Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake Security Center Balloon On My Toolbar


  • This topic is locked This topic is locked
28 replies to this topic

#1 gordonla

gordonla

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 28 September 2007 - 11:46 AM

Hi, I'm new to this. I have a bogus Windows balloon on my toolbar that says "integrity threats detected," then goes on to tell me that it has detected corrupt files, etc, that could cause my computer to crash. I clicked on it thinking it was real, and have now found that it is not. I have ad-aware, spybot, and sophos antivirus, and from doing some research I have downloaded Hijack This. From what I've found this is not a new problem people are having. Please let me know what I should do next, the last time I had something like this it took over my desktop and eventually completely crashed my system.


Thanks so much!!

BC AdBot (Login to Remove)

 


m

#2 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 28 September 2007 - 07:53 PM

Here's the Hijack This print out. Haven't had a chance to run it until now.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:28 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {791cec24-1dd2-11b2-bc12-c200e6bb7cd0} - C:\WINDOWS\vetqfqpo.dll
O2 - BHO: (no name) - {ee6b3712-1dd1-11b2-a44e-b22b684a7182} - C:\WINDOWS\grodwhcx.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [mvofubyl] rundll32.exe "C:\Program Files\mvofubyl\azunqnot.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SCSoft\scsft2.exe
O4 - HKLM\..\Run: [wrqfyduh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wrqfyduh.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6343 bytes

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:22 AM

Posted 29 September 2007 - 04:21 PM

Hello gordonla,


NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again!

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of the SmitfraudFix report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


***********************

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Edited by SifuMike, 29 September 2007 - 04:34 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 29 September 2007 - 04:57 PM

Hi, Thanks for your response. I downloaded the SmitfraudFix from the link in your response, installed it and extracted the folder to my desktop. However, there is not a "runthis.bat" option. Did I do something wrong?

Thank you!

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:22 AM

Posted 29 September 2007 - 05:11 PM

I downloaded the SmitfraudFix from the link in your response, installed it and extracted the folder to my desktop. However, there is not a "runthis.bat"



Yes, you are mixing the instructions for the two programs, SmitfraudFix and SDFix.
Runthis.bat is for SDFix not for SmitfraudFix.

SmitfraudFix had two options. Select option #1 - Search by typing 1

Please read the instructions and follow them.

Edited by SifuMike, 29 September 2007 - 05:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 29 September 2007 - 05:23 PM

Sorry about that.

SmitFraudFix v2.233

Scan done at 18:21:15.69, Sat 09/29/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\iTunesHelper.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\user


C:\Documents and Settings\user\Application Data


Start Menu


C:\DOCUME~1\user\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0751C3F-B0C8-41B7-966C-F7F01BB6344C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0751C3F-B0C8-41B7-966C-F7F01BB6344C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E0751C3F-B0C8-41B7-966C-F7F01BB6344C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End

#7 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 29 September 2007 - 05:58 PM

SDFix: Version 1.107

Run by user on Sat 09/29/2007 at 06:45 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\user\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\NSPRS.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH2.DLL - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"D:\\LimeWire\\LimeWire.exe"="D:\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"D:\\StubInstaller.exe"="D:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\khost.exe:*:Enabled:Delivery Manager"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\Common Files\\AOL\\1131211868\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1131211868\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"D:\\eMule\\emule.exe"="D:\\eMule\\emule.exe:*:Enabled:eMule"
"D:\\iTunes.exe"="D:\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\user\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 7 May 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 7 May 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 7 May 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sat 6 May 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 16 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 16 Oct 2006 39,936 A..H. --- "C:\Documents and Settings\user\My Documents\Chez 301\~WRL2529.tmp"
Mon 16 Oct 2006 41,472 A..H. --- "C:\Documents and Settings\user\My Documents\Chez 301\~WRL3158.tmp"

Finished!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:29 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
D:\iTunesHelper.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {791cec24-1dd2-11b2-bc12-c200e6bb7cd0} - C:\WINDOWS\vetqfqpo.dll
O2 - BHO: (no name) - {e1df3eb0-1dd1-11b2-89cb-cf5379a411fb} - C:\WINDOWS\dulgrkhi.dll
O2 - BHO: (no name) - {ee6b3712-1dd1-11b2-a44e-b22b684a7182} - C:\WINDOWS\grodwhcx.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [mvofubyl] rundll32.exe "C:\Program Files\mvofubyl\azunqnot.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SCSoft\scsft2.exe
O4 - HKLM\..\Run: [wrqfyduh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wrqfyduh.dll"
O4 - HKLM\..\Run: [ejmjidyh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ejmjidyh.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6884 bytes

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:22 AM

Posted 29 September 2007 - 06:57 PM

Hello gordonla,

Looks like you have been compromised. Very Bad. :thumbsup:
That means after we are finished cleaning your computer, you will need to change all your passwords.


Read this link:
http://www.sophos.com/security/analyses/w32tilebotjp.html

Allows others to access the computer
Downloads code from the internet
Installs itself in the Registry
Exploits system or software vulnerabilities




Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"


O2 - BHO: (no name) - {791cec24-1dd2-11b2-bc12-c200e6bb7cd0} - C:\WINDOWS\vetqfqpo.dll
O2 - BHO: (no name) - {e1df3eb0-1dd1-11b2-89cb-cf5379a411fb} - C:\WINDOWS\dulgrkhi.dll
O2 - BHO: (no name) - {ee6b3712-1dd1-11b2-a44e-b22b684a7182} - C:\WINDOWS\grodwhcx.dll
O4 - HKLM\..\Run: [mvofubyl] rundll32.exe "C:\Program Files\mvofubyl\azunqnot.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SCSoft\scsft2.exe
O4 - HKLM\..\Run: [wrqfyduh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wrqfyduh.dll"
O4 - HKLM\..\Run: [ejmjidyh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ejmjidyh.dll"


These are optinal fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
(Description: AOL system tray icon. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
(Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray.)

O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
(Description: Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. This task does not actually need to be installed as a startup since iTunes starts it up anyway when it needs it. Let iTunes start it up whenever it needs to, particularly since it has a history of occasionally conflicting with other software and it uses nearly 6Mb of memory.)

*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\Program Files\mvofubyl\ <==folder
C:\Program Files\SCSoft\ <==folder
C:\Documents and Settings\All Users\Application Data\wrqfyduh.dll <==file
C:\Documents and Settings\All Users\Application Data\ejmjidyh.dll <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Menu Shortcuts.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer, post a new Hijackthis log and tell me how your computer is running.

Edited by SifuMike, 29 September 2007 - 06:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 29 September 2007 - 07:19 PM

Using Windows explorer I am not able to delete C:\Documents and Settings\All Users\Application Data\ejmjidyh.dll.

A box comes up saying access denied.

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:22 AM

Posted 29 September 2007 - 07:45 PM

That is OK, just proceed with the rest of the fix. We will delete it another way.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 29 September 2007 - 08:06 PM

Here it is... :thumbsup:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:22 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5974 bytes

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:22 AM

Posted 29 September 2007 - 08:11 PM

Hi gordonla,

Looks much better. :thumbsup: Is the balloon gone?

Now we will use ComboFix.

If you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

If your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Edited by SifuMike, 29 September 2007 - 08:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 29 September 2007 - 08:27 PM

I didn't see anything that said combofix-quarantined files.txt. Hopefully I didn't miss it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:14 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6053 bytes





ComboFix 07-09-21.2 - "user" 2007-09-29 21:15:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.120 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\ejmjidyh.dll
C:\WINDOWS\system32\tiglcsac
C:\WINDOWS\system32\tiglcsac\bg1.gif
C:\WINDOWS\system32\tiglcsac\bgtop.gif
C:\WINDOWS\system32\tiglcsac\bottom1.gif
C:\WINDOWS\system32\tiglcsac\essentials.gif
C:\WINDOWS\system32\tiglcsac\icon1.ico
C:\WINDOWS\system32\tiglcsac\install1.gif
C:\WINDOWS\system32\tiglcsac\left1.gif
C:\WINDOWS\system32\tiglcsac\li.gif
C:\WINDOWS\system32\tiglcsac\logo.gif
C:\WINDOWS\system32\tiglcsac\main.htm
C:\WINDOWS\system32\tiglcsac\mainframe.htm
C:\WINDOWS\system32\tiglcsac\reinstall1.gif
C:\WINDOWS\system32\tiglcsac\right1.gif
C:\WINDOWS\system32\tiglcsac\s1.htm
C:\WINDOWS\system32\tiglcsac\s2.htm
C:\WINDOWS\system32\tiglcsac\s3.htm
C:\WINDOWS\system32\tiglcsac\SMTop1.gif
C:\WINDOWS\system32\tiglcsac\SMTop2.gif
C:\WINDOWS\system32\tiglcsac\SMTop3.gif
C:\WINDOWS\system32\tiglcsac\SMTop4.gif
C:\WINDOWS\system32\tiglcsac\soft1_off.gif
C:\WINDOWS\system32\tiglcsac\soft1_off_ext.gif
C:\WINDOWS\system32\tiglcsac\soft1_on.gif
C:\WINDOWS\system32\tiglcsac\soft1_on_ext.gif
C:\WINDOWS\system32\tiglcsac\soft2_off.gif
C:\WINDOWS\system32\tiglcsac\soft2_off_ext.gif
C:\WINDOWS\system32\tiglcsac\soft2_on.gif
C:\WINDOWS\system32\tiglcsac\soft2_on_ext.gif
C:\WINDOWS\system32\tiglcsac\soft3_off.gif
C:\WINDOWS\system32\tiglcsac\soft3_off_ext.gif
C:\WINDOWS\system32\tiglcsac\soft3_on.gif
C:\WINDOWS\system32\tiglcsac\soft3_on_ext.gif
C:\WINDOWS\system32\tiglcsac\softbottom_off.gif
C:\WINDOWS\system32\tiglcsac\softbottom_on.gif
C:\WINDOWS\system32\tiglcsac\softleft_off.gif
C:\WINDOWS\system32\tiglcsac\softleft_on.gif
C:\WINDOWS\system32\tiglcsac\Thumbs.db
C:\WINDOWS\system32\tiglcsac\tiglcsac1.exe
C:\WINDOWS\system32\tiglcsac\top1.gif
C:\WINDOWS\system32\tiglcsac\top2.gif
C:\WINDOWS\system32\tiglcsac\turnoff1.gif
C:\WINDOWS\system32\tiglcsac\turnon1.gif

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-29 21:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 20:08 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-29 20:08 <DIR> d-------- C:\Program Files\CCleaner
2007-09-29 18:43 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-29 18:21 2,808 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-29 17:42 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-29 17:42 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-29 17:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-29 17:42 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-09-28 23:37 98,304 --a------ C:\WINDOWS\dulgrkhi.dll
2007-09-28 13:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-28 13:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-28 13:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-28 12:59 <DIR> d-------- C:\DOCUME~1\user\.housecall6.6
2007-09-28 00:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-27 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-22 06:19 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-09-20 17:45 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Talkback
2007-09-11 10:20 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 13:21 --------- d-------- C:\Program Files\Lavasoft
2007-09-28 13:21 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Lavasoft
2007-09-27 18:36 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Ahead
2007-09-26 22:44 --------- d-------- C:\Program Files\Symantec
2007-09-21 22:22 --------- d-------- C:\DOCUME~1\user\APPLIC~1\LimeWire
2007-09-11 10:14 --------- d-------- C:\Program Files\Apple Software Update
2007-09-11 10:13 --------- d-------- C:\Program Files\QuickTime
2007-08-28 18:28 --------- d-------- C:\Program Files\LimeWire
2007-08-17 22:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-09 18:27 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Apple Computer
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 20:36 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-03 16:53 --------- d-------- C:\Program Files\Netflix
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"HostManager"="C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe" [2006-09-25 20:52]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-08-02 19:45:21]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

R1 SAVOnAccess Control;SAVOnAccess Control;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys
R1 SAVOnAccess Filter;SAVOnAccess Filter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-25 00:06:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-28 22:00:02 C:\WINDOWS\Tasks\Scan for Potentially Unwanted Applications 12pm and 6pm.job"
- C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-29 21:20:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ATWPKT2]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\ATWPKT2.SYS"
.
Completion time: 2007-09-29 21:22:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-29 21:22
.
--- E O F ---

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:22 AM

Posted 29 September 2007 - 08:42 PM

Hello gordonla,

Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\Documents and Settings\All Users\Application Data\ejmjidyh.dll
C:\WINDOWS\dulgrkhi.dll



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt, a new HijackThis log and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 gordonla

gordonla
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 29 September 2007 - 08:56 PM

The computer is acting like it's been reset. No sign of the annoying popup and no error messages :thumbsup:
You'd mentioned I'd have to change my passwords...will I have to do that manually or will they just all be erased from Mozilla?

Here are the log files:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:33 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5866 bytes




ComboFix 07-09-21.2 - "user" 2007-09-29 21:50:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.116 [GMT -4:00]
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-29 21:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 20:08 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-29 20:08 <DIR> d-------- C:\Program Files\CCleaner
2007-09-29 18:43 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-29 18:21 2,808 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-29 17:42 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-29 17:42 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-29 17:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-29 17:42 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-09-28 23:37 98,304 --a------ C:\WINDOWS\dulgrkhi.dll
2007-09-28 13:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-28 13:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-28 13:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-28 12:59 <DIR> d-------- C:\DOCUME~1\user\.housecall6.6
2007-09-28 00:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-27 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-22 06:19 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-09-20 17:45 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Talkback
2007-09-11 10:20 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 13:21 --------- d-------- C:\Program Files\Lavasoft
2007-09-28 13:21 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Lavasoft
2007-09-27 18:36 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Ahead
2007-09-26 22:44 --------- d-------- C:\Program Files\Symantec
2007-09-21 22:22 --------- d-------- C:\DOCUME~1\user\APPLIC~1\LimeWire
2007-09-11 10:14 --------- d-------- C:\Program Files\Apple Software Update
2007-09-11 10:13 --------- d-------- C:\Program Files\QuickTime
2007-08-28 18:28 --------- d-------- C:\Program Files\LimeWire
2007-08-17 22:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-09 18:27 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Apple Computer
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 20:36 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-03 16:53 --------- d-------- C:\Program Files\Netflix
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"HostManager"="C:\Program Files\Common Files\AOL\1131211868\ee\AOLSoftware.exe" [2006-09-25 20:52]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-08-02 19:45:21]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

R1 SAVOnAccess Control;SAVOnAccess Control;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys
R1 SAVOnAccess Filter;SAVOnAccess Filter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-25 00:06:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-28 22:00:02 C:\WINDOWS\Tasks\Scan for Potentially Unwanted Applications 12pm and 6pm.job"
- C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-29 21:52:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
Completion time: 2007-09-29 21:53:39
C:\ComboFix-quarantined-files.txt ... 2007-09-29 21:53
C:\ComboFix2.txt ... 2007-09-29 21:22
.
--- E O F ---




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users