Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91703 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] NEED Hijack log help PLEASE ANDTHANK YOU.


  • This topic is locked This topic is locked
47 replies to this topic

#1 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 02 April 2008 - 01:37 PM

Hello and thanks! I've run Spybot, Adaware and Stinger, and removed many programs already, still has issues. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 2:24:08 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\PPATCH~1\dvdplay.exe
C:\Documents and Settings\Barney\My Documents\?ystem32\cmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hijackthis\Analyze.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messenger...orum/portal.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4C49BDB9-0427-0BAE-061B-2800B6C98CB2} - C:\WINDOWS\system32\bkhm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\PPATCH~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Wgxrz] "C:\Documents and Settings\Barney\Application Data\?icrosoft\winlogon.exe"
O4 - HKCU\..\Run: [Pilswqh] C:\WINDOWS\F?nts\spool32.exe
O4 - HKCU\..\Run: [Qwvmocbd] "C:\Documents and Settings\Barney\My Documents\?ystem32\cmd.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...p;noreloadredir
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165524748756
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v45/sol/sol.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v46/wof/wof.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    Advertisements

Register to Remove


#2 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 02 April 2008 - 06:31 PM

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

  • Save and quit any work your doing before beginning the fix.
  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!



____________________________________________________-
It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found
here

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Should you decide to clean this machine start by doing the following.





______________________________
RUN HJT

HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...p;noreloadredir
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)


Close that.

__________________________________




1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop

http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

2. Click start/run and copy and Paste this in exactly using the picture below for reference:

"%userprofile%\desktop\combofix.exe" /killall


Posted Image

3. Combo will begin to run DO NOTHING while this is happeneing.
  • It will kill a few processes and disconnect you from the internet.
  • If by chance it stops prematurly you can re-establish your internet connection by restarting your computer.
  • This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.

If when it's completed you can not get on the internet just reboot the computer

Post the log from comboFix for me located in
c:\comboFix.txt




_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.


C:\WINDOWS\system32\bkhm.dll


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

_________________________________




You need to update SunJava for security reasons.
Updating Java:
Download the latest version of
Java Runtime Environment (JRE) 6 Update5

  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5
    ... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe
    to install the newest version.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • The report from Jottis/virus total

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#3 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 02 April 2008 - 07:23 PM

OK, deleted the stuff in HJT you said, downloaded and ran combofix from a disc, now I get NO shortcuts on the desktop, nor any toolbars. I'm doing this on a laptop that's not connected to the internet, writing from my desktop. I still get the wallpaper, but no icons, can't do anything with it. Thanks, Steve W.

#4 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 03 April 2008 - 05:32 AM

downloaded and ran combofix from a disc,


I'm not 100% that this was the cause, but you must follow directions as I write them. Nothing was said about running combofix from a disk.



_____________________________
Task Manager
I would like you to open the task manager by pressing simeltaniously
Ctrl+Shift+Esc or cntrl /alt/delete
then go to the Applications tab and click on New Task

type in exactly

explorer.exe

click OK.

If that works place comboFix on the desktop from what ever disk you saved it on.

Please try this again.



_________________________________________________
1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop

http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

2. Click start/run and copy and Paste this in exactly using the picture below for reference:

"%userprofile%\desktop\combofix.exe" /killall


Posted Image

3. Combo will begin to run DO NOTHING while this is happeneing.
  • It will kill a few processes and disconnect you from the internet.
  • If by chance it stops prematurly you can re-establish your internet connection by restarting your computer.
  • This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.

If when it's completed you can not get on the internet just reboot the computer

Post the log from comboFix for me located in
c:\comboFix.txt

________________________________-

If that work please continue with the rest of the fix.

Edited by bob4, 03 April 2008 - 05:42 AM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#5 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 03 April 2008 - 10:28 AM

Sorry, the laptop has been useless on the internet, so I've had to dowload on this computer and transfer programs over there.
Got the normal desktop back. Now it contains a "catchme.zip" file that wasn't there before. Anyway, here's the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:07, on 2008-04-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messenger...orum/portal.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Wgxrz] "C:\Documents and Settings\Barney\Application Data\?icrosoft\winlogon.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\PPATCH~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Qwvmocbd] "C:\Documents and Settings\Barney\My Documents\?ystem32\cmd.exe"
O4 - HKCU\..\Run: [Pilswqh] C:\WINDOWS\F?nts\spool32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165524748756
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v45/sol/sol.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v46/wof/wof.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe


ComboFix 08-04-02.1 - Barney 2008-04-02 20:09:00.1 - NTFSx86

Running from: C:\Documents and Settings\Barney\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Barney\Application Data\CURITY~1
C:\Documents and Settings\Barney\Application Data\DOBE~1
C:\Documents and Settings\Barney\Application Data\FNTS~1
C:\Documents and Settings\Barney\Application Data\ICROSO~1
C:\Documents and Settings\Barney\Application Data\WNSXS~1
C:\Documents and Settings\Barney\Application Data\YSTEM~1
C:\Documents and Settings\Barney\My Documents\APPATC~1
C:\Documents and Settings\Barney\My Documents\MCROSO~1.NET
C:\Documents and Settings\Barney\My Documents\YSTEM3~1
C:\Documents and Settings\Barney\My Documents\YSTEM3~1\cmd.exe
C:\Program Files\Common Files\{2DEC7~1
C:\Program Files\Common Files\{2DEC7~1\system.dll
C:\Program Files\Common Files\{2DEC7~2
C:\Program Files\Common Files\{2DEC7~2\system.dll
C:\Program Files\Common Files\{3DEC7~1
C:\Program Files\Common Files\{3DEC7~1\Bar888.dll
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\ecurit~1
C:\temp\tn3
C:\WINDOWS\b136.exe
C:\WINDOWS\crosof~1
C:\WINDOWS\fnts~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~1\??pPatch\
C:\WINDOWS\ppatch~1\dvdplay.exe
C:\WINDOWS\ppatch~2
C:\WINDOWS\system32\_000026_.tmp.dll
C:\WINDOWS\system32\_003132_.tmp.dll
C:\WINDOWS\system32\_003133_.tmp.dll
C:\WINDOWS\system32\_003134_.tmp.dll
C:\WINDOWS\system32\_003135_.tmp.dll
C:\WINDOWS\system32\_003142_.tmp.dll
C:\WINDOWS\system32\_003143_.tmp.dll
C:\WINDOWS\system32\_003144_.tmp.dll
C:\WINDOWS\system32\_003145_.tmp.dll
C:\WINDOWS\system32\_003147_.tmp.dll
C:\WINDOWS\system32\_003148_.tmp.dll
C:\WINDOWS\system32\_003151_.tmp.dll
C:\WINDOWS\system32\_003152_.tmp.dll
C:\WINDOWS\system32\_003154_.tmp.dll
C:\WINDOWS\system32\_003155_.tmp.dll
C:\WINDOWS\system32\_003156_.tmp.dll
C:\WINDOWS\system32\_003158_.tmp.dll
C:\WINDOWS\system32\_003159_.tmp.dll
C:\WINDOWS\system32\_003161_.tmp.dll
C:\WINDOWS\system32\_003165_.tmp.dll
C:\WINDOWS\system32\_003166_.tmp.dll
C:\WINDOWS\system32\_003168_.tmp.dll
C:\WINDOWS\system32\_003171_.tmp.dll
C:\WINDOWS\system32\_003173_.tmp.dll
C:\WINDOWS\system32\_003174_.tmp.dll
C:\WINDOWS\system32\_003175_.tmp.dll
C:\WINDOWS\system32\_003176_.tmp.dll
C:\WINDOWS\system32\_003177_.tmp.dll
C:\WINDOWS\system32\_003180_.tmp.dll
C:\WINDOWS\system32\_003182_.tmp.dll
C:\WINDOWS\system32\_003183_.tmp.dll
C:\WINDOWS\system32\_003184_.tmp.dll
C:\WINDOWS\system32\_003188_.tmp.dll
C:\WINDOWS\system32\_003190_.tmp.dll
C:\WINDOWS\system32\bkhm.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\wtsisvit32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLIENT_IP-IPX
-------\Legacy_CMDSERVICE
-------\Legacy_CORE
-------\Legacy_NETWORK_MONITOR
-------\Service_Client IP-IPX
-------\Service_core


((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

#6 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 03 April 2008 - 12:04 PM

Good job. :thumbup:
Just a heads up anythime your computer does what it had done last time .(no icons /toolbars on the desktop] try starting explorer.exe using task manager or just reboot the machine. :popcorn:

Catchme.zip is part of comboFix. Don't worry about it right now.

Please repost the combofix log as it looks like it has got cut off a bunch.

Please don't run combofix again for the log. I need the first one before we move on.

Location: c:combofix.txt.





______________________________
RUN HJT

HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O4 - HKCU\..\Run: [Wgxrz] "C:\Documents and Settings\Barney\Application Data\?icrosoft\winlogon.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\PPATCH~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Qwvmocbd] "C:\Documents and Settings\Barney\My Documents\?ystem32\cmd.exe"
O4 - HKCU\..\Run: [Pilswqh] C:\WINDOWS\F?nts\spool32.exe

Close that.






_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#7 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 03 April 2008 - 02:06 PM

Hey, and Thanks, here's the info:

Logfile of HijackThis v1.99.1
Scan saved at 14:49, on 2008-04-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messenger...orum/portal.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165524748756
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v45/sol/sol.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v46/wof/wof.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinn...sol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe



ComboFix 08-04-02.1 - Barney 2008-04-02 20:09:00.1 - NTFSx86

Running from: C:\Documents and Settings\Barney\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Barney\Application Data\CURITY~1
C:\Documents and Settings\Barney\Application Data\DOBE~1
C:\Documents and Settings\Barney\Application Data\FNTS~1
C:\Documents and Settings\Barney\Application Data\ICROSO~1
C:\Documents and Settings\Barney\Application Data\WNSXS~1
C:\Documents and Settings\Barney\Application Data\YSTEM~1
C:\Documents and Settings\Barney\My Documents\APPATC~1
C:\Documents and Settings\Barney\My Documents\MCROSO~1.NET
C:\Documents and Settings\Barney\My Documents\YSTEM3~1
C:\Documents and Settings\Barney\My Documents\YSTEM3~1\cmd.exe
C:\Program Files\Common Files\{2DEC7~1
C:\Program Files\Common Files\{2DEC7~1\system.dll
C:\Program Files\Common Files\{2DEC7~2
C:\Program Files\Common Files\{2DEC7~2\system.dll
C:\Program Files\Common Files\{3DEC7~1
C:\Program Files\Common Files\{3DEC7~1\Bar888.dll
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\ecurit~1
C:\temp\tn3
C:\WINDOWS\b136.exe
C:\WINDOWS\crosof~1
C:\WINDOWS\fnts~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~1\??pPatch\
C:\WINDOWS\ppatch~1\dvdplay.exe
C:\WINDOWS\ppatch~2
C:\WINDOWS\system32\_000026_.tmp.dll
C:\WINDOWS\system32\_003132_.tmp.dll
C:\WINDOWS\system32\_003133_.tmp.dll
C:\WINDOWS\system32\_003134_.tmp.dll
C:\WINDOWS\system32\_003135_.tmp.dll
C:\WINDOWS\system32\_003142_.tmp.dll
C:\WINDOWS\system32\_003143_.tmp.dll
C:\WINDOWS\system32\_003144_.tmp.dll
C:\WINDOWS\system32\_003145_.tmp.dll
C:\WINDOWS\system32\_003147_.tmp.dll
C:\WINDOWS\system32\_003148_.tmp.dll
C:\WINDOWS\system32\_003151_.tmp.dll
C:\WINDOWS\system32\_003152_.tmp.dll
C:\WINDOWS\system32\_003154_.tmp.dll
C:\WINDOWS\system32\_003155_.tmp.dll
C:\WINDOWS\system32\_003156_.tmp.dll
C:\WINDOWS\system32\_003158_.tmp.dll
C:\WINDOWS\system32\_003159_.tmp.dll
C:\WINDOWS\system32\_003161_.tmp.dll
C:\WINDOWS\system32\_003165_.tmp.dll
C:\WINDOWS\system32\_003166_.tmp.dll
C:\WINDOWS\system32\_003168_.tmp.dll
C:\WINDOWS\system32\_003171_.tmp.dll
C:\WINDOWS\system32\_003173_.tmp.dll
C:\WINDOWS\system32\_003174_.tmp.dll
C:\WINDOWS\system32\_003175_.tmp.dll
C:\WINDOWS\system32\_003176_.tmp.dll
C:\WINDOWS\system32\_003177_.tmp.dll
C:\WINDOWS\system32\_003180_.tmp.dll
C:\WINDOWS\system32\_003182_.tmp.dll
C:\WINDOWS\system32\_003183_.tmp.dll
C:\WINDOWS\system32\_003184_.tmp.dll
C:\WINDOWS\system32\_003188_.tmp.dll
C:\WINDOWS\system32\_003190_.tmp.dll
C:\WINDOWS\system32\bkhm.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\wtsisvit32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLIENT_IP-IPX
-------\Legacy_CMDSERVICE
-------\Legacy_CORE
-------\Legacy_NETWORK_MONITOR
-------\Service_Client IP-IPX
-------\Service_core


((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

#8 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 03 April 2008 - 05:54 PM

Well something went south with combo if that's all the log it has.

Let's try again.




1. Click start/run and copy and Paste this in exactly using the picture below for reference:

"%userprofile%\desktop\combofix.exe" /killall


Posted Image

2. Combo will begin to run DO NOTHING while this is happeneing.
  • It will kill a few processes and disconnect you from the internet.
  • If by chance it stops prematurly you can re-establish your internet connection by restarting your computer.
  • This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.

If when it's completed you can not get on the internet just reboot the computer

Post the log from comboFix for me located in
c:\comboFix.txt
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#9 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 04 April 2008 - 05:59 AM

OK, this looks a little longer:

ComboFix 08-04-02.1 - Barney 2008-04-04 6:37:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.294 [GMT -5:00]
Running from: C:\Documents and Settings\Barney\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Barney\Application Data\CURITY~1
C:\Documents and Settings\Barney\Application Data\DOBE~1
C:\Documents and Settings\Barney\Application Data\FNTS~1
C:\Documents and Settings\Barney\Application Data\ICROSO~1
C:\Documents and Settings\Barney\Application Data\WNSXS~1
C:\Documents and Settings\Barney\Application Data\YSTEM~1
C:\Documents and Settings\Barney\My Documents\APPATC~1
C:\Documents and Settings\Barney\My Documents\MCROSO~1.NET
C:\Documents and Settings\Barney\My Documents\YSTEM3~1
C:\Documents and Settings\Barney\My Documents\YSTEM3~1\cmd.exe
C:\Program Files\Common Files\{2DEC7~1
C:\Program Files\Common Files\{2DEC7~1\system.dll
C:\Program Files\Common Files\{2DEC7~2
C:\Program Files\Common Files\{2DEC7~2\system.dll
C:\Program Files\Common Files\{3DEC7~1
C:\Program Files\Common Files\{3DEC7~1\Bar888.dll
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\ecurit~1
C:\temp\tn3
C:\WINDOWS\b136.exe
C:\WINDOWS\crosof~1
C:\WINDOWS\fnts~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~1\??pPatch\
C:\WINDOWS\ppatch~1\dvdplay.exe
C:\WINDOWS\ppatch~2
C:\WINDOWS\system32\_000026_.tmp.dll
C:\WINDOWS\system32\_003132_.tmp.dll
C:\WINDOWS\system32\_003133_.tmp.dll
C:\WINDOWS\system32\_003134_.tmp.dll
C:\WINDOWS\system32\_003135_.tmp.dll
C:\WINDOWS\system32\_003142_.tmp.dll
C:\WINDOWS\system32\_003143_.tmp.dll
C:\WINDOWS\system32\_003144_.tmp.dll
C:\WINDOWS\system32\_003145_.tmp.dll
C:\WINDOWS\system32\_003147_.tmp.dll
C:\WINDOWS\system32\_003148_.tmp.dll
C:\WINDOWS\system32\_003151_.tmp.dll
C:\WINDOWS\system32\_003152_.tmp.dll
C:\WINDOWS\system32\_003154_.tmp.dll
C:\WINDOWS\system32\_003155_.tmp.dll
C:\WINDOWS\system32\_003156_.tmp.dll
C:\WINDOWS\system32\_003158_.tmp.dll
C:\WINDOWS\system32\_003159_.tmp.dll
C:\WINDOWS\system32\_003161_.tmp.dll
C:\WINDOWS\system32\_003165_.tmp.dll
C:\WINDOWS\system32\_003166_.tmp.dll
C:\WINDOWS\system32\_003168_.tmp.dll
C:\WINDOWS\system32\_003171_.tmp.dll
C:\WINDOWS\system32\_003173_.tmp.dll
C:\WINDOWS\system32\_003174_.tmp.dll
C:\WINDOWS\system32\_003175_.tmp.dll
C:\WINDOWS\system32\_003176_.tmp.dll
C:\WINDOWS\system32\_003177_.tmp.dll
C:\WINDOWS\system32\_003180_.tmp.dll
C:\WINDOWS\system32\_003182_.tmp.dll
C:\WINDOWS\system32\_003183_.tmp.dll
C:\WINDOWS\system32\_003184_.tmp.dll
C:\WINDOWS\system32\_003188_.tmp.dll
C:\WINDOWS\system32\_003190_.tmp.dll
C:\WINDOWS\system32\bkhm.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\wtsisvit32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLIENT_IP-IPX
-------\Legacy_CMDSERVICE
-------\Legacy_CORE
-------\Legacy_NETWORK_MONITOR
-------\Service_Client IP-IPX
-------\Service_core


((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-03 16:40 . 2008-04-03 16:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 16:40 . 2008-04-03 16:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-02 20:13 . 2008-04-04 06:47 <DIR> d-------- C:\TEMP
2008-04-02 18:42 . 2008-04-02 18:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-01 17:35 . 2008-04-01 17:35 <DIR> d-------- C:\Documents and Settings\Barney\Application Data\Lavasoft
2008-04-01 16:58 . 2008-04-01 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 17:00 --------- d-----w C:\Documents and Settings\Barney\Application Data\AVG7
2008-04-01 21:42 --------- d-----w C:\Program Files\GameHouse
2008-04-01 21:35 --------- d-----w C:\Program Files\Yahoo! Games
2008-04-01 21:22 --------- d-----w C:\Program Files\ACT
2008-03-06 16:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2005-11-02 21:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\QmFybmV5\kAIVvApc.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2003-08-07 05:00 196096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03 49263]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-17 23:29 155648]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-05 10:07 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-05 10:07 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS [2003-05-06 14:46]
S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d240440-b6ce-11db-b19b-0004238b97ff}]
\Shell\AutoRun\command - F:\Installer.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 06:47:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-04-04 6:50:52 - machine was rebooted [Barney]
ComboFix-quarantined-files.txt 2008-04-04 11:50:47
Pre-Run: 45,619,863,552 bytes free
Post-Run: 45,639,770,112 bytes free
.
2008-02-23 09:06:10 --- E O F ---

#10 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 04 April 2008 - 09:27 AM

Looking much better.


[*] It doesn't look as if you updated Java as posted before. We probably got side tracked .


You need to update SunJava for security reasons.
Updating Java:
Download the latest version of
Java Runtime Environment (JRE) 6 Update5

  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5
    ... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe
    to install the newest version.




___________________________________________
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you
in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open. Please post the contents of that log.







________________________________________
Open notepad and copy/paste the text in the quotebox below into it:




DirLook:: 
C:\WINDOWS\QmFybmV5


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.







______________________________________________
Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Registry function to clean anything with this program. Having anything auto clean your regisrty is risky).


_________________________________

Using Internet Explorer, please do a Kaspersky Online Scan

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure as follows: [list]
  • Scan using the following Anti-Virus database:
    [list]
  • Extended
    [list]
  • Scan Options:[list]
  • Scan Archives
  • Scan Mail Bases

  • Click OK & have it scan My Computer
  • Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.

Click save report as

Posted Image

[*] Click the Save as Text button to save the file to your desktop and post it in your next reply
Posted Image


Turn off the real time scanner of any existing antivirus program while performing the online scan





_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • The report from CF_RC.txt
  • The report from Kasperskys

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

    Advertisements

Register to Remove


#11 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 04 April 2008 - 11:43 AM

Wow, another problem. Ran Ccleaner, but now I can't dial-out to internet after restart. Pops open "Can't dial now error 0", also can't open the modem properties in control panel. Says can't open, may have problems with connection.

#12 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 04 April 2008 - 12:35 PM

Let's try the simple thing first. Reboot the computer and check the connection again.

Was there a password for the dial up connection that maybe ccleaner removed ?

If not:


Check this:

right click My computer choose properties/hardware/device manager

Look to see that your modem is listed in there and that it is working correctly. It will be listed under Modems.

Do you have a drivers disk that may have come with the computer/modem ?

Let me know please.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#13 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 04 April 2008 - 02:32 PM

Worse than I thought. The Device manager is blank, shows nothing and the modem won't dialout. I rebooted and it has reverted to the original (I guess) windows background and all my picture files, links, etc. don't show-up on the desktop, only a handful of icons that were probably original. I've tried multiple restarts, diagnostic and safe restarts and still it's the same. Might try restore next....... Thanks, Steve W.

#14 steve1147

steve1147

    Authentic Member

  • Authentic Member
  • PipPip
  • 59 posts

Posted 04 April 2008 - 02:32 PM

PS, and no I don't have any of the original discs.

#15 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 04 April 2008 - 03:40 PM

Oh boy, this isn't sounding good at all Steve. :pullhair: Please try system restore. Go back 1 day at a time if you can. I know that combofix has set a new restore point as it does this as a safety measure.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users