Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log Help Needed


  • This topic is locked This topic is locked
9 replies to this topic

#1 some12

some12

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 06 October 2007 - 03:14 PM

I just started getting virus alerts.

Please help me urgently.


also random internet explorer windows keep popping up

i am now getting lots of random pop ups mainly i think i have wiped the virus/ trojan away

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:01 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\Quick Shell.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\?racle\w?nlogon.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6CF27E11-E381-9D28-A440-EE2B5A9182BA} - C:\WINDOWS\system32\zpekz.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Quick Shell] "C:\WINDOWS\Quick Shell.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mdqytxb] "C:\Program Files\?racle\w?nlogon.exe"
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6979 bytes

Edited by some12, 06 October 2007 - 04:48 PM.


BC AdBot (Login to Remove)

 


#2 some12

some12
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 06 October 2007 - 04:36 PM

posting combofix log because most likely you guys will ask me to


ComboFix 07-08-04.3 - "Owner" 2007-10-06 17:29:19.6 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\racle~1
C:\Program Files\racle~1\w?nlogon.exe
C:\WINDOWS\system32\wcpicom32.exe


((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))


2007-10-06 15:38 60,928 --a------ C:\WINDOWS\system32\zpekz.dll
2007-10-06 15:38 35,840 --a------ C:\WINDOWS\tsitra72.exe
2007-10-06 15:38 <DIR> d-------- C:\Program Files\ISM
2007-10-06 11:12 <DIR> d-------- C:\Program Files\PC Wizard 2008
2007-09-30 19:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-09-27 16:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-09-27 16:36 <DIR> d-------- C:\Program Files\AIM6
2007-09-18 20:57 <DIR> d-------- C:\Program Files\Dobermann
2007-09-11 16:30 22,328 --a------ C:\DOCUME~1\Owner\APPLIC~1\PnkBstrK.sys
2007-09-09 04:58 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Xfire
2007-09-08 20:52 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire
2007-09-08 20:50 <DIR> d-------- C:\Program Files\Xfire
2007-09-08 20:50 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Xfire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-10-06 14:55 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-06 14:55 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-10-06 10:36 --------- d-------- C:\Program Files\WarRock
2007-10-05 14:23 --------- d-------- C:\Program Files\mIRC
2007-10-01 18:55 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
2007-09-27 16:36 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-21 21:10 --------- d-------- C:\Program Files\LimeWire
2007-09-21 21:10 --------- d-------- C:\Program Files\Incomplete
2007-09-21 20:55 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-09-18 20:49 --------- d-------- C:\Program Files\GameSpot
2007-09-15 11:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 16:04 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-12 20:03 --------- d-------- C:\Program Files\Microsoft Games
2007-09-12 18:53 --------- d-------- C:\Program Files\GameSpy Arcade
2007-09-09 19:49 --------- d-------- C:\Program Files\SwiftSwitch
2007-09-08 15:47 --------- d-------- C:\Program Files\Common Files\aolshare
2007-09-08 15:46 --------- d-------- C:\Program Files\Common Files\Roxio Shared
2007-09-08 15:42 --------- d-------- C:\Program Files\BigFix
2007-08-25 19:11 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\ZoomBrowser EX
2007-08-24 15:13 --------- d-------- C:\Program Files\EA GAMES
2007-08-22 18:34 --------- d-------- C:\Program Files\Electronic Arts
2007-08-22 11:39 --------- d-------- C:\Program Files\Canon
2007-08-22 11:35 --------- d-------- C:\Program Files\Common Files\Canon
2007-08-21 13:51 --------- d-------- C:\Program Files\Viewpoint
2007-08-15 11:32 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-05 20:50 --------- d-------- C:\Program Files\MSN Encarta Plus
2007-07-30 19:19 92504 --a--c--- C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a--c--- C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a--c--- C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a--c--- C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-20 12:59 0 --a------ C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2004-07-22 10:51 3432656 --a------ C:\Program Files\ManagedDX.CAB
2004-07-19 22:58 1156363 --a------ C:\Program Files\BDANT.cab
2004-07-19 22:53 976020 --a------ C:\Program Files\BDAXP.cab
2004-07-09 14:17 13265040 --a------ C:\Program Files\dxnt.cab
2004-07-09 09:13 703080 --a------ C:\Program Files\BDA.cab
2004-07-09 09:13 15493481 --a------ C:\Program Files\DirectX.cab
2004-07-09 04:08 472576 --a------ C:\Program Files\dxsetup.exe
2004-07-09 04:08 2242560 --a------ C:\Program Files\dsetup32.dll
2004-07-09 03:03 62976 --a------ C:\Program Files\DSETUP.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CF27E11-E381-9D28-A440-EE2B5A9182BA}]
2007-10-03 11:07 60928 --a------ C:\WINDOWS\system32\zpekz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
2007-10-01 05:12 663552 --a------ C:\Program Files\ISM\BndDrive6.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:16]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 18:51]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 18:51]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 18:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Quick Shell"="C:\WINDOWS\Quick Shell.exe" [2006-04-10 23:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-28 17:19]
"ZangoOE"="C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mdqytxb"="C:\Program Files\?racle\w?nlogon.exe" []
"ISMModule6"="C:\Program Files\ISM\ISMModule6.exe" [2007-10-05 15:36]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\system32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\system32\Drivers\SSIDRV.SYS
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\Drivers\tmtdi.sys
R2 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe
R2 Tmfilter;Tmfilter;C:\WINDOWS\system32\drivers\TmXPFlt.sys
R2 Tmpreflt;Tmpreflt;C:\WINDOWS\system32\drivers\Tmpreflt.sys
R2 Vsapint;Vsapint;C:\WINDOWS\system32\drivers\Vsapint.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys


Contents of the 'Scheduled Tasks' folder
2007-10-06 21:33:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-10-06 21:33:00 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 17:32:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-10-06 17:33:54
C:\ComboFix-quarantined-files.txt ... 2007-10-06 17:33
C:\ComboFix2.txt ... 2007-08-06 11:00
C:\ComboFix3.txt ... 2007-08-06 09:43

--- E O F ---

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:22 PM

Posted 07 October 2007 - 03:13 AM

Hi,

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\Program Files\ISM\BndDrive6.dll

Select it and click ok:
Then click the Send File button below.

Then, AFTER you performed above step.... delete the version of Combofix you are having, because that version is way outdated.

* Download Combofix to your desktop.


In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


* Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 some12

some12
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 07 October 2007 - 08:00 AM

Yesterday i thought i fixed the pop ups by starting the computer while not connected to the vinterent and deleting some of the process

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ISM
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\ISM\BndDrive6.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM\Uninstall.exe
C:\WINDOWS\system32\zpekz.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-06 15:38 35,840 --a------ C:\WINDOWS\tsitra72.exe
2007-10-06 11:12 <DIR> d-------- C:\Program Files\PC Wizard 2008
2007-09-30 19:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-09-30 19:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-09-27 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-27 16:36 <DIR> d-------- C:\Program Files\AIM6
2007-09-18 20:57 <DIR> d-------- C:\Program Files\Dobermann
2007-09-11 16:30 22,328 --a------ C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-09-11 16:30 22,328 --a------ C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-09-09 04:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-09-09 04:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-09-09 04:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-09-08 20:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-09-08 20:50 <DIR> d-------- C:\Program Files\Xfire
2007-09-08 20:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-09-08 20:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 18:48 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-06 10:36 --------- d-------- C:\Program Files\WarRock
2007-10-05 14:23 --------- d-------- C:\Program Files\mIRC
2007-10-01 18:55 --------- d-------- C:\Documents and Settings\Owner\Application Data\teamspeak2
2007-10-01 18:55 --------- d-------- C:\Documents and Settings\Owner\Application Data\teamspeak2
2007-09-27 16:36 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-27 16:36 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-21 21:10 --------- d-------- C:\Program Files\LimeWire
2007-09-21 21:10 --------- d-------- C:\Program Files\Incomplete
2007-09-21 20:55 --------- d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-09-21 20:55 --------- d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-09-18 20:49 --------- d-------- C:\Program Files\GameSpot
2007-09-15 11:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-12 20:03 --------- d-------- C:\Program Files\Microsoft Games
2007-09-12 18:53 --------- d-------- C:\Program Files\GameSpy Arcade
2007-09-09 19:49 --------- d-------- C:\Program Files\SwiftSwitch
2007-09-09 19:39 --------- d-------- C:\Documents and Settings\All Users\Application Data\SwiftSwitch
2007-09-08 15:49 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-09-08 15:47 --------- d-------- C:\Program Files\Common Files\aolshare
2007-09-08 15:46 --------- d-------- C:\Program Files\Common Files\Roxio Shared
2007-09-08 15:42 --------- d-------- C:\Program Files\BigFix
2007-08-25 19:11 --------- d-------- C:\Documents and Settings\Owner\Application Data\ZoomBrowser EX
2007-08-25 19:11 --------- d-------- C:\Documents and Settings\Owner\Application Data\ZoomBrowser EX
2007-08-24 15:13 --------- d-------- C:\Program Files\EA GAMES
2007-08-22 18:34 --------- d-------- C:\Program Files\Electronic Arts
2007-08-22 11:39 --------- d-------- C:\Program Files\Canon
2007-08-22 11:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-08-22 11:35 --------- d-------- C:\Program Files\Common Files\Canon
2007-08-21 13:51 --------- d-------- C:\Program Files\Viewpoint
2007-08-15 11:32 --------- d-------- C:\Program Files\MSXML 4.0
2004-07-22 10:51 3432656 --a------ C:\Program Files\ManagedDX.CAB
2004-07-19 22:58 1156363 --a------ C:\Program Files\BDANT.cab
2004-07-19 22:53 976020 --a------ C:\Program Files\BDAXP.cab
2004-07-09 14:17 13265040 --a------ C:\Program Files\dxnt.cab
2004-07-09 09:13 703080 --a------ C:\Program Files\BDA.cab
2004-07-09 09:13 15493481 --a------ C:\Program Files\DirectX.cab
2004-07-09 04:08 472576 --a------ C:\Program Files\dxsetup.exe
2004-07-09 04:08 472576 --a------ C:\Documents and Settings\Owner\dxsetup.exe
2004-07-09 04:08 2242560 --a------ C:\Program Files\dsetup32.dll
2004-07-09 04:08 2242560 --a------ C:\Documents and Settings\Owner\dsetup32.dll
2004-07-09 03:03 62976 --a------ C:\Program Files\DSETUP.dll
2004-07-09 03:03 62976 --a------ C:\Documents and Settings\Owner\DSETUP.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 15:00 C:\WINDOWS\system32\rundll32.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 08:09]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:16]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 18:51]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 18:51]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 18:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Quick Shell"="C:\WINDOWS\Quick Shell.exe" [2006-04-10 23:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-28 17:19]
"ZangoOE"="C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mdqytxb"="C:\Program Files\?racle\w?nlogon.exe" []
"ISMModule6"="C:\Program Files\ISM\ISMModule6.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS
R2 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 12:53:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job"
- c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-10-07 12:53:00 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 08:48:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 8:57:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 08:57
C:\ComboFix2.txt ... 2007-10-06 17:33
C:\ComboFix3.txt ... 2007-08-06 11:00
.
--- E O F ---

_____________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:36 AM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\Quick Shell.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Quick Shell] "C:\WINDOWS\Quick Shell.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe
O4 - HKCU\..\Run: [Mdqytxb] "C:\Program Files\?racle\w?nlogon.exe"
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6526 bytes

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:22 PM

Posted 08 October 2007 - 01:09 AM

Hi,

Thanks for the file.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe
O4 - HKCU\..\Run: [Mdqytxb] "C:\Program Files\?racle\w?nlogon.exe"
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

navigate to and delete next file:

C:\WINDOWS\tsitra72.exe

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\Quick Shell.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 some12

some12
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 08 October 2007 - 07:52 AM

Btw i know what this file is it is a always on top progam.
Also i think most of the pop ups have stopped, because i deleted that Ism file before you told me to.

Antivirus Version Last Update Result
AhnLab-V3 2007.10.8.0 2007.10.08 -
AntiVir 7.6.0.20 2007.10.08 -
Authentium 4.93.8 2007.10.05 -
Avast 4.7.1051.0 2007.10.08 -
AVG 7.5.0.488 2007.10.08 -
BitDefender 7.2 2007.10.08 -
CAT-QuickHeal 9.00 2007.10.06 -
ClamAV 0.91.2 2007.10.08 -
DrWeb 4.44.0.09170 2007.10.08 -
eSafe 7.0.15.0 2007.10.07 -
eTrust-Vet 31.2.5190 2007.10.06 -
Ewido 4.0 2007.10.08 -
FileAdvisor 1 2007.10.08 -
Fortinet 3.11.0.0 2007.10.08 -
F-Prot 4.3.2.48 2007.10.06 -
F-Secure 6.70.13030.0 2007.10.08 -
Ikarus T3.1.1.12 2007.10.08 -
Kaspersky 7.0.0.125 2007.10.08 -
McAfee 5135 2007.10.05 -
Microsoft 1.2908 2007.10.08 -
NOD32v2 2577 2007.10.08 -
Norman 5.80.02 2007.10.08 -
Panda 9.0.0.4 2007.10.08 -
Prevx1 V2 2007.10.08 -
Rising 19.44.02.00 2007.10.08 -
Sophos 4.22.0 2007.10.08 -
Sunbelt 2.2.907.0 2007.10.06 -
Symantec 10 2007.10.08 -
TheHacker 6.2.6.079 2007.10.07 -
VBA32 3.12.2.4 2007.10.08 -
VirusBuster 4.3.26:9 2007.10.07 -
Webwasher-Gateway 6.0.1 2007.10.08 -
Additional information
File size: 872448 bytes
MD5: 26e8ebfb0297c67c44adac7654dbeef1
SHA1: 21efb581e6694a7c0bee78f972f214fc2c410b97




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:29 AM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\Quick Shell.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T3418
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=T3418
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Quick Shell] "C:\WINDOWS\Quick Shell.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6245 bytes

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:22 PM

Posted 08 October 2007 - 07:56 AM

Hi,

Btw i know what this file is it is a always on top progam.

In that case, since you know it, it's ok. Scanners don't find anything malicious in it either.

Your log looks ok again, so I guess we're done here.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

Edited by miekiemoes, 08 October 2007 - 07:56 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 some12

some12
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 08 October 2007 - 08:33 AM

thank you for helping

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:22 PM

Posted 08 October 2007 - 08:45 AM

You're most welcome :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:22 PM

Posted 09 October 2007 - 06:21 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users