
Many Pop Ups, And Desktop Icons Will Disappear Suddenly


3 replies to this topic

#1 livi

livi

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 31 July 2007 - 02:42 PM

Hello!
I have followed your Preparation Guide, done all the scans it suggests (some more than once), I have Windows firewall, and am running Windows XP. I am still getting excessive pop-ups; many are pushing antivirus software, and occasionally my desktop will be my screensaver only: no icons, start, nothing.

I would appreciate any help you can offer. Thanks so much in advance!!

Following is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:11 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\tnwkwydo.dll",forkonce
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Autoup.lnk = C:\AutoUp\Autoup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Eliminator - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.adxgate.net
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DBISAM Database Server - DBSRVR (DBSRVR) - Unknown owner - C:\CCWIN\dbsrvr.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\end user\My Documents\My Pictures\Mom33.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\end user\My Documents\My Pictures\stairwaytoHeavenv.JPG
O24 - Desktop Component 10: (no name) - C:\Documents and Settings\end user\My Documents\plaid.html
O24 - Desktop Component 11: (no name) - C:\Documents and Settings\end user\My Documents\lily.html
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\end user\My Documents\daisy.html
O24 - Desktop Component 13: (no name) - C:\Documents and Settings\end user\My Documents\baby.html
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\end user\My Documents\two.html
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\end user\My Documents\bd.html
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\end user\My Documents\grpa.html
O24 - Desktop Component 6: (no name) - C:\Documents and Settings\end user\My Documents\job.html
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\end user\My Documents\sue.html
O24 - Desktop Component 8: (no name) - C:\Documents and Settings\end user\My Documents\april.html
O24 - Desktop Component 9: (no name) - C:\Documents and Settings\end user\My Documents\august.html.html

--
End of file - 10278 bytes


Thanks again,
Livi
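The log above is the kind of thing a helper reads by eye: O15 Trusted Zone additions, an O4 Run entry that starts rundll32 with an eight-letter DLL in system32, and O9/O23 entries whose files are already gone. The following is an added example for this thread, not code from BleepingComputer, Trend Micro or HijackThis: a small Python triage helper that applies those same checks to log lines. The section choices, the severity labels and the "eight lowercase letters" name heuristic are assumptions; the sample lines are constructed from the shapes in the log above.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not a BleepingComputer, Trend Micro or
HijackThis tool. The heuristics below (which sections to flag, what counts
as a random-looking DLL name) are assumptions, not rules of the log format.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the thread's HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\tnwkwydo.dll",forkonce
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# rundll32[.exe] "<dll>",<export>   (quotes around the DLL path are optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
# Heuristic (assumption): eight lowercase letters and nothing else is the
# naming style of the DLLs that keep reappearing in this thread's logs.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


@dataclass
class Finding:
    section: str
    severity: str  # "suspicious" or "review"
    reason: str
    line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O15":
        # A site in the IE Trusted Zone runs with relaxed zone restrictions;
        # users rarely add such entries themselves.
        return Finding(section, "suspicious", "domain added to IE Trusted Zone", line)
    if section == "O4":
        r = RUNDLL_RE.search(body)
        if r:
            dll = basename(r.group("dll"))
            if RANDOM_NAME_RE.match(dll):
                return Finding(section, "suspicious",
                               f"rundll32 autorun loads random-looking {dll} "
                               f"via export {r.group('export')}", line)
            return Finding(section, "review", "rundll32 autorun entry", line)
    if "(file missing)" in body or "(no file)" in body:
        # Orphaned entries are harmless on their own but show what was
        # installed and are normally cleaned up with the rest.
        return Finding(section, "review", "entry points at a file that no longer exists", line)
    return None


def triage(log_text: str):
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section}: {f.reason}")
```

Run it on the constructed sample and it reports three suspicious lines (the rundll32 entry and the two Trusted Zone entries) and two entries to review (the missing WeatherBug and STOPzilla files); the regular jusched.exe autorun and the Google start page produce nothing.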


#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 02 August 2007 - 11:57 AM

livi

Please download Combofix and save to your desktop.
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
Thanks
Microsoft MVP - Windows Security

#3 livi

livi
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 03 August 2007 - 10:07 AM

Hi! Thanks for your help!! Here is the Combofix log:

ComboFix 07-08-03.5 - "end user" 2007-08-03 9:22:00.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ENDUSE~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\779BW3B4\www.broadcaster.com
C:\DOCUME~1\ENDUSE~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\779BW3B4\www.broadcaster.com\played_list.sol
C:\DOCUME~1\ENDUSE~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\779BW3B4\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\ENDUSE~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\ENDUSE~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\DOWNLO~1.\Workspace
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\awtqnkk.dll
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\cvcamynj.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\llwowqle.dll
C:\WINDOWS\system32\mljgefc.dll
C:\WINDOWS\system32\vmss
C:\WINDOWS\system32\yayxwur.dll


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-03 09:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 09:15 125,504 --a------ C:\WINDOWS\system32\vnkrslgu.dll
2007-08-03 08:14 125,504 --a------ C:\WINDOWS\system32\ifhbclqe.dll
2007-08-02 14:28 125,504 --a------ C:\WINDOWS\system32\fxnitqix.dll
2007-08-01 13:24 125,504 --a------ C:\WINDOWS\system32\enhtviuo.dll
2007-08-01 10:34 125,504 --a------ C:\WINDOWS\system32\moekrbgk.dll
2007-08-01 10:00 125,504 --a------ C:\WINDOWS\system32\rcnxhgju.dll
2007-08-01 09:28 125,504 --a------ C:\WINDOWS\system32\rxrdvieh.dll
2007-08-01 09:16 125,504 --a------ C:\WINDOWS\system32\xebixkbl.dll
2007-07-31 15:38 125,504 --a------ C:\WINDOWS\system32\gdaaclyt.dll
2007-07-31 15:06 125,504 --a------ C:\WINDOWS\system32\ghxwqkpl.dll
2007-07-31 14:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-31 14:29 125,504 --a------ C:\WINDOWS\system32\tnwkwydo.dll
2007-07-31 11:53 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-31 11:53 <DIR> d-------- C:\DOCUME~1\ENDUSE~1\.housecall6.6
2007-07-31 09:29 125,504 --a------ C:\WINDOWS\system32\jkdcxvhm.dll
2007-07-30 13:58 125,504 --a------ C:\WINDOWS\system32\mwqfcxbi.dll
2007-07-30 13:34 125,504 --a------ C:\WINDOWS\system32\hqcvflxc.dll
2007-07-30 13:09 125,504 --a------ C:\WINDOWS\system32\dwsaiwqw.dll
2007-07-30 12:40 125,504 --a------ C:\WINDOWS\system32\jalbmnxd.dll
2007-07-30 10:45 126,016 --a------ C:\WINDOWS\system32\vhwjnjwk.dll
2007-07-24 09:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 18:05 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-28 16:04 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-28 16:04 --------- d-------- C:\Program Files\Mag-Tek
2007-06-28 15:48 --------- d-------- C:\Program Files\Common Files\logishrd
2007-06-28 15:47 --------- d-------- C:\Program Files\Logitech
2007-06-26 18:00 --------- d-------- C:\Program Files\QuickTime
2007-06-26 17:57 --------- d-------- C:\Program Files\pdf995
2007-06-26 17:56 --------- d-------- C:\Program Files\omniformat
2007-06-26 17:50 --------- d-------- C:\Program Files\BigFix
2007-06-26 17:42 --------- d-------- C:\Program Files\eBay
2007-06-26 17:42 --------- d-------- C:\DOCUME~1\ENDUSE~1\APPLIC~1\Yahoo!
2007-06-26 17:39 --------- d-------- C:\Program Files\Skype
2007-06-26 17:38 --------- d-------- C:\Program Files\NoteTab Light
2007-06-26 17:37 --------- d--h----- C:\DOCUME~1\ENDUSE~1\APPLIC~1\Move Networks
2007-06-26 17:35 --------- d-------- C:\Program Files\Flock
2007-06-26 17:35 --------- d-------- C:\DOCUME~1\ENDUSE~1\APPLIC~1\Flock
2007-06-26 17:34 --------- d-------- C:\Program Files\GenSmarts
2007-06-18 17:56 --------- d-------- C:\DOCUME~1\ENDUSE~1\APPLIC~1\Skype
2007-06-13 03:12 --------- d-------- C:\Program Files\Norton AntiVirus
2007-06-06 12:03 1728 --a------ C:\WINDOWS\system32\har31qwDKS.dll
2007-06-06 11:41 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2007-06-06 11:41 249856 --a------ C:\WINDOWS\system32\pdfmona.dll
2007-05-17 10:25 323624 --a------ C:\WINDOWS\system32\wiaaut.dll
2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-09 21:51 490272 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-05-09 21:51 465696 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-05-09 21:48 416544 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-05-09 21:48 195360 --a------ C:\WINDOWS\system32\lvci1100.dll
2007-05-09 20:37 15558 --a------ C:\WINDOWS\system32\Repository.reg
2007-05-04 07:29 3058688 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2005-01-29 12:21 2084888 --a------ C:\Program Files\reglite.exe
2004-01-27 14:23 3149 --a------ C:\Program Files\Common Files\remove_tools.html


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\end user\My Documents\My Pictures\Mom33.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\end user\My Documents\My Pictures\stairwaytoHeavenv.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\10]
Source= C:\Documents and Settings\end user\My Documents\plaid.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\11]
Source= C:\Documents and Settings\end user\My Documents\lily.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\12]
Source= C:\Documents and Settings\end user\My Documents\daisy.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\13]
Source= C:\Documents and Settings\end user\My Documents\baby.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= C:\Documents and Settings\end user\My Documents\two.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\Documents and Settings\end user\My Documents\bd.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\end user\My Documents\grpa.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\6]
Source= C:\Documents and Settings\end user\My Documents\job.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\end user\My Documents\sue.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\8]
Source= C:\Documents and Settings\end user\My Documents\april.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\9]
Source= C:\Documents and Settings\end user\My Documents\august.html.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.0.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^end user^Start Menu^Programs^Startup^AbsoluteShield Internet Eraser.lnk]
path=C:\Documents and Settings\end user\Start Menu\Programs\Startup\AbsoluteShield Internet Eraser.lnk
backup=C:\WINDOWS\pss\AbsoluteShield Internet Eraser.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]
Dit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop up Blocker]
"C:\Program Files\Pop up Blocker\pd.exe" Minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopupEliminator]
C:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator TRIAL.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware-Cop]
"C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\jalbmnxd.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=2 (0x2)

R3 Mtlmnt5;Mtlmnt5;C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
R3 PID_PEPI;Logitech QuickCam IM(PID_PEPI);C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
R3 Slntamr;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\slntamr.sys
R3 SlWdmSup;SlWdmSup;C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
S2 DBSRVR;DBISAM Database Server - DBSRVR;C:\CCWIN\dbsrvr.exe
S3 Mtlstrm;Mtlstrm;C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
S3 NtMtlFax;NtMtlFax;C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
S3 SlNtHal;SlNtHal;C:\WINDOWS\system32\DRIVERS\Slnthal.sys


Contents of the 'Scheduled Tasks' folder
2007-07-28 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - end user.job - C:\PROGRA~1\NORTON~2\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 09:36:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000136

scanning hidden files ...

C:\WINDOWS\SchedLgU.Txt:pnhae 11534 bytes executable
C:\WINDOWS\wiaservc.log:cjwih 10105 bytes executable
C:\WINDOWS\wiaservc.log:coaiev 11534 bytes executable
C:\WINDOWS\wiaservc.log:kunzk 10752 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

Completion time: 2007-08-03 9:39:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-03 09:38

--- E O F ---



I will be watching for your response. Thank you so much.
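Two patterns in the ComboFix log above are worth automating: the "Files Created" section lists the same 125,504-byte DLL dropped under a new random name every few hours for four days, and the catchme section reports executables hidden in NTFS alternate data streams (the `host:stream N bytes executable` lines). The following is an added example for this thread, not ComboFix, catchme or any BleepingComputer tool: Python that parses both line shapes and clusters random-named DLLs by folder and size. The line formats follow the log above; the clustering threshold and the name heuristic are assumptions, and the sample lines are a constructed subset of that log.

```python
"""Two checks on a ComboFix-style log: clusters of same-size, random-named
DLLs in the "Files Created" section, and executables hidden in NTFS
alternate data streams as reported by catchme.

Added example for this thread; it is not ComboFix, catchme or a
BleepingComputer tool. Line formats follow the log in the thread; the
clustering threshold and the name heuristic are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the shapes seen in the thread's ComboFix log.
SAMPLE_CREATED = r"""
2007-08-03 09:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 09:15 125,504 --a------ C:\WINDOWS\system32\vnkrslgu.dll
2007-08-03 08:14 125,504 --a------ C:\WINDOWS\system32\ifhbclqe.dll
2007-08-02 14:28 125,504 --a------ C:\WINDOWS\system32\fxnitqix.dll
2007-08-01 13:24 125,504 --a------ C:\WINDOWS\system32\enhtviuo.dll
2007-07-31 14:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-31 14:29 125,504 --a------ C:\WINDOWS\system32\tnwkwydo.dll
2007-07-31 11:53 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-30 10:45 126,016 --a------ C:\WINDOWS\system32\vhwjnjwk.dll
"""

SAMPLE_HIDDEN = r"""
C:\WINDOWS\SchedLgU.Txt:pnhae 11534 bytes executable
C:\WINDOWS\wiaservc.log:cjwih 10105 bytes executable
C:\WINDOWS\wiaservc.log:coaiev 11534 bytes executable
C:\WINDOWS\wiaservc.log:kunzk 10752 bytes executable
"""

CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+)$")
ADS_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^:]+):(?P<stream>\S+)\s+(?P<size>\d+) bytes executable$")
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")  # heuristic, an assumption


def parse_created(text):
    """Parse 'Files Created' lines into dicts; directories get size None."""
    out = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        folder, _, name = m["path"].replace("\\", "/").rpartition("/")
        out.append({"when": f"{m['date']} {m['time']}", "size": size,
                    "folder": folder.lower(), "name": name.lower()})
    return out


def random_dll_clusters(entries, min_count=3):
    """Group random-named DLLs by (folder, size); keep groups of min_count or more.

    A file re-dropped under a new name every few hours, always with the same
    size, is a strong sign of one component regenerating itself.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is not None and RANDOM_DLL_RE.match(e["name"]):
            groups[(e["folder"], e["size"])].append(e)
    return {key: sorted(v, key=lambda e: e["when"])
            for key, v in groups.items() if len(v) >= min_count}


def hidden_stream_executables(text):
    """Parse catchme 'hidden files' lines: host:stream N bytes executable."""
    found = []
    for line in text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            found.append({"host": m["path"], "stream": m["stream"], "size": int(m["size"])})
    return found


def summarize(created_text, hidden_text):
    clusters = random_dll_clusters(parse_created(created_text))
    streams = hidden_stream_executables(hidden_text)
    return {
        "clusters": [(folder, size, len(v)) for (folder, size), v in clusters.items()],
        "hidden_streams": len(streams),
        "hosts_with_streams": sorted({s["host"] for s in streams}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CREATED, SAMPLE_HIDDEN))
```

On the sample this yields one cluster (five 125,504-byte DLLs in system32) and four hidden streams on two host files; the lone 126,016-byte DLL stays below the threshold. In the full log above the same cluster runs to 17 names, and the two autorun records on the page point at two different members of it: the HijackThis O4 line at tnwkwydo.dll and the msconfig startupreg entry at jalbmnxd.dll, which is what you would expect when the file is renamed on every restart.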

#4 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 05 August 2007 - 08:04 PM

livi

Sorry for the delay in responding.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\vnkrslgu.dll
C:\WINDOWS\system32\ifhbclqe.dll
C:\WINDOWS\system32\fxnitqix.dll
C:\WINDOWS\system32\enhtviuo.dll
C:\WINDOWS\system32\moekrbgk.dll
C:\WINDOWS\system32\rcnxhgju.dll
C:\WINDOWS\system32\rxrdvieh.dll
C:\WINDOWS\system32\xebixkbl.dll
C:\WINDOWS\system32\gdaaclyt.dll
C:\WINDOWS\system32\ghxwqkpl.dll
C:\WINDOWS\system32\tnwkwydo.dll
C:\WINDOWS\system32\jkdcxvhm.dll
C:\WINDOWS\system32\mwqfcxbi.dll
C:\WINDOWS\system32\hqcvflxc.dll
C:\WINDOWS\system32\dwsaiwqw.dll
C:\WINDOWS\system32\jalbmnxd.dll
C:\WINDOWS\system32\vhwjnjwk.dll
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe

Folder::
C:\PROGRA~1\Spyware-Cop
C:\PROGRA~1\AWS

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware-Cop]
Save the File as CFScript ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again. Do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security



