Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Help with Trojan needed


  • This topic is locked This topic is locked
13 replies to this topic

#1 Medz

Medz

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 27 January 2008 - 12:25 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:33:52 AM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\CROSOF~1\javaw.exe
C:\Program Files\Common Files\?ystem\t?skmgr.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Katie Tuttle\Application Data\Mozilla\Profiles\default\mke67zip.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [44abe178] rundll32.exe "C:\WINDOWS\System32\sjmmmnkq.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Iinl] "C:\PROGRA~1\COMMON~1\CROSOF~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Mrlqcnr] "C:\Program Files\Common Files\?ystem\t?skmgr.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Advertisements

Register to Remove


#2 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 January 2008 - 12:41 PM

Hello Medz and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.


First, please disable TeaTimer

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]


Please print out or copy this page to Notepad. Make sure to download all the required tools to your desktop before starting. If there is anything that you do not understand, ask your question(s) before proceeding with the fixes.

A. Tools to download:
  • Right click HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
  • Download SDFix and save it to your Desktop.
  • Download ComboFix and save it to your desktop.

**Note: In the event you already have SDFix and/or ComboFix, these are new versions that I need you to download. It is important that they are saved directly to your desktop**


B. Running the Tools


1. Run DelDomains:

Right click DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


Very Important!

Before running SDFix and ComboFix
:
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with both SDFix and ComboFix and remove some of their embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Also, make sure you are physically disconnected from the Internet (unplug the cable) after downloading the programs but before running the files.


2. Run SDFix:

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
  • Instead of Windows loading as normal, the Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode, then press Enter
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Finally, copy the content of Report.txt to Notepad and Save it to your Desktop as you will be asked to post it later on.


3. Run ComboFix:

WARNING:
  • IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts.
  • Do not re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection when Combofix has completely finished, just restart your computer to restore the connection.

Double-click on combofix.exe and follow the prompts. When finished, it will produce a report for you.


**Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall**


C. After ComboFix has finished its run:
  • Restart/re-enable all the programs that you disabled before running the tools.
  • Physically reconnect to the internet.

D. Posting Logs/Reports:
  • Report.txt
  • C:\ComboFix.txt
  • A new HijackThis log run after all the tools have been run.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#3 Medz

Medz

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 27 January 2008 - 04:28 PM

Thanks for the help!!

sdfix report:

SDFix: Version 1.131

Run by Katie Tuttle on Sun 01/27/2008 at 02:44 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\MESSEN~1\QUBAQI - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\Dot1XCfg\Dot1XCfg.exe - Deleted
C:\Program Files\Temporary\kernInst.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Program Files\Dot1XCfg - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 14:51:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 27 Jan 2008 29,198 ..SH. --- "C:\WINDOWS\system32\wvpisdrl.dllbox"
Wed 23 Jan 2008 68,608 ..SHR --- "C:\Program Files\Common Files\??crosoft\javaw.exe"
Tue 15 Jan 2008 230,400 ..SHR --- "C:\Program Files\Common Files\?ystem\t?skmgr.exe"
--- 13,859 ...H. --- "C:\WINDOWS\system32\5872\explorer.exe"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT6.tmp"

Finished!


Combofix log:

ComboFix 08-01-23.1C - Katie Tuttle 2008-01-27 14:58:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.266 [GMT -6:00]
Running from: C:\Documents and Settings\Katie Tuttle\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\??crosoft\
C:\Program Files\Common Files\crosof~1\javaw.exe
C:\Program Files\Common Files\ystem~1
C:\Program Files\Common Files\ystem~1\t?skmgr.exe
C:\Program Files\outerinfo
C:\temp\tn3
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\bkmheloq.dll
C:\WINDOWS\system32\clyryglu.dll
C:\WINDOWS\system32\cmxhdifk.dll
C:\WINDOWS\system32\fiikonba.dll
C:\WINDOWS\system32\khsyebbx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljighh.dll
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nwpifhlx.dll
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\pqp.dll
C:\WINDOWS\system32\qknmmmjs.ini
C:\WINDOWS\system32\sjmmmnkq.dll
C:\WINDOWS\system32\ssliuesg.dll
C:\WINDOWS\system32\tbmqplwl.dll
C:\WINDOWS\system32\wvpisdrl.dll
C:\WINDOWS\system32\wvpisdrl.dllbox
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 15:09 . 2008-01-27 15:09 <DIR> d-------- C:\Temp\tn3
2008-01-27 14:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 14:49 . 2008-01-27 15:08 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-27 14:42 . 2008-01-27 14:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 10:53 . 2008-01-27 10:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-27 10:52 . 2008-01-27 10:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 23:04 . 2008-01-26 23:04 294 --ahs---- C:\WINDOWS\system32\pprejpgd.ini
2008-01-25 21:31 . 2008-01-25 21:31 1,142,572 --ahs---- C:\WINDOWS\system32\ocjjqdpr.ini
2008-01-25 21:31 . 2008-01-25 21:31 147,520 --a------ C:\WINDOWS\system32\rpdqjjco.dll
2008-01-25 21:28 . 2008-01-25 21:28 1,142,872 --ahs---- C:\WINDOWS\system32\havfkeqx.ini
2008-01-24 21:45 . 2004-03-29 19:48 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-24 21:45 . 2004-03-10 11:59 593,408 -----c--- C:\WINDOWS\system32\dllcache\xpsp2res.dll
2008-01-24 21:45 . 2004-03-29 19:48 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2008-01-24 21:45 . 2004-03-29 19:48 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-24 21:45 . 2004-03-29 19:48 253,440 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-24 21:45 . 2004-03-29 19:48 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2008-01-24 21:30 . 2008-01-24 21:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-24 21:24 . 2008-01-25 21:28 1,142,812 --ahs---- C:\WINDOWS\system32\fssdjcri.ini
2008-01-24 21:20 . 2008-01-24 21:20 1,130,098 --ahs---- C:\WINDOWS\system32\akutglmy.ini
2008-01-24 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-24 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-23 22:02 . 2008-01-23 22:02 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-23 20:27 . 2008-01-23 20:27 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-01-23 20:27 . 2008-01-23 20:28 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-23 20:25 . 2008-01-23 20:25 971 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-01-23 19:53 . 2008-01-23 19:53 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-01-23 19:28 . 2008-01-27 11:13 <DIR> d-------- C:\WINDOWS\system32\winzs6
2008-01-23 19:28 . 2008-01-27 11:13 <DIR> d-------- C:\WINDOWS\system32\nui4
2008-01-23 19:28 . 2008-01-23 19:28 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-23 19:28 . 2008-01-23 19:28 <DIR> d-------- C:\WINDOWS\system32\extz1
2008-01-23 19:28 . 2008-01-27 11:16 <DIR> d--hs---- C:\WINDOWS\S2F0aWUgVHV0dGxl
2008-01-23 19:28 . 2008-01-23 19:28 <DIR> d-------- C:\Temp\gTiis19
2008-01-23 19:28 . 2008-01-23 19:28 <DIR> d-------- C:\Temp\cXzz9
2008-01-23 19:28 . 2008-01-27 15:09 <DIR> d-------- C:\Temp
2008-01-23 19:28 . 2008-01-23 19:28 86,016 --a------ C:\WINDOWS\system32\drivers\ialmnt55.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-04-18 03:10 21,249,848 ----a-w C:\Program Files\QuickTimeInstaller.exe
2006-04-11 01:23 5,175,696 ----a-w C:\Program Files\Firefox Setup 1.5.0.1.exe
2005-11-16 02:53 2,167,119 ----a-w C:\Program Files\dMC-r11[1].5.exe
2005-09-20 17:53 4,878,136 ----a-w C:\Program Files\Firefox Setup 1.0.7.exe
2005-08-13 15:42 9,000,041 ----a-w C:\Program Files\trillian-v3.1.exe
2005-06-19 14:38 700,120 ----a-w C:\Program Files\flashplayer7installer.exe
2005-06-17 16:46 4,827,968 ----a-w C:\Program Files\Firefox Setup 1.0.4.exe
2005-07-29 22:24 472 --sha-r C:\WINDOWS\S2F0aWUgVHV0dGxl\mZIXuqo0pJpXx3U5.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53 307200]
"Iinl"="C:\PROGRA~1\COMMON~1\CROSOF~1\javaw.exe" [ ]
"Mrlqcnr"="C:\Program Files\Common Files\?ystem\t?skmgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 23:00 335872]
"CreateCD_Reminder"="C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe" [2003-08-25 11:49 53248]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 18:32 1409024]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 19:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 23:08 28672]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2007-02-11 22:29 380928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-17 21:11 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-27 08:11:13 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-03-06 19:08:16 217088]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 16:08:08 57344]

R1 ialmnt55;ialmnt55;C:\WINDOWS\System32\drivers\ialmnt55.sys [2008-01-23 19:28]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 19:43:22 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 15:09:34
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 15:11:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 21:11:51
.
2008-01-27 04:50:44 --- E O F ---


new log of hijackthis scan after all of that:

Logfile of HijackThis v1.99.1
Scan saved at 3:23:14 PM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Katie Tuttle\Application Data\Mozilla\Profiles\default\mke67zip.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Iinl] "C:\PROGRA~1\COMMON~1\CROSOF~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Mrlqcnr] "C:\Program Files\Common Files\?ystem\t?skmgr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 January 2008 - 07:44 PM

A. Using the Add/Remove Programs module in your Control Panel, I STRONGLY recommend that you uninstall the following program:

Viewpoint Manager

Justification for this action can be found here, if needed: http://www.bleepingc...nt-Manager.html


B.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::


File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\pprejpgd.ini
C:\WINDOWS\system32\ocjjqdpr.ini
C:\WINDOWS\system32\rpdqjjco.dll
C:\WINDOWS\system32\havfkeqx.ini
C:\WINDOWS\system32\rtcdll.dll
C:\WINDOWS\msdownld.tmp
C:\WINDOWS\system32\fssdjcri.ini
C:\WINDOWS\system32\akutglmy.ini
C:\WINDOWS\system32\drivers\ialmnt55.sys

Folder::
C:\Temp\tn3
C:\WINDOWS\system32\winzs6
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\extz1
C:\WINDOWS\S2F0aWUgVHV0dGxl
C:\Temp
C:\WINDOWS\S2F0aWUgVHV0dGxl

Driver::
ialmnt55

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iinl"=-
"Mrlqcnr"=-
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#5 Medz

Medz

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 27 January 2008 - 09:53 PM

combofix log:

ComboFix 08-01-23.1C - Katie Tuttle 2008-01-27 20:57:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.298 [GMT -6:00]
Running from: C:\Documents and Settings\Katie Tuttle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Katie Tuttle\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\msdownld.tmp

C:\WINDOWS\system32\akutglmy.ini

C:\WINDOWS\system32\drivers\core.cache.dsk

C:\WINDOWS\system32\drivers\ialmnt55.sys

C:\WINDOWS\system32\fssdjcri.ini

C:\WINDOWS\system32\havfkeqx.ini

C:\WINDOWS\system32\ocjjqdpr.ini
C:\WINDOWS\system32\pprejpgd.ini

C:\WINDOWS\system32\rpdqjjco.dll

C:\WINDOWS\system32\rtcdll.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\gTiis19\lTig.log
C:\temp\tn3
C:\WINDOWS\S2F0aWUgVHV0dGxl
C:\WINDOWS\S2F0aWUgVHV0dGxl\mZIXuqo0pJpXx3U5.vbs

C:\WINDOWS\system32\akutglmy.ini

C:\WINDOWS\system32\drivers\core.cache.dsk

C:\WINDOWS\system32\drivers\ialmnt55.sys
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\extz1\lovstadcom2.exe

C:\WINDOWS\system32\fssdjcri.ini

C:\WINDOWS\system32\havfkeqx.ini

C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\nui4

C:\WINDOWS\system32\ocjjqdpr.ini
C:\WINDOWS\system32\pprejpgd.ini

C:\WINDOWS\system32\rpdqjjco.dll

C:\WINDOWS\system32\rtcdll.dll
C:\WINDOWS\system32\winzs6

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IALMNT55
-------\ialmnt55


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 14:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 14:42 . 2008-01-27 14:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 10:53 . 2008-01-27 10:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-27 10:52 . 2008-01-27 10:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 21:45 . 2004-03-29 19:48 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-24 21:45 . 2004-03-10 11:59 593,408 -----c--- C:\WINDOWS\system32\dllcache\xpsp2res.dll
2008-01-24 21:45 . 2003-03-31 06:00 548,864 --a--c--- C:\WINDOWS\system32\dllcache\rtcdll.dll
2008-01-24 21:45 . 2004-03-29 19:48 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-24 21:45 . 2004-03-29 19:48 253,440 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-24 21:45 . 2004-03-29 19:48 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2008-01-24 21:30 . 2008-01-24 21:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-24 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-24 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-23 22:02 . 2008-01-23 22:02 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-23 20:27 . 2008-01-23 20:27 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-01-23 20:27 . 2008-01-23 20:28 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-23 20:25 . 2008-01-23 20:25 971 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-01-23 19:53 . 2008-01-23 19:53 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-04-18 03:10 21,249,848 ----a-w C:\Program Files\QuickTimeInstaller.exe
2006-04-11 01:23 5,175,696 ----a-w C:\Program Files\Firefox Setup 1.5.0.1.exe
2005-11-16 02:53 2,167,119 ----a-w C:\Program Files\dMC-r11[1].5.exe
2005-09-20 17:53 4,878,136 ----a-w C:\Program Files\Firefox Setup 1.0.7.exe
2005-08-13 15:42 9,000,041 ----a-w C:\Program Files\trillian-v3.1.exe
2005-06-19 14:38 700,120 ----a-w C:\Program Files\flashplayer7installer.exe
2005-06-17 16:46 4,827,968 ----a-w C:\Program Files\Firefox Setup 1.0.4.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_15.11.23.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 20:57:54 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-28 02:57:27 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 20:57:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-28 02:57:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 20:57:54 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-28 02:57:27 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 20:57:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-28 02:57:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 20:57:55 5,459,968 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-28 02:57:27 5,459,968 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-27 20:57:55 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-28 02:57:27 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-27 19:43:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-28 03:01:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-27 19:43:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-28 03:01:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-27 19:43:12 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-28 03:01:23 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="1" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 23:00 335872]
"CreateCD_Reminder"="C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe" [2003-08-25 11:49 53248]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 18:32 1409024]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 19:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 23:08 28672]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2007-02-11 22:29 380928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-17 21:11 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-27 08:11:13 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-03-06 19:08:16 217088]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 16:08:08 57344]


.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 19:43:22 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 21:01:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 21:04:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 03:04:13
ComboFix2.txt 2008-01-27 21:11:54
.
2008-01-27 04:50:44 --- E O F ---

hijackthis log:


Logfile of HijackThis v1.99.1

Scan saved at 9:08:37 PM, on 1/27/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Katie Tuttle\Application Data\Mozilla\Profiles\default\mke67zip.slt\prefs.js)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 28 January 2008 - 09:08 AM

Your logs are looking really good. Now we should have a look at your entire system to make sure that no "baddies" are still lurking ready to pounce.

A. I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

B. In addition, please tell me how your system is now running. If all is well, we will proceed with the final cleanup procedures.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#7 Medz

Medz

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 28 January 2008 - 08:26 PM

It's been running great so far, here's the latest log: # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=2830 (20080129) # vers_arch_module=1.063 (20080117) # vers_adv_heur_module=1.060 (20070601) # EOSSerial=9c11b917415f254da4501ef2f480a810 # end=finished # remove_checked=false # unwanted_checked=false # utc_time=2008-01-29 02:12:01 # local_time=2008-01-28 08:12:01 (-0600, Central America Standard Time) # country="United States" # osver=5.1.2600 NT Service Pack 1 # scanned=248832 # found=18 # scan_time=1418 C:\QooBox\Quarantine\catchme2008-01-27_150924.23.zip multiple infiltrations C3DF0AD19D5ADC001421F5F7A7202B89 C:\QooBox\Quarantine\catchme2008-01-27_150924.23.zip »ZIP »mljighh.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000 C:\QooBox\Quarantine\catchme2008-01-27_150924.23.zip »ZIP »wvpisdrl.dll Win32/Adware.SecToolbar application 00000000000000000000000000000000 C:\QooBox\Quarantine\C\Program Files\Common Files\CROSOF~1\javaw.exe.vir a variant of Win32/TrojanDownloader.PurityScan trojan 44E5B6B539F2C010A2CF178A5EE13D99 C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM~1\t?skmgr.exe.vir probably a variant of Win32/Adware.PurityScan application 9BA518468CD9E71D7E20625EC336E1D3 C:\QooBox\Quarantine\C\WINDOWS\system32\cmxhdifk.dll.vir Win32/Adware.SecToolbar application C14E5F50A699875EE450D728FAC70C63 C:\QooBox\Quarantine\C\WINDOWS\system32\fiikonba.dll.vir Win32/BHO.G trojan B8D6DCE30808595008D506B6FD13031B C:\QooBox\Quarantine\C\WINDOWS\system32\nwpifhlx.dll.vir Win32/BHO.G trojan B8D6DCE30808595008D506B6FD13031B C:\QooBox\Quarantine\C\WINDOWS\system32\pqp.dll.vir probably a variant of Win32/Adware.PurityScan application 41C9EB67231E159328F4B573FC065EAB C:\QooBox\Quarantine\C\WINDOWS\system32\ssliuesg.dll.vir Win32/Adware.SecToolbar application C14E5F50A699875EE450D728FAC70C63 C:\QooBox\Quarantine\C\WINDOWS\system32\tbmqplwl.dll.vir Win32/BHO.G trojan B8D6DCE30808595008D506B6FD13031B C:\QooBox\Quarantine\C\WINDOWS\system32\wvpisdrl.dll.vir Win32/Adware.SecToolbar application C14E5F50A699875EE450D728FAC70C63 C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx01\nGpxx011065.exe.vir a variant of Win32/TrojanDownloader.VB.AW trojan 904286C18D25DEA106779C616A1EDF22 C:\SDFix\backups\backups.zip Win32/TrojanDownloader.Agent.BLS trojan F44413B57EEADC4930AF9BE7A8206E81 C:\SDFix\backups\backups.zip »ZIP »backups/mrofinu1000106.exe Win32/TrojanDownloader.Agent.BLS trojan 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/mrofinu572.exe Win32/TrojanDownloader.Agent.BLS trojan 00000000000000000000000000000000 C:\WINDOWS\system\ctldlg32.dll a variant of Win32/Agent.MF trojan 37B6A2A056A259E29A3A930FE96C374B C:\WINDOWS\system32\5872\explorer.exe Win32/TrojanProxy.Agent.NBE trojan 6476079EAD4E1B30A0A3B961152E85B7

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 28 January 2008 - 08:44 PM

These should be the last deletions before the final cleanup procedures:



1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system\ctldlg32.dll

Folder::
C:\SDFix
C:\WINDOWS\system32\5872 

KillAll::
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#9 Medz

Medz

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 28 January 2008 - 11:03 PM

ComboFix 08-01-23.1C - Katie Tuttle 2008-01-28 21:57:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.243 [GMT -6:00]

Running from: C:\Documents and Settings\Katie Tuttle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Katie Tuttle\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE

C:\WINDOWS\system\ctldlg32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\RegDACL.exe
C:\SDFix\apps\regedit.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\SecPro1.reg
C:\SDFix\apps\SecPro2.reg
C:\SDFix\apps\SecPro3.reg
C:\SDFix\apps\SecPro4.reg
C:\SDFix\apps\SecurityProviders.reg
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\backups\attrib.exe
C:\SDFix\backups\backupreg.zip

C:\SDFix\backups\backups.zip

C:\SDFix\backups\catchme.zip
C:\SDFix\backups\find.exe
C:\SDFix\backups\findstr.exe
C:\SDFix\backups\HOSTS
C:\SDFix\backups\regedit.exe
C:\SDFix\catchme.exe
C:\SDFix\dummy.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url

C:\WINDOWS\system\ctldlg32.dll

C:\WINDOWS\system32\5872

C:\WINDOWS\system32\5872\explorer.exe


.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 21:01 . 2008-01-28 21:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-28 19:47 . 2008-01-28 20:12 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-01-27 14:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 14:42 . 2008-01-27 14:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 10:53 . 2008-01-27 10:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-27 10:52 . 2008-01-27 10:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 21:45 . 2004-03-29 19:48 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2008-01-24 21:45 . 2004-03-10 11:59 593,408 -----c--- C:\WINDOWS\system32\dllcache\xpsp2res.dll

2008-01-24 21:45 . 2003-03-31 06:00 548,864 --a------ C:\WINDOWS\system32\rtcdll.dll

2008-01-24 21:45 . 2003-03-31 06:00 548,864 --a--c--- C:\WINDOWS\system32\dllcache\rtcdll.dll
2008-01-24 21:45 . 2004-03-29 19:48 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-01-24 21:45 . 2004-03-29 19:48 253,440 --a------ C:\WINDOWS\system32\h323.tsp
2008-01-24 21:45 . 2004-03-29 19:48 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2008-01-24 21:30 . 2008-01-24 21:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-24 07:26 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-24 07:26 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-23 22:02 . 2008-01-23 22:02 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-23 20:27 . 2008-01-23 20:27 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-01-23 20:27 . 2008-01-23 20:28 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-23 20:25 . 2008-01-23 20:25 971 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-01-23 19:53 . 2008-01-23 19:53 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-04-18 03:10 21,249,848 ----a-w C:\Program Files\QuickTimeInstaller.exe
2006-04-11 01:23 5,175,696 ----a-w C:\Program Files\Firefox Setup 1.5.0.1.exe
2005-11-16 02:53 2,167,119 ----a-w C:\Program Files\dMC-r11[1].5.exe
2005-09-20 17:53 4,878,136 ----a-w C:\Program Files\Firefox Setup 1.0.7.exe
2005-08-13 15:42 9,000,041 ----a-w C:\Program Files\trillian-v3.1.exe
2005-06-19 14:38 700,120 ----a-w C:\Program Files\flashplayer7installer.exe
2005-06-17 16:46 4,827,968 ----a-w C:\Program Files\Firefox Setup 1.0.4.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_15.11.23.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 20:57:54 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-29 03:57:12 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-27 20:57:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-29 03:57:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

- 2008-01-27 20:57:54 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-29 03:57:12 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-27 20:57:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-29 03:57:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-27 20:57:55 5,459,968 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

+ 2008-01-29 03:57:12 5,595,136 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

- 2008-01-27 20:57:55 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-29 03:57:12 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

- 2008-01-27 19:43:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-01-29 04:01:04 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-01-27 19:43:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-01-29 04:01:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-27 19:43:12 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-29 04:01:04 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-03 00:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-03 00:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 22:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 17:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 17:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
- Show quoted text -

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 23:00 335872]
"CreateCD_Reminder"="C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe" [2003-08-25 11:49 53248]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 18:32 1409024]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 19:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 23:08 28672]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2007-02-11 22:29 380928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-17 21:11 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-27 08:11:13 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-03-06 19:08:16 217088]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 16:08:08 57344]


.
Contents of the 'Scheduled Tasks' folder

"2008-01-28 03:43:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-28 22:01:30

Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Completion time: 2008-01-28 22:04:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 04:04:09
ComboFix2.txt 2008-01-28 03:04:16
ComboFix3.txt 2008-01-27 21:11:54
.
2008-01-29 03:01:30 --- E O F ---


hjt:


Logfile of HijackThis v1.99.1

Scan saved at 10:17:35 PM, on 1/28/2008
- Show quoted text -

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Katie Tuttle\Application Data\Mozilla\Profiles\default\mke67zip.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 28 January 2008 - 11:15 PM

Your log looks clean. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations.

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#11 Medz

Medz

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 28 January 2008 - 11:23 PM

Nothing I am aware of, everything looks clean on my end.

#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 29 January 2008 - 10:11 AM

Congratulations, your logs look CLEAN

There are a few things you must do once you system is completely clean:

Time for some housekeeping
  • A. Please DELETE the following folder and all its content from your system: C:\SDFix

    B. Go to Posted Image -> Run -> copy/paste in the following single line command & click OK


    combofix /u


    Posted Image

    This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

    Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

    • Microsoft Windows Update - http://www.windowsupdate.com
      Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • SpywareBlaster to help prevent spyware from installing in the first place.[list]Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#13 Medz

Medz

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 29 January 2008 - 10:30 AM

Awesome, thank you SO MUCH for your time Trevuren, you are a life saver!

#14 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 29 January 2008 - 11:37 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users