Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Popup Somes Internet Explorer Brower


  • This topic is locked This topic is locked
9 replies to this topic

#1 Hien Bui

Hien Bui

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:07 PM

Posted 10 August 2007 - 02:58 PM

Hi all
I really need help to get out of this problem
my computer sometime it popup somes internet explorer brower, i have scan with some software but it found nothing
here is my log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:03 PM, on 8/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRAR\mecery22011.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IDMan.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.231.47.17:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: 0 - {C599AB1A-18C1-4E9B-638F-E37AE3AB6A5E} - C:\Program Files\InstallShield Installation Information\quga.dll (file missing)
O2 - BHO: (no name) - {CC330CDA-104C-42ED-9A0F-49B8C98B0FDB} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mecery] C:\Program Files\WinRAR\mecery22011.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [IDMan] C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IDMan.exe /onboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Download All Links with IDM - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130210285653
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/...ntInstaller.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtutrsr - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\InstallShield Installation Information\rtepre.html

--
End of file - 7667 bytes

Thank you very much for your help

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 10 August 2007 - 04:49 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Hien Bui :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

You are using Download Accelerator Plus - DAP.
Be informed that it delivers popup/popunder ads,and tracks your internet usage.
You can find safer alternatives here:
http://www.spywareinfo.com/downloads.php?cat=dlman#dlman
I strongly suggest you remove this program.
If you agree, go to Start > Control Panel > Add/Remove Programs and remove 'Download Accelerator Plus' if present,then reboot.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 Hien Bui

Hien Bui
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:07 PM

Posted 11 August 2007 - 12:25 AM

Thank you very much for your help, here is my ComboFix.txt infor

ComboFix 07-08-10.8 - "Kientran" 2007-08-10 15:15:11.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1201 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Kientran\APPLIC~1.\asembl~1
C:\Program Files\InstallShield Installation Information\rtepre.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\A1\kq22011.exe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\configs
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\win
C:\WINDOWS\system32\win\w7q.exe
C:\WINDOWS\system32\X2
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\tk58.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-10 15:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 15:07 <DIR> d-------- C:\VundoFix Backups
2007-08-10 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-10 13:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-10 13:21 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\SUPERAntiSpyware.com
2007-08-10 13:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-10 11:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-10 11:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-10 10:44 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\IDM
2007-08-10 10:38 <DIR> d-------- C:\Temp
2007-08-10 10:06 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\Apple Computer
2007-08-10 07:14 <DIR> d-------- C:\Program Files\QuickTime
2007-08-10 07:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-10 07:08 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-10 07:08 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-08-10 07:08 <DIR> d-------- C:\Program Files\SanDisk
2007-08-10 07:08 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-08-07 18:23 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\U3
2007-07-29 16:55 202,424 --a------ C:\WINDOWS\system32\idmmbc.dll
2007-07-14 14:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-10 15:16 6440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-10 15:16 5152 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-10 15:16 3644 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-10 15:16 166688 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-06 14:52 --------- d-------- C:\Program Files\XoftSpySE
2007-07-04 14:19 82258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-04 14:19 82258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-05-28 16:58 206352 --a------ C:\WINDOWS\system32\klogon.dll
2006-12-16 17:54 81920 --a------ C:\DOCUME~1\Kientran\APPLIC~1\ezpinst.exe
2006-12-16 17:54 47360 --a------ C:\DOCUME~1\Kientran\APPLIC~1\pcouffin.sys
2005-05-12 03:34 76 --ah----- C:\Program Files\Desktop.ini
2005-06-02 20:26:48 14 --sh--w C:\WINDOWS\dpwtpdxp.dll
2005-06-07 18:37:10 21 --sh--w C:\WINDOWS\dpwtddxp.dll
2007-01-21 22:17:24 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-06-07 18:37:08 12 --sh--w C:\WINDOWS\system32\spwtpaxp.dll
2005-06-02 20:26:48 14 --sh--w C:\WINDOWS\system32\dpwtpaxp.dll
2005-06-02 20:26:48 21 --sh--w C:\WINDOWS\system32\dpwtdaxp.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C599AB1A-18C1-4E9B-638F-E37AE3AB6A5E}]
C:\Program Files\InstallShield Installation Information\quga.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC330CDA-104C-42ED-9A0F-49B8C98B0FDB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-10 07:22]
"mecery"="C:\Program Files\WinRAR\mecery22011.exe" [2007-08-07 15:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2004-10-04 11:35]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2005-04-28 11:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-09-16 19:44:55]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2004-09-29 20:12:49]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-04-15 00:12:20]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\InstallShield Installation Information\rtepre.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutrsr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\Cinemsup.sys
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\System32\drivers\PQNTDrv.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R2 Sentinel;Sentinel;C:\WINDOWS\System32\Drivers\SENTINEL.SYS
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys
R3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\atineuxx.sys
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\System32\DRIVERS\atinraxx.sys
R3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\System32\DRIVERS\atinesxx.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys
R3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\System32\DRIVERS\atinpdxx.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\System32\drivers\SMPLSCSI.SYS
S2 WinDriver;WinDriver;C:\WINDOWS\System32\drivers\windrvr.sys
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\System32\Drivers\Icam3.sys
S3 iComp;Hauppauge WinTV PVR USB2 Encoder;C:\WINDOWS\System32\DRIVERS\HCWUSB2.sys
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\System32\DRIVERS\scsiscan.sys
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service;C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


Contents of the 'Scheduled Tasks' folder
2007-08-07 10:56:34 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-10 20:17:40 C:\WINDOWS\Tasks\XoftSpySE 2.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 15:17:51
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 15:18:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 15:18

--- E O F ---

#4 Hien Bui

Hien Bui
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:07 PM

Posted 11 August 2007 - 12:29 AM

One more thing is i used Download Accelerator Plus - DAP for a long time already, and it's a register program (never popup/popunder ads or whatever before) My computer start poping up ads just today when i visit one website
due to Logfile of Trend Micro HijackThis v2.0.2

this line C:\Program Files\WinRAR\mecery22011.exe, the process mecery2201.exe is never runing before (when i open the task manager) but today when i open my task manager is see this proccess is running whenever i start my computer.
Here is my new HijackThis log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:13 AM, on 8/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRAR\mecery22011.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.231.47.17:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: 0 - {C599AB1A-18C1-4E9B-638F-E37AE3AB6A5E} - C:\Program Files\InstallShield Installation Information\quga.dll (file missing)
O2 - BHO: (no name) - {CC330CDA-104C-42ED-9A0F-49B8C98B0FDB} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mecery] C:\Program Files\WinRAR\mecery22011.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Download All Links with IDM - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130210285653
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/...ntInstaller.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtutrsr - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\InstallShield Installation Information\rtepre.html

--
End of file - 7292 bytes

Edited by Hien Bui, 11 August 2007 - 12:39 AM.


#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 11 August 2007 - 04:19 AM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\Program Files\WinRAR\mecery22011.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C599AB1A-18C1-4E9B-638F-E37AE3AB6A5E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC330CDA-104C-42ED-9A0F-49B8C98B0FDB}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutrsr]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mecery"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Let me know how your pc is running now.
Posted Image
Posted Image

#6 Hien Bui

Hien Bui
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:07 PM

Posted 11 August 2007 - 06:45 AM

Thank You for your help
Could you please explain more details of my log file, because i want to learn more for next time
here is my fog file
ComboFix 07-08-10.8 - "Kientran" 2007-08-11 6:39:19.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1174 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Kientran\Desktop\CFScript.txt

FILE::
C:\Program Files\WinRAR\mecery22011.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\WinRAR\mecery22011.exe


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 02:35 1,612 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-10 15:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-10 15:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-10 13:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-10 13:21 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\SUPERAntiSpyware.com
2007-08-10 13:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-10 11:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-10 11:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-10 10:44 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\IDM
2007-08-10 10:06 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\Apple Computer
2007-08-10 07:14 <DIR> d-------- C:\Program Files\QuickTime
2007-08-10 07:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-10 07:08 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-10 07:08 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-08-10 07:08 <DIR> d-------- C:\Program Files\SanDisk
2007-08-10 07:08 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-08-07 18:23 <DIR> d-------- C:\DOCUME~1\Kientran\APPLIC~1\U3
2007-07-29 16:55 202,424 --a------ C:\WINDOWS\system32\idmmbc.dll
2007-07-14 14:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 03:38 6464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-11 03:38 5152 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-11 03:38 3644 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-11 03:38 168480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-06 14:52 --------- d-------- C:\Program Files\XoftSpySE
2007-07-04 14:19 82258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-04 14:19 82258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-05-28 16:58 206352 --a------ C:\WINDOWS\system32\klogon.dll
2006-12-16 17:54 81920 --a------ C:\DOCUME~1\Kientran\APPLIC~1\ezpinst.exe
2006-12-16 17:54 47360 --a------ C:\DOCUME~1\Kientran\APPLIC~1\pcouffin.sys
2005-05-12 03:34 76 --ah----- C:\Program Files\Desktop.ini
2005-06-02 20:26:48 14 --sh--w C:\WINDOWS\dpwtpdxp.dll
2005-06-07 18:37:10 21 --sh--w C:\WINDOWS\dpwtddxp.dll
2007-01-21 22:17:24 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-06-07 18:37:08 12 --sh--w C:\WINDOWS\system32\spwtpaxp.dll
2005-06-02 20:26:48 14 --sh--w C:\WINDOWS\system32\dpwtpaxp.dll
2005-06-02 20:26:48 21 --sh--w C:\WINDOWS\system32\dpwtdaxp.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-10 07:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2004-10-04 11:35]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2005-04-28 11:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-09-16 19:44:55]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2004-09-29 20:12:49]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-04-15 00:12:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\Cinemsup.sys
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\System32\drivers\PQNTDrv.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R2 Sentinel;Sentinel;C:\WINDOWS\System32\Drivers\SENTINEL.SYS
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys
R3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\atineuxx.sys
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\System32\DRIVERS\atinraxx.sys
R3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\System32\DRIVERS\atinesxx.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys
R3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\System32\DRIVERS\atinpdxx.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\System32\drivers\SMPLSCSI.SYS
S2 WinDriver;WinDriver;C:\WINDOWS\System32\drivers\windrvr.sys
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\System32\Drivers\Icam3.sys
S3 iComp;Hauppauge WinTV PVR USB2 Encoder;C:\WINDOWS\System32\DRIVERS\HCWUSB2.sys
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\System32\DRIVERS\scsiscan.sys
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service;C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 06:39:54
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 6:40:23
C:\ComboFix-quarantined-files.txt ... 2007-08-11 06:40

--- E O F ---


HijackThis log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:19 AM, on 8/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.231.47.17:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IDMIECC.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130210285653
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/...ntInstaller.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 6692 bytes

Edited by Hien Bui, 11 August 2007 - 06:46 AM.


#7 Hien Bui

Hien Bui
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:07 PM

Posted 11 August 2007 - 06:57 AM

After i reboot my computer (i reboot myseft, the program not ask me for a reboot) i don't see "mecery22011.exe" process is runing, so i think my computer is okies now. So any thing i can do to make sure my computer is out of adware or anything ?
One again thank you for your help
so, now i can delete combofix and anything related to combofix right? how can i remove them
Thanks

Edited by Hien Bui, 11 August 2007 - 06:59 AM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 11 August 2007 - 07:02 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\DOCUME~1\Kientran\LOCALS~1\Temp\RarSFX1\IDMIECC.dll (file missing)

Your log is clean :thumbsup:
If all's ok,please do the following.

Find and delete:
Combofix.exe
C:\QOOBOX
C:\VundoFix Backups

Download Ccleaner to clear your temporary files.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
Uncheck "Cookies" under "Internet Explorer".
If you are running Firefox: , then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click Run Cleaner to run the program.
Caution : It is not recommended to use the 'Issues' tab as it is known to find legitimate items.
After it has completed it's process, click Exit.

----------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

----------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#9 Hien Bui

Hien Bui
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:07 PM

Posted 11 August 2007 - 10:28 PM

Thank you very much for your help i think my pc is okies for now

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 12 August 2007 - 04:56 AM

You're welcome.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users