[Closed] Trojan:Win32/Conhook.D Infection


5 replies to this topic

#1 MarkedMan (New Member, 2 posts)

Posted 24 April 2008 - 01:17 PM

Hi,
I ran across several topics for removing Trojan:Win32/Conhook.D infections.

I have Windows Defender installed and it identified the bug in the first place but would not remove it. After reading the posts I followed the instructions, so this is what I have done so far:

Booted to Safe mode
Ran ATF and cleaned everything
Installed HijackThis
Installed Combofix
Ran Combofix (log below)
Combofix rebooted into Normal mode
Ran HijackThis (log below)

ComboFix found 'Anti Spyware Master' that was identified by Windows Defender and removed what appears to be the associated files. I am looking for further analysis of the log files to validate if the machine is clean. IE7 is running much better at this point.
Thanks in advance,
MarkedMan

ComboFix 08-04-22.5 - Administrator 2008-04-24 11:48:45.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.772 [GMT -7:00]
Running from: C:\MIS\Spyware Clean\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiSpywareMaster
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\geBtQijj.dll
C:\WINDOWS\system32\gjyemltk.dll
C:\WINDOWS\system32\khfDsRHX.dll
C:\WINDOWS\system32\ktlmeyjg.ini
C:\WINDOWS\system32\misfwpkp.ini
C:\WINDOWS\system32\piqnvrfp.dll
C:\WINDOWS\system32\pkpwfsim.dll
C:\WINDOWS\system32\wvUnMeBR.dll
C:\WINDOWS\system32\wvUonnMc.dll
C:\WINDOWS\system32\XHRsDfhk.ini
C:\WINDOWS\system32\XHRsDfhk.ini2
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 11:43 . 2008-04-24 11:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 11:43 . 2008-04-24 11:43 <DIR> d-------- C:\MIS
2008-04-23 14:55 . 2007-06-28 08:43 <DIR> d--h----- C:\Documents and Settings\mark.levy\Application Data\Gtek
2008-04-23 14:55 . 2007-05-17 12:49 <DIR> d-------- C:\Documents and Settings\mark.levy\Application Data\ATI
2008-04-23 14:55 . 2008-04-24 11:57 1,024 --ah----- C:\Documents and Settings\mark.levy\ntuser.dat.LOG
2008-04-23 14:54 . 2008-04-23 14:55 <DIR> d-------- C:\Documents and Settings\mark.levy
2008-04-22 15:40 . 2008-04-22 15:40 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-22 13:21 . 2008-04-23 14:56 109,738 --a------ C:\WINDOWS\BM4f11da52.xml
2008-04-22 13:08 . 2008-04-22 13:08 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-22 13:08 . 2008-04-22 13:08 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-04-22 13:08 . 2008-04-22 13:12 37,376 --a------ C:\WINDOWS\mrofinu572.exe
2008-04-22 13:07 . 2008-04-22 13:10 <DIR> d-------- C:\Quarantine
2008-04-03 09:34 . 2008-04-03 09:34 88,475 --a------ C:\2008 Cell_phone_FAQ[1].pdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 22:53 --------- d-----w C:\Program Files\Yahoo!
2008-04-22 22:50 --------- d-----w C:\Documents and Settings\Lisa.Milanes\Application Data\Yahoo!
2008-04-22 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-07 18:36 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 08:12 90112]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-10 18:07 136768]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-01-24 20:50 111952]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 09:57 245760]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQijj]
geBtQijj.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c22e9ce]
C:\WINDOWS\system32\pkpwfsim.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f11da52]
C:\WINDOWS\system32\piqnvrfp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2007-05-17 12:13 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 03:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 18:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 14:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 14:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
--a------ 2008-04-22 13:12 37376 C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2006-05-01 00:07 843776 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-14 01:45]
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 17:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 18:59:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 11:58:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-04-24 12:01:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 19:01:25

Pre-Run: 63,449,313,280 bytes free
Post-Run: 62,563,069,952 bytes free

140 --- E O F --- 2008-04-24 17:43:20

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:35 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://misnts18.dals...W2/arviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1183045324281
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = it.maxim-ic.internal
O17 - HKLM\Software\..\Telephony: DomainName = it.maxim-ic.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = it.maxim-ic.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = it.maxim-ic.internal,maxim-ic.internal,maximhq.com,mxim.com,dalsemi.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = it.maxim-ic.internal,maxim-ic.internal,maximhq.com,mxim.com,dalsemi.com
O20 - Winlogon Notify: geBtQijj - geBtQijj.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6399 bytes



#2 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 28 April 2008 - 04:53 AM

Hi MarkedMan,

It looks like ComboFix has stopped the infection from running, but your machine is not yet clean. For future reference, it's very dangerous to run tools like ComboFix without supervision, because if used incorrectly it can cause major system problems.

Before continuing, can you tell me if this is a work computer? If so, I need to confirm whether it's OK to fix the machine - in many organizations the IT Department are the only people authorized to make system changes. If the answer is no or you aren't sure then please do not proceed with the instructions.

------------------------------------------------------------------------

Temporarily disable Windows Defender:
  • Right-click on the Windows Defender icon in the system tray and select Open
  • Click on Tools from the top menu, then press Options
  • Scroll down to Real-time protection options, uncheck Use real-time protection and press Save
  • Close Windows Defender

------------------------------------------------------------------------

Backup Your Registry:
  • Download ERUNT to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click erunt-setup.exe and follow the prompts to install the program
  • When asked if you wish to Create an ERUNT entry in the Startup folder say No
  • ERUNT should start automatically, if it does not then click Start->All Programs->ERUNT->ERUNT
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\WINDOWS\mrofinu572.exe.tmp
    C:\WINDOWS\mrofinu572.exe
    purity
    EmptyTemp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c22e9ce
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f11da52
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQijj
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2
------------------------------------------------------------------------

Clean with MalwareBytes' Anti-Malware
  • Please download the Installer to your Desktop from here:
    http://www.besttechi.../mbam-setup.exe
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to both of these options:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure everything is checked, and click Remove Selected.
  • When finished, a log will open in Notepad. Please save it to your Desktop, and post the contents in your reply.
  • The log can also be found here if you need it:
    • Start->All Programs->Malwarebytes' Anti-Malware->Logs

------------------------------------------------------------------------

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your Desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

------------------------------------------------------------------------

Once complete, please post the OTMoveIt report, the MalwareBytes Antimalware report, the uninstall list and a new HijackThis log.
ASAP & UNITE Member
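The reasoning behind "stopped the infection from running, but not yet clean" can be checked mechanically against the ComboFix log in the first post: the DLLs listed under "Other Deletions" are still referenced from the Winlogon Notify subkey and the msconfig startupreg keys under "Reg Loading Points", and those are exactly the keys on the OTMoveIt list. The following Python is an added example written for this page; it is not part of ComboFix, HijackThis or OTMoveIt. The sample log is a trimmed, constructed copy of the log posted above (same paths and keys, other sections left out). The script parses the two sections and lists every load point whose target is a deleted file, sits under a deleted folder, or (for bare module names) shares a file name with a deleted file; that last rule is an assumption about how Winlogon Notify entries are stored, based on the geBtQijj key in this thread.

```python
# Added example: cross-check a ComboFix log for registry load points that still
# reference files ComboFix listed under "Other Deletions".
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: a trimmed copy of the ComboFix log posted in this thread,
# keeping only the two sections this script reads.
SAMPLE_COMBOFIX = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\AntiSpywareMaster
C:\WINDOWS\system32\geBtQijj.dll
C:\WINDOWS\system32\piqnvrfp.dll
C:\WINDOWS\system32\pkpwfsim.dll
E:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 08:12 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQijj]
geBtQijj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c22e9ce]
C:\WINDOWS\system32\pkpwfsim.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f11da52]
C:\WINDOWS\system32\piqnvrfp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
--a------ 2008-04-22 13:12 37376 C:\WINDOWS\mrofinu572.exe
.
Contents of the 'Scheduled Tasks' folder
"""

SECTION_RE = re.compile(r"^\(+ (?P<title>.+?) \)+$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')  # "Name"="C:\..\x.exe" [..]
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\[^\[\]]*?\.(?:exe|dll|sys|scr|com))(?=\s|$)", re.I)
BARE_RE = re.compile(r"^(?P<file>[\w.-]+\.(?:exe|dll))$", re.I)  # Winlogon Notify style

@dataclass(frozen=True)
class LoadPoint:
    key: str     # registry key the entry lives under
    name: str    # value name, "" where ComboFix printed the path on its own line
    target: str  # full path, or a bare module name Windows resolves from system32

def parse_combofix(text: str) -> Tuple[Set[str], List[LoadPoint]]:
    """Return (paths under 'Other Deletions', load points under 'Reg Loading Points')."""
    deleted: Set[str] = set()
    loadpoints: List[LoadPoint] = []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section, key = sm.group("title"), None
        elif section == "Other Deletions":
            deleted.add(line)
        elif section == "Reg Loading Points":
            km = KEY_RE.match(line)
            if line.startswith("Contents of") or re.match(r"^[RS]\d ", line):
                section = None  # driver list / scheduled tasks follow the registry keys
            elif km:
                key = km.group("key")
            elif key is None:
                continue  # the REGEDIT4 header and the *Note* line
            elif (vm := VALUE_RE.match(line)):
                loadpoints.append(LoadPoint(key, vm.group("name"), vm.group("path")))
            elif (pm := PATH_RE.search(line)):
                loadpoints.append(LoadPoint(key, "", pm.group("path")))
            elif (bm := BARE_RE.match(line)):
                loadpoints.append(LoadPoint(key, "", bm.group("file")))
    return deleted, loadpoints

def orphaned_loadpoints(deleted: Set[str], loadpoints: List[LoadPoint]) -> List[LoadPoint]:
    """Load points whose target is gone: same path, under a deleted folder, or (bare
    module names only) same file name. The last rule assumes Winlogon Notify entries
    store just the DLL name, as the geBtQijj key in this thread does."""
    gone = {d.lower() for d in deleted}
    gone_names = {d.rsplit("\\", 1)[-1].lower() for d in deleted}
    return [lp for lp in loadpoints
            if lp.target.lower() in gone
            or any(lp.target.lower().startswith(d + "\\") for d in gone)
            or ("\\" not in lp.target and lp.target.lower() in gone_names)]

if __name__ == "__main__":
    for lp in orphaned_loadpoints(*parse_combofix(SAMPLE_COMBOFIX)):
        print(f"orphaned load point: [{lp.key}] -> {lp.target}")
```

Run stand-alone it reports three orphaned keys: the winlogon\notify\geBtQijj subkey and the 4c22e9ce and BM4f11da52 startupreg entries, the same three registry keys on the OTMoveIt list. The runner1 entry is not reported because ComboFix never deleted C:\WINDOWS\mrofinu572.exe, which is why that file is listed for OTMoveIt by name rather than being caught by this cross-check.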

#3 MarkedMan (New Member, 2 posts)

Posted 28 April 2008 - 11:28 AM

Silver,
Thanks for the advice about ComboFix. I am with the IT department here, I am fixing this for a user. None of our stock tools would take care of it so I went searching on the web and found you guys. I have used ComboFix once before but am by no means an expert. Below are the logs you asked for.
Thanks for the help, you guys are great for doing this kind of stuff. Where can I get more info on getting some training on how to use ComboFix?
Thanks,
MarkedMan

*******************************************************************************

OTMoveIT Log:
File/Folder C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe not found.
File/Folder C:\WINDOWS\mrofinu572.exe.tmp not found.
File/Folder C:\WINDOWS\mrofinu572.exe not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11153.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11154.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11155.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11156.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11157.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11158.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11159.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11160.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11161.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11162.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11163.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11164.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11165.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11167.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11168.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11169.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\newtb1handler.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\Perflib_Perfdata_798.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\Perflib_Perfdata_8e4.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\Perflib_Perfdata_db4.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\proxystop-tblauncher.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\tblauncher.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\toolbox_healer11166.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\~DFF211.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c22e9ce >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c22e9ce\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f11da52 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f11da52\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQijj >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQijj\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_094746

Files moved on Reboot...
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11153.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11154.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11155.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11156.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11157.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11158.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11159.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11160.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11161.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11162.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11163.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11164.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11165.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11167.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11168.tmp not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\jar_cache11169.tmp not found!
C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\newtb1handler.log moved successfully.
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\Perflib_Perfdata_798.dat not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\Perflib_Perfdata_8e4.dat not found!
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\Perflib_Perfdata_db4.dat not found!
C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\proxystop-tblauncher.log moved successfully.
C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\tblauncher.log moved successfully.
C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\toolbox_healer11166.log moved successfully.
File C:\DOCUME~1\LISA~1.MIL\LOCALS~1\Temp\~DFF211.tmp not found!

*******************************************************************************

Malware Bytes Log:
Malwarebytes' Anti-Malware 1.11
Database version: 693

Scan type: Quick Scan
Objects scanned: 41168
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*******************************************************************************

Uninstall List:
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
ATI Catalyst Control Center
ATI Display Driver
Broadcom Management Programs
Drive Manager
Drive Manager
ERUNT 1.1j
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
HP Color LaserJet 2820/2830/2840 2.0
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Software Update
Java 2 Runtime Environment, SE v1.4.2_03
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2003 Web Components
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
PowerDVD 5.7
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sonic Update Manager
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VNC 4.0
Windows Defender
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinZip
Yahoo! Internet Mail
Yahoo! Messenger

*******************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:51 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maximnet.maxim-ic.internal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O1 - Hosts: 172.18.45.165 NPIA1D648
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://misnts18.dals...W2/arviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1183045324281
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = it.maxim-ic.internal
O17 - HKLM\Software\..\Telephony: DomainName = it.maxim-ic.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = it.maxim-ic.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = it.maxim-ic.internal,maxim-ic.internal,maximhq.com,mxim.com,dalsemi.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = it.maxim-ic.internal,maxim-ic.internal,maximhq.com,mxim.com,dalsemi.com
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7016 bytes

#4 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 28 April 2008 - 07:35 PM

Hi MarkedMan,

Information on ComboFix is restricted to authorized helpers in the security community. The developer has done this with users' safety in mind, because it is a very powerful tool which is dangerous if misused. If you complete the training course here at the WhatTheTech Classroom, or one of the other schools, you will be trained in and be given information on ComboFix. However, the training course is not intended for commercial purposes, it is for those wishing to volunteer to help others on security forums like this one. If this is something you have the time and the inclination to become involved in, we would welcome your help.

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

Java 2 Runtime Environment, SE v1.4.2_03

This is out of date and now a security risk; you can get the latest update (version 6 update 6) from here.

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:

reg export "HKLM\software\microsoft\shared tools\msconfig" "%userprofile%\desktop\look.txt"

A file named look.txt should appear on your Desktop, please post the contents with your next response.

Please do an online scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky...kavwebscan.html
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Next and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save Report As... button, change Save as type: to Text file and save the file to your desktop as Kaspersky.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Once complete, please post the look.txt output, the Kaspersky report and a new HijackThis log.
Also, let me know how your computer is running now.
ASAP & UNITE Member
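MarkedMan's original request was a review of the HijackThis log, and silver's reply asks for a fresh one. The following is an added example, not code from this thread, from Trend Micro's HijackThis or from WhatTheTech: a small Python triage helper that parses the line formats visible in the log above (the bare "Running processes" paths and the O1/O4/O16/O23 entries) and applies a few defender-side heuristics to decide which entries deserve a closer manual look. The heuristics (autostarts living under a user profile or Temp folder, core Windows binary names outside the Windows directory, services with no vendor string, non-loopback hosts-file entries, ActiveX downloads from non-Microsoft hosts) are the example author's assumptions, not rules HijackThis itself applies. The sample lines are a mix of benign entries copied from the log in this thread and entries marked CONSTRUCTED that exist only to exercise the checks.

```python
"""Triage of HijackThis-style log lines (added example; heuristics are assumptions)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# A Windows file path ending in a typical executable/library extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|scr|cab|lnk)\b)', re.I)
# "Type - rest" prefix shared by every HJT entry, e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<rest>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<cmd>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.*?)\) - (?P<url>\S+)$")

# Core Windows binary names that malware likes to borrow; outside the Windows
# directory such a name is a masquerade candidate (assumed heuristic).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
                   "smss.exe", "services.exe", "explorer.exe"}
SYSTEM_DIR = "c:\\windows\\"
# Autostart entries living in user profiles or temp folders are unusual on XP.
PROFILE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


@dataclass
class Entry:
    kind: str            # "process" or the HJT type code (O1, O4, O23, ...)
    name: str            # entry name, service name, hostname, or exe basename
    path: str = ""       # executable path if one was found on the line
    flags: list = field(default_factory=list)  # human-readable review reasons


def _path_flags(path: str) -> list:
    """Heuristics that depend only on where an executable lives."""
    flags = []
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if any(d in low for d in PROFILE_DIRS):
        flags.append("autostart from profile/temp directory")
    if base in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIR):
        flags.append(f"system binary name {base} outside Windows directory")
    return flags


def parse_line(line: str) -> Entry | None:
    """Parse one log line into an Entry, or None for blanks and unknown lines."""
    line = line.strip()
    if not line:
        return None
    m = ENTRY_RE.match(line)
    if not m:
        if PATH_RE.match(line):  # bare path from the "Running processes" block
            return Entry("process", line.rsplit("\\", 1)[-1], line, _path_flags(line))
        return None
    kind, rest = m.group("type"), m.group("rest")
    e = Entry(kind, rest)
    if kind == "O1" and (h := O1_RE.match(rest)):
        e.name = h.group("host")
        if not h.group("ip").startswith("127."):
            e.flags.append(f"non-loopback hosts entry {h.group('host')} -> {h.group('ip')}")
    elif kind == "O4":
        r = O4_RUN_RE.match(rest) or O4_STARTUP_RE.match(rest)
        if r:
            e.name = r.group("name") or "(no name)"
            if e.name == "(no name)":
                e.flags.append("unnamed Run entry")
    elif kind == "O23" and (s := O23_RE.match(rest)):
        e.name = s.group("name")
        if s.group("vendor") == "Unknown owner":
            e.flags.append("service with no vendor string")
    elif kind == "O16" and (d := O16_RE.match(rest)):
        e.name = d.group("name")
        host = urlparse(d.group("url")).hostname or ""
        if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
            e.flags.append(f"ActiveX download from {host}")
    if p := PATH_RE.search(rest):
        e.path = p.group(1)
        e.flags.extend(_path_flags(e.path))
    return e


def triage(lines) -> list:
    """Parse every recognisable line, keeping the original order."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def flagged(lines) -> dict:
    """Map entry name -> list of review reasons, for entries that tripped a check."""
    return {e.name: e.flags for e in triage(lines) if e.flags}


SAMPLE_LINES = [
    # Benign entries copied from the HijackThis log in this thread:
    r"C:\WINDOWS\system32\svchost.exe",
    r"O1 - Hosts: 172.18.45.165 NPIA1D648",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe",
    # CONSTRUCTED for illustration only, not from the thread:
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"O23 - Service: Helper Service (helpersvc) - Unknown owner - C:\WINDOWS\system32\helpersvc.exe",
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Viewer) - http://example.org/viewer/arviewer.cab",
]

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The hosts-file check flags the printer entry (NPIA1D648) in this thread's log as well; that is the intended behaviour, since a non-loopback hosts override is something a helper should confirm is deliberate rather than silently accept, and here it is plainly an internal printer. Flags are prompts for a human review, not verdicts.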

#5 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 01 May 2008 - 08:08 PM

How are you getting on? If the instructions are unclear or something isn't working, please let me know before proceeding.
ASAP & UNITE Member

#6 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 04 May 2008 - 08:43 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log.
ASAP & UNITE Member
