Mischel Internet Security Forum > Malware > Trojans
Topic: In Dire Need of Help!!
Aprileatlove (Newbie, Posts: 3)
In Dire Need of Help!!
« on: Mar 29th, 2008, 9:57pm »

Okay, this is the first time I've posted.
Today, I discovered that something may be wrong with my computer.
I'm pretty sure it's a Trojan.
 
Whenever I try to access my computer files or use the internet, a system error comes up and says:
 
Your computer was infected by unknown trojan.
It's dangerous for your system (critical files can be lost)!
Click OK to download the antispyware program to clean your system! (Recommended)
 
When I click OK, it leads to Files Secure, which I found out is actually malicious.
If I click the X (exit) button or Cancel, it keeps popping back up for a while, which can be very annoying.
 
 
I've downloaded Spyware Doctor and it still won't go away!
And Spyware Doctor happened to find even more spyware, malware, and adware on my system.
 
Please help!!
I don't know where to turn from here.

siliconman01 (Global Moderator, Posts: 5270)
Trojans! Chew 'em Up, Spit 'em Out...
Re: In Dire Need of Help!!
« Reply #1 on: Mar 29th, 2008, 10:52pm »

Welcome to the forum, Aprileatlove.
 
Yes, you have been infected.  Please do the following.
 
1.  Download/install the program HijackThis per the instructions in the link below.
 
http://www.misec.net/forum/board/FAQ/1163329424
 
2.  Go to the link below and download the program Combofix.exe and save it on your desktop.
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
3.  Temporarily deactivate all your security programs EXCEPT your software firewall.
 
4.  Close down as many programs as you can (programs in the Notification Tray, next to the clock).
 
5.  Close your browser.
 
6.  Double click on Combofix.exe to execute it and follow the instructions.
 
Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.
 
-  When Combofix.exe is finished, it will save a log on your system.
 
7.  Post the Combofix log back here.
 
8.  Run HijackThis and post a HijackThis scan log back here.  DO NOT fix anything with HJT...just post the scan log.
« Last Edit: Mar 29th, 2008, 11:06pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Aprileatlove (Newbie, Posts: 3)
Re: In Dire Need of Help!!
« Reply #2 on: Mar 30th, 2008, 1:28pm »

This is the ComboFix log:
 
ComboFix 08-03-30.2 - ~Ape-Err-Uhl 2008-03-30 14:09:21.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\Documents and Settings\~Ape-Err-Uhl\Desktop\ComboFix.exe
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((   Files Created from 2008-02-28 to 2008-03-30  )))))))))))))))))))))))))))))))
.
 
2008-03-30 14:04 . 2008-03-30 14:04<DIR>d--------C:\Program Files\Trend Micro
2008-03-29 21:34 . 2008-03-29 21:47<DIR>d--------C:\Program Files\Spyware Doctor
2008-03-29 21:34 . 2008-03-30 09:00<DIR>d-a------C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 21:34 . 2008-03-29 21:34<DIR>d--------C:\Documents and Settings\~Ape-Err-Uhl\Application Data\PC Tools
2008-03-29 21:34 . 2007-12-10 14:5381,288--a------C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-29 21:34 . 2007-12-10 14:5366,952--a------C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-29 21:34 . 2008-02-01 12:5542,376--a------C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-29 21:34 . 2007-12-10 14:5329,576--a------C:\WINDOWS\system32\drivers\kcom.sys
2008-03-29 18:15 . 2008-03-29 18:15213,504--a------C:\WINDOWS\dsaip32b.dll
2008-03-29 18:15 . 2008-03-29 18:1557--a------C:\smp.bat
2008-03-29 16:01 . 2008-03-29 16:01<DIR>d--------C:\Program Files\NHN USA
2008-03-29 16:01 . 2008-01-16 18:25679,936--a------C:\WINDOWS\system32\ijjiSetup.exe
2008-03-16 20:44 . 2008-03-16 20:52<DIR>d--------C:\Program Files\AviSynth 2.5
2008-03-07 19:05 . 2008-03-29 18:54<DIR>d--------C:\Program Files\Common Files\Symantec Shared
2008-03-07 18:17 . 2008-03-29 18:16<DIR>d--------C:\Program Files\Norton Security Scan
2008-03-07 18:15 . 2008-03-07 18:15<DIR>d--------C:\Program Files\Photo Story 3 for Windows
2008-03-07 18:11 . 2006-10-04 09:061,197,294---------C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-07 18:11 . 2006-10-04 09:06764,868---------C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-07 18:11 . 2006-10-04 09:06217,118---------C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-07 18:10 . 2008-03-07 18:10<DIR>d--------C:\Program Files\Windows Media Connect 2
2008-03-07 18:08 . 2008-03-07 18:09<DIR>d--------C:\WINDOWS\system32\drivers\UMDF
2008-03-02 21:57 . 2008-03-30 14:05<DIR>d--------C:\Documents and Settings\~Ape-Err-Uhl\Application Data\OpenOffice.org2
2008-03-02 21:54 . 2008-03-02 21:54<DIR>d--------C:\Program Files\OpenOffice.org 2.3
2008-03-02 20:11 . 2008-03-02 20:11<DIR>d--------C:\Program Files\iPod
2008-02-26 21:16 . 2008-02-26 21:16<DIR>d--------C:\Documents and Settings\~Ape-Err-Uhl\Application Data\Mozilla
2008-02-17 13:16 . 2008-02-17 13:16<DIR>d--------C:\Documents and Settings\~Ape-Err-Uhl\Application Data\Help
2008-02-17 13:14 . 2008-02-17 13:14<DIR>d--------C:\Program Files\Attach
2008-02-17 12:30 . 2008-02-17 12:30<DIR>d--------C:\Documents and Settings\~Ape-Err-Uhl\WINDOWS
2008-02-17 12:30 . 1996-07-18 14:06297,472--a------C:\WINDOWS\uninst.exe
2008-02-11 23:04 . 2008-02-11 23:04<DIR>d--------C:\Documents and Settings\~Ape-Err-Uhl\Application Data\Yahoo!
2008-02-11 22:39 . 2008-02-11 22:56<DIR>d--------C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-11 22:31 . 2008-02-12 09:08<DIR>d--------C:\Program Files\Yahoo!
2008-02-09 17:07 . 2004-08-03 23:585,504--a------C:\WINDOWS\system32\drivers\MSTEE.sys
2008-02-09 17:07 . 2004-08-03 23:585,504--a------C:\WINDOWS\system32\dllcache\mstee.sys
2008-02-03 22:40 . 2008-03-29 21:46<DIR>d--------C:\Documents and Settings\~Ape-Err-Uhl\Incomplete
2008-02-01 00:13 . 2008-02-01 00:1390,112--a------C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:1357,344--a------C:\WINDOWS\system32\QuickTime.qts
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 19:05---------d-----wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\OpenOffice.org2
2008-03-30 03:593,932,160---ha-wC:\Documents and Settings\~Ape-Err-Uhl\NTUSER.DAT
2008-03-30 02:42---------d-----wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\LimeWire
2008-03-30 02:34---------d-----wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\PC Tools
2008-03-29 21:01---------d--h--wC:\Program Files\InstallShield Installation Information
2008-03-20 16:32---------d-----wC:\Program Files\EndlessOnline
2008-03-08 01:21---------d-s---wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\Microsoft
2008-03-03 01:11---------d-----wC:\Program Files\iTunes
2008-03-03 01:09---------d-----wC:\Program Files\QuickTime
2008-02-27 02:16---------d-----wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\Mozilla
2008-02-18 16:28---------d-----wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\Adobe
2008-02-17 18:2026,250---ha-wC:\Program Files\PureVoice.GID
2008-02-17 18:16---------d-----wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\Help
2008-02-12 04:04---------d-----wC:\Documents and Settings\~Ape-Err-Uhl\Application Data\Yahoo!
2008-02-09 05:07---------d-----wC:\Program Files\Common Files\Adobe
2008-02-05 00:32---------d-----wC:\Program Files\AIM6
2008-01-11 05:5344,544----a-wC:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01347,136----a-wC:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51179,584------wC:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:213,592,192------wC:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01625,664------wC:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:0070,656------wC:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:0013,824------wC:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59161,792------wC:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38550,912----a-wC:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38550,912------wC:\WINDOWS\system32\dllcache\oleaut32.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B65F8A9-BAD5-4261-BB6F-25B2020C3098}]
2008-03-29 18:15213504--a------C:\WINDOWS\dsaip32b.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 21:57 395776]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.ex e" [2008-01-03 15:33 162744]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"eobar"="C:\Documents and Settings\~Ape-Err-Uhl\Local Settings\Temporary Internet Files\Content.IE5\J25INM6X\eopbar[1].exe" [ ]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-06 23:13 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 02:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 02:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 02:45 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-22 17:35 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2007-02-20 12:29 1191936]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
 
C:\Documents and Settings\~Ape-Err-Uhl\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-25 03:25:09 24576]
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
 
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys [2004-01-12 17:51]
 
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 00:19:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-28 23:16:26 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
************************************************************************ **
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 14:15:13
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully  
hidden files: 0  
 
************************************************************************ **
.
Completion time: 2008-03-30 14:16:36
ComboFix-quarantined-files.txt  2008-03-30 19:16:33
Pre-Run: 40,413,863,936 bytes free
Post-Run: 40,401,956,864 bytes free
.
2008-03-11 21:42:47--- E O F ---  
 
This is the HijackThis log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:33 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.ex e
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.misec.net/forum/board/Trojans;action=display;num=1206849473;s tart=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us& ;ibd=6070825  
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Media Player Codec - {8B65F8A9-BAD5-4261-BB6F-25B2020C3098} - C:\WINDOWS\dsaip32b.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.ex e
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [eobar] C:\Documents and Settings\~Ape-Err-Uhl\Local Settings\Temporary Internet Files\Content.IE5\J25INM6X\eopbar[1].exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 
--
End of file - 8220 bytes
« Last Edit: Mar 30th, 2008, 1:28pm by Aprileatlove »

siliconman01 (Global Moderator, Posts: 5270)
Re: In Dire Need of Help!!
« Reply #3 on: Mar 30th, 2008, 2:12pm »

Okay, now please do the following:
 
1.  Run another HiJackthis scan.
 
2.  When the scan is completed, place a checkmark in the box next to the following items.  BE SURE that these are the only items checked.
 

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
 
O2 - BHO: Media Player Codec - {8B65F8A9-BAD5-4261-BB6F-25B2020C3098} - C:\WINDOWS\dsaip32b.dll
 
O4 - HKCU\..\Run: [eobar] C:\Documents and Settings\~Ape-Err-Uhl\Local Settings\Temporary Internet Files\Content.IE5\J25INM6X\eopbar[1].exe

 
3.  Close your browser window.
 
4.  Then click on Fix Checked located at the lower left of the HiJackthis window.  Confirm that you want HJT to fix these items and let it fix them.
 
5.  Close the HJT window.
 
6.  Reboot your computer.
 
7.  Please post a new HJT scan log.
 
Do you still get this crazy message?
 
Quote:
Whenever I try to access my computer files or use the internet, a system error comes up and says:  
 
Your computer was infected by unknown trojan.  
It's dangerous for your system (critical files can be lost)!  
Click OK to download the antispyware program to clean your system! (Recommended)
 
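The four entries siliconman01 singled out share traits that can be checked mechanically: a hook or BHO registered for a CLSID whose file is gone, a BHO DLL sitting directly under C:\WINDOWS rather than System32, and a Run entry that launches something out of the Temporary Internet Files cache under an IE-style name[n].exe filename. The script below is an added example, not code from the forum, TrojanHunter or HijackThis; the rules are my own reading of those traits, and the sample log is a handful of lines copied from the HijackThis log posted earlier in this thread, embedded here so it runs offline.

```python
import re
from typing import Dict, List

# Constructed sample input: HijackThis v2.0.2 entries copied from the log posted in this
# thread (the four the moderator flagged plus a few known-good ones), embedded so the
# triage runs offline.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Player Codec - {8B65F8A9-BAD5-4261-BB6F-25B2020C3098} - C:\WINDOWS\dsaip32b.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [eobar] C:\Documents and Settings\~Ape-Err-Uhl\Local Settings\Temporary Internet Files\Content.IE5\J25INM6X\eopbar[1].exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
"""

# "R3 - ..." / "O4 - ...": HJT section code, then the entry body
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Autorun targets that live in the IE cache or the user's temp directory
CACHE_DIR_RE = re.compile(r"\\Temporary Internet Files\\|\\Local Settings\\Temp\\", re.IGNORECASE)
# A module placed directly in C:\WINDOWS, not in System32 or another subdirectory
WINDOWS_ROOT_RE = re.compile(r"C:\\WINDOWS\\[^\\\s]+\.(?:dll|exe)\b", re.IGNORECASE)
# IE stores cached downloads as name[n].ext; such a name as a Run target is a strong hint
CACHE_NAME_RE = re.compile(r"\[\d+\]\.exe\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage_entry(line: str) -> List[str]:
    """Return the reasons one HJT entry deserves a look; an empty list means nothing matched."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []                      # header, process list or blank line
    section, body = m.group("section"), m.group("body")
    reasons = []
    if section in ("R3", "O2", "O3") and body.endswith("(no file)"):
        reasons.append("orphaned registration: CLSID points to a file that no longer exists")
    if section == "O4" and CACHE_DIR_RE.search(body):
        reasons.append("autorun target lives in the browser cache or a temp directory")
    if section == "O4" and CACHE_NAME_RE.search(body):
        reasons.append("IE cache-style filename (name[n].exe) used as a Run target")
    if section in ("O2", "O3") and WINDOWS_ROOT_RE.search(body):
        reasons.append("module registered directly under C:\\WINDOWS instead of System32")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged HJT line to its reasons, preserving log order."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        reasons = triage_entry(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


def flagged_clsids(findings: Dict[str, List[str]]) -> List[str]:
    """CLSIDs of flagged entries, so they can be matched against registry keys such as the
    Browser Helper Objects key ComboFix lists under 'Reg Loading Points'."""
    out = []
    for line in findings:
        m = CLSID_RE.search(line)
        if m:
            out.append(m.group(0).upper())
    return out


if __name__ == "__main__":
    found = triage_log(SAMPLE_HJT_LOG)
    for entry, why in found.items():
        print(entry)
        for r in why:
            print("    ->", r)
    print("CLSIDs to look up:", ", ".join(flagged_clsids(found)))
```

On the sample it flags exactly the four lines from Reply #3 and nothing else. The rules are deliberately narrow: an O4 entry under Program Files or System32 is not flagged even when its vendor is "Unknown owner", because that needs a human judgement about the vendor, not a path pattern.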
Aprileatlove (Newbie, Posts: 3)
Re: In Dire Need of Help!!
« Reply #4 on: Mar 30th, 2008, 2:46pm »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:49 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.ex e
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.misec.net/forum/board/Trojans;action=display;num=1206849473;s tart=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us& ;ibd=6070825  
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.ex e
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C56BF45D-4722-4EFD-AA14-9DB1E92661E3} - http://coke.mycokerewards.com/cabs/CocaCola_1_0_0_9.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://coke.mycokerewards.com/cabs/Entriq_3_6_0_15_Silent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 
--
End of file - 8239 bytes
 
Wow, you're really helpful! Thank you so much!! You're a lifesaver. :)
« Last Edit: Mar 30th, 2008, 2:46pm by Aprileatlove »

siliconman01 (Global Moderator, Posts: 5270)
Re: In Dire Need of Help!!
« Reply #5 on: Mar 30th, 2008, 3:08pm »

You are most welcome.
 
Your HJT log looks clean.  I assume the pesky message is no more.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Halcyon
Newbie
Posts: 4
Re: In Dire Need of Help!!
« Reply #6 on: Apr 2nd, 2008, 10:10pm »

I'm having a very similar problem, same pop up message. I downloaded something a day ago, and now I'm getting a ton of popups. I know the trojan is a Vundo and is located in the file C:\WINDOWS\system32\qoMfeefF.dll.
However, no matter how many times I run Trojan Hunter, this particular trojan cannot be cleaned. (A few others were also found, but those were all cleaned).
 
Should I follow these same directions and post the log?
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5270
Re: In Dire Need of Help!!
« Reply #7 on: Apr 2nd, 2008, 10:24pm »

Welcome to the forum Halcyon
 
Yes, please follow the same instructions.  When you post back here the Combofix log and HiJackthis log, we'll see what else may need to be done.
Halcyon
Newbie
Posts: 4
Re: In Dire Need of Help!!
« Reply #8 on: Apr 2nd, 2008, 11:57pm »

ComboFix 08-04-02.1 - Daniel Dix 2008-04-02 22:49:49.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1462 [GMT -7:00]
Running from: C:\My Downloads\Software\Trojan Hunter\ComboFix.exe
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Program Files\update.exe
C:\WINDOWS\BMd7666c43.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtrQGAs.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dmudirwt.dll
C:\WINDOWS\system32\dpfuuajw.dll
C:\WINDOWS\system32\FfeefMoq.ini
C:\WINDOWS\system32\FfeefMoq.ini2
C:\WINDOWS\system32\jkkHXNhh.dll
C:\WINDOWS\system32\jrpdqlbu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qoMfeefF.dll
C:\WINDOWS\system32\ssqRkkjG.dll
C:\WINDOWS\system32\tuvWpMef.dll
C:\WINDOWS\system32\twridumd.ini
C:\WINDOWS\system32\ublqdprj.dll
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\xbbitmdh.dll
C:\WINDOWS\system32\yayxwVLC.dll
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_IPRIP
-------\Service_Iprip
 
 
(((((((((((((((((((((((((   Files Created from 2008-03-03 to 2008-04-03  )))))))))))))))))))))))))))))))
.
 
2008-04-02 20:58 . 2008-04-02 20:58  <DIR>  d--------  C:\Program Files\Trend Micro
2008-04-02 19:11 . 2008-04-02 19:11  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Application Data\TrojanHunter
2008-04-02 18:54 . 2008-04-02 18:54  <DIR>  d--------  C:\Program Files\TrojanHunter 5.0
2008-04-02 18:42 . 2008-04-02 18:42  69  --a------  C:\WINDOWS\NeroDigital.ini
2008-04-02 17:48 . 2008-04-02 17:49  <DIR>  d--------  C:\Program Files\Windows Defender
2008-04-02 17:18 . 2008-04-02 17:18  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Application Data\MSN6
2008-04-02 17:18 . 2008-04-02 17:18  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\MSN6
2008-04-01 21:00 . 2008-04-02 18:49  1,600,684  ---hs----  C:\WINDOWS\system32\avxeojmf.ini
2008-03-31 17:59 . 2008-03-31 17:59  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\LightScribe
2008-03-30 13:46 . 1999-07-02 00:19  188,928  ---------  C:\WINDOWS\system32\swflash.ocx
2008-03-30 13:46 . 1999-07-02 00:19  137,728  ---------  C:\WINDOWS\system32\amn21e.dll
2008-03-30 13:46 . 1999-07-02 00:19  97,792  ---------  C:\WINDOWS\system32\am21e.dll
2008-03-30 13:46 . 1999-07-02 00:19  13,824  ---------  C:\WINDOWS\system32\dslite.dll
2008-03-30 13:42 . 2008-03-30 13:48  <DIR>  d--------  C:\Program Files\Microsoft Encarta
2008-03-30 13:24 . 2008-03-30 13:24  <DIR>  d--------  C:\Program Files\Viewpoint
2008-03-30 13:24 . 2008-03-30 13:24  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-30 13:24 . 2008-03-30 13:24  37,027  --a------  C:\WINDOWS\atmoUn.exe
2008-03-30 13:19 . 2008-03-31 18:20  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Application Data\AdobeUM
2008-03-30 13:01 . 2008-03-30 13:01  <DIR>  d--------  C:\Program Files\Common Files\LightScribe
2008-03-30 12:58 . 2008-03-30 12:58  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Application Data\Ahead
2008-03-30 12:57 . 2008-03-30 12:57  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-30 12:52 . 2008-03-30 12:52  <DIR>  d--------  C:\Program Files\Nero
2008-03-30 12:52 . 2008-03-30 12:55  <DIR>  d--------  C:\Program Files\Common Files\Ahead
2008-03-30 12:52 . 2008-03-30 12:52  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Nero
2008-03-29 21:20 . 2008-03-29 21:20  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-03-29 20:45 . 2008-03-29 20:45  <DIR>  d--h-----  C:\WINDOWS\PIF
2008-03-29 15:36 . 2008-03-29 15:36  <DIR>  d--------  C:\Program Files\Lavalys
2008-03-29 15:07 . 2008-04-02 19:16  <DIR>  d--------  C:\Program Files\Network Associates
2008-03-29 15:03 . 2008-03-29 15:03  <DIR>  d--------  C:\Program Files\TechSmith
2008-03-29 14:53 . 2008-03-29 14:53  379  --a------  C:\WINDOWS\PowerReg.dat
2008-03-29 14:52 . 2008-03-29 14:52  <DIR>  d--------  C:\Program Files\Executive Software
2008-03-29 14:49 . 2008-03-30 13:19  <DIR>  d--------  C:\Program Files\Common Files\Adobe
2008-03-29 13:19 . 2006-11-24 14:47  40,136  --a------  C:\WINDOWS\system32\drivers\ET5Drv.sys
2008-03-27 21:24 . 2008-03-27 21:24  <DIR>  d--------  C:\Program Files\MSXML 6.0
2008-03-27 21:24 . 2008-03-27 21:24  <DIR>  d--------  C:\Program Files\MSXML 4.0
2008-03-27 21:19 . 2008-03-27 21:19  <DIR>  d--------  C:\Program Files\Microsoft Works
2008-03-27 21:19 . 2006-10-26 19:56  32,592  --a------  C:\WINDOWS\system32\msonpmon.dll
2008-03-27 21:18 . 2008-03-27 21:18  <DIR>  d--------  C:\Program Files\Microsoft.NET
2008-03-27 21:17 . 2008-03-27 21:18  <DIR>  d--------  C:\WINDOWS\SHELLNEW
2008-03-27 21:17 . 2008-03-27 21:17  <DIR>  d--------  C:\Program Files\Microsoft Visual Studio 8
2008-03-27 21:16 . 2008-03-27 21:16  <DIR>  dr-h-----  C:\MSOCache
2008-03-27 21:16 . 2008-04-01 23:59  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-27 20:25 . 2008-03-27 20:25  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Application Data\HP
2008-03-27 20:24 . 2008-03-27 20:24  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\HP
2008-03-27 20:21 . 2008-03-27 20:21  <DIR>  d--------  C:\Program Files\Common Files\Sonic Shared
2008-03-27 20:21 . 2008-03-27 20:21  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-27 20:20 . 2008-03-27 20:20  <DIR>  d--------  C:\Program Files\Common Files\HP
2008-03-27 20:20 . 2008-03-27 20:20  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Application Data\Logitech
2008-03-27 20:19 . 2008-03-27 20:19  <DIR>  d--------  C:\Program Files\Hewlett-Packard
2008-03-27 20:19 . 2008-03-27 20:19  <DIR>  d--------  C:\Program Files\Common Files\Hewlett-Packard
2008-03-27 20:18 . 2006-04-12 17:02  827,392  -ra------  C:\WINDOWS\system32\hpotiop2.dll
2008-03-27 20:18 . 2006-04-12 17:02  659,456  -ra------  C:\WINDOWS\system32\hpowiax2.dll
2008-03-27 20:18 . 2006-04-12 17:02  254,026  -ra------  C:\WINDOWS\system32\hpovst09.dll
2008-03-27 20:18 . 2006-01-04 02:12  77,824  -ra------  C:\WINDOWS\system32\HPZIDS01.dll
2008-03-27 20:18 . 2006-04-10 14:03  38,400  --a------  C:\WINDOWS\system32\hpz3l054.dll
2008-03-27 20:18 . 2001-08-17 13:53  6,784  --a------  C:\WINDOWS\system32\drivers\serscan.sys
2008-03-27 20:18 . 2001-08-17 13:53  6,784  --a--c---  C:\WINDOWS\system32\dllcache\serscan.sys
2008-03-27 20:18 . 2008-03-27 20:18  162  --a------  C:\WINDOWS\system32\AddPort.ini
2008-03-27 20:17 . 2008-03-29 21:20  <DIR>  d--------  C:\TEMP
2008-03-27 20:17 . 2006-03-03 21:03  282,680  --a------  C:\WINDOWS\system32\HPZidr12.dll
2008-03-27 20:17 . 2006-03-03 21:02  204,800  --a------  C:\WINDOWS\system32\HPZipr12.dll
2008-03-27 20:17 . 2006-03-03 21:02  94,208  --a------  C:\WINDOWS\system32\HPZipt12.dll
2008-03-27 20:17 . 2006-03-03 21:03  69,632  --a------  C:\WINDOWS\system32\HPZipm12.exe
2008-03-27 20:17 . 2006-03-03 21:03  65,536  --a------  C:\WINDOWS\system32\HPZinw12.exe
2008-03-27 20:17 . 2006-03-03 21:02  57,344  --a------  C:\WINDOWS\system32\HPZisn12.dll
2008-03-27 20:17 . 2008-03-27 20:18  815  --a------  C:\WINDOWS\hpntwksetup.ini
2008-03-27 20:16 . 2008-03-27 20:22  <DIR>  d--------  C:\Program Files\HP
2008-03-27 20:14 . 2008-03-27 20:14  <DIR>  d--hs----  C:\WINDOWS\ftpcache
2008-03-27 20:14 . 2004-08-03 23:08  31,616  --a------  C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-27 20:14 . 2004-08-03 23:08  31,616  --a--c---  C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-27 20:14 . 2004-08-03 23:08  26,496  --a--c---  C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-27 20:14 . 2004-08-03 23:01  25,856  --a------  C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-27 20:14 . 2004-08-03 23:01  25,856  --a--c---  C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-27 20:13 . 2008-03-27 20:25  117,092  --a------  C:\WINDOWS\hpoins11.dat
2008-03-27 20:11 . 2008-03-27 20:11  <DIR>  d--------  C:\Program Files\Logitech
2008-03-27 20:11 . 2008-03-27 20:11  <DIR>  d--------  C:\Program Files\Common Files\Logitech
2008-03-27 20:11 . 2004-06-08 12:35  71,533  --a------  C:\WINDOWS\system32\drivers\LMouKE.Sys
2008-03-27 20:11 . 2004-06-08 12:35  54,817  --a------  C:\WINDOWS\system32\drivers\L8042mou.Sys
2008-03-27 20:11 . 2004-06-08 12:36  13,105  --a------  C:\WINDOWS\system32\drivers\L8042Kbd.sys
2008-03-27 19:56 . 2008-03-27 21:19  <DIR>  d--------  C:\Program Files\MSBuild
2008-03-27 19:56 . 2008-03-27 19:56  <DIR>  d--------  C:\Program Files\Microsoft Silverlight
2008-03-27 19:54 . 2008-03-27 21:27  <DIR>  d--------  C:\WINDOWS\system32\XPSViewer
2008-03-27 19:54 . 2008-03-27 19:54  <DIR>  d--------  C:\Program Files\Reference Assemblies
2008-03-27 19:54 . 2006-06-29 13:07  14,048  ---------  C:\WINDOWS\system32\spmsg2.dll
2008-03-27 19:53 . 2008-03-27 19:53  <DIR>  d--------  C:\Program Files\Windows Media Connect 2
2008-03-27 19:49 . 2008-03-27 19:50  <DIR>  d--------  C:\WINDOWS\system32\URTTemp
2008-03-27 19:42 . 2008-03-27 19:42  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-27 19:23 . 2008-03-27 19:23  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Application Data\teamspeak2
2008-03-27 19:21 . 2008-03-29 21:42  <DIR>  d--------  C:\Program Files\Teamspeak2_Server
2008-03-27 19:20 . 2008-03-27 19:20  <DIR>  d--------  C:\Program Files\Teamspeak2_RC2
2008-03-27 19:20 . 2008-03-27 19:20  34,064  --a------  C:\WINDOWS\system32\lhacm.acm
2008-03-27 19:13 . 2008-03-27 19:58  <DIR>  d--------  C:\Documents and Settings\Daniel Dix\Contacts
2008-03-27 19:11 . 2008-03-27 19:12  <DIR>  d--------  C:\Program Files\Windows Live
2008-03-27 19:11 . 2008-03-27 19:12  <DIR>  d--hsc---  C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-27 19:11 . 2008-03-27 19:11  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-26 18:35 . 2008-03-26 19:08  4  --a------  C:\WINDOWS\system32\GVTunner.ref
2008-03-26 14:02 . 2008-03-26 14:02  262,144  --a------  C:\WINDOWS\system32\wrap_oal.dll
2008-03-26 14:02 . 2008-03-26 14:02  86,016  --a------  C:\WINDOWS\system32\OpenAL32.dll
2008-03-26 13:45 . 2008-03-26 13:45  <DIR>  d--------  C:\Program Files\Futuremark
2008-03-26 13:26 . 2008-03-26 13:26  <DIR>  d--------  C:\WINDOWS\system32\Futuremark
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 04:00  ---------  d-----w  C:\Program Files\Common Files\InstallShield
2008-03-26 21:50  278,984  ----a-w  C:\WINDOWS\system32\drivers\atksgt.sys
2008-03-26 21:50  25,416  ----a-w  C:\WINDOWS\system32\drivers\lirsgt.sys
2008-03-26 08:06  315,392  ----a-w  C:\WINDOWS\HideWin.exe
2008-03-26 07:56  ---------  d-----w  C:\Program Files\Intel
2008-03-26 07:37  ---------  d-----w  C:\Program Files\microsoft frontpage
2008-03-11 23:25  6,593,376  ----a-w  C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-02-14 22:28  29  ----a-w  C:\Program Files\version.ini
2008-02-14 22:23  231,944  ----a-w  C:\Program Files\gwflash.exe
2007-09-22 03:42  19,008  ----a-w  C:\Program Files\markfun.a64
2007-08-22 03:49  17,912  ----a-w  C:\Program Files\markfun.w32
2007-08-22 03:49  125,504  ----a-w  C:\Program Files\MarkFunDrv.dll
2007-04-05 02:35  207,680  ----a-w  C:\Program Files\updateutility.exe
2007-03-30 12:36  301  ----a-w  C:\Program Files\update.ini
2007-03-02 12:48  240,448  ----a-w  C:\Program Files\gwf32.exe
2006-11-24 07:47  207,680  ----a-w  C:\Program Files\BIOS_Run.exe
2006-11-24 07:40  60,224  ----a-w  C:\Program Files\HUADRV.DLL
2006-11-04 02:09  528  ----a-w  C:\Program Files\CONFIG.INI
2005-04-28 03:40  6,800  ----a-w  C:\Program Files\W95_HUA.vxd
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21 153136]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSys2"="C:\WINDOWS\System32\winsys2.exe" [2007-10-30 01:37 208896]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 03:14 16844800 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-03-11 16:25 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-03-11 16:25 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-11 16:25 13520896]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 08:15 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 08:15 221184]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRkkjG]
ssqRkkjG.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd7666c43]
C:\WINDOWS\system32\sqroibmh.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d4555fdf]
C:\WINDOWS\system32\fmjoexva.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a------ 2007-08-14 14:10 20480 C:\Program Files\Gigabyte\ET5\ETcall.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-07-18 17:55 451872 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"Diskeeper"=2 (0x2)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"C:\\Program Files\\GIGABYTE\\@BIOS\\update.exe"=
"C:\\Program Files\\gwflash.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Teamspeak2_Server\\server_windows.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"G:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
 
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 01:56]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-03-26 01:09]
S3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-03-26 19:08]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 03:52:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
************************************************************************ **
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 22:52:55
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully  
hidden files: 0  
 
************************************************************************ **
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
************************************************************************ **
.
Completion time: 2008-04-02 22:54:11 - machine was rebooted [Daniel Dix]
ComboFix-quarantined-files.txt  2008-04-03 05:54:08
Pre-Run: 117,260,873,728 bytes free
Post-Run: 117,275,336,704 bytes free
.
2008-03-29 03:31:29--- E O F ---  
Halcyon
Newbie
Posts: 4
Re: In Dire Need of Help!!
« Reply #9 on: Apr 2nd, 2008, 11:59pm »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:12 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206516800546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206516793092
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ssqRkkjG - ssqRkkjG.dll (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
--
End of file - 7238 bytes
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5270
Re: In Dire Need of Help!!
« Reply #10 on: Apr 3rd, 2008, 12:19am »

Okay, Halcyon
 
ComboFix found and removed several infections.  Please do the following.
 
1.  Remove Combofix.exe from your desktop
 
2.  Remove the folder named Qoobox from C:\.  It is the Quarantine folder of Combofix.
 
3.  Remove the Combofix log file from your system.
 
4.  Run another HiJackthis scan.
 
5.  When the scan is completed, place a check mark next to the following item.  BE SURE it is the only item checked.
 
O20 - Winlogon Notify: ssqRkkjG - ssqRkkjG.dll (file missing)
 
6.  Close your browser.
 
7.  Click on Fix Checked located at the lower left of the Hijackthis window.  Confirm that you want HJT to fix this item and let it fix it.
 
8.  Close HiJackthis and reboot.
 
Do you know what the websites below are and did you purposely add them to your Trusted Sites?  
 
http://asia.msi.com.tw
 
http://global.msi.com.tw
 
http://www.msi.com.tw
 
Also, is your computer now running okay and no more popups?
Halcyon
Newbie
Posts: 4
Re: In Dire Need of Help!!
« Reply #11 on: Apr 3rd, 2008, 6:59pm »

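A small triage script, added here as an example and not code from the forum, HijackThis or ComboFix, that does mechanically what the reply above does by hand: it reads the "Other Deletions" block of a ComboFix log, flags HijackThis O20 Winlogon Notify entries whose DLL is missing (noting when ComboFix already deleted that file, which leaves only the orphaned registry entry to fix), reports any other entry still pointing at a deleted file, and lists O15 Trusted Zone sites the user has not confirmed. The embedded log lines are constructed from the ones posted in this thread; the Finding class and the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the HijackThis log posted above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O20 - Winlogon Notify: ssqRkkjG - ssqRkkjG.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed sample: the 'Other Deletions' block in the shape of the ComboFix log above.
COMBOFIX_LOG = r"""
(((((((((((((((((((   Other Deletions   )))))))))))))))))))
.

C:\WINDOWS\system32\qoMfeefF.dll
C:\WINDOWS\system32\ssqRkkjG.dll
C:\WINDOWS\system32\winsys.exe

.
(((((((((((((((((((   Drivers/Services   )))))))))))))))))))
.
"""

HJT_ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")          # "O20 - Winlogon Notify: ..."
FILE_NAME = re.compile(r"([\w~$-]+\.(?:dll|exe|sys|ocx))\b", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O20"
    line: str      # the log line that triggered the finding
    reason: str    # why a helper would look at it


def combofix_deletions(log: str) -> set[str]:
    """Lower-cased base names of every file ComboFix listed under 'Other Deletions'."""
    deleted: set[str] = set()
    in_section = False
    for line in log.splitlines():
        line = line.strip()
        if "Other Deletions" in line:
            in_section = True
        elif in_section and line.startswith("((((("):
            break                                   # the next banner ends the section
        elif in_section and DRIVE_PATH.match(line):
            deleted.add(line.rsplit("\\", 1)[-1].lower())
    return deleted


def triage_hjt(hjt_log: str, deleted: set[str],
               expected_trusted: frozenset[str] = frozenset()) -> list[Finding]:
    """Flag the entry types the helper in this thread acted on."""
    findings: list[Finding] = []
    for line in hjt_log.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        names = {n.lower() for n in FILE_NAME.findall(body)}
        if code == "O20" and "(file missing)" in body:
            reason = "Winlogon Notify registration whose DLL no longer exists"
            if names & deleted:
                reason += "; ComboFix already removed the file, so this is the orphaned registry entry"
            findings.append(Finding(code, line, reason))
        elif code == "O15":
            host = body.split(": ", 1)[1].strip()
            if host not in expected_trusted:        # only sites the user has confirmed are skipped
                findings.append(Finding(code, line, "Trusted Zone site not on the user's confirmed list"))
        elif names & deleted:
            findings.append(Finding(code, line, "still references a file ComboFix deleted"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_LOG, combofix_deletions(COMBOFIX_LOG)):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```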
Thank you very much for the help!
 
Everything is running very smoothly. No more annoying pop ups, no more stalling. I know MSI, but I did not add those to my list. It is possible that installing my video card driver did that automatically, but I didn't place those web sites there.
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5270
Re: In Dire Need of Help!!
« Reply #12 on: Apr 3rd, 2008, 11:29pm »

Quote:
I know MSI, but I did not add those to my list. It is possible that installing my video card driver did that automatically, but I didn't place those web sites there.

 
Okay, as long as you know and trust that site.  If the video driver did put it there, it also unchecked the option that all "trusted" sites have to be https:\\ type sites.  That's okay, but something you should be aware of.
 
This is found in your Internet Options under the Security Tab>Trusted Sites.
FlightAttendant747
Newbie
Posts: 7
Re: In Dire Need of Help!!
« Reply #13 on: Apr 6th, 2008, 8:00pm »

Hi,
I'm having the same problem. I tried running a couple of anti-virus/spyware programs, but the pop-up is still there. Hope you could also help me with this. Thanks a lot. Here are the log files:
==============================================
ComboFix
==============================================
ComboFix 08-04-06.1 - Mike 2008-04-06 20:35:46.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.156 [GMT -4:00]
Running from: E:\Software\ComboFix.exe
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\Cache
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_NNSERV
-------\Service_NNServ
 
 
(((((((((((((((((((((((((   Files Created from 2008-03-07 to 2008-04-07  )))))))))))))))))))))))))))))))
.
 
2008-04-06 20:31 . 2008-04-06 20:31  <DIR>  d--------  C:\Program Files\Trend Micro
2008-04-06 11:29 . 2008-04-06 11:29  <DIR>  d--------  C:\Documents and Settings\Aze\Application Data\SUPERAntiSpyware.com
2008-04-06 09:27 . 2008-04-06 09:27  <DIR>  d--------  C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-04-06 09:26 . 2008-04-06 09:26  <DIR>  d--------  C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 09:26 . 2008-04-06 09:26  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 23:14 . 2008-04-06 11:33  4,954  --a------  C:\WINDOWS\system32\tmp.reg
2008-04-05 22:04 . 2008-04-05 22:04  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 22:03 . 2008-04-06 09:04  <DIR>  d--------  C:\Program Files\SUPERAntiSpyware
2008-04-05 22:03 . 2008-04-05 22:03  <DIR>  d--------  C:\Documents and Settings\Mike\Application Data\SUPERAntiSpyware.com
2008-04-05 21:25 . 2008-04-05 21:25  <DIR>  d--------  C:\Documents and Settings\Aze\Application Data\PC Tools
2008-04-05 21:25 . 2008-04-05 21:25  651,776  --a------  C:\WINDOWS\is-JSHEP.exe
2008-04-05 21:25 . 2008-04-05 21:25  370  --a------  C:\WINDOWS\is-JSHEP.lst
2008-04-05 20:45 . 2008-04-05 20:45  202,752  --a------  C:\WINDOWS\cndr32a.dll
2008-04-05 20:45 . 2008-04-05 20:45  47  --a------  C:\smp.bat
2008-03-31 16:50 . 2008-03-31 16:50  <DIR>  d--------  C:\Program Files\Common Files\WinCHM
2008-03-31 16:50 . 2000-11-21 11:35  837,904  --a------  C:\WINDOWS\system32\Hha.dll
2008-03-31 16:50 . 2003-10-08 07:38  154,352  --a------  C:\WINDOWS\system32\Itcc.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 00:00  ---------  d-----w  C:\Program Files\Mozilla Thunderbird
2008-04-06 16:08  ---------  d-----w  C:\Program Files\Yahoo!
2008-04-06 16:08  ---------  d-----w  C:\Program Files\videofixer
2008-04-06 02:03  ---------  d-----w  C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 02:02  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\avg7
2008-04-06 01:25  ---------  d-----w  C:\Program Files\Spyware Doctor
2008-04-04 00:15  ---------  d-----w  C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-04-03 18:13  ---------  d-----w  C:\Documents and Settings\Aze\Application Data\Image Zone Express
2008-04-02 22:50  ---------  d-----w  C:\Documents and Settings\Aze\Application Data\Skype
2008-03-16 01:29  ---------  d-----w  C:\Program Files\SopCast
2008-03-09 18:32  ---------  d-----w  C:\Documents and Settings\Mike\Application Data\Image Zone Express
2008-03-02 04:07  ---------  d-----w  C:\Documents and Settings\Mike\Application Data\Skype
2008-02-23 14:24  ---------  d-----w  C:\Program Files\XP Codec Pack
2008-02-21 13:11  ---------  d-----w  C:\Documents and Settings\Aze\Application Data\AVG7
2008-02-21 13:00  ---------  d-----w  C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-11 15:18  ---------  d-----w  C:\Documents and Settings\Aze\Application Data\GetRightToGo
2008-02-11 15:17  ---------  d-----w  C:\Documents and Settings\Aze\Application Data\NJStar
2008-02-08 02:06  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-02-08 02:06  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Transparent
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38E4618F-E3E4-42E9-925F-6B02C798BD94}]
2008-04-05 20:45  202752  --a------  C:\WINDOWS\cndr32a.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2004-02-04 06:39 32768]
"ATnotes.exe"="C:\Program Files\ATnotes\ATnotes.exe" [2005-01-05 03:45 1015808]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 22:28 68856]
"lieshtm"="C:\DOCUME~1\Mike\APPLIC~1\TRUSTF~1\dart idle more.exe" [ ]
"Chikka"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\\ChikkaLauncher.exe" [2007-08-28 18:11 36864]
"ChikkaDefault"="C:\Program Files\Chikka Messenger\Chikka v.4\\ChikkaLauncher.exe" [2007-08-28 18:11 36864]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-06 09:04 1481968]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [2005-06-12 15:52 94208 C:\WINDOWS\system32\tp4serv.exe]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 00:43 94208]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-22 14:11 217088]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-19 13:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-19 13:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-19 13:38 208896]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 04:08 86016]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-11-01 21:03 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-01 20:59 126976]
"TP4EX"="tp4ex.exe" [2004-11-11 13:07 40960 C:\WINDOWS\system32\TP4EX.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 06:39 897024]
"TPKBDLED"="C:\WINDOWS\System32\TpScrLk.exe" [2002-10-08 10:28 40960]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-03-31 22:52 1368064]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-05 20:27 860160]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-28 09:38 208953]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 00:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 09:39 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.e