
Any Information Is Appreciated-need Help


8 replies to this topic

#1 CARE101

CARE101

  • Members
  • 7 posts
  • Gender:Female
  • Location:Florida

Posted 28 July 2007 - 07:07 PM

Any ideas of how or where to go to get a HijackThis log looked at and advice. I have removed a malware or several and they keep coming back? Any advice would be appreciated- as a new business I really need help and will be glad to help anyone I could in return with any real estate issues?? I attached it below- from HijackThis.

Thank you so much!!

CARE101

Attached Files




#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 July 2007 - 05:29 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum CARE101 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

I don't see anything at all malicious in your log, let's try the following:

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

-----------------------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

----------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.

*Note*
Post all replies directly into this topic, not as attachments, thanks.

#3 CARE101

CARE101
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Female
  • Location:Florida

Posted 29 July 2007 - 09:53 AM

Bless you Richie!! I am here if you ever need anything too.

I have attached both logs and you should know that while the scans were running- Spybot detected 8 or 9 attempts to change my registry- during both scans.

Whatever this is- I get infected files and exe files that say as an example- KillWind.exe or HPSummer2005.exe and many more- shell ext. I have seen many trojans. I had a paid deal with Trend Micro and it did not even detect them- then tried every scanner and trial you can think of- none worked- Kaspersky detected a few and I found the file and deleted. I have done a complete system recovery 3 times and this keeps coming back- I used to see the files on HijackThis but it is like the trojan or whatever is learning or I have not found it and it continues to open the door for more nasty things.

Is it true that the anti virus makers create these mean things?

I await your reply!

Attached Files



#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 July 2007 - 10:11 AM

KillWind.exe and HPSummer2005.exe are both legitimate files, nothing at all to be concerned about.
Your HijackThis log is clean, as is Combofix.txt.
How's your PC running, any problems?

#5 CARE101

CARE101
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Female
  • Location:Florida

Posted 06 August 2007 - 09:42 AM

Hi RichieUK,

I wanted to wait a bit and see what happens- the screen still gets little static looking things going on as before when something was changing my registry and it is getting slower and slower again. I am still concerned, my computer was fast before as I have a 16 meg connection. Any thoughts??

CARE101

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 06 August 2007 - 02:04 PM

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Also post a new HijackThis log.

Please don't post any more replies as attachments.
Copy then paste all reports/logs directly into the body of this topic.

#7 CARE101

CARE101
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Female
  • Location:Florida

Posted 10 August 2007 - 10:08 AM

You can hear a little noise like chomp chomp- trojan deleting files?? AVG just found and healed Generic5.PIO, I know there is something else here- I hear it and no I am not crazy. HA HA

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48, on 2007-08-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8309 bytes


combofix=


ComboFix 07-07-28.5 - "Owner" 2007-08-10 10:44:35.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-08 21:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Roxio
2007-08-08 21:05 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-08 13:04 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Template
2007-08-07 23:41 <DIR> d-------- C:\Program Files\FastStone Photo Resizer
2007-08-07 23:31 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-07-31 22:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-07-29 10:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 12:01 202 --a------ C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-07-26 10:27 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\OfficeUpdate12
2007-07-25 22:31 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-25 20:23 <DIR> d-------- C:\Program Files\Citrix
2007-07-25 20:22 56,912 --a------ C:\DOCUME~1\Owner\g2mdlhlpx.exe
2007-07-25 19:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-25 19:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-24 07:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-07-24 07:54 <DIR> d-------- C:\Program Files\QuickTime
2007-07-24 07:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-24 07:53 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-24 07:52 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-24 07:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-22 18:28 <DIR> dr------- C:\DOCUME~1\Owner\APPLIC~1\Brother
2007-07-22 11:46 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-07-22 11:46 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-22 11:46 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-21 20:12 <DIR> d-------- C:\Program Files\IPIX
2007-07-21 20:12 <DIR> d-------- C:\Program Files\Common Files\IPIX
2007-07-21 09:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-19 21:10 <DIR> d-------- C:\Program Files\TweakNow PowerPack 2006
2007-07-19 10:10 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ScanSoft
2007-07-19 09:54 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2007-07-19 09:54 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2007-07-18 21:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ieSpell
2007-07-18 21:27 <DIR> d-------- C:\Program Files\ieSpell
2007-07-18 18:39 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-07-18 18:25 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-18 18:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-18 18:24 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-18 18:24 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-18 18:24 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-18 18:24 141,527,072 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-18 18:24 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-18 18:24 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-18 18:24 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-18 18:24 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-18 18:23 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-18 17:40 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-18 17:34 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-07-18 17:33 81,920 --------- C:\WINDOWS\system32\BrWebIns.dll
2007-07-18 17:33 65,536 --------- C:\WINDOWS\system32\Brwebup.exe
2007-07-18 17:33 52,224 --a------ C:\WINDOWS\system32\BrNetSti.dll
2007-07-18 17:33 51,200 --------- C:\WINDOWS\system32\brinsstr.dll
2007-07-18 17:33 50 --a------ C:\WINDOWS\system32\BRIDF04A.dat
2007-07-18 17:33 33,792 --a------ C:\WINDOWS\system32\BrWiaNCp.dll
2007-07-18 17:33 31,232 --a------ C:\WINDOWS\system32\Brnsplg.dll
2007-07-18 17:33 176,128 --------- C:\WINDOWS\system32\Pdrvinst.dll
2007-07-18 17:33 155,648 --a------ C:\WINDOWS\system32\NSSearch.dll
2007-07-18 17:33 120,832 --a------ C:\WINDOWS\system32\BrWia04a.dll
2007-07-18 17:33 106,496 --a------ C:\WINDOWS\system32\BrMuSNMP.dll
2007-07-18 17:32 147,456 --a------ C:\WINDOWS\brunin03.dll
2007-07-18 17:32 126,976 --------- C:\WINDOWS\system32\BrfxD04a.dll
2007-07-18 17:32 0 --a------ C:\WINDOWS\brdfxspd.dat
2007-07-18 17:32 <DIR> d-------- C:\Program Files\Brother
2007-07-18 17:32 <DIR> d-------- C:\Brother
2007-07-18 17:30 <DIR> d-------- C:\Program Files\ScanSoft
2007-07-18 17:30 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2007-07-18 17:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
2007-07-18 17:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Brother
2007-07-18 17:05 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-18 16:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-07-18 16:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-07-18 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-18 16:00 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-18 16:00 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-07-18 15:59 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-18 15:58 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-18 15:56 <DIR> dr-h----- C:\MSOCache
2007-07-18 15:52 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-18 15:50 <DIR> d--hs---- C:\DOCUME~1\Owner\UserData
2007-07-18 14:54 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-18 14:42 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-07-18 14:42 <DIR> d-------- C:\Intel
2007-07-18 14:41 2,621,440 --ah----- C:\DOCUME~1\Owner\NTUSER.DAT
2007-07-18 14:41 <DIR> d-------- C:\DOCUME~1\Owner\WINDOWS
2007-07-18 14:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\You've Got Pictures Screensaver
2007-07-18 14:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SampleView
2007-07-18 14:40 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver
2007-07-18 14:40 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SampleView
2007-07-18 14:29 <DIR> d--hs---- C:\RECYCLER
2007-07-18 14:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-18 14:20 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-18 14:17 67,072 --a------ C:\WINDOWS\POWERCFG.EXE
2007-07-18 14:17 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-07-18 14:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-07-18 14:16 <DIR> d-------- C:\Program Files\MSN Encarta Plus
2007-07-18 14:16 <DIR> d-------- C:\Program Files\CyberLink
2007-07-18 14:15 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-07-18 14:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-07-18 14:15 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-07-18 14:15 61,440 --a------ C:\WINDOWS\system32\SFIDLOCK.dll
2007-07-18 14:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 16:39 444608 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-18 17:27 --------- d-------- C:\Program Files\Messenger
2007-07-18 13:40 --------- d-------- C:\Program Files\Windows NT
2007-07-18 13:39 --------- d-------- C:\Program Files\Movie Maker
2007-07-18 13:35 --------- d-------- C:\Program Files\Windows Plus
2007-07-18 13:35 --------- d-------- C:\Program Files\Online Services
2007-07-18 13:35 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-18 13:35 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-18 13:35 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-07-18 13:35 --------- d-------- C:\Program Files\Common Files\ODBC
2007-07-18 13:35 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"@"="" []
"CHotkey"="zHotkey.exe" [2005-05-03 17:02 C:\WINDOWS\zHotkey.exe]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 03:55]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-18 18:20]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2005-05-31 01:04]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2007-07-18 13:58:00]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2007-07-18 14:11:23]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-07-18 17:33:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 sfng32;Sonic Focus Plugin for Sigmatel HDA;C:\WINDOWS\system32\drivers\sfng32.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
R3 SunkFilt;Alcor Micro Corp Reader;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - WINDEFEND

Contents of the 'Scheduled Tasks' folder
2007-08-09 01:09:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 11:00:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 11:01:37
C:\ComboFix2.txt ... 2007-07-29 10:41

--- E O F ---


During the ComboFix run I had a Spybot change tell me:

category System Startup Global Entry
Value Deleted
entry ehTray
deleted c:\Windows\ehome\ehTray.exe

I have not said yes or no to allow that yet- what should I do??

This thing keeps coming back.

Thanks for your help. I am so tired of getting what I think is rid of this and then right back it is.
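
A note on reading a log like the HijackThis one posted above, added here as an example and not part of this thread or of HijackThis itself. HijackThis groups autostart points into numbered sections (O2 browser helper objects, O4 Run keys and Startup folder, O16 ActiveX downloads, O23 services), and the helper's verdict of "clean" comes from checking each listed file. The Python below parses those sections from a constructed subset of the posted log and lists the entries a reviewer would verify on disk by hand: Run entries that name a bare file such as zHotkey.exe rather than a full path (so the file that actually starts depends on the search path), a BHO shown as "(no name)", and ActiveX controls fetched from the web. The heuristics are my assumptions about what deserves a second look, not malware verdicts; everything they flag in this sample is benign, which matches the thread.

```python
"""Parse a HijackThis 2.x log into its autostart sections and list the entries
a reviewer should verify on disk. Added example for this thread, not part of
HijackThis or of any post; the heuristics are assumptions about what deserves
a second look, not malware verdicts (everything flagged below is benign)."""
import re

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HijackThis line formats; the O-numbers are its section codes.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")   # suffix HijackThis adds to HKUS entries
ABS_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)")   # drive letter, %VAR%, or UNC path
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|dll|sys|scr))(?:\s|$)", re.IGNORECASE)


def command_image(cmd):
    """Best-effort extraction of the program file from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_hijackthis(text):
    """Split a log into the running-process list and keyed autostart entries."""
    out = {"platform": None, "processes": [], "run": [], "startup": [],
           "bho": [], "dpf": [], "services": [], "other": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Platform:"):
            out["platform"] = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            if line:
                out["processes"].append(line)
            else:
                in_processes = False          # a blank line ends the process list
        elif (m := RUN_RE.match(line)):
            cmd, user = m["cmd"], None
            if (u := USER_RE.search(cmd)):
                cmd, user = cmd[:u.start()], u["user"]
            out["run"].append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                               "cmd": cmd, "image": command_image(cmd), "user": user})
        elif (m := STARTUP_RE.match(line)):
            out["startup"].append({"name": m["name"], "cmd": m["cmd"],
                                   "image": command_image(m["cmd"])})
        elif (m := BHO_RE.match(line)):
            out["bho"].append(m.groupdict())
        elif (m := DPF_RE.match(line)):
            out["dpf"].append(m.groupdict())
        elif (m := SVC_RE.match(line)):
            out["services"].append(m.groupdict())
        elif re.match(r"^[ORF]\d+ - ", line):
            out["other"].append(line)         # sections this parser does not model
    return out


def review_items(parsed):
    """Entries worth checking on disk: prompts for a human reviewer, not verdicts."""
    items = []
    for e in parsed["run"] + parsed["startup"]:
        if not ABS_RE.match(e["image"]):
            items.append(("O4", e["name"],
                          "no absolute path; which file actually runs depends on the search path"))
    for b in parsed["bho"]:
        if b["name"] == "(no name)":
            items.append(("O2", b["clsid"], "BHO without a display name, identify the DLL: " + b["path"]))
    for d in parsed["dpf"]:
        items.append(("O16", d["clsid"], "ActiveX control fetched from the web: " + d["url"]))
    for s in parsed["services"]:
        if s["vendor"] == "Unknown owner":    # HijackThis prints this when the binary has no company name
            items.append(("O23", s["display"], "service binary carries no company name: " + s["path"]))
    return items


if __name__ == "__main__":
    parsed = parse_hijackthis(SAMPLE_LOG)
    print(f"{parsed['platform']}: {len(parsed['run'])} Run entries, "
          f"{len(parsed['services'])} services, {len(parsed['bho'])} BHOs")
    for section, name, reason in review_items(parsed):
        print(f"[{section}] {name}: {reason}")
```

Run it on a saved hijackthis.log by reading the file into parse_hijackthis instead of SAMPLE_LOG. Because the parser keeps the Run entries as plain dictionaries, the same output from two logs taken a week apart (as the helper keeps asking for here) can be compared directly to see which autostart entries appeared or disappeared, which is exactly the change TeaTimer was prompting about for ehTray.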

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 10 August 2007 - 11:16 AM

During the ComboFix run I had a Spybot change tell me:

category System Startup Global Entry
Value Deleted
entry ehTray
deleted c:\Windows\ehome\ehTray.exe

I have not said yes or no to allow that yet- what should I do??

Reply 'No', don't delete it.

ehtray.exe is the tray bar process for the Microsoft Media Center.
It gives you easy access to the digital media manager.

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\Documents and Settings\Owner\g2mdlhlpx.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

---------------------------------------------------------

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control, please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new HijackThis log.
Let me know how your PC is running now.

#9 CARE101

CARE101
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Female
  • Location:Florida

Posted 10 August 2007 - 01:12 PM

After I said no to allowing the delete file- 10 other things came up that wanted to add or delete- shells, new winlogin, new search assistants, etc. I said no to all- this has been happening at least once per week.

I am doing as you say now.
