SYSTEM32\sssjnidi.exe
C:\WINDOWS\SYSTEM32\sqqyhwvs.exe
C:\WINDOWS\SYSTEM32\pydhequu.exe
C:\WINDOWS\SYSTEM32\aceluysq.dll
C:\WINDOWS\SYSTEM32\ceonardr.exe
C:\WINDOWS\SYSTEM32\vxylwiml.dll
C:\WINDOWS\SYSTEM32\dbuisrks.exe
C:\WINDOWS\SYSTEM32\bmtfwgos.dll
C:\WINDOWS\SYSTEM32\ivlgavdn.dll
C:\WINDOWS\SYSTEM32\plgivwoy.exe
C:\WINDOWS\SYSTEM32\jiskgncs.dll
C:\WINDOWS\SYSTEM32\etodofgm.dll
C:\WINDOWS\SYSTEM32\qmcwywoe.dll
C:\WINDOWS\SYSTEM32\tvsisnus.dll
C:\WINDOWS\SYSTEM32\ealnbfaj.dll
C:\WINDOWS\SYSTEM32\gnmmxosf.dll
C:\WINDOWS\SYSTEM32\mucltui.dll
C:\WINDOWS\SYSTEM32\ievhtpej.dll
C:\WINDOWS\SYSTEM32\fdmsfdor.dll
C:\WINDOWS\SYSTEM32\eejtrbfo.dll
C:\WINDOWS\SYSTEM32\mwfuidrj.dll
C:\WINDOWS\SYSTEM32\hgmqbamr.dll
C:\WINDOWS\SYSTEM32\tulewaya.dll
C:\WINDOWS\SYSTEM32\vuxfrdpv.dll
C:\WINDOWS\SYSTEM32\fotoeodh.dll
C:\WINDOWS\SYSTEM32\claaqtsm.dll
C:\WINDOWS\system32\vtsqq.dll

Folder::
C:\ESUGLPDU.zip
C:\WINDOWS\SYSTEM32\Mz02r

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d8fc5d11"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ozecdmej] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

[Image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log with a new HijackThis log.
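The Registry:: section of the script above resets the LSA "Authentication Packages" value, which ComboFix had reported as "msv1_0 C:\WINDOWS\system32\vtsqq.dll", to just msv1_0 by writing it as a hex(7) (REG_MULTI_SZ) value: the bytes 6d,73,76,31,5f,30 are "msv1_0", followed by one NUL to end that string and a second NUL to end the list. The code below is an added example, not part of the thread or of ComboFix; it decodes and rebuilds that hex(7) form and checks an Authentication Packages list against the XP default. The assumption that a stock XP install loads only msv1_0 and the detection of the two byte widths are the example's own; note that a Regedit 5.00 .reg export would write the same value as UTF-16LE (a 00 after every byte) rather than one byte per character as the script above does.

```python
# The CFScript line from the post above, and the value ComboFix reported before the fix.
CFSCRIPT_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'
REPORTED_PACKAGES = ["msv1_0", r"C:\WINDOWS\system32\vtsqq.dll"]

# Assumption: the only authentication package a stock Windows XP system loads.
DEFAULT_PACKAGES = {"msv1_0"}


def _bytes_from_reg_hex(value_line):
    """Pull the comma-separated hex bytes out of a '<name>=hex(7):...' .reg line."""
    _, _, payload = value_line.partition("hex(7):")
    # .reg files may continue a long value over several lines with a trailing backslash.
    payload = payload.replace("\\\r\n", "").replace("\\\n", "")
    return bytes(int(b, 16) for b in payload.split(",") if b.strip())


def decode_hex7(value_line):
    """Decode a hex(7) REG_MULTI_SZ value into its list of strings.

    Regedit 5.00 exports use UTF-16LE (a 00 after every ASCII byte); the CFScript
    above writes one byte per character. Tell them apart by the odd-position bytes.
    """
    raw = _bytes_from_reg_hex(value_line)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # Each string is NUL-terminated and the whole list ends with one extra NUL.
    return [s for s in text.split("\x00") if s]


def encode_hex7(strings, utf16=False):
    """Build the hex(7) payload for a list of strings (one byte per char, or UTF-16LE)."""
    enc = "utf-16-le" if utf16 else "latin-1"
    nul = "\x00".encode(enc)
    data = b"".join(s.encode(enc) + nul for s in strings) + nul
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def unexpected_packages(packages):
    """Return the entries of an Authentication Packages list that are not the XP default."""
    return [p for p in packages if p.lower() not in DEFAULT_PACKAGES]


if __name__ == "__main__":
    print("script restores:", decode_hex7(CFSCRIPT_LINE))
    print("unexpected before the fix:", unexpected_packages(REPORTED_PACKAGES))
    print("same value, Regedit-style:", encode_hex7(["msv1_0"], utf16=True))
```

An extra entry in this value is worth treating as a credential-theft indicator rather than just adware persistence: LSA loads every listed package into lsass.exe at boot and hands it each interactive logon, so a DLL there sees plaintext passwords. Getting the byte width right matters too; a hand-written .reg file that mixes the two forms leaves the value malformed, which on this key can break logon.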

#7 robertwagner (New Member, 4 posts)

Posted 07 November 2007 - 02:50 PM

ComboFix 07-11-08.1 - Administrator 2007-11-08 15:42:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.609 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\aceluysq.dll
C:\WINDOWS\SYSTEM32\bmtfwgos.dll
C:\WINDOWS\SYSTEM32\ceonardr.exe
C:\WINDOWS\SYSTEM32\claaqtsm.dll
C:\WINDOWS\SYSTEM32\dbuisrks.exe
C:\WINDOWS\SYSTEM32\dpqwjqsr.exe
C:\WINDOWS\SYSTEM32\ealnbfaj.dll
C:\WINDOWS\SYSTEM32\edhpkakm.exe
C:\WINDOWS\SYSTEM32\eejtrbfo.dll
C:\WINDOWS\SYSTEM32\etodofgm.dll
C:\WINDOWS\SYSTEM32\fdmsfdor.dll
C:\WINDOWS\SYSTEM32\fotoeodh.dll
C:\WINDOWS\SYSTEM32\gnmmxosf.dll
C:\WINDOWS\SYSTEM32\hgmqbamr.dll
C:\WINDOWS\SYSTEM32\iastpymw.dll
C:\WINDOWS\SYSTEM32\ibviiufk.exe
C:\WINDOWS\SYSTEM32\ievhtpej.dll
C:\WINDOWS\SYSTEM32\imgmpreo.exe
C:\WINDOWS\SYSTEM32\ivlgavdn.dll
C:\WINDOWS\SYSTEM32\jcnqgcnl.dll
C:\WINDOWS\SYSTEM32\jiskgncs.dll
C:\WINDOWS\SYSTEM32\jvlyirrp.dll
C:\WINDOWS\SYSTEM32\mucltui.dll
C:\WINDOWS\SYSTEM32\mwfuidrj.dll
C:\WINDOWS\SYSTEM32\ngpysnrh.exe
C:\WINDOWS\SYSTEM32\olvcrmng.exe
C:\WINDOWS\SYSTEM32\plgivwoy.exe
C:\WINDOWS\SYSTEM32\pydhequu.exe
C:\WINDOWS\SYSTEM32\pywbvply.dll
C:\WINDOWS\SYSTEM32\qmcwywoe.dll
C:\WINDOWS\SYSTEM32\raeuurgb.exe
C:\WINDOWS\SYSTEM32\sqqyhwvs.exe
C:\WINDOWS\SYSTEM32\sssjnidi.exe
C:\WINDOWS\SYSTEM32\tulewaya.dll
C:\WINDOWS\SYSTEM32\tvsisnus.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\SYSTEM32\vuxfrdpv.dll
C:\WINDOWS\SYSTEM32\vxylwiml.dll
C:\WINDOWS\SYSTEM32\xgbxambo.dll
C:\WINDOWS\SYSTEM32\xoomrjho.exe
C:\WINDOWS\SYSTEM32\ylxmwxlh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ESUGLPDU.zip\
C:\WINDOWS\SYSTEM32\aceluysq.dll
C:\WINDOWS\SYSTEM32\bmtfwgos.dll
C:\WINDOWS\SYSTEM32\ceonardr.exe
C:\WINDOWS\SYSTEM32\claaqtsm.dll
C:\WINDOWS\SYSTEM32\dbuisrks.exe
C:\WINDOWS\SYSTEM32\dpqwjqsr.exe
C:\WINDOWS\SYSTEM32\ealnbfaj.dll
C:\WINDOWS\SYSTEM32\edhpkakm.exe
C:\WINDOWS\SYSTEM32\eejtrbfo.dll
C:\WINDOWS\SYSTEM32\etodofgm.dll
C:\WINDOWS\SYSTEM32\fdmsfdor.dll
C:\WINDOWS\SYSTEM32\fotoeodh.dll
C:\WINDOWS\SYSTEM32\gnmmxosf.dll
C:\WINDOWS\SYSTEM32\hgmqbamr.dll
C:\WINDOWS\SYSTEM32\iastpymw.dll
C:\WINDOWS\SYSTEM32\ibviiufk.exe
C:\WINDOWS\SYSTEM32\ievhtpej.dll
C:\WINDOWS\SYSTEM32\imgmpreo.exe
C:\WINDOWS\SYSTEM32\ivlgavdn.dll
C:\WINDOWS\SYSTEM32\jcnqgcnl.dll
C:\WINDOWS\SYSTEM32\jiskgncs.dll
C:\WINDOWS\SYSTEM32\jvlyirrp.dll
C:\WINDOWS\SYSTEM32\mucltui.dll
C:\WINDOWS\SYSTEM32\mwfuidrj.dll
C:\WINDOWS\SYSTEM32\Mz02r
C:\WINDOWS\SYSTEM32\ngpysnrh.exe
C:\WINDOWS\SYSTEM32\olvcrmng.exe
C:\WINDOWS\SYSTEM32\plgivwoy.exe
C:\WINDOWS\SYSTEM32\pydhequu.exe
C:\WINDOWS\SYSTEM32\pywbvply.dll
C:\WINDOWS\SYSTEM32\qmcwywoe.dll
C:\WINDOWS\SYSTEM32\raeuurgb.exe
C:\WINDOWS\SYSTEM32\sqqyhwvs.exe
C:\WINDOWS\SYSTEM32\sssjnidi.exe
C:\WINDOWS\SYSTEM32\tulewaya.dll
C:\WINDOWS\SYSTEM32\tvsisnus.dll
C:\WINDOWS\SYSTEM32\vuxfrdpv.dll
C:\WINDOWS\SYSTEM32\vxylwiml.dll
C:\WINDOWS\SYSTEM32\xgbxambo.dll
C:\WINDOWS\SYSTEM32\xoomrjho.exe
C:\WINDOWS\SYSTEM32\ylxmwxlh.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 13:45 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 13:38 66,591 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\el90xbc5.sys
2007-11-07 13:38 66,591 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\el90xbc5.sys
2007-11-07 13:38 6,656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdide.sys
2007-11-07 13:38 6,656 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cmdide.sys
2007-11-07 13:38 5,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aliide.sys
2007-11-07 13:38 5,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\aliide.sys
2007-11-06 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 18:24 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-06 18:24 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 18:22 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-11-06 18:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-06 17:08 <DIR> d-------- C:\WINDOWS\pss
2007-11-05 18:14 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-05 18:02 <DIR> d-------- C:\Documents and Settings\AdminJack\SecurityScans
2007-11-05 18:01 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-11-05 17:29 48,156 --a------ C:\ESUGLPDU.zip
2007-11-05 15:31 110,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-11-05 15:31 48,768 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-02 15:07 55,352,398 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-11-02 10:03 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-10-31 13:09 <DIR> d-------- C:\WINDOWS\Sun
2007-10-30 14:59 <DIR> d-------- C:\olb
2007-10-30 13:57 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-10-30 13:06 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-10-30 13:06 <DIR> d-------- C:\Documents and Settings\AdminJack\Application Data\Intuit
2007-10-30 13:06 1,933,312 --a------ C:\WINDOWS\SYSTEM32\cdintf251.dll
2007-10-30 13:02 <DIR> d-------- C:\Program Files\Intuit
2007-10-30 13:02 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-10-30 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-30 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2007-10-29 15:54 421,888 --a------ C:\WINDOWS\SYSTEM32\novamnp2.dll
2007-10-29 15:54 9,728 --a------ C:\WINDOWS\SYSTEM32\novamip2.dll
2007-10-29 15:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-29 15:38 <DIR> d-------- C:\Program Files\Softland
2007-10-29 15:38 <DIR> d-------- C:\Program Files\a la mode
2007-10-29 13:24 <DIR> d-------- C:\Program Files\Kyocera
2007-10-29 12:25 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-10-29 12:21 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-29 12:02 <DIR> d--hs---- C:\Documents and Settings\AdminJack\UserData
2007-10-29 12:00 <DIR> d-------- C:\Program Files\Microsoft WSE
2007-10-29 12:00 348,160 --a------ C:\WINDOWS\SYSTEM32\cdintf250.dll
2007-10-29 11:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTemp
2007-10-29 11:47 582,656 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 23:17 --------- d-----w C:\Program Files\Microsoft Works
2007-11-05 20:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 20:32 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 20:32 --------- d-----w C:\Program Files\Symantec
2007-11-05 20:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 15:15 --------- d-----w C:\Program Files\Symantec_Client_Security
2007-10-31 19:04 --------- d-----w C:\Documents and Settings\AdminJack\Application Data\AdobeUM
2007-10-29 20:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 16:52 --------- d-----w C:\Program Files\Common Files\InstallShield
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2007-03-14 19:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-11-06 18:45:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 03:09:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=0 (0x0)

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 15:45:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-08 15:48:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 13:57
.
--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 3:50:31 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194304080125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\Software\..\Telephony: DomainName = metropolitanfundinggroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 November 2007 - 03:13 PM

Hi

Download AVG Anti-Spyware.
  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.
  • At the top of the main screen click Update.
  • Then in the Manual Update section, click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • When updates are completed, close AVG.

If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates



Please read the following instructions carefully and follow them, even if they look wrong. There is a bug in this program and to get the report you have to set it NOT to generate one!


Run a scan with AVG.
  • Click on Scanner
    • Click on the Settings tab, and set the following settings.
      • How to act
        • Click on Recommended actions, and set to Quarantine.
      • How to scan
        • Check all options.
      • Possibly unwanted software
        • Check all options.
      • Reports
        • Check Do not automatically generate reports after every scan.
      • What to scan
        • Check Scan every file.
  • Click on the Scan tab.
    • Click on Complete System Scan and the scan will begin.
    • When the scan has finished:
      • Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
      • At the bottom of the window click on the Apply all Actions button.
Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location: C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Please post the report in your next reply with a new HijackThis log.
You too could train to help others- Join the Classroom


#9 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 18 November 2007 - 07:22 AM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
You too could train to help others- Join the Classroom

