Windows Xp Professional Popup Issue


11 replies to this topic

#1 kss (Members, 6 posts)

Posted 28 August 2007 - 05:02 PM

Hello,

I am trying to get rid of an issue with popups in IE. I have scanned the computer with Ad-Aware and Spybot and I think I did clean a couple of Virtumonde related entries. I also ran Panda Antivirus and McAfee Avert Stinger and they couldn't find anything suspicious. I have attached the HijackThis log below. Let me know if anything else is required or if I have missed posting something.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:23 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\Program Files\LANDesk\LDCLient\LDIScn32.EXE
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\WINDOWS\java\JavaIFX\services.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\radmin\r_server.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\oracle\ora92\jdk\bin\java.exe
c:\oracle\ora92\bin\isqlplus
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\TEMP\NO8A57.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AT&T Global Network Client\NetClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\PROGRA~1\TEXTPA~1\TextPad.exe
C:\Documents and Settings\CKSHAH\Local Settings\Temporary Internet Files\Content.IE5\6LTU3Y1W\stinger[1].exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36676F51-607E-4971-AB7B-6A7AB6E382BE} - C:\WINDOWS\system32\kmtkfufn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKUS\S-1-5-21-283984346-574257919-2545656759-45337\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-283984346-574257919-2545656759-45337\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?')
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://stl-nt-st1.na.dir.bunge.com/sametime/MSJavX86.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://test.ebunge.net/bnaws952e5daa657d28...aws0/iNotes.cab
O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} (STURLConnection Control) - http://st.dir.bunge.com/sametime/javaconne...rlConLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://stldomino01.perficient.com/iNotes6W.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://st.dir.bunge.com/sametime/javaconne...oAwayLoader.cab
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://bl-nt-iwdev1/iw/ewebeditpro20/ewebeditpro3.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://stldomino02.perficient.com/download/dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186424298716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186424454923
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroo...STJNILoader.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ebunge.net/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://bnastlm03.na.dir.bunge.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O17 - HKLM\Software\..\Telephony: DomainName = na.dir.bunge.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5276177-5FD7-4F36-A62E-91419B71D084}: NameServer = 10.151.10.3,10.151.10.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O20 - Winlogon Notify: kmtkfufn - C:\WINDOWS\SYSTEM32\kmtkfufn.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LANDesk® Management Agent (CBA8) - Unknown owner - C:\Program Files\LANDesk\Shared Files\residentagent.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
O23 - Service: JavaIFX - Unknown owner - C:\WINDOWS\java\JavaIFX\services.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lotus Domino Server (ProgramFilesLotusDominodata) - IBM Corp - C:\Program Files\Lotus\Domino\nservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceKUNJAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\radmin\r_server.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_STL_CMPORTE_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_STL_CMPORTE_server1) - Unknown owner - C:/Program Files/WebSphere/AppServer/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 14462 byte
Thanks.

... forgot to add that my Task Manager link (on Ctrl-Alt-Del) was disabled and I had to remove the Registry entry to enable it again. Also, this issue with popups is not occurring in the Mozilla browser, but it seems to be crashing a lot since this issue started occurring.

Edited by kss, 28 August 2007 - 05:12 PM.



#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 29 August 2007 - 06:16 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum kss :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\kmtkfufn.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
rem Stop the JavaIFX service (the one running C:\WINDOWS\java\JavaIFX\services.exe)
sc stop JavaIFX

Restart your pc.

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\java\JavaIFX\services.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\java\JavaIFX\services.exe
Then click on 'Send File'.
Post the results into your next reply.

Also post a new Hijackthis log.
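An added triage script, not HijackThis code and not written by anyone in this thread, that scans a HijackThis log for the entry types Richie singles out above: an unnamed O2 BHO whose DLL has a random eight-letter name, the matching O20 Winlogon Notify hook, a service with no vendor whose binary borrows a core system name (services.exe) outside system32, and executables running from C:\WINDOWS\TEMP. It runs over constructed excerpts of the two logs in this thread, so the second run shows the "(file missing)" state after KillBox; the severity labels and the eight-lowercase-letter heuristic are assumptions of this example.

```python
"""Heuristic triage of a Trend Micro HijackThis v2 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed excerpts of the two logs posted in the thread (a few lines of each).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\java\JavaIFX\services.exe
C:\WINDOWS\TEMP\NO8A57.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36676F51-607E-4971-AB7B-6A7AB6E382BE} - C:\WINDOWS\system32\kmtkfufn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: kmtkfufn - C:\WINDOWS\SYSTEM32\kmtkfufn.dll
O23 - Service: JavaIFX - Unknown owner - C:\WINDOWS\java\JavaIFX\services.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# Same machine after KillBox deleted the DLL: the file is gone, the registry hooks remain.
LOG_AFTER = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\java\JavaIFX\services.exe
C:\WINDOWS\TEMP\YZ34DC.EXE

O2 - BHO: (no name) - {36676F51-607E-4971-AB7B-6A7AB6E382BE} - C:\WINDOWS\system32\kmtkfufn.dll (file missing)
O20 - Winlogon Notify: kmtkfufn - kmtkfufn.dll (file missing)
O23 - Service: JavaIFX - Unknown owner - C:\WINDOWS\java\JavaIFX\services.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low" (assumed scale for this example)
    reason: str
    line: str


# Core Windows binaries that legitimately live only in %SystemRoot%\system32.
SYSTEM_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe"}
# Virtumonde-style DLL name: exactly eight lowercase letters, as in kmtkfufn.dll (heuristic).
RANDOM_DLL = re.compile(r"(?<![A-Za-z0-9])[a-z]{8}\.dll")
TEMP_EXE = re.compile(r"^C:\\WINDOWS\\TEMP\\[^\\]+\.exe$", re.I)
ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def _masquerade(path: str) -> bool:
    """True when a core system binary name runs from a directory other than system32."""
    path = path.replace("(file missing)", "").strip()
    head, _, base = path.rpartition("\\")
    return base.lower() in SYSTEM_ONLY and not head.lower().endswith("\\system32")


def triage(log: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_EXE.match(line):
                findings.append(Finding("high", "process running from the Windows TEMP folder", line))
            elif _masquerade(line):
                findings.append(Finding("high", "system binary name running outside system32", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        missing = body.endswith("(file missing)")
        if section == "O2" and body.startswith("BHO: (no name)"):
            if RANDOM_DLL.search(body):
                reason = "unnamed BHO with random eight-letter DLL name"
                if missing:
                    reason += "; file gone, registry entry orphaned"
                findings.append(Finding("high", reason, line))
            else:
                findings.append(Finding("low", "unnamed BHO, confirm the vendor path", line))
        elif section == "O20" and (RANDOM_DLL.search(body) or missing):
            findings.append(Finding("high", "Winlogon Notify hook with random or missing DLL", line))
        elif section == "O23" and "Unknown owner" in body:
            path = body.rsplit(" - ", 1)[-1]
            if _masquerade(path):
                findings.append(Finding("high", "unattributed service using a system binary name outside system32", line))
    return findings


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after KillBox", LOG_AFTER)):
        print(f"== {label} ==")
        for f in triage(log):
            print(f"[{f.severity}] {f.reason}: {f.line}")
```

The orphaned O2/O20 entries in the second run are why the thread goes on to the fix.bat and registry clean-up steps: deleting the file alone leaves the hooks pointing at nothing.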

#3 kss (Topic Starter, Members, 6 posts)

Posted 29 August 2007 - 10:22 AM

Thanks Richie for your help. I have run the KillBox and fix.bat. Jotti didn't find anything in the scanner results. This is the initial service results page:

Service load: 0% 100%
File: services.exe
Status:
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b35d0e5ba5866dc5f76078d35abcdbf1
Packers detected:
PE_PATCH.UPX, UPX
Bit9 reports: No threat detected (more info)

VirusTotal, on the other hand, had 4 hits in the results. Here's the link: http://www.virustotal.com/resultado.html?6...ab2dae66a9e5e3d

Antivirus Version Last Update Result
AhnLab-V3 2007.8.29.0 2007.08.29 -
AntiVir 7.4.1.63 2007.08.29 -
Authentium 4.93.8 2007.08.28 -
Avast 4.7.1029.0 2007.08.28 -
AVG 7.5.0.484 2007.08.28 -
BitDefender 7.2 2007.08.29 -
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91.2 2007.08.29 -
DrWeb 4.33 2007.08.29 -
eSafe 7.0.15.0 2007.08.29 suspicious Trojan/Worm
eTrust-Vet 31.1.5093 2007.08.29 -
Ewido 4.0 2007.08.29 -
FileAdvisor 1 2007.08.29 -
Fortinet 3.11.0.0 2007.08.29 -
F-Prot 4.3.2.48 2007.08.29 W32/NewMalware-Rootkit-PX-based!Maximus
F-Secure 6.70.13030.0 2007.08.29 -
Ikarus T3.1.1.12 2007.08.29 -
Kaspersky 4.0.2.24 2007.08.29 -
McAfee 5107 2007.08.28 -
Microsoft 1.2803 2007.08.29 -
NOD32v2 2490 2007.08.29 -
Norman 5.80.02 2007.08.29 -
Panda 9.0.0.4 2007.08.29 -
Prevx1 V2 2007.08.29 Generic.Malware
Rising 19.38.22.00 2007.08.29 -
Sophos 4.21.0 2007.08.29 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.29 -
TheHacker 6.1.9.175 2007.08.29 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.28 -
Webwasher-Gateway 6.0.1 2007.08.29 Win32.ModifiedUPX.gen!90 (suspicious)


Here is the updated HijackThis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:36 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\Program Files\LANDesk\LDCLient\LDIScn32.EXE
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\WINDOWS\java\JavaIFX\services.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\radmin\r_server.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\oracle\ora92\jdk\bin\java.exe
c:\oracle\ora92\bin\isqlplus
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\TEMP\YZ34DC.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\LANDesk\LDCLient\vulScan.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36676F51-607E-4971-AB7B-6A7AB6E382BE} - C:\WINDOWS\system32\kmtkfufn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://stl-nt-st1.na.dir.bunge.com/sametime/MSJavX86.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://test.ebunge.net/bnaws952e5daa657d28...aws0/iNotes.cab
O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} (STURLConnection Control) - http://st.dir.bunge.com/sametime/javaconne...rlConLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://stldomino01.perficient.com/iNotes6W.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://st.dir.bunge.com/sametime/javaconne...oAwayLoader.cab
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://bl-nt-iwdev1/iw/ewebeditpro20/ewebeditpro3.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://stldomino02.perficient.com/download/dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186424298716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186424454923
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroo...STJNILoader.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ebunge.net/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://bnastlm03.na.dir.bunge.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O17 - HKLM\Software\..\Telephony: DomainName = na.dir.bunge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O20 - Winlogon Notify: kmtkfufn - kmtkfufn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LANDesk® Management Agent (CBA8) - Unknown owner - C:\Program Files\LANDesk\Shared Files\residentagent.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
O23 - Service: JavaIFX - Unknown owner - C:\WINDOWS\java\JavaIFX\services.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lotus Domino Server (ProgramFilesLotusDominodata) - IBM Corp - C:\Program Files\Lotus\Domino\nservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceKUNJAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\radmin\r_server.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_STL_CMPORTE_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_STL_CMPORTE_server1) - Unknown owner - C:/Program Files/WebSphere/AppServer/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 13870 bytes

Thanks

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:24 PM

Posted 29 August 2007 - 02:45 PM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
rem Stop the JavaIFX service, then remove its registration from the service database.
sc stop JavaIFX
sc delete JavaIFX

Restart your pc.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\WINDOWS\java\JavaIFX

Restart your pc normally.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#5 kss

kss
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 29 August 2007 - 04:08 PM

I did all the steps in your last reply. This is the combofix log.txt generated.

ComboFix 07-08-30.1 - "CKSHAH" 2007-08-29 15:27:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1362 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\CKSHAH\APPLIC~1\macromedia\Flash Player\#SharedObjects\NUFUNWDC\www.broadcaster.com
C:\DOCUME~1\CKSHAH\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\gtv_sd.bin


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-29 15:25 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 09:45 45 --a------ C:\fix.bat
2007-08-29 09:34 <DIR> d-------- C:\!KillBox
2007-08-28 16:34 <DIR> d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\Ethereal
2007-08-28 16:07 <DIR> d-------- C:\Program Files\WinPcap
2007-08-28 16:05 <DIR> d-------- C:\Program Files\Ethereal
2007-08-28 11:23 <DIR> d-------- C:\DOCUME~1\CKSHAH\.housecall6.6
2007-08-28 08:50 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-27 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-27 15:17 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-27 15:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-27 15:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 10:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-26 21:47 21,504 --a------ C:\WINDOWS\system32\oembios32.dll
2007-08-06 13:46 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-06 13:17 53,248 --a------ C:\PowerOptionConfiguer.dll
2007-08-06 13:17 <DIR> d---s---- C:\DOCUME~1\temp\UserData
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\WINDOWS
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\SapWorkDir
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\APPLIC~1\Help
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\APPLIC~1\AdobeUM
2007-08-06 13:02 <DIR> d-------- C:\Program Files\LANDesk
2007-08-06 12:13 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\American Airlines DealFinder
2007-08-06 12:13 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\4200Series
2007-08-06 12:12 <DIR> d---s---- C:\DOCUME~1\ddsauer\UserData
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\WINDOWS
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\SapWorkDir
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\Help
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\AdobeUM
2007-07-19 08:54 <DIR> d-------- C:\DOCUME~1\CKSHAH\SametimeMeetings
2007-07-12 14:46 <DIR> d-------- C:\DOCUME~1\CKSHAH\net
2007-07-12 14:24 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-07-12 14:22 <DIR> d-------- C:\Program Files\Research In Motion
2007-07-11 16:18 <DIR> d-------- C:\Program Files\American Airlines DealFinder
2007-07-11 16:18 <DIR> d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\American Airlines DealFinder
2007-07-11 16:11 <DIR> d-------- C:\Nokia
2007-07-11 16:11 <DIR> d-------- C:\DOCUME~1\CKSHAH\.Nokia
2007-07-10 09:52 <DIR> d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\Subversion


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-29 15:17 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\VMware
2007-08-29 15:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vulScan
2007-08-29 15:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\VMware
2007-08-29 14:47 --------- d-------- C:\Program Files\AT&T Global Network Client
2007-08-28 20:27 --------- d-------- C:\Program Files\Apoint
2007-08-28 16:53 --------- d-------- C:\Program Files\QuickTime
2007-08-28 16:49 --------- d-------- C:\Program Files\TextPad 4
2007-08-28 16:49 --------- d-------- C:\Program Files\PSPad editor
2007-08-27 10:44 --------- d-------- C:\Program Files\WinSCP3
2007-08-27 10:10 --------- d-------- C:\Program Files\Trend Micro
2007-08-26 21:44 8852 --a------ C:\WINDOWS\system32\drivers\download_btn.jpg
2007-08-26 21:44 877 --a------ C:\WINDOWS\system32\drivers\header_red_bg.gif
2007-08-26 21:44 838 --a------ C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
2007-08-26 21:44 821 --a------ C:\WINDOWS\system32\drivers\shadow_bg.gif
2007-08-26 21:44 72 --a------ C:\WINDOWS\system32\drivers\bg_bg.gif
2007-08-26 21:44 64 --a------ C:\WINDOWS\system32\drivers\close_ico.gif
2007-08-26 21:44 4448 --a------ C:\WINDOWS\system32\drivers\download_now_btn.gif
2007-08-26 21:44 4008 --a------ C:\WINDOWS\system32\drivers\rating.gif
2007-08-26 21:44 3479 --a------ C:\WINDOWS\system32\drivers\cell_header_scan.gif
2007-08-26 21:44 3216 --a------ C:\WINDOWS\system32\drivers\header_red_free_scan.gif
2007-08-26 21:44 3031 --a------ C:\WINDOWS\system32\drivers\spyware_detected.gif
2007-08-26 21:44 26487 --a------ C:\WINDOWS\system32\drivers\screenshot.jpg
2007-08-26 21:44 1743 --a------ C:\WINDOWS\system32\drivers\remove_spyware_header.gif
2007-08-26 21:44 16977 --a------ C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
2007-08-26 21:44 16941 --a------ C:\WINDOWS\system32\drivers\icon_warning_big.gif
2007-08-26 21:44 1381 --a------ C:\WINDOWS\system32\drivers\warning_ico.gif
2007-08-26 21:44 1014 --a------ C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
2007-08-26 21:43 3552 --a------ C:\WINDOWS\system32\drivers\cell_header_remove.gif
2007-08-26 21:43 3313 --a------ C:\WINDOWS\system32\drivers\cell_header_block.gif
2007-08-26 21:43 1373 --a------ C:\WINDOWS\system32\drivers\cell_footer.gif
2007-08-26 21:42 1342 --a------ C:\WINDOWS\system32\drivers\cell_bg.gif
2007-08-20 16:45 --------- d-------- C:\Program Files\eclipse
2007-08-06 14:19 --------- d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\Sametime
2007-07-22 13:00 --------- d-------- C:\Program Files\Picasa2
2007-07-12 13:04 --------- d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\U3
2007-07-11 16:11 --------- d--h----- C:\Program Files\Zero G Registry
2007-06-06 10:58 389120 --a------ C:\DOCUME~1\CKSHAH\stas75_20060810.0001.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36676F51-607E-4971-AB7B-6A7AB6E382BE}]
C:\WINDOWS\system32\kmtkfufn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 13:45]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 09:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 09:02]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2006-09-01 18:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-20 19:22]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 05:04]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 12:38]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 18:15]
"American Airlines DealFinder"="C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe" [2007-07-04 09:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49]
"NetSP - restore settings on power failure"="C:\Program Files\AT&T Global Network Client\NetSP.exe" [2006-08-17 09:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LockTaskbar"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kmtkfufn]
kmtkfufn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\na.dir.bunge.com\netlogon\DST2007Update_Win2k.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-25606\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-45337\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-50165\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-50315\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe
R2 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice
R2 OracleServiceKUNJAL;OracleServiceKUNJAL;c:\oracle\ora92\bin\ORACLE.EXE KUNJAL
R2 r_server;Remote Administrator Service;"C:\radmin\r_server.exe" /service
R2 Softmon;LANDesk® Software Monitoring Service;"C:\Program Files\LANDesk\LDCLient\softmon.exe"
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 agnfilt;AGN Filter Interface;C:\WINDOWS\system32\DRIVERS\agnfilt.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys
S2 CBA8;LANDesk® Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe"
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys
S3 Intel Remote Control Helper;Intel Remote Control Helper;C:\WINDOWS\system32\drivers\rch.sys
S3 Lotus Domino Server (ProgramFilesLotusDominodata);Lotus Domino Server (ProgramFilesLotusDominodata);"C:\Program Files\Lotus\Domino\nservice.exe" "=C:\Program Files\Lotus\Domino\notes.ini"
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE
S3 TPPWRIF;TPPWRIF;\??\C:\Documents and Settings\All Users\Application Data\vulScan\TPPWRIF.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-03-09 15:40:36 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 16:03:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_STL_CMPORTE_server1]
"ImagePath"="C:/Program Files/WebSphere/AppServer/WebSphere MQ/WEMPS/bin/bipservice.exe"

Completion time: 2007-08-30 16:04:14
C:\ComboFix-quarantined-files.txt ... 2007-08-30 16:03

--- E O F ---


Also please see below an updated HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:05, on 2007-08-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\radmin\r_server.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\oracle\ora92\jdk\bin\java.exe
c:\oracle\ora92\bin\isqlplus
C:\WINDOWS\TEMP\YXED1A.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36676F51-607E-4971-AB7B-6A7AB6E382BE} - C:\WINDOWS\system32\kmtkfufn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://stl-nt-st1.na.dir.bunge.com/sametime/MSJavX86.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://test.ebunge.net/bnaws952e5daa657d28...aws0/iNotes.cab
O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} (STURLConnection Control) - http://st.dir.bunge.com/sametime/javaconne...rlConLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://stldomino01.perficient.com/iNotes6W.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://st.dir.bunge.com/sametime/javaconne...oAwayLoader.cab
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://bl-nt-iwdev1/iw/ewebeditpro20/ewebeditpro3.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://stldomino02.perficient.com/download/dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186424298716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186424454923
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroo...STJNILoader.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ebunge.net/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://bnastlm03.na.dir.bunge.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O17 - HKLM\Software\..\Telephony: DomainName = na.dir.bunge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O20 - Winlogon Notify: kmtkfufn - kmtkfufn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LANDesk® Management Agent (CBA8) - Unknown owner - C:\Program Files\LANDesk\Shared Files\residentagent.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lotus Domino Server (ProgramFilesLotusDominodata) - IBM Corp - C:\Program Files\Lotus\Domino\nservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceKUNJAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\radmin\r_server.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_STL_CMPORTE_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_STL_CMPORTE_server1) - Unknown owner - C:/Program Files/WebSphere/AppServer/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 13476 bytes


Thanks again for all your help.
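As an added example (my own script, not code from this thread or from HijackThis, ComboFix or SmitfraudFix), here is a small triage pass over log lines of the kind posted above. It applies the indicators the thread turns on: an unnamed or missing BHO, a Winlogon Notify DLL, a pseudo-random eight-letter DLL under system32, an executable running from WINDOWS\TEMP, and web page assets dropped into system32\drivers. The eight-letter heuristic and the known-good list are assumptions of this script; the sample lines are copied from the logs in this thread.

```python
"""Triage of HijackThis / ComboFix log lines for the load points discussed in
this thread. Hypothetical helper, not part of any tool named on the page; the
rules and the known-good list are illustrative assumptions."""
import re
from dataclasses import dataclass

# A HijackThis entry such as "O2 - BHO: ..." : the kind code and the rest.
HJT_ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Eight lowercase letters + .dll directly under system32: the pseudo-random
# naming the Vundo/Virtumonde family used (heuristic, an assumption here).
RANDOM_SYS32_DLL = re.compile(r"\\[sS]ystem32\\[a-z]{8}\.dll\b")
# An executable under WINDOWS\TEMP, whether listed as a process or a load point.
TEMP_EXE = re.compile(r"\\WINDOWS\\TEMP\\[^\\\s]+\.exe\b", re.IGNORECASE)
# Web page assets (rogue "scanner" adverts) dropped into the driver directory.
DRIVERS_WEB_CONTENT = re.compile(
    r"\\system32\\drivers\\[^\\\s]+\.(?:gif|jpe?g|html?|css)\b", re.IGNORECASE)
DLL_NAME = re.compile(r"[^\\\s]+\.dll\b", re.IGNORECASE)

# Unnamed BHOs that are legitimate on this machine (Spybot's helper, per the log).
KNOWN_GOOD_DLLS = {"sdhelper.dll"}


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def triage_line(line: str) -> list:
    """Return the reasons one log line deserves a second look (empty = none)."""
    line = line.strip()
    reasons = []
    if not line:
        return reasons
    entry = HJT_ENTRY.match(line)
    kind = entry.group("kind") if entry else None
    missing = "(file missing)" in line
    dlls = DLL_NAME.findall(line)
    dll = dlls[-1].lower() if dlls else None

    if kind == "O2" and "(no name)" in line and dll not in KNOWN_GOOD_DLLS:
        reasons.append("BHO registered without a name")
    if kind == "O20":
        reasons.append("Winlogon Notify DLL loads before any user logs on")
    if kind in ("O2", "O20") and missing:
        reasons.append("stale load point: the DLL is gone but its registration remains")
    if RANDOM_SYS32_DLL.search(line):
        reasons.append("pseudo-random eight-letter DLL name in system32")
    if TEMP_EXE.search(line):
        reasons.append("executable running from the Windows TEMP directory")
    if DRIVERS_WEB_CONTENT.search(line):
        reasons.append("web page content stored in the drivers directory")
    return reasons


def triage(lines) -> list:
    """Triage every line; most reasons first, original order among ties."""
    findings = []
    for raw in lines:
        reasons = triage_line(raw)
        if reasons:
            findings.append(Finding(raw.strip(), tuple(reasons)))
    findings.sort(key=lambda f: -len(f.reasons))  # list.sort is stable
    return findings


# Constructed sample: lines taken from the ComboFix and HijackThis logs above.
SAMPLE_LOG = r"""
C:\WINDOWS\TEMP\YXED1A.EXE
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\button_freescan.gif
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36676F51-607E-4971-AB7B-6A7AB6E382BE} - C:\WINDOWS\system32\kmtkfufn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: kmtkfufn - kmtkfufn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{len(f.reasons)}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Note that Spybot's unnamed SDHelper.dll is skipped only because of the known-good list; an unnamed BHO on its own is a prompt to look, not a verdict.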

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:24 PM

Posted 29 August 2007 - 04:21 PM

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

#7 kss

kss
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:24 PM

Posted 29 August 2007 - 04:33 PM

Here is the report.

SmitFraudFix v2.217

Scan done at 16:32:03.40, 2007-08-30
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\radmin\r_server.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\oracle\ora92\jdk\bin\java.exe
c:\oracle\ora92\bin\isqlplus
C:\WINDOWS\TEMP\YXED1A.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\CKSHAH


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\CKSHAH\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CKSHAH\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1470 Dual Band WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 24.25.5.150
DNS Server Search Order: 24.25.5.149

HKLM\SYSTEM\CCS\Services\Tcpip\..\{28BD9676-35D7-444F-BE9A-9392B2C495AF}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS1\Services\Tcpip\..\{28BD9676-35D7-444F-BE9A-9392B2C495AF}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 29 August 2007 - 05:02 PM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_bg.gif

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36676F51-607E-4971-AB7B-6A7AB6E382BE}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kmtkfufn]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

Let me know how your pc is running now.
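
A follow-up check for the script above, added here as an example; it is not part of the thread and not ComboFix's own code. Once the fix has run, it re-tests every file path and registry key named in the CFScript and then lists whatever Browser Helper Objects and Winlogon notification packages are still registered, so the next HijackThis log can be read against a known list. It assumes PowerShell running as an administrator on the same machine. The `~` shorthand in ComboFix's Registry:: lines is expanded to the standard BHO registration key under SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer; everything else is copied from the CFScript.

```powershell
# Added verification script (example, not from the thread or from ComboFix).
# Assumes PowerShell run as an administrator on the cleaned machine.

# File list copied from the CFScript's File:: section.
$driverDir = 'C:\WINDOWS\system32\drivers'
$files = @('C:\WINDOWS\system32\oembios32.dll') + (
    'download_btn.jpg', 'header_red_bg.gif', 'header_red_free_scan_bg.gif',
    'shadow_bg.gif', 'bg_bg.gif', 'close_ico.gif', 'download_now_btn.gif',
    'rating.gif', 'cell_header_scan.gif', 'header_red_free_scan.gif',
    'spyware_detected.gif', 'screenshot.jpg', 'remove_spyware_header.gif',
    'header_red_protect_your_pc.gif', 'icon_warning_big.gif', 'warning_ico.gif',
    'yellow_warning_ico.gif', 'cell_header_remove.gif', 'cell_header_block.gif',
    'cell_footer.gif', 'cell_bg.gif' | ForEach-Object { Join-Path $driverDir $_ })

# Registry keys from the CFScript's Registry:: section. ComboFix writes the
# BHO parent key as "~"; its real location is the Explorer key below.
$bhoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$regKeys = @(
    (Join-Path $bhoRoot '{36676F51-607E-4971-AB7B-6A7AB6E382BE}'),
    (Join-Path $notifyRoot 'kmtkfufn')
)

# Returns one line per item that should have been removed but still exists.
function Test-CleanupResidue {
    param([string[]]$Files, [string[]]$RegistryKeys)
    $residue = @()
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) { $residue += "file still present: $f" }
    }
    foreach ($k in $RegistryKeys) {
        if (Test-Path -LiteralPath $k) { $residue += "key still present:  $k" }
    }
    return $residue
}

$residue = Test-CleanupResidue -Files $files -RegistryKeys $regKeys
if ($residue.Count -eq 0) {
    Write-Host 'All items from the CFScript are gone.'
} else {
    $residue | ForEach-Object { Write-Host "WARNING: $_" }
}

# Inventory of what remains at the same two load points. Each BHO subkey is a
# CLSID; the DLL it loads is the default value of HKCR\CLSID\{clsid}\InprocServer32.
Write-Host "`nRemaining Browser Helper Objects:"
Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    Write-Host ('  {0}  {1}' -f $clsid, $srv.'(default)')
}

# Winlogon notification packages: each subkey carries a DLLName value that
# winlogon.exe loads at logon, which is why the CFScript removed one here.
Write-Host "`nRemaining Winlogon notification packages:"
Get-ChildItem -LiteralPath $notifyRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath
    Write-Host ('  {0}  {1}' -f $_.PSChildName, $p.DLLName)
}
```

Anything reported under WARNING means the fix did not take and the item should go back into the next reply; the two inventories are what to compare line by line against the O2 entries and the Notify subkeys in the fresh HijackThis log.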

#9 kss
  • Topic Starter

  • Members
  • 6 posts

Posted 29 August 2007 - 08:45 PM

Yup, it's much better now :thumbsup: Thanks!! I don't seem to have had the IE popup issue since this afternoon. Here are the combofix.txt contents...

ComboFix 07-08-30.1 - "CKSHAH" 2007-08-29 18:29:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1471 [GMT -5:00]
Command switches used :: C:\Documents and Settings\CKSHAH\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_bg.gif


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\oembios32.dll


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-30 16:32 3,668 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-29 15:25 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 09:45 45 --a------ C:\fix.bat
2007-08-29 09:34 <DIR> d-------- C:\!KillBox
2007-08-28 16:34 <DIR> d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\Ethereal
2007-08-28 16:07 <DIR> d-------- C:\Program Files\WinPcap
2007-08-28 16:05 <DIR> d-------- C:\Program Files\Ethereal
2007-08-28 11:23 <DIR> d-------- C:\DOCUME~1\CKSHAH\.housecall6.6
2007-08-28 08:50 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-27 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-27 15:17 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-27 15:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-27 15:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 10:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-06 13:46 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-06 13:17 53,248 --a------ C:\PowerOptionConfiguer.dll
2007-08-06 13:17 <DIR> d---s---- C:\DOCUME~1\temp\UserData
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\WINDOWS
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\SapWorkDir
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\APPLIC~1\Help
2007-08-06 13:17 <DIR> d-------- C:\DOCUME~1\temp\APPLIC~1\AdobeUM
2007-08-06 13:02 <DIR> d-------- C:\Program Files\LANDesk
2007-08-06 12:13 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\American Airlines DealFinder
2007-08-06 12:13 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\4200Series
2007-08-06 12:12 <DIR> d---s---- C:\DOCUME~1\ddsauer\UserData
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\WINDOWS
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\SapWorkDir
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\Help
2007-08-06 12:12 <DIR> d-------- C:\DOCUME~1\ddsauer\APPLIC~1\AdobeUM
2007-07-19 08:54 <DIR> d-------- C:\DOCUME~1\CKSHAH\SametimeMeetings
2007-07-12 14:46 <DIR> d-------- C:\DOCUME~1\CKSHAH\net
2007-07-12 14:24 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-07-12 14:22 <DIR> d-------- C:\Program Files\Research In Motion
2007-07-11 16:18 <DIR> d-------- C:\Program Files\American Airlines DealFinder
2007-07-11 16:18 <DIR> d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\American Airlines DealFinder
2007-07-11 16:11 <DIR> d-------- C:\Nokia
2007-07-11 16:11 <DIR> d-------- C:\DOCUME~1\CKSHAH\.Nokia
2007-07-10 09:52 <DIR> d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\Subversion


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 18:52 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\VMware
2007-08-30 18:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vulScan
2007-08-30 18:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\VMware
2007-08-29 16:44 --------- d-------- C:\Program Files\AT&T Global Network Client
2007-08-28 20:27 --------- d-------- C:\Program Files\Apoint
2007-08-28 16:53 --------- d-------- C:\Program Files\QuickTime
2007-08-28 16:49 --------- d-------- C:\Program Files\TextPad 4
2007-08-28 16:49 --------- d-------- C:\Program Files\PSPad editor
2007-08-27 10:44 --------- d-------- C:\Program Files\WinSCP3
2007-08-27 10:10 --------- d-------- C:\Program Files\Trend Micro
2007-08-20 16:45 --------- d-------- C:\Program Files\eclipse
2007-08-06 14:19 --------- d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\Sametime
2007-07-22 13:00 --------- d-------- C:\Program Files\Picasa2
2007-07-12 13:04 --------- d-------- C:\DOCUME~1\CKSHAH\APPLIC~1\U3
2007-07-11 16:11 --------- d--h----- C:\Program Files\Zero G Registry
2007-06-06 10:58 389120 --a------ C:\DOCUME~1\CKSHAH\stas75_20060810.0001.dll


((((((((((((((((((((((((((((( snapshot_2007-08-30_160337.79 )))))))))))))))))))))))))))))))))))))))))

----a-w 176,195 2006-09-01 23:53:28 C:\WINDOWS\Temp\BY58A7.EXE
----atw 16,384 2007-08-30 23:52:33 C:\WINDOWS\Temp\Perflib_Perfdata_9a8.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 13:45]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 09:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 09:02]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2006-09-01 18:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-20 19:22]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 05:04]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 12:38]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 18:15]
"American Airlines DealFinder"="C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe" [2007-07-04 09:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49]
"NetSP - restore settings on power failure"="C:\Program Files\AT&T Global Network Client\NetSP.exe" [2006-08-17 09:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LockTaskbar"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\na.dir.bunge.com\netlogon\DST2007Update_Win2k.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-25606\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-45337\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-50165\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-283984346-574257919-2545656759-50315\Scripts\Logon\0\0]
"Script"=\\na.dir.bunge.com\SysVol\na.dir.bunge.com\scripts\stl.bat


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe
R2 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice
R2 OracleServiceKUNJAL;OracleServiceKUNJAL;c:\oracle\ora92\bin\ORACLE.EXE KUNJAL
R2 r_server;Remote Administrator Service;"C:\radmin\r_server.exe" /service
R2 Softmon;LANDesk® Software Monitoring Service;"C:\Program Files\LANDesk\LDCLient\softmon.exe"
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 agnfilt;AGN Filter Interface;C:\WINDOWS\system32\DRIVERS\agnfilt.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys
S2 CBA8;LANDesk® Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe"
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys
S3 Intel Remote Control Helper;Intel Remote Control Helper;C:\WINDOWS\system32\drivers\rch.sys
S3 Lotus Domino Server (ProgramFilesLotusDominodata);Lotus Domino Server (ProgramFilesLotusDominodata);"C:\Program Files\Lotus\Domino\nservice.exe" "=C:\Program Files\Lotus\Domino\notes.ini"
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE
S3 TPPWRIF;TPPWRIF;\??\C:\Documents and Settings\All Users\Application Data\vulScan\TPPWRIF.sys


Contents of the 'Scheduled Tasks' folder
2007-03-09 15:40:36 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 20:07:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_STL_CMPORTE_server1]
"ImagePath"="C:/Program Files/WebSphere/AppServer/WebSphere MQ/WEMPS/bin/bipservice.exe"

Completion time: 2007-08-30 20:10:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 20:09
C:\ComboFix2.txt ... 2007-08-30 16:04

--- E O F ---
And also the updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43, on 2007-08-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\radmin\r_server.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\TEMP\PUFDF1.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\oracle\ora92\jdk\bin\java.exe
c:\oracle\ora92\bin\isqlplus
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TEXTPA~1\TextPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://stl-nt-st1.na.dir.bunge.com/sametime/MSJavX86.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://test.ebunge.net/bnaws952e5daa657d28...aws0/iNotes.cab
O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} (STURLConnection Control) - http://st.dir.bunge.com/sametime/javaconne...rlConLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://stldomino01.perficient.com/iNotes6W.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://st.dir.bunge.com/sametime/javaconne...oAwayLoader.cab
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://bl-nt-iwdev1/iw/ewebeditpro20/ewebeditpro3.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://stldomino02.perficient.com/download/dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186424298716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186424454923
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroo...STJNILoader.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ebunge.net/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://bnastlm03.na.dir.bunge.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O17 - HKLM\Software\..\Telephony: DomainName = na.dir.bunge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LANDesk® Management Agent (CBA8) - Unknown owner - C:\Program Files\LANDesk\Shared Files\residentagent.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lotus Domino Server (ProgramFilesLotusDominodata) - IBM Corp - C:\Program Files\Lotus\Domino\nservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceKUNJAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\radmin\r_server.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_STL_CMPORTE_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_STL_CMPORTE_server1) - Unknown owner - C:/Program Files/WebSphere/AppServer/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 13457 bytes

Thanks.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 30 August 2007 - 03:41 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.


#11 kss

kss
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:24 PM

Posted 30 August 2007 - 08:23 PM

Did all the steps from your last reply. Here is the SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2007 at 08:01 PM

Application Version : 3.9.1008

Core Rules Database Version : 3297
Trace Rules Database Version: 1306

Scan type : Complete Scan
Total Scan Time : 02:18:30

Memory items scanned : 622
Memory threats detected : 0
Registry items scanned : 6588
Registry threats detected : 0
File items scanned : 122038
File threats detected : 2

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OEMBIOS32.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E02A8A8C-B0CA-4281-9ED0-DED6F68736C9}\RP409\A0119983.DLL

Also the updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:21:54 PM, on 2007-08-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\oracle\ora92\bin\dbsnmp.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\radmin\r_server.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\oracle\ora92\jdk\bin\java.exe
c:\oracle\ora92\bin\isqlplus
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\OQA2DB.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Picasa2\Picasa2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AT&T Global Network Client Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://stl-nt-st1.na.dir.bunge.com/sametime/MSJavX86.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://test.ebunge.net/bnaws952e5daa657d28...aws0/iNotes.cab
O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} (STURLConnection Control) - http://st.dir.bunge.com/sametime/javaconne...rlConLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://stldomino01.perficient.com/iNotes6W.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://st.dir.bunge.com/sametime/javaconne...oAwayLoader.cab
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - http://bl-nt-iwdev1/iw/ewebeditpro20/ewebeditpro3.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://stldomino02.perficient.com/download/dolcontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186424298716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186424454923
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroo...STJNILoader.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ebunge.net/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://bnastlm03.na.dir.bunge.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O17 - HKLM\Software\..\Telephony: DomainName = na.dir.bunge.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5276177-5FD7-4F36-A62E-91419B71D084}: NameServer = 10.151.10.3,10.151.10.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dir.bunge.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LANDesk® Management Agent (CBA8) - Unknown owner - C:\Program Files\LANDesk\Shared Files\residentagent.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lotus Domino Server (ProgramFilesLotusDominodata) - IBM Corp - C:\Program Files\Lotus\Domino\nservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceKUNJAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\radmin\r_server.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_STL_CMPORTE_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_STL_CMPORTE_server1) - Unknown owner - C:/Program Files/WebSphere/AppServer/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 13269 bytes


My laptop is running a lot better now. Don't have the IE popup issue. I see a speed increase also. Thanks for your help.
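The helpers in this thread review the O23 (service) entries and the running-process list of the HijackThis log by eye, looking for binaries that are missing, unsigned, or running from unusual places. The script below is an added example of that triage written as code; it is not from the thread, from BleepingComputer, or from HijackThis itself. The sample lines in `SAMPLE_LOG` are copied from the log posted above; the temp-directory markers and the "Unknown owner" rule are my own heuristics and only mark lines for manual review, they do not decide what is malicious.

```python
"""Triage helper for HijackThis v2 logs (added example, not part of the thread).

Reads the 'Running processes:' section and O23 service entries and returns
the lines a reviewer should look at first, with the reason for each.
"""
import re
from dataclasses import dataclass, field

# HijackThis v2 service line layout:
# "O23 - Service: <display name> (<key>) - <vendor> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Directories from which a service or long-running process is unusual.
# Assumption/heuristic: a hit means "review this", not "this is malware".
TEMP_DIR_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temp\\", "\\tmp\\")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_path(path: str) -> list:
    """Path-based checks shared by process lines and O23 entries."""
    reasons = []
    low = path.lower()
    if any(marker in low for marker in TEMP_DIR_MARKERS):
        reasons.append("executable in a temporary directory")
    if low.endswith("(file missing)"):
        reasons.append("registered binary not present on disk")
    return reasons


def triage_service(line: str):
    """Return a Finding for an O23 line worth a second look, else None."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons = check_path(m.group("path"))
    if m.group("vendor").strip().lower() == "unknown owner":
        # Low signal on its own: several legitimate services (Oracle, VMware
        # components in this very log) carry no vendor string either.
        reasons.append("no vendor information (low signal)")
    return Finding(line, reasons) if reasons else None


def triage_process(line: str):
    """Running-process lines are bare image paths."""
    reasons = check_path(line)
    return Finding(line, reasons) if reasons else None


def triage_log(text: str) -> list:
    """Walk a whole log; process lines follow 'Running processes:', then entries."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "processes"
            continue
        if re.match(r"^[A-Z]\d{1,2} - ", line):  # R0, O2, O23, ... entries
            section = "entries"
        if section == "processes":
            f = triage_process(line)
        elif line.startswith("O23 - "):
            f = triage_service(line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\OQA2DB.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LANDesk® Management Agent (CBA8) - Unknown owner - C:\Program Files\LANDesk\Shared Files\residentagent.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\radmin\r_server.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Run against the sample, the script lists the process in `C:\WINDOWS\TEMP`, the LANDesk service whose binary is missing, and the radmin service with no vendor string; the ATI service passes. Anything it lists still needs the usual follow-up (vendor lookup, file hash check, whether the user installed it on purpose) before any removal.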

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 31 August 2007 - 04:21 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
KillBox.exe
fix.bat
Combofix.exe
SmitfraudFix.exe

C:\!KillBox
C:\fix.bat
C:\Qoobox

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html