[Closed] Infected help would be greatly appreciated


  • This topic is locked
6 replies to this topic

#1 Angels_Pride

    New Member

  • Authentic Member
  • 15 posts

Posted 30 May 2008 - 08:15 PM

My computer started acting up last Saturday so I assume that's when it was infected, most likely by the numerous porn sites my friend went to... Anyways I'm getting a weird error message every time I open an app. Then I get a rear-load of random pop-ups on top of that.

Windows XP SP2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:40 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\HP_Owner\cftmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [28fb7642] rundll32.exe "C:\WINDOWS\system32\grlapdii.dll",b
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\HP_Owner\cftmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6178 bytes
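The two O4 entries and the O23 "Task Scheduler" service line in the log above are what a triager would pull out first: binaries named one or two characters away from real Windows processes (cftmon.exe for ctfmon.exe, spools.exe for spoolsv.exe), an executable parked in the root of a user profile and another under system32\drivers, and a system service repointed at one of them. The following Python script is an added example, not part of this thread and not a HijackThis feature; it parses O4 and O23 lines and applies those three defender-side heuristics. The sample lines are constructed from the log above, and the small known-good and expected-host tables are assumptions for the example.

```python
"""Heuristic triage of HijackThis O4 (Run keys) and O23 (services) lines.

Added example for this thread; not a HijackThis feature and not the forum's tooling.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on entries in the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\HP_Owner\cftmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed tables for the example: Windows binaries that malware imitates by name,
# and XP services that are hosted by a well-known system image.
KNOWN_GOOD = {"ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
              "smss.exe", "csrss.exe", "services.exe", "explorer.exe"}
EXPECTED_HOST = {"schedule": "svchost.exe", "spooler": "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First image on a command line: optionally quoted, ends in a known extension.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd|pif))"?(?=[\s,]|$)(?P<rest>.*)$',
                    re.IGNORECASE)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Known-good binary whose name is within two edits of `name`, else None."""
    name = name.lower()
    if not name or name in KNOWN_GOOD:
        return None
    best = min(KNOWN_GOOD, key=lambda good: levenshtein(name, good))
    return best if levenshtein(name, best) <= 2 else None


def launched_path(cmd):
    """Path of the image a Run-key command really executes ('' if unparseable)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return ""
    path = m["path"]
    # rundll32 is only a host: the DLL it is told to load is what matters.
    if PureWindowsPath(path).name.lower() == "rundll32.exe":
        inner = EXE_RE.match(m["rest"].strip())
        if inner:
            path = inner["path"]
    return path


def assess_path(path):
    """Reasons a startup image deserves a second look; empty list if none."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parts = [s.lower() for s in p.parts]
    reasons = []
    twin = lookalike(name)
    if twin:
        reasons.append(f"name resembles Windows binary {twin}")
    if name.endswith(".exe") and "drivers" in parts:
        reasons.append("executable stored under system32\\drivers, where only .sys files belong")
    if len(parts) == 4 and parts[1] == "documents and settings":
        reasons.append("executable sits in the root of a user profile")
    return reasons


def assess_service(display, owner, path):
    """Path checks plus: wrong host image for a known service, no publisher info."""
    reasons = assess_path(path)
    short = re.search(r"\(([^)]+)\)\s*$", display)
    if short:
        expected = EXPECTED_HOST.get(short[1].lower())
        if expected and PureWindowsPath(path).name.lower() != expected:
            reasons.append(f"service '{short[1]}' normally runs from {expected}")
    # 'Unknown owner' alone is common on legitimate software, so it only corroborates.
    if owner.strip().lower() == "unknown owner" and reasons:
        reasons.append("binary carries no publisher information ('Unknown owner')")
    return reasons


def triage(log_text):
    """Return (section, path, reasons) for every O4/O23 line worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = launched_path(m["cmd"])
            reasons = assess_path(path)
            if reasons:
                findings.append(("O4", path, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = assess_service(m["display"], m["owner"], m["path"])
            if reasons:
                findings.append(("O23", m["path"], reasons))
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {path}\n    " + "\n    ".join(reasons))
```

Run against the sample it reports exactly the three lines SDFix later removed (spools.exe twice, cftmon.exe once) and stays quiet on the NVIDIA and ctfmon entries. The edit-distance check is deliberately narrow (two edits against a short allowlist) so that ordinary third-party names do not trip it; a real triage tool would also verify the file's digital signature rather than trust the "Unknown owner" string.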



#2 Gary R

    MRU Administrator

  • MRU Teachers
  • 1,461 posts

Posted 31 May 2008 - 02:19 AM

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


Hi Angels Pride

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


OK, you've got a couple of infections showing in your log, we'll tackle them one at a time.

For the first one.

Download SDFix and save it to your Desktop.
  • Double click SDFix.exe
  • Accept default location and click Install button.
  • It will now extract the files to C:\SDFix
Reboot your computer into Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Note: if you cannot boot into safe mode using this method, DO NOT attempt to do so by using MSConfig, this could result in your computer becoming unbootable. Just let me know.

Once in safe mode.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste me the contents of Report.txt along with a new HijackThis log.

Edited by Gary R, 31 May 2008 - 02:24 AM.

Gary R


#3 Angels_Pride

    New Member

  • Authentic Member
  • 15 posts

Posted 31 May 2008 - 03:44 PM

SDFix log:

SDFix: Version 1.187
Run by HP_Owner on Sat 05/31/2008 at 04:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\HP_Owner\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Documents and Settings\HP_Owner\Application Data\Install.dat - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\winlogon.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted



Folder C:\Temp\gbRve12 - Removed
Folder C:\WINDOWS\system32\aqVreo05 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 17:08:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\mIRC(2)\\mirc.exe"="C:\\Program Files\\mIRC(2)\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Wesnoth 1.3.19\\wesnothd.exe"="C:\\Program Files\\Wesnoth 1.3.19\\wesnothd.exe:*:Enabled:wesnothd"
"C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
"C:\\Sierra\\GC\\gc.exe"="C:\\Sierra\\GC\\gc.exe:*:Enabled:Ground Control executable"
"C:\\Documents and Settings\\HP_Owner\\Local Settings\\Temp\\14488.exe"="C:\\Documents and Settings\\HP_Owner\\Local Settings\\Temp\\14488.exe:*:Enabled:14488"
"C:\\Documents and Settings\\HP_Owner\\cftmon.exe"="C:\\Documents and Settings\\HP_Owner\\cftmon.exe:*:Disabled:cftmon"
"C:\\WINDOWS\\system32\\drivers\\spools.exe"="C:\\WINDOWS\\system32\\drivers\\spools.exe:*:Enabled:spools"
"C:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 22 Nov 2007 213 A.SHR --- "C:\BOOT.BAK"
Thu 23 Dec 2004 196 A.SHR --- "C:\BOOTNXX.BAK"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 13 Sep 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Mon 30 Oct 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 24 Dec 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Fri 24 Dec 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Fri 30 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BITB.tmp"
Fri 21 Dec 2007 873,704 A..H. --- "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\ar00000\install.exe"
Fri 21 Dec 2007 6,157,296 A..H. --- "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\in00000\setup.exe"
Fri 21 Dec 2007 873,704 A..H. --- "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 21 Dec 2007 6,157,296 A..H. --- "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\Upgrade\setup1.exe"

Finished!



HiJackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:27 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [28fb7642] rundll32.exe "C:\WINDOWS\system32\grlapdii.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5902 bytes

#4 Gary R

    MRU Administrator

  • MRU Teachers
  • 1,461 posts

Posted 01 June 2008 - 12:54 AM

OK, first stage looks to have gone well, time to move onto your second infection. It's likely we won't get this one out in one pass, and I'll need to see the log produced by Combofix so that I can write a custom fix to remove what remains.

There are some new infections that damage your ability to boot if they are removed. So before we go any further, I need you to install Recovery Console to your computer. This is purely a precautionary measure, I don't see signs of them on your computer, but it's better to be a little cautious now than regretful later.

Recovery Console gives us the ability to recover your computer if things go wrong.

  • Download combofix.exe by sUBs to your Desktop (it must be in this location).
  • Alternate Download
  • If you already have a previous version, delete it and download a new version.
  • Go to Microsoft's website
  • Select the download that's appropriate for your Operating System (if you have XP Media Centre, use download for XP Pro)


  • Download the file & save it as it's originally named, to your Desktop.
  • Next
  • Disconnect from the Internet.
  • Important! Temporarily disable your anti-virus, and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its files which may cause unpredictable results.
  • Click here to see a list of programs that should be disabled (ignore the firewalls). The list is not all inclusive. If yours are not listed and you don't know how to disable them, please ask.


  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix.
  • When prompted, agree to the End-User License Agreement to install Microsoft Recovery Console.
  • When complete a message will pop up asking if you want to continue scanning for Malware.
    • Click Yes
    • Combofix will now run a scan. (Usually takes 15-20 mins, but could be slightly longer)
    • When finished, it will produce a log for you. (it can also be found at C:\Combofix.txt)
  • Post the log in your next reply please.
  • Now run a new HJT scan and send me the log from that as well please.
  • Don't forget to re-enable your anti-virus and anti-malware protection before re-connecting to the Internet.

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R


#5 Angels_Pride

    New Member

  • Authentic Member
  • 15 posts

Posted 01 June 2008 - 02:38 PM

ComboFix 08-06-01.3 - HP_Owner 2008-06-01 16:23:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.623 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\My Stuff\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\302.exe
C:\deskbar_e34.exe
C:\Documents and Settings\HP_Owner\Application Data\apphash.dat
C:\WINDOWS\Duce6.exe
C:\WINDOWS\keyboard41.dat
C:\WINDOWS\system32\__c008070E.exe
C:\WINDOWS\system32\__c00D96D9.exe
C:\WINDOWS\system32\__c00DA288.exe
C:\WINDOWS\system32\__c00E52F7.dat

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 16:48 . 2008-05-31 16:48 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-31 16:40 . 2008-05-31 17:13 <DIR> d-------- C:\SDFix
2008-05-30 22:15 . 2008-05-30 22:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 22:44 . 2008-05-31 16:40 5,120 --a------ C:\Documents and Settings\HP_Owner\ftp34.dll
2008-05-27 22:40 . 2008-05-31 16:40 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-27 22:40 . 2008-05-31 16:24 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-27 21:42 . 2008-05-29 11:54 34,329 --ahs---- C:\WINDOWS\system32\iewmainx.ini
2008-05-23 20:47 . 2008-05-25 16:17 <DIR> d-------- C:\Program Files\LiveAntispy
2008-05-17 20:50 . 2008-05-17 20:50 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-11 21:29 . 2001-06-20 10:04 21 --a------ C:\WINDOWS\VI_setup.ini
2008-05-11 21:28 . 2001-10-16 10:23 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2008-05-11 21:27 . 2008-05-11 21:29 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-11 21:27 . 1999-05-26 09:46 212,480 --a------ C:\WINDOWS\pcdlib32.dll
2008-05-11 21:27 . 2002-03-25 10:12 21 --a------ C:\WINDOWS\PI4_setup.ini
2008-05-11 21:05 . 2005-07-13 11:08 33,890 --a------ C:\WINDOWS\system32\drivers\Capt905c.sys
2008-05-11 21:05 . 2005-04-13 15:21 24,605 --a------ C:\WINDOWS\system32\drivers\Camd905c.sys
2008-05-03 16:16 . 2008-01-14 16:58 19,840 --a------ C:\WINDOWS\system32\drivers\StMp3Rec.sys
2008-05-03 16:15 . 2008-05-03 16:16 <DIR> d-------- C:\Program Files\Philips
2008-05-03 16:14 . 2008-05-03 16:14 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InstallShield
2008-05-02 18:26 . 2008-06-01 16:29 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\mjusbsp
2008-05-02 18:18 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-05-02 18:18 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-05-02 18:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-02 18:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 11:05 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-05-28 04:32 --------- d-----w C:\Program Files\SpeedFan
2008-05-28 04:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-28 00:19 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-05-24 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 12:47 --------- d-----w C:\Program Files\IEPro
2008-05-23 12:46 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\IEPro
2008-05-23 00:38 --------- d-----w C:\Program Files\Diablo II
2008-05-15 10:54 --------- d-----w C:\Program Files\Microsoft Games
2008-05-12 01:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 07:51 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\LimeWire
2008-04-28 16:55 --------- d-----w C:\Program Files\Microsoft Works
2008-04-27 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-04-21 04:18 --------- d-----w C:\Program Files\Azureus
2008-04-09 02:29 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\InterVideo
2008-04-02 02:43 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\DivX
2008-04-02 00:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-01 23:12 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-01 02:23 --------- d-----w C:\Program Files\DivX
2008-04-01 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DFX
2008-04-01 02:22 --------- d-----w C:\Program Files\DFX
2008-04-01 02:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 01:21 --------- d-----w C:\Program Files\LimeWire
2006-07-27 12:43 22 ----a-w C:\Program Files\AOL Compressed (zipped) Folder.zip
2005-09-13 18:02 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_16.13.19.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 20:06:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 20:26:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-04 12:00:00 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 12:00:00 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"cdloader"="C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" [2007-12-21 10:39 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 16:45 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 08:31:38 241664]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-12 00:20:09 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlliji]
pmnlliji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00E52F7]
C:\WINDOWS\system32\__c00E52F7.dat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\mIRC(2)\\mirc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Wesnoth 1.3.19\\wesnothd.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\directx\command - E:\DirectX9\dxsetup.exe
\Shell\setup\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\phone\command - J:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 20:00:00 C:\WINDOWS\Tasks\AC2BF16091846440.job"
- c:\docume~1\hp_owner\applic~1\helpth~1\holdcreativedrv.exe
"2008-05-19 01:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-01 20:14:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2004-08-12 06:16:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 16:27:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\ar00000\mjsetup.exe
C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2008-06-01 16:33:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 20:33:03
ComboFix2.txt 2008-06-01 20:13:41

Pre-Run: 3,143,061,504 bytes free
Post-Run: 3,115,077,632 bytes free

166 --- E O F --- 2008-06-01 20:23:21


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:08 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O20 - Winlogon Notify: pmnlliji - pmnlliji.dll (file missing)
O20 - Winlogon Notify: __c00E52F7 - C:\WINDOWS\system32\__c00E52F7.dat (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5568 bytes

#6 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,461 posts

Posted 01 June 2008 - 03:46 PM

OK, still some work to do.

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
File::
C:\Documents and Settings\HP_Owner\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\WINDOWS\system32\iewmainx.ini

Folder::
C:\Program Files\LiveAntispy

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlliji]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00E52F7]
  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.
Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

Next

Please download Malwarebytes' Anti-Malware to your Desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
    • Click Check for Updates and allow the programme to download the latest definitions.
  • Click the Scanner tab.
    • Check Perform Full Scan.
    • Click Scan and wait for the scan to complete.
    • When the scan is complete, click OK, then Show Results.
    • Ensure all items are checked then click Remove Selected.
    • A box will pop up telling you that files have been quarantined.
    • A log will pop-up.
  • Post the log in your next reply please.
You can also access the log by doing the following:
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.

Next

Run a new scan with HJT and post me the log please.

Summary of the logs I need from you in your next post:
  • Latest Combofix log
  • MBAM log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.

Edited by Gary R, 01 June 2008 - 03:47 PM.

Gary R

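As an added illustration (not part of Gary R's post, ComboFix or HijackThis themselves) of how the two O20 "Winlogon Notify" lines in the HJT log map onto the Registry:: block of the CFScript above: a small Python triage script that parses O20 entries, flags those whose handler file is missing or is not a DLL at all, and renders the matching ComboFix key-deletion lines. The sample log text is constructed from this thread's log plus one hypothetical normal-looking entry that must be left alone.

```python
import re
from typing import Dict, List

# Constructed sample: the two O20 lines from the HJT log in this thread, one O4
# line that must be ignored, and one hypothetical normal Notify entry to keep.
SAMPLE_HJT_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: pmnlliji - pmnlliji.dll (file missing)
O20 - Winlogon Notify: __c00E52F7 - C:\WINDOWS\system32\__c00E52F7.dat (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Registry key under which HijackThis reports O20 Winlogon Notify handlers.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# "O20 - Winlogon Notify: <name> - <path>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o20(log_text: str) -> List[Dict[str, object]]:
    """Return every O20 line as {name, path, missing}; all other HJT lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "path": m["path"],
                            "missing": m["missing"] is not None})
    return entries


def suspicious_o20(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag Notify handlers whose file is missing or whose path is not a .dll (e.g. a .dat)."""
    return [e for e in entries
            if e["missing"] or not str(e["path"]).lower().endswith(".dll")]


def cfscript_registry_section(entries: List[Dict[str, object]]) -> str:
    """Render flagged entries as a ComboFix 'Registry::' section that deletes their keys."""
    lines = ["Registry::"] + [f"[-{NOTIFY_KEY}\\{e['name']}]" for e in entries]
    return "\n".join(lines)


if __name__ == "__main__":
    print(cfscript_registry_section(suspicious_o20(parse_o20(SAMPLE_HJT_LOG))))
```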

#7 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,461 posts

Posted 05 June 2008 - 12:09 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log.
Gary R

