Privacy Protector, Error Cleaner, Spyware&malware Protection - Just Finished Using Sdfix.exe

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Privacy Protector, Error Cleaner, Spyware&malware Protection - Just Finished Using Sdfix.exe - Someone Let Me Know If I'm Alright?, Someone let me know if I'm alright now..

Options

Dingerz View Member Profile	Jul 15 2008, 05:48 AM Post #1
New Member Group: Members Posts: 11 Joined: 18-January 05 Member No.: 9,898	Alright, I posted earlier but now I found the real problem. I had malware installed on my computer and it was the Privacy Protector, Error Cleaner, Spyware&malware Protection problem. I just ran SD fix.exe and it found a lot but now that my computer is up, I am still getting the attack messages. I followed the instructions here: http://www.bleepingcomputer.com/forums/topic105116.html These are the results of my fix: SDFix: Version 1.205 Run by Administrator on Tue 07/15/2008 at 06:26 AM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Restoring Windows ProductId To Remove Fake Virus Alert Rebooting Checking Files : Trojan Files Found: C:\Documents and Settings\user\Desktop\Error Cleaner.url - Deleted C:\Documents and Settings\user\Favorites\Error Cleaner.url - Deleted C:\Documents and Settings\user\Desktop\Privacy Protector.url - Deleted C:\Documents and Settings\user\Favorites\Privacy Protector.url - Deleted C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url - Deleted C:\Documents and Settings\user\Favorites\Spyware&Malware Protection.url - Deleted C:\WINDOWS\system32\s.bat - Deleted C:\WINDOWS\EPEB.EXE - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-15 06:39:03 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Direct Connect\\Direct Connect.exe"="C:\\Program Files\\Direct Connect\\Direct Connect.exe::Enabled:File Sharing over TCP/IP" "C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe::Enabled:Trillian" "C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe"="C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe::Enabled:tor032" "C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp::Enabled:KazaaLite" "C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE::Disabled:LEXPPS.EXE" "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe::Disabled:RealPlayer" "C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe::Disabled:AOL Instant Messenger" "C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe::Enabled:DC++" "C:\\Documents and Settings\\user\\Desktop\\DCPlusPlus.exe"="C:\\Documents and Settings\\user\\Desktop\\DCPlusPlus.exe::Enabled:DC++" "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe::Enabled:BitTorrent" "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe::Enabled:btdownloadgui" "C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe::Enabled:BitLord" "C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe::Enabled:QuickTime Player" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe::Enabled:avginet.exe" "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe::Enabled:avgamsvr.exe" "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe::Enabled:avgcc.exe" "C:\\WINDOWS\\system32\\mphmjuvf.exe"="C:\\WINDOWS\\system32\\mph" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe::Enabled:iTunes" "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe::Enabled:avgupd.exe" "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe::Enabled:avgemc.exe" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Mon 12 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Sat 13 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp" Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp" Wed 11 Aug 2004 39,424 ...H. --- "C:\Documents and Settings\user\Application Data\Microsoft\Word\~WRL1042.tmp" Mon 12 Dec 2005 4,348 A..H. --- "C:\Documents and Settings\user\My Documents\My Music\iTunes\iTunes Music\License Backup\drmv1key.bak" Mon 12 Dec 2005 20 A..H. --- "C:\Documents and Settings\user\My Documents\My Music\iTunes\iTunes Music\License Backup\drmv1lic.bak" Mon 12 Dec 2005 400 A.SH. --- "C:\Documents and Settings\user\My Documents\My Music\iTunes\iTunes Music\License Backup\drmv2key.bak" Finished! Tara

Dingerz View Member Profile	Jul 15 2008, 06:03 AM Post #2
New Member Group: Members Posts: 11 Joined: 18-January 05 Member No.: 9,898	My ComboFix log: ComboFix 08-07-13.11 - user 2008-07-15 6:56:27.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.616 [GMT -4:00] Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\user\Application Data\inst.exe C:\Documents and Settings\user\Desktop\Error Cleaner.url C:\Documents and Settings\user\Desktop\Privacy Protector.url C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url C:\Documents and Settings\user\Favorites\Error Cleaner.url C:\Documents and Settings\user\Favorites\Privacy Protector.url C:\Documents and Settings\user\Favorites\Spyware&Malware Protection.url C:\WINDOWS\system32\mcrh.tmp . ((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 ))))))))))))))))))))))))))))))) . 2008-07-15 06:19 . 2008-07-15 06:20 <DIR> d-------- C:\WINDOWS\ERUNT 2008-07-15 06:18 . 2004-04-08 01:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust 2008-07-15 06:18 . 2008-07-15 06:18 <DIR> d-------- C:\Documents and Settings\Administrator 2008-07-15 06:10 . 2008-07-15 06:42 <DIR> d-------- C:\SDFix 2008-07-15 05:17 . 2008-07-15 05:17 <DIR> d-------- C:\Deckard 2008-07-15 03:36 . 2008-07-15 03:36 <DIR> d-------- C:\Program Files\Trend Micro 2008-07-15 00:41 . 2008-07-15 05:52 <DIR> d-------- C:\Program Files\Exterminate It! 2008-07-15 00:32 . 2008-07-14 18:43 516,096 --a------ C:\WINDOWS\kgxmotaptvw.dll 2008-07-15 00:32 . 2008-07-14 18:43 356,352 --a------ C:\WINDOWS\evgratsm.dll 2008-07-15 00:32 . 2008-07-14 18:43 311,296 --a------ C:\WINDOWS\kvxqmtre.dll 2008-07-15 00:32 . 2008-07-14 18:43 159,744 --a------ C:\WINDOWS\qndsfmao.dll 2008-07-02 13:00 . 2008-07-15 01:27 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-07-02 11:13 . 2008-07-15 05:58 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg 2008-07-02 11:13 . 2008-07-02 11:13 <DIR> d-------- C:\Documents and Settings\JaneGuy\Application Data\AVG7 2008-07-02 11:13 . 2008-07-02 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7 2008-07-02 11:13 . 2008-07-04 12:33 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-07-02 11:13 . 2008-07-04 12:34 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys 2008-07-02 11:13 . 2008-07-04 12:33 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-07-02 11:12 . 2008-07-15 04:44 <DIR> d-------- C:\Program Files\AVG 2008-07-02 11:12 . 2008-07-02 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-06-20 13:41 . 2008-06-20 13:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll 2008-06-20 06:44 . 2008-06-20 06:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys 2008-06-19 00:32 . 2008-06-19 00:32 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ableton 2008-06-19 00:32 . 2008-06-19 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ableton 2008-06-19 00:31 . 2008-06-19 00:31 <DIR> d-------- C:\Program Files\Ableton 2008-06-19 00:31 . 2007-09-03 14:03 368,640 --a------ C:\WINDOWS\system32\ReWire.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-15 09:58 --------- d-----w C:\Program Files\BitLord 2008-07-15 08:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-07-15 06:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-15 06:56 --------- d-----w C:\Program Files\Trillian 2008-07-15 06:52 --------- d-----w C:\Program Files\SpywareBlaster 2008-07-15 06:42 --------- d-----w C:\Program Files\DC++ 2008-07-11 02:42 --------- d-----w C:\Program Files\Lavasoft 2008-07-11 02:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-07-11 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-07-09 19:53 9,626 ----a-w C:\Documents and Settings\JaneGuy\Application Data\wklnhst.dat 2008-07-09 06:52 --------- d-----w C:\Program Files\Amazon 2008-07-02 17:00 --------- d-----w C:\Program Files\DIGStream 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-12 16:08 --------- d-----w C:\Documents and Settings\JaneGuy\Application Data\InterVideo 2008-06-07 15:42 52,228 ----a-w C:\Documents and Settings\user\Application Data\wklnhst.dat 2008-06-02 07:20 --------- d-----w C:\Documents and Settings\JaneGuy\Application Data\Search Settings 2008-06-02 06:22 --------- d-----w C:\Documents and Settings\user\Application Data\DivX 2008-06-02 03:32 --------- d-----w C:\Program Files\Dealio 2008-06-02 02:31 --------- d-----w C:\Documents and Settings\user\Application Data\Search Settings 2008-06-02 02:29 --------- d-----w C:\Program Files\Search Settings 2008-06-02 02:22 --------- d-----w C:\Program Files\The KMPlayer 2008-05-26 08:40 --------- d-----w C:\Documents and Settings\JaneGuy\Application Data\vlc 2008-05-24 02:48 --------- d-----w C:\Program Files\Google 2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2007-07-30 05:54 3,836,577 ----a-w C:\Program Files\DCPlusPlus-0.698.exe 2007-07-08 22:54 47,360 ----a-w C:\Documents and Settings\user\Application Data\pcouffin.sys 2005-12-12 03:05 79,952 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT 2005-05-31 06:56 2,576,384 ----a-w C:\Program Files\Transcoder.exe 2004-10-11 23:23 150 ---ha-w C:\Documents and Settings\user\hpothb07.dat 2004-10-01 19:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2005-01-01 05:38 4,402 --sha-w C:\WINDOWS\dblat.dat 2005-01-08 06:37 4,402 --sha-w C:\WINDOWS\zxwrv.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05721FB0-2C8D-41A1-BEF7-0957168A3502}] 2008-07-14 18:43 516096 --a------ C:\WINDOWS\kgxmotaptvw.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{9A3D91FB-FCF6-46A4-A0C2-B4865D8D05DC}"= "C:\WINDOWS\qndsfmao.dll" [2008-07-14 18:43 159744] [HKEY_CLASSES_ROOT\clsid\{9a3d91fb-fcf6-46a4-a0c2-b4865d8d05dc}] [HKEY_CLASSES_ROOT\qndsfmao.1] [HKEY_CLASSES_ROOT\TypeLib\{1CA3FDCA-2340-4DD0-80E3-68EC677CD140}] [HKEY_CLASSES_ROOT\qndsfmao] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 01:31 208952] "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 08:00 455168] "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 08:00 455168] "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 11:24 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 11:11 114688] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 15:30 335872] "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32 50688] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975] "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-07-12 05:58 1397760] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "SearchSettings"="C:\Program Files\Search Settings\SearchSettings.exe" [2008-02-06 17:47 1036640] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 12:34 1232152] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-04-08 01:39:00 114688] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "evgratsm"= {1B25B29D-4C71-4306-8DDD-4DA6FA910B99} - C:\WINDOWS\evgratsm.dll [2008-07-14 18:43 356352] "kvxqmtre"= {38D6D4BE-706C-493F-A42A-7CAD1794F3D4} - C:\WINDOWS\kvxqmtre.dll [2008-07-14 18:43 311296] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.ac3filter"= ac3filter.acm "vidc.hfyu"= huffyuv.dll "msacm.divxa32"= DivXa32.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 4.0.lnk backup=C:\WINDOWS\pss\eFax DllCmd 4.0.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 4.0.lnk backup=C:\WINDOWS\pss\eFax Tray Menu 4.0.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Finding Notes Easy.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Finding Notes Easy.lnk backup=C:\WINDOWS\pss\Finding Notes Easy.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] --a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices] --a------ 2005-05-19 13:55 101888 C:\Program Files\ESPNRunTime\DIGServices.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar] --------- 2004-04-21 10:26 86016 C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer] --a------ 2006-05-25 21:24 1003520 C:\Program Files\Real\RealPlayer\realplay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --------- 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] --a------ 2002-04-17 10:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] -ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ATI Smart"=2 (0x2) "Ati HotKey Poller"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "TapiSrv"=3 (0x3) "iPod Service"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Trillian\\trillian.exe"= "C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe"= "C:\\WINDOWS\\system32\\LEXPPS.EXE"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\AIM95\\aim.exe"= "C:\\Program Files\\DC++\\DCPlusPlus.exe"= "C:\\Program Files\\BitLord\\BitLord.exe"= "C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"= R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 12:33] R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 12:33] R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 12:33] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 12:34] R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-05-04 08:58] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a699bfe6-2c23-11dc-9fc9-806d6172696f}] \Shell\AutoRun\command - D:\AutoRun\Demo.exe . Contents of the 'Scheduled Tasks' folder "2008-07-02 00:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . - - - - ORPHANS REMOVED - - - - BHO-{0AEBF16C-963C-4CA2-8673-E4F0650D6DA9} - C:\WINDOWS\system32\pmkhg.dll HKCU-Run-PowerBar - (no file) MSConfigStartUp-DIGStream - C:\Program Files\DIGStream\digstream.exe MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe MSConfigStartUp-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-15 06:59:53 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run PowerBar = ????????????l?@?l?@?D?????A~??????????????A~l?@?l?@????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????\|x???0?????????????st??A~????????????????`8??????R???????l?@?l?@?????Q?B~????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-07-15 7:02:11 ComboFix-quarantined-files.txt 2008-07-15 11:01:52 Pre-Run: 67,084,783,616 bytes free Post-Run: 67,858,534,400 bytes free 217 --- E O F --- 2008-07-09 07:26:02 Tara

Dingerz View Member Profile	Jul 15 2008, 06:06 AM Post #3
New Member Group: Members Posts: 11 Joined: 18-January 05 Member No.: 9,898	I am STILL getting a popup saying my computer is compromised. The three icons for the privacy cleaner, error cleaner and spyware and malware are still on my desktop. Should I just delete them? My Hijack Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 07:05: VIRUS ALERT!, on 7/15/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Analog Devices\SoundMAX\smax4.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file) O2 - BHO: QXK Olive - {05721FB0-2C8D-41A1-BEF7-0957168A3502} - C:\WINDOWS\kgxmotaptvw.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll O3 - Toolbar: qndsfmao - {9A3D91FB-FCF6-46A4-A0C2-B4865D8D05DC} - C:\WINDOWS\qndsfmao.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.cogeco.ca/en/ols21/fscax.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab? O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...tupv2.0.0.9.cab? O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...upv2.0.0.10.cab? O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O21 - SSODL: evgratsm - {1B25B29D-4C71-4306-8DDD-4DA6FA910B99} - C:\WINDOWS\evgratsm.dll O21 - SSODL: kvxqmtre - {38D6D4BE-706C-493F-A42A-7CAD1794F3D4} - C:\WINDOWS\kvxqmtre.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 9166 bytes Tara This post has been edited by Dingerz: Jul 15 2008, 06:14 AM

Dingerz View Member Profile	Jul 15 2008, 10:54 AM Post #4
New Member Group: Members Posts: 11 Joined: 18-January 05 Member No.: 9,898	Someone help?? It's so bad.. I ran all that and it all came back. Tara

Thunder View Member Profile	Jul 16 2008, 03:58 AM Post #5
Forum Addict Group: HJT Team Posts: 2,096 Joined: 12-December 05 From: Belgium Member No.: 44,294	Hello Tara, Please do not open more than one thread for the same problem. Let's continue here : http://www.bleepingcomputer.com/forums/topic157807.html I'll close this topic. Greetings, Thunder -------------------- Whatever happens, make believe it was intended to ... ----------------------------------------------------------------------- - If I have helped you in any way, please consider a donation to help me continue the fight against malware. ----------------------------------------------------------------------- Stand Up & Be Counted --> <-- And make a difference

« Next Oldest · HijackThis Logs and Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 28th August 2008 - 01:39 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides