
Pop Up Pest


  • This topic is locked
13 replies to this topic

#1 slatey (Members, 17 posts)

Posted 12 August 2007 - 06:57 AM

Hi everyone, I have read the sticky and tried everything (Ad-Aware, Spybot, NOD32 and finally HijackThis). I hope someone can help. Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:58, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Windows Defender\MsMpEng.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\system32\spoolsv.exe
K:\WINDOWS\Explorer.EXE
K:\Program Files\Eset\nod32kui.exe
K:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
K:\Program Files\Windows Defender\MSASCui.exe
K:\WINDOWS\system32\rundll32.exe
K:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
K:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
K:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
K:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
K:\WINDOWS\CTHELPER.EXE
K:\Program Files\Microsoft ActiveSync\wcescomm.exe
K:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
K:\PROGRA~1\MICROS~2\rapimgr.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Azureus Installer\Azureus-Installer.exe
K:\Program Files\Registry Clean Expert\RCHelper.exe
K:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
K:\WINDOWS\system32\CTsvcCDA.EXE
K:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
K:\Program Files\Eset\nod32krn.exe
K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
K:\Program Files\CyberLink\Shared files\RichVideo.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\MsPMSPSv.exe
K:\Program Files\Raxco\PerfectDisk\PDEngine.exe
K:\Program Files\ATI Technologies\ATI.ACE\cli.exe
K:\Program Files\ATI Technologies\ATI.ACE\cli.exe
K:\WINDOWS\System32\svchost.exe
K:\Program Files\MSN Messenger\msnmsgr.exe
K:\Program Files\Raxco\PerfectDisk\PerfectDisk.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\Program Files\Google\Gmail Notifier\gnotify.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - K:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - k:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - k:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "K:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "K:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "K:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "K:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "K:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM] "K:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [RemoteControl] "K:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "K:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "K:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] K:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Photo Downloader] "K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "K:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "K:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RemoteCenter] "K:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe"
O4 - HKCU\..\Run: [igndlm.exe] "K:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Azureus Installer] "K:\Program Files\Azureus Installer\Azureus-Installer.exe" hmw
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "K:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [none] K:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stickies.lnk = K:\Program Files\stickies\stickies.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = K:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = K:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight Pro - K:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - K:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: SEAGULL J Walk Java Client 3_2C9 - http://instructor.rac.co.uk/jwalk/jwalk_ie.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///K:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {245637BB-3A58-49A2-A7AB-F4A63B67652E} (PrinterDetector40.PrinterDetector) - http://www.mymemory.co.uk/detector/PrinterDetector40.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164236499624
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///K:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - K:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - K:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - K:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - K:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - K:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - K:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - K:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 9745 bytes
Many thanks in advance.

#2 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 12 August 2007 - 07:07 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, slatey :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SmitfraudFix (by S!Ri) to your desktop.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 slatey, Topic Starter (Members, 17 posts)

Posted 12 August 2007 - 08:47 AM

ComboFix 07-08-12.3 - "slatey" 2007-08-12 14:32:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1467 [GMT 1:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


K:\DOCUME~1\slatey\Desktop.\internet explorer.lnk
K:\Documents and Settings\All Users.\documents\setup.exe
K:\setup.exe
K:\WINDOWS\system32\abbnoidvwq.dat
K:\WINDOWS\system32\abbnoidvwq.exe
K:\WINDOWS\system32\abbnoidvwq_nav.dat
K:\WINDOWS\system32\abbnoidvwq_navps.dat
K:\WINDOWS\system32\drivers\npf.sys
K:\WINDOWS\system32\fo-remove.exe
K:\WINDOWS\system32\nvs2.inf
K:\WINDOWS\system32\packet.dll
K:\WINDOWS\system32\pthreadVC.dll
K:\WINDOWS\system32\UpMedia
K:\WINDOWS\system32\WanPacket.dll
K:\WINDOWS\system32\wpcap.dll
L:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 14:32 51,200 --a------ K:\WINDOWS\nircmd.exe
2007-08-12 14:21 3,826 --a------ K:\WINDOWS\system32\tmp.reg
2007-08-12 14:17 53,248 --a------ K:\WINDOWS\system32\Process.exe
2007-08-12 14:17 51,200 --a------ K:\WINDOWS\system32\dumphive.exe
2007-08-12 14:17 288,417 --a------ K:\WINDOWS\system32\SrchSTS.exe
2007-08-12 10:03 401,720 --a------ K:\HiJackThis.exe
2007-08-11 19:07 <DIR> d-------- K:\Program Files\Innovative Solutions
2007-08-11 19:07 <DIR> d-------- K:\DOCUME~1\ALLUSE~1\APPLIC~1\Innovative Solutions
2007-08-11 19:06 16,802,408 --a------ K:\Advanced_Uninstaller8.exe
2007-08-11 13:58 <DIR> d-------- K:\Program Files\XoftSpySE
2007-08-11 11:27 235,008 --a------ K:\WINDOWS\UNBOC.EXE
2007-08-11 11:27 208,896 --a------ K:\WINDOWS\CMDLIC.DLL
2007-08-11 11:27 <DIR> d-------- K:\Program Files\Comodo
2007-08-11 11:17 <DIR> d-------- K:\Program Files\Reasonable NoClone 2007 Home
2007-08-11 11:17 <DIR> d-------- K:\DOCUME~1\slatey\APPLIC~1\Reasonable Software House Ltd
2007-08-10 22:01 <DIR> d-------- K:\Program Files\Microsoft.NET
2007-08-08 03:53 <DIR> d-------- K:\DOCUME~1\Sonyah\APPLIC~1\Creative
2007-08-08 03:51 <DIR> d-------- K:\DOCUME~1\Sonyah\APPLIC~1\GetRight Pro
2007-08-05 23:41 <DIR> d-------- K:\WINDOWS\system32\appmgmt
2007-08-05 19:22 <DIR> d-------- K:\Program Files\Lavasoft
2007-08-05 19:22 <DIR> d-------- K:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-29 23:15 <DIR> d-------- K:\Lokiwiz03
2007-07-26 02:38 <DIR> d-------- K:\DOCUME~1\slatey\APPLIC~1\MSN6
2007-07-26 02:38 <DIR> d-------- K:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-07-23 04:07 21,168 --a------ K:\DOCUME~1\slatey\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-21 21:47 <DIR> d-------- K:\Program Files\Ares
2007-07-16 19:42 <DIR> d-------- K:\Program Files\File Shredder
2007-07-13 14:43 <DIR> d-------- K:\Program Files\Common Files\DirectX
2007-07-13 14:40 <DIR> d-------- K:\Program Files\gPotato


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 14:36 --------- d-------- K:\DOCUME~1\slatey\APPLIC~1\stickies
2007-08-12 14:33 --------- d-------- K:\Program Files\GetRight
2007-08-11 10:38 9344 --a------ K:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 10:38 8320 --a------ K:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-10 21:53 --------- d-------- K:\Program Files\Microsoft ActiveSync
2007-08-08 15:43 --------- d-------- K:\Program Files\LimeWire
2007-08-05 19:21 --------- d-------- K:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 06:29 --------- d-------- K:\Program Files\Picasa2
2007-07-17 08:24 2015 -r-h----- K:\WINDOWS\system32\drivers\hosts
2007-07-17 08:24 --------- d-------- K:\Program Files\Common Files\Download Manager
2007-07-14 22:29 --------- d-------- K:\Program Files\Google
2007-07-14 09:47 --------- d--h----- K:\Program Files\InstallShield Installation Information
2007-07-13 08:52 --------- d-------- K:\DOCUME~1\slatey\APPLIC~1\IGN_DLM
2007-07-11 04:24 --------- d-------- K:\DOCUME~1\slatey\APPLIC~1\Help
2007-07-11 03:20 --------- d-------- K:\Program Files\Jigsaw Puzzle Platinum
2007-07-08 23:30 --------- d-------- K:\Program Files\BrainSchoolSP
2007-07-08 09:46 23 --ahs---- K:\WINDOWS\system32\debdcfdebd1_r.dll
2007-07-08 09:46 --------- d-------- K:\Program Files\jv16 PowerTools 2007
2007-07-04 21:51 1052032 --a------ K:\setuponecare.exe
2007-07-04 21:14 --------- d-------- K:\Program Files\Games
2007-07-04 21:13 6953052 --a------ K:\GoldMinerSESetup.exe
2007-07-04 08:18 --------- d-------- K:\Program Files\Monopoly Here and Now
2007-07-04 08:10 --------- d-------- K:\DOCUME~1\slatey\APPLIC~1\SpinTop
2007-07-04 08:09 15580736 --a------ K:\MonopolyHNSetup.exe
2007-07-03 22:43 --------- d-------- K:\Program Files\GetRight Arcade
2007-07-03 07:45 --------- d-------- K:\Program Files\Yahoo! Games
2007-07-02 12:28 --------- d-------- K:\Program Files\AOL Games
2007-07-02 12:19 --------- d-------- K:\Program Files\Atari-Infogrames
2007-06-24 09:56 7684392 --a------ K:\spybotsd15.exe
2007-06-23 17:01 544768 --a------ K:\PocketManSetup.exe
2007-06-23 16:58 2043447 --a------ K:\framework.compact.arm.exe
2007-06-23 16:56 150016 --a------ K:\mooregamessetup1.0.exe
2007-06-22 21:42 12463877 --a------ K:\tweakvi-basic-sfx.exe
2007-06-13 22:45 --------- d-------- K:\Program Files\Creative
2007-06-13 22:44 --------- d-------- K:\DOCUME~1\slatey\APPLIC~1\Creative
2007-06-09 15:22 3199488 --a------ K:\epson19737eu.exe
2007-05-24 07:40 227856 --a------ K:\WINDOWS\system32\PDBoot.exe
2007-05-16 16:12 86528 -----c--- K:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 -----c--- K:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ K:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- K:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 -----c--- K:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- K:\WINDOWS\system32\dllcache\msoe.dll
2007-05-15 16:39 87608 --a------ K:\DOCUME~1\slatey\APPLIC~1\inst.exe
2007-05-15 16:39 47360 --a------ K:\DOCUME~1\slatey\APPLIC~1\pcouffin.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="K:\Program Files\Eset\nod32kui.exe" [2006-11-22 23:38]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="K:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48]
"SunJavaUpdateSched"="K:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Windows Defender"="K:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 08:56 K:\WINDOWS\system32\rundll32.exe]
"ATICCC"="K:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"ISUSPM"="K:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34]
"RemoteControl"="K:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24]
"LanguageShortcut"="K:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21]
"EPSON Stylus Photo R200 Series"="K:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.exe" [2003-09-11 03:00]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 K:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 K:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Photo Downloader"="K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="K:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="K:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 17:13]
"RemoteCenter"="K:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" [2004-08-17 16:07]
"igndlm.exe"="K:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57]
"ctfmon.exe"="K:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Azureus Installer"="K:\Program Files\Azureus Installer\Azureus-Installer.exe" [2007-03-15 15:45]
"RegClean Expert Scheduler"="K:\Program Files\Registry Clean Expert\RCHelper.exe" [2007-05-21 21:50]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="K:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

K:\Documents and Settings\slatey\Start Menu\Programs\Startup\
Stickies.lnk - K:\Program Files\stickies\stickies.exe [2007-01-22 01:05:19]

K:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GetRight - Tray Icon.lnk - K:\Program Files\GetRight\getright.exe [2007-06-24 09:49:00]
Microsoft Office.lnk - K:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 oreans32;oreans32;\??\K:\WINDOWS\system32\drivers\oreans32.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\K:\Program Files\CyberLink\PowerDVD\000.fcl
R2 UxTuneUp;TuneUp Design Expansion;K:\WINDOWS\System32\svchost.exe -k netsvcs
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver;K:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
S3 BOCDRIVE;BOClean Kernel Monitor.;\??\K:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
S3 camvid20;Philips ToUcam Camera; Video;K:\WINDOWS\system32\DRIVERS\camdrv21.sys
S3 DSDrv4;DSDrv4;\??\K:\PROGRA~1\K!TV\Plugins\S_Bt8x8\DSDrv4.sys
S3 GMSIPCI;GMSIPCI;\??\I:\INSTALL\GMSIPCI.SYS
S3 hap17v2k;Creative P17V HAL Driver;K:\WINDOWS\system32\drivers\hap17v2k.sys
S3 M2500;802.11g Wireless Network Driver;K:\WINDOWS\system32\DRIVERS\M2500.sys
S3 NTACCESS;NTACCESS;\??\I:\NTACCESS.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;K:\WINDOWS\system32\DRIVERS\wceusbsh.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-08-10 19:41:43 K:\WINDOWS\Tasks\1-Click Maintenance.job
2007-08-12 13:33:18 K:\WINDOWS\Tasks\MP Scheduled Scan.job - K:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-12 02:00:00 K:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - K:\Program Files\SpywareBot\SpywareBot.exe
2007-08-11 23:19:02 K:\WINDOWS\Tasks\User_Feed_Synchronization-{F7A6833A-7F0A-499B-8FC6-9B7A4243C39F}.job - K:\WINDOWS\system32\msfeedssync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 14:36:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 14:36:52 - machine was rebooted
K:\ComboFix-quarantined-files.txt ... 2007-08-12 14:36

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:25, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Windows Defender\MsMpEng.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\system32\spoolsv.exe
K:\WINDOWS\Explorer.EXE
K:\Program Files\Eset\nod32kui.exe
K:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
K:\Program Files\Windows Defender\MSASCui.exe
K:\WINDOWS\system32\rundll32.exe
K:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
K:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
K:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
K:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
K:\WINDOWS\CTHELPER.EXE
K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
K:\Program Files\Microsoft ActiveSync\wcescomm.exe
K:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
K:\PROGRA~1\MICROS~2\rapimgr.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Azureus Installer\Azureus-Installer.exe
K:\Program Files\Registry Clean Expert\RCHelper.exe
K:\WINDOWS\system32\CTsvcCDA.EXE
K:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
K:\Program Files\GetRight\getright.exe
K:\Program Files\Eset\nod32krn.exe
K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
K:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
K:\Program Files\CyberLink\Shared files\RichVideo.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\MsPMSPSv.exe
K:\Program Files\Raxco\PerfectDisk\PDEngine.exe
K:\Program Files\ATI Technologies\ATI.ACE\cli.exe
K:\Program Files\ATI Technologies\ATI.ACE\cli.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\notepad.exe
K:\Program Files\Google\Gmail Notifier\gnotify.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\WINDOWS\system32\NOTEPAD.EXE
K:\WINDOWS\system32\NOTEPAD.EXE
K:\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - K:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - k:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - k:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "K:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "K:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "K:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "K:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "K:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM] "K:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [RemoteControl] "K:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "K:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "K:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "K:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "K:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RemoteCenter] "K:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe"
O4 - HKCU\..\Run: [igndlm.exe] "K:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Azureus Installer] "K:\Program Files\Azureus Installer\Azureus-Installer.exe" hmw
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "K:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stickies.lnk = K:\Program Files\stickies\stickies.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = K:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = K:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight Pro - K:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - K:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: SEAGULL J Walk Java Client 3_2C9 - http://instructor.rac.co.uk/jwalk/jwalk_ie.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///K:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {245637BB-3A58-49A2-A7AB-F4A63B67652E} (PrinterDetector40.PrinterDetector) - http://www.mymemory.co.uk/detector/PrinterDetector40.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164236499624
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///K:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - K:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - K:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - K:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - K:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - K:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - K:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - K:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 9047 bytes

SmitFraudFix v2.211

Scan done at 14:21:25.89, 12/08/2007
Run from K:\Documents and Settings\slatey\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

K:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
K:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
K:\DOCUME~1\slatey\FAVORI~1\Antivirus Test Online.url Deleted
K:\DOCUME~1\slatey\FAVORI~1\Online Security Test.url Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4081BD97-67F7-48B6-AAAB-D34A3E89E534}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4081BD97-67F7-48B6-AAAB-D34A3E89E534}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4081BD97-67F7-48B6-AAAB-D34A3E89E534}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 12 August 2007 - 11:02 AM

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
K:\WINDOWS\system32\debdcfdebd1_r.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
K:\WINDOWS\system32\debdcfdebd1_r.dll
Then click on 'Send File'.
Post the results into your next reply.

#5 slatey

slatey
  • Topic Starter

  • Members
  • 17 posts

Posted 12 August 2007 - 03:14 PM

Last file scanned at least one scanner reported something about: Install.exe (MD5: f9fc12420e0ed9cdd4686ecc939d46c5, size: 533971 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir SPR/Ardamax.K.Gen
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 August 2007 - 02:22 AM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
K:\WINDOWS\system32\debdcfdebd1_r.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

-----------------------------------------------------------------

Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

* Extract its contents to the desktop.
* Double click on navilog1.exe to install it on your computer.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time)
* Press any key as requested.
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.


The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

Edited by RichieUK, 13 August 2007 - 02:23 AM.

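For readers who want to see what a "Delete on Reboot" request looks like underneath, here is an added example (the editor's, not code from this thread or from the KillBox tool). It assumes, as an assumption not checked against KillBox's source, that the deletion is queued the same way Windows' own MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues it: as (source, target) string pairs in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which the session manager processes at boot before any process can lock the file; an empty target means delete, a target prefixed with "!" means overwrite. The code only builds and decodes that string list, so it runs offline on any OS and touches no registry; the sample value is constructed around the DLL named in this thread plus a made-up rename.

```python
"""Decode and build Windows PendingFileRenameOperations entries.

Added example (editor's, not from this thread or from the KillBox tool).
Assumption, not verified against KillBox's source: 'Delete on Reboot'
queues the file the same way MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) does,
in the REG_MULTI_SZ value
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
The value holds (source, target) string pairs: an empty target means delete,
a target starting with '!' means overwrite an existing file.  Pure string
handling; nothing here reads or writes the registry.
"""
from __future__ import annotations

NT_PREFIX = "\\??\\"  # NT object-manager prefix on every path in the value


def pending_entry_for_delete(path: str) -> list[str]:
    """The two strings that queue `path` for deletion at the next boot."""
    if not path or path.startswith(NT_PREFIX):
        raise ValueError("expected a plain Win32 path such as K:\\dir\\file.dll")
    return [NT_PREFIX + path, ""]


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(values: list[str]) -> list[dict]:
    """Turn the raw REG_MULTI_SZ string list into a list of operations."""
    if len(values) % 2:
        raise ValueError("value must hold (source, target) pairs")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        replace = dst.startswith("!")      # '!' = replace an existing target
        if replace:
            dst = dst[1:]
        ops.append({
            "source": _strip_nt(src),
            "target": _strip_nt(dst) if dst else None,
            "action": "delete" if not dst else "rename",
            "replace_existing": replace,
        })
    return ops


def deletes_under(ops: list[dict], root: str) -> list[str]:
    """Sources queued for deletion below `root` (case-insensitive, as NTFS is)."""
    prefix = root.lower().rstrip("\\") + "\\"
    return [o["source"] for o in ops
            if o["action"] == "delete" and o["source"].lower().startswith(prefix)]


# Constructed sample value: the DLL named in the thread queued for deletion,
# plus a made-up rename so both forms are exercised.
SAMPLE_VALUE = [
    "\\??\\K:\\WINDOWS\\system32\\debdcfdebd1_r.dll", "",
    "\\??\\K:\\WINDOWS\\Temp\\update.tmp", "!\\??\\K:\\Program Files\\Example\\app.dat",
]

if __name__ == "__main__":
    ops = parse_pending_renames(SAMPLE_VALUE)
    for op in ops:
        print(op)
    print("queued deletes in system32:", deletes_under(ops, "K:\\WINDOWS\\system32"))
```

On a live machine the same parser can be fed the value read from that key during a review, to see what a removal tool (or anything else) has scheduled before the next reboot.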

#7 slatey

slatey
  • Topic Starter

  • Members
  • 17 posts

Posted 13 August 2007 - 02:44 AM

Search Navipromo version 2.0.7 began on 13/08/2007 at 8:36:56.79

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!

Fix running from K:\Program Files\navilog1
Updated on 11.08.2007 at 18h00 by IL-MAFIOSO

Done in normal mode

*** Searching for installed Software ***


SudoPlanet


*** Search folders in K:\WINDOWS ***




*** Search folders in K:\Program Files ***




*** Search folders in K:\Documents and Settings\All Users\Application Data ***




*** Search folders in K:\Documents and Settings\slatey\Application Data ***



*** Search with BlackLight Engine/F-secure ***
BlackLight Engine is a product of F-secure, for more info:
http://www.f-secure.com/blacklight/blacklight_help.html


F-SECURE BLACKLIGHT ROOTKIT ELIMINATOR
======================================

Copyright 2005-2006 F-Secure Corporation. All rights reserved.
This is a beta version. It will expire on 1st of October, 2007.
Version information: 2.2.1064.

[+] Started on 08/13/07 at 08:36:57.
[+] Initializing ...
[+] Starting scan, press Ctrl-C to abort.
[+] Scanning for hidden items ......................................................................
[+] Scan complete.
[+] Summary: 0 hidden item(s) found, 0 scheduled for renaming.
[+] Exited on 08/13/07 at 08:43:28 (return code = 0).


*** Search files ***


K:\DOCUME~1\slatey\Desktop\SudoPlanet.lnk found !
K:\WINDOWS\pack.epk found !


*** Search registry keys ***


Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]



Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]



Search Magic Control Key



*** Complementary Search ***
(Search specifics files)

1)Search known files:


2)Heuristic Search :
*
**
***
****
*****
******
*******
********


3)Certificates Search :

Certificate Egroup found !


*** Search with GenericNaviSearch Beta ***
!!! Possibility of legitims files in the result !!!
!!! To be always checked before manually deleting !!!

Files found :

No File found !

Suspicious Files :

No Suspicious File found !


*** Search completed on 13/08/2007 at 8:43:47.04 ***

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 August 2007 - 03:53 AM

* Double click on Navilog1 shortcut icon on your desktop to run it.
* Press E for English from the language Menu.
* Type 3 in the next Menu and press Enter.
* The tool will then advise you that it will restart your computer.
* Close all open windows and save personal documents, if open, too.
* If your computer doesn't restart automatically, restart it manually.
* Choose your usual session.
* Wait for the *** Clean finished the ... *** message (It may take some time so please be patient).
* A new document will be produced.
* Please copy/paste the contents of this report in your next reply.
* Your desktop will now appear.


Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt. (usually C:\cleannavi.txt)
Also, please post a fresh HijackThis log.

Let me know how your pc is running now.

#9 slatey

slatey
  • Topic Starter

  • Members
  • 17 posts

Posted 13 August 2007 - 01:26 PM

Navipromo Removal version 2.0.7 started on 13/08/2007 at 19:22:29.76

Fix running from K:\Program Files\navilog1
Updated on 11.08.2007 at 18h00 by IL-MAFIOSO

Automatic removal
without Blacklight results



*** Deleting folders in K:\WINDOWS ***


*** Deleting folders in K:\Program Files ***


*** Deleting folders in K:\Documents and Settings\All Users\Application Data ***


*** Deleting folders in K:\Documents and Settings\slatey\Application Data ***



*** Deleting files ***

K:\DOCUME~1\slatey\Desktop\SudoPlanet.lnk deleted !
K:\WINDOWS\pack.epk deleted !

*** Deleting temporary files ***

Cleanning K:\WINDOWS\Temp done !
Cleanning K:\Documents and Settings\slatey\Local Settings\Temp done !


*** Copy registry to Backupnavi folder ***


Backing up registry done !


*** Clean registry ***


Registry cleaned

*** Complementary Search ***
(Search specifics files)

1)Search known files:


2)Searching and deleting Heuristics :

*
**
***
****
*****
******
*******
********

3)Check registry for others bad keys :

No new bad keys found in registry !

4)Certificates :

Egroup Certificate deleted !


*** Search with GenericNaviSearch Beta ***
!!! Possibility of legitims files in the result !!!
!!! To be always checked before manually deleting !!!

Files found not deleted :

No File found !

Suspicious Files not deleted :

No Suspicious File found !



*** Cleaning finished on 13/08/2007 at 19:24:51.64 ***

Many thanks for your help so far.....

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 August 2007 - 03:05 PM

Could you post the new Hijackthis log.
Let me know how your pc is running now.

#11 slatey

slatey
  • Topic Starter

  • Members
  • 17 posts

Posted 13 August 2007 - 04:18 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09:21, on 13/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Windows Defender\MsMpEng.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\system32\spoolsv.exe
K:\WINDOWS\Explorer.EXE
K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
K:\WINDOWS\system32\CTsvcCDA.EXE
K:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
K:\Program Files\Eset\nod32krn.exe
K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
K:\Program Files\CyberLink\Shared files\RichVideo.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\MsPMSPSv.exe
K:\Program Files\Raxco\PerfectDisk\PDEngine.exe
K:\WINDOWS\notepad.exe
K:\Program Files\Eset\nod32kui.exe
K:\Program Files\Google\Gmail Notifier\gnotify.exe
K:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
K:\Program Files\Windows Defender\MSASCui.exe
K:\WINDOWS\system32\rundll32.exe
K:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
K:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
K:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
K:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
K:\WINDOWS\CTHELPER.EXE
K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
K:\Program Files\Microsoft ActiveSync\wcescomm.exe
K:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
K:\PROGRA~1\MICROS~2\rapimgr.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Azureus Installer\Azureus-Installer.exe
K:\Program Files\Registry Clean Expert\RCHelper.exe
K:\Program Files\GetRight\getright.exe
K:\Program Files\stickies\stickies.exe
K:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
K:\Program Files\ATI Technologies\ATI.ACE\cli.exe
K:\Program Files\ATI Technologies\ATI.ACE\cli.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - K:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - k:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - k:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "K:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "K:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "K:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "K:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "K:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM] "K:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [RemoteControl] "K:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "K:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "K:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "K:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "K:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RemoteCenter] "K:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe"
O4 - HKCU\..\Run: [igndlm.exe] "K:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Azureus Installer] "K:\Program Files\Azureus Installer\Azureus-Installer.exe" hmw
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "K:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] K:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stickies.lnk = K:\Program Files\stickies\stickies.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = K:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = K:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight Pro - K:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - K:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: SEAGULL J Walk Java Client 3_2C9 - http://instructor.rac.co.uk/jwalk/jwalk_ie.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///K:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {245637BB-3A58-49A2-A7AB-F4A63B67652E} (PrinterDetector40.PrinterDetector) - http://www.mymemory.co.uk/detector/PrinterDetector40.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164236499624
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///K:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - K:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - K:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - K:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - K:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - K:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - K:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - K:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - K:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 9103 bytes


The PC is running fine so far; there are no pop-ups....
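As an added illustration of how a log like the one above gets read (the editor's example, not HijackThis code and not the method the helpers on this board use), the script below parses HijackThis-format lines and surfaces the kinds of entries that usually deserve a second look: anything marked "(file missing)", O4 Run entries whose command is an unqualified name that Windows resolves through the search path, O15 Trusted Zone sites, O16 DPF (ActiveX download) controls fetched over cleartext HTTP or registered from a local file:/// path, and O23 services reported with "Unknown owner". The heuristics are the editor's own; the sample input is a constructed subset of lines copied from the log posted above.

```python
"""Triage helper for HijackThis-style logs.

Added example (editor's; not part of the thread, not HijackThis code).
The checks below are the editor's own heuristics, chosen to show which
line types a reviewer looks at first; a hit is a prompt to investigate,
not a verdict.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# One HijackThis entry: section code, " - ", rest of the line.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# O4 body shape: "HKLM\..\Run: [name] command"
O4_BODY = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command, whether quoted or bare."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text: str) -> dict[str, list]:
    """Return {finding_type: [items]} for the entries worth a second look."""
    findings: dict[str, list] = defaultdict(list)
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        code, body = m.group("code"), m.group("body")
        if "(file missing)" in body:
            findings["stale_reference"].append(raw.strip())
        if code == "O4":
            m4 = O4_BODY.match(body)
            if m4:
                exe = first_token(m4.group("cmd"))
                # No drive letter and no backslash: resolved via the search path.
                if "\\" not in exe and ":" not in exe:
                    findings["unqualified_autorun"].append(
                        {"name": m4.group("name"), "exe": exe})
        elif code == "O15":
            findings["trusted_zone"].append(body.split(": ", 1)[1])
        elif code == "O16":
            url = body.rsplit(" - ", 1)[1]
            parts = urlsplit(url)
            if parts.scheme.lower() == "file":
                findings["local_dpf"].append(url)
            elif parts.scheme.lower() != "https":
                findings["cleartext_dpf"].append(parts.hostname)
        elif code == "O23":
            fields = body.split(" - ")
            if len(fields) >= 3 and fields[1].strip().lower() == "unknown owner":
                findings["unknown_owner_service"].append(fields[0].split(": ", 1)[1])
    return dict(findings)


# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = "\n".join([
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [nod32kui] "K:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r'O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent',
    r"O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)",
    r"O15 - Trusted Zone: http://www.msi.com.tw",
    r"O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab",
    r"O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///K:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx",
    r"O23 - Service: ATI Smart - Unknown owner - K:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe",
])

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run it against a full log by reading the file into `triage()`; the output groups the candidates by type so the "(file missing)" leftovers, the search-path autoruns and the downloaded ActiveX controls can each be checked against what is actually installed.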

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 August 2007 - 07:37 AM

Your log is clean :thumbsup:
If all's OK, please do the following.

Find and delete:
navilog1.exe
Combofix.exe
Killbox.exe

c:\cleannavi.txt
c:\qoobox
c:\!Killbox
c:\rapport

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

--------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#13 slatey

slatey
  • Topic Starter

  • Members
  • 17 posts

Posted 15 August 2007 - 02:50 PM

Many thanks for your help, it is very much appreciated....

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 15 August 2007 - 03:01 PM

You're most welcome.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.