Malware Won't Stay Away


  • This topic is locked
20 replies to this topic

#1 keebee

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 03 November 2007 - 05:36 PM

Hi all,

Below are the ComboFix and HiJackThis logs for some malware that won't STAY away. I've exhausted my resources on the forums and now I need your help. Thanks!

ComboFix 07-10-22.7 - paul 2007-11-03 14:57:45.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.572 [GMT -7:00]
Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cplxlntd.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.ini
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\fesasqvt.dll
C:\WINDOWS\system32\utvwa.bak1
C:\WINDOWS\system32\utvwa.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 07:17 85,568 --a------ C:\WINDOWS\system32\xmeqxtkt.dll
2007-10-29 19:18 85,568 --a------ C:\WINDOWS\system32\bbqxovyd.dll
2007-10-25 16:12 218,112 --a------ C:\HijackThis.exe
2007-10-22 14:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-22 13:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 12:02 <DIR> d-------- C:\WINDOWS\pss
2007-10-19 00:23 8,191 --a------ C:\WINDOWS\b111.exe.bin
2007-10-18 07:16 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-17 18:28 <DIR> d-------- C:\WINDOWS\system32\pod2
2007-10-17 18:28 <DIR> d-------- C:\WINDOWS\system32\cap1
2007-10-17 18:28 <DIR> d-------- C:\WINDOWS\system32\bib1
2007-10-17 18:28 <DIR> d-------- C:\WINDOWS\system32\bco2
2007-10-17 18:28 35,840 --a------ C:\WINDOWS\system32\urqqqpn.dll
2007-10-17 18:28 35,840 --a------ C:\WINDOWS\system32\opnooom.dll
2007-10-17 18:27 35,840 --a------ C:\WINDOWS\system32\wvuuurq.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 22:00 --------- d-----w C:\Documents and Settings\paul\Application Data\AdobeUM
2007-10-29 22:01 --------- d-----w C:\Program Files\Land Desktop 2004
2007-10-22 20:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 18:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-08 19:33 --------- d-----w C:\Program Files\Plancenter.com
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
1997-07-22 02:30:54 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 10:00:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 19:06:50 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 19:06:50 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 19:06:50 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-22_14.21.07.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 22:02:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C92B957B-4767-4E53-A63C-1E547C35F0C6}]
2007-10-17 18:27 35840 --a------ C:\WINDOWS\system32\wvuuurq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-09-13 19:21]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-09-13 19:21]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 22:05]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-06 20:27]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-27 06:37]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 C:\WINDOWS\stsystra.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-06 08:35]
"4ca10fde"="C:\WINDOWS\system32\xmeqxtkt.dll" [2007-11-02 07:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C92B957B-4767-4E53-A63C-1E547C35F0C6}"= C:\WINDOWS\system32\wvuuurq.dll [2007-10-17 18:27 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
PRISMGNA.DLL 2004-12-08 12:41 229465 C:\WINDOWS\system32\PRISMGNA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuurq]
wvuuurq.dll 2007-10-17 18:27 35840 C:\WINDOWS\system32\wvuuurq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
C:\Program Files\Words\Words.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 PRISMSVC;PRISMSVC;C:\WINDOWS\System32\PRISMSVC.EXE
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 15:03:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""
.
Completion time: 2007-11-03 15:04:53 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-24 13:40
C:\ComboFix3.txt ... 2007-10-24 12:40
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:29, on 2007-11-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\PRISMSVC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
\Nas-01-48-1d\NAS01-1\Setup\Trend Micro\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4ca10fde] rundll32.exe "C:\WINDOWS\system32\xmeqxtkt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov
O16 - DPF: Autodesk MapGuide Viewer, Java Edition - http://www.autodesk.com/us/mapguide/viewer..._win/mgjava.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {5BB05153-D3D2-4370-97A3-8715519FF81F} (Interactive Client Result Set Control) - http://plso.wadnr.gov/wx/Client/IrcResultSet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EncompassES.local
O17 - HKLM\Software\..\Telephony: DomainName = EncompassES.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EncompassES.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O24 - Desktop Component 0: (no name) - http://us.js2.yimg.com/us.js.yimg.com/lib/...542adb0cb1_1.js
O24 - Desktop Component 1: (no name) - http://i11.ebayimg.com/04/i/000/ac/d5/aa96_1.JPG
O24 - Desktop Component 2: (no name) - http://www.wwessc.hunting-ess.com/gallery2..._serialNumber=1

--
End of file - 7850 bytes
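The two logs above use different formats: ComboFix's `Files Created` listing (date, time, size, attribute flags, path) and HijackThis's O-numbered entries. When triaging a post like this, the signals worth pulling out mechanically are newly created system32 binaries whose names look machine-generated (xmeqxtkt.dll, bbqxovyd.dll, urqqqpn.dll, wvuuurq.dll) and any O4 Run entry that loads such a DLL through rundll32 under a bare hex value name, which is exactly the `[4ca10fde]` entry here. The Python below is an added example, not code from the thread or from the ComboFix or HijackThis tools; it parses a handful of lines copied from the log above (a constructed sample), and the `looks_random` name heuristic and its thresholds are my own assumption, meant as a triage score to be confirmed with a known-good hash check rather than a verdict.

```python
import re

# Constructed sample input: lines copied from the ComboFix "Files Created" section
# and the HijackThis O4/O20 entries in the post above; benign entries are kept for contrast.
COMBOFIX_FILES_CREATED = r"""
2007-11-02 07:17 85,568 --a------ C:\WINDOWS\system32\xmeqxtkt.dll
2007-10-29 19:18 85,568 --a------ C:\WINDOWS\system32\bbqxovyd.dll
2007-10-25 16:12 218,112 --a------ C:\HijackThis.exe
2007-10-22 14:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-22 13:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-18 07:16 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-17 18:28 35,840 --a------ C:\WINDOWS\system32\urqqqpn.dll
2007-10-17 18:27 35,840 --a------ C:\WINDOWS\system32\wvuuurq.dll
""".strip()

HIJACKTHIS_O4 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [4ca10fde] rundll32.exe "C:\WINDOWS\system32\xmeqxtkt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
""".strip()

# ComboFix file line: date time size attrs path (size is "<DIR>" for directories)
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# HijackThis O4 line: O4 - HKLM\..\Run: [value name] command
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def looks_random(stem: str) -> bool:
    """Assumed heuristic for the 7-8 letter generated names in these logs. True only for
    all-lowercase alphabetic stems with a 'q' not followed by 'u', four consonants in a
    row, or a letter repeated three times. Legitimate names can trip it (svchost would),
    so treat a hit as 'look closer', not 'malicious'."""
    if not (7 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    return bool(re.search(r"q(?!u)", stem) or re.search(r"[^aeiouy]{4}", stem)
                or re.search(r"(.)\1\1", stem))


def parse_files_created(text: str):
    """Yield (date, size_bytes, path) for each file line in a 'Files Created' block."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            yield m.group("date"), int(m.group("size").replace(",", "")), m.group("path")


def suspicious_system32_binaries(text: str):
    """Paths directly under system32 (dllcache excluded) whose stem looks generated."""
    hits = []
    for _date, _size, path in parse_files_created(text):
        low = path.lower()
        if "\\system32\\" not in low or "\\dllcache\\" in low:
            continue
        stem, _, ext = path.rsplit("\\", 1)[1].rpartition(".")
        if ext.lower() in ("dll", "exe") and looks_random(stem.lower()):
            hits.append(path)
    return hits


def suspicious_run_entries(text: str):
    """O4 Run entries with a bare hex value name and/or a rundll32 load of a
    random-named system32 DLL. Returns (name, command, reasons) tuples."""
    hits = []
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        reasons = []
        if re.fullmatch(r"[0-9a-f]{6,}", name.lower()):
            reasons.append("hex value name")
        dll = re.search(r'rundll32\.exe\s+"?([^",]+\.dll)', cmd, re.IGNORECASE)
        if dll and "\\system32\\" in dll.group(1).lower():
            stem = dll.group(1).rsplit("\\", 1)[-1][:-4].lower()
            if looks_random(stem):
                reasons.append("rundll32 loads random-named system32 DLL")
        if reasons:
            hits.append((name, cmd, reasons))
    return hits


def triage(files_text: str, hjt_text: str):
    """Join both views: {path: [reasons]}, so a dropped file that also has a
    persistence entry shows up with two reasons instead of one."""
    report = {p: ["random-looking name in system32"] for p in suspicious_system32_binaries(files_text)}
    for name, cmd, reasons in suspicious_run_entries(hjt_text):
        m = re.search(r'"?([A-Za-z]:\\[^",]+)', cmd)
        path = m.group(1) if m else cmd
        report.setdefault(path, []).append("O4 [%s]: %s" % (name, "; ".join(reasons)))
    return report


if __name__ == "__main__":
    for path, reasons in triage(COMBOFIX_FILES_CREATED, HIJACKTHIS_O4).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, `triage` reports four generated-name DLLs and marks xmeqxtkt.dll a second time for its rundll32 autostart. The same DLL set also appears in the BHO, ShellExecuteHooks and Winlogon Notify entries in the ComboFix log above, which is why simply deleting the file does not keep it away: the loaders re-create it under a new name, as the later log in this thread shows.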


#2 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 AM

Posted 09 November 2007 - 11:12 PM

Hello keebee,

ComboFix is NOT a tool that you run on your own! It needs to be run with expert guidance.

Now we will have to start over. :thumbsup:

First, uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Next, download ComboFix again.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 keebee

  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 14 November 2007 - 06:01 PM

Sorry about that, I was just trying to save you some time. I appreciate all of the help. I did as you asked (uninstall and re-install, then run disconnected from the internet). Attached are the new ComboFix and HijackThis logs. Thanks!

ComboFix 07-11-08.1 - paul 2007-11-14 14:36:15.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.515 [GMT -8:00]
Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data\Starware322
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\screensaver.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\Screensavers0.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware322\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware322\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware322\contexts\Related.xml
C:\Documents and Settings\All Users\Application Data\Starware322\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware322\Games\images\active\Games0.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\images\walert.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\Movies\images\active\Movies0.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\All Users\Application Data\Starware322\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware322\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware322\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware322\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware322\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware322\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware322\U579D2331.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bbqxovyd.dll
C:\WINDOWS\system32\dyvoxqbb.ini
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\opnooom.dll
C:\WINDOWS\system32\urqqqpn.dll
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak2
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
C:\WINDOWS\system32\yybeg.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 07:15 85,056 --a------ C:\WINDOWS\system32\trqruent.dll
2007-11-14 07:09 79,424 --a------ C:\WINDOWS\system32\qqbqesku.dll
2007-11-14 07:07 71,232 --a------ C:\WINDOWS\system32\bfswuaet.exe
2007-11-13 11:25 80,448 --a------ C:\WINDOWS\system32\tyjctmxc.dll
2007-11-13 11:16 71,232 --a------ C:\WINDOWS\system32\bfgoglpg.exe
2007-11-13 08:46 88,128 --a------ C:\WINDOWS\system32\vkjvdmep.dll
2007-11-13 08:40 80,448 --a------ C:\WINDOWS\system32\dmxvslrd.dll
2007-11-13 08:37 71,232 --a------ C:\WINDOWS\system32\qexvtsoq.exe
2007-11-13 07:56 80,448 --a------ C:\WINDOWS\system32\oytljdqp.dll
2007-11-13 07:50 88,128 --a------ C:\WINDOWS\system32\utknafuq.dll
2007-11-13 07:48 71,232 --a------ C:\WINDOWS\system32\drfcaovb.exe
2007-11-12 14:33 89,664 --a------ C:\WINDOWS\system32\qhvbhyid.dll
2007-11-12 14:30 81,472 --a------ C:\WINDOWS\system32\yafuilws.dll
2007-11-12 14:27 71,232 --a------ C:\WINDOWS\system32\vxghfngn.exe
2007-11-12 13:47 81,472 --a------ C:\WINDOWS\system32\yktmayre.dll
2007-11-12 13:44 89,664 --a------ C:\WINDOWS\system32\mroxjbvx.dll
2007-11-12 13:41 71,232 --a------ C:\WINDOWS\system32\eqohoisl.exe
2007-11-12 10:14 89,664 --a------ C:\WINDOWS\system32\ywbgpedy.dll
2007-11-12 10:11 81,472 --a------ C:\WINDOWS\system32\nfwpasmq.dll
2007-11-12 10:08 71,232 --a------ C:\WINDOWS\system32\wefpwlyr.exe
2007-11-12 07:32 89,664 --a------ C:\WINDOWS\system32\rgbchosq.dll
2007-11-12 07:32 81,472 --a------ C:\WINDOWS\system32\cmjljgfn.dll
2007-11-12 07:30 71,232 --a------ C:\WINDOWS\system32\cwvwcaoy.exe
2007-11-12 07:26 89,664 --a------ C:\WINDOWS\system32\fsxgklet.dll
2007-11-12 07:24 71,232 --a------ C:\WINDOWS\system32\mwqrexmb.exe
2007-11-11 09:38 79,936 --a------ C:\WINDOWS\system32\toiqudwd.dll
2007-11-11 09:29 71,232 --a------ C:\WINDOWS\system32\iibsxjhx.exe
2007-11-10 09:32 81,472 --a------ C:\WINDOWS\system32\mluyvmgi.dll
2007-11-10 09:29 71,232 --a------ C:\WINDOWS\system32\evslvbkk.exe
2007-11-09 09:32 77,888 --a------ C:\WINDOWS\system32\briqkvaf.dll
2007-11-09 09:27 71,232 --a------ C:\WINDOWS\system32\sgyvikmm.exe
2007-11-09 09:05 88,128 --a------ C:\WINDOWS\system32\aopounru.dll
2007-11-09 09:02 77,888 --a------ C:\WINDOWS\system32\shqghvra.dll
2007-11-09 08:56 71,232 --a------ C:\WINDOWS\system32\umepraau.exe
2007-11-09 08:48 88,128 --a------ C:\WINDOWS\system32\csglabfr.dll
2007-11-09 08:45 77,888 --a------ C:\WINDOWS\system32\icicnumc.dll
2007-11-09 08:43 71,232 --a------ C:\WINDOWS\system32\sjxsyurp.exe
2007-11-09 08:37 88,128 --a------ C:\WINDOWS\system32\tkqpouyr.dll
2007-11-09 08:37 71,232 --a------ C:\WINDOWS\system32\jacbbfqa.exe
2007-11-08 15:37 80,448 --a------ C:\WINDOWS\system32\llnhkafa.dll
2007-11-08 15:31 86,080 --a------ C:\WINDOWS\system32\watisbsx.dll
2007-11-08 15:29 71,232 --a------ C:\WINDOWS\system32\iskespqa.exe
2007-11-08 13:51 80,448 --a------ C:\WINDOWS\system32\whmsckei.dll
2007-11-08 13:48 86,080 --a------ C:\WINDOWS\system32\nnijytbh.dll
2007-11-08 13:42 71,232 --a------ C:\WINDOWS\system32\sirjgxac.exe
2007-11-08 13:26 86,080 --a------ C:\WINDOWS\system32\ffnuhygq.dll
2007-11-08 13:23 80,448 --a------ C:\WINDOWS\system32\jcsnbaqg.dll
2007-11-08 13:17 71,232 --a------ C:\WINDOWS\system32\lkxwmcnm.exe
2007-11-08 11:05 86,080 --a------ C:\WINDOWS\system32\ggrkjgmb.dll
2007-11-08 11:01 80,448 --a------ C:\WINDOWS\system32\biaoibem.dll
2007-11-08 10:59 71,232 --a------ C:\WINDOWS\system32\bqffhlxv.exe
2007-11-08 07:20 80,448 --a------ C:\WINDOWS\system32\fkfwucfj.dll
2007-11-08 07:14 71,232 --a------ C:\WINDOWS\system32\lawymhja.exe
2007-11-07 07:22 79,936 --a------ C:\WINDOWS\system32\nktermsk.dll
2007-11-07 07:16 86,080 --a------ C:\WINDOWS\system32\oajfaftl.dll
2007-11-07 07:13 71,232 --a------ C:\WINDOWS\system32\evejjpfk.exe
2007-11-06 07:23 87,104 --a------ C:\WINDOWS\system32\cjhtavxq.dll
2007-11-06 07:20 81,472 --a------ C:\WINDOWS\system32\cbhrtpne.dll
2007-11-05 07:17 83,008 --a------ C:\WINDOWS\system32\goysqnkp.dll
2007-10-25 15:12 218,112 --a------ C:\HijackThis.exe
2007-10-22 13:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-22 12:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 11:02 <DIR> d-------- C:\WINDOWS\pss
2007-10-18 23:23 8,191 --a------ C:\WINDOWS\b111.exe.bin
2007-10-18 06:16 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\pod2
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\cap1
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\bib1
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\bco2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 16:29 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-11-14 16:29 --------- d-----w C:\Program Files\Autodesk Land Desktop 2006
2007-11-14 16:29 --------- d-----w C:\Program Files\Autodesk Civil 3D 2006
2007-11-14 16:16 --------- d-----w C:\Program Files\Land Desktop 2004
2007-11-12 16:47 --------- d-----w C:\Documents and Settings\paul\Application Data\AdobeUM
2007-10-22 20:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 18:18 --------- d-----w C:\Program Files\Windows Media Connect 2
1997-07-22 02:30:54 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 10:00:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 19:06:50 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 19:06:50 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 19:06:50 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b906613-0d87-4385-9ae1-2d946258c03e}]
2007-11-14 07:09 79424 --a------ C:\WINDOWS\system32\qqbqesku.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-09-13 18:21]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-09-13 18:21]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-06 19:27]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-27 05:37]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-06 07:35]
"4ca10fde"="C:\WINDOWS\system32\trqruent.dll" [2007-11-14 07:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 05:18:22]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2005-07-08 13:05:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
PRISMGNA.DLL 2004-12-08 11:41 229465 C:\WINDOWS\system32\PRISMGNA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuurq]
wvuuurq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
C:\Program Files\Words\Words.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 PRISMSVC;PRISMSVC;C:\WINDOWS\System32\PRISMSVC.EXE
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 14:55:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\tneurqrt.tmp 1134592 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""
.
Completion time: 2007-11-14 14:57:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-03 14:04
C:\ComboFix3.txt ... 2007-10-24 12:40
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03, on 2007-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\PRISMSVC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
\Nas-01-48-1d\NAS01-1\Setup\Trend Micro\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: {e30c8526-49d2-1ea9-5834-78d0316609b9} - {9b906613-0d87-4385-9ae1-2d946258c03e} - C:\WINDOWS\system32\qqbqesku.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4ca10fde] rundll32.exe "C:\WINDOWS\system32\trqruent.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov
O16 - DPF: Autodesk MapGuide Viewer, Java Edition - http://www.autodesk.com/us/mapguide/viewer..._win/mgjava.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {5BB05153-D3D2-4370-97A3-8715519FF81F} (Interactive Client Result Set Control) - http://plso.wadnr.gov/wx/Client/IrcResultSet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EncompassES.local
O17 - HKLM\Software\..\Telephony: DomainName = EncompassES.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EncompassES.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: wvuuurq - wvuuurq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O24 - Desktop Component 0: (no name) - http://us.js2.yimg.com/us.js.yimg.com/lib/...542adb0cb1_1.js
O24 - Desktop Component 1: (no name) - http://i11.ebayimg.com/04/i/000/ac/d5/aa96_1.JPG
O24 - Desktop Component 2: (no name) - http://www.wwessc.hunting-ess.com/gallery2..._serialNumber=1

--
End of file - 8587 bytes

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 14 November 2007 - 07:35 PM

Hello keebee,

This computer is really infected. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [4ca10fde] rundll32.exe "C:\WINDOWS\system32\trqruent.dll",b


If you did not add these to your IE Trusted Zone, then Fix them.
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov


O20 - Winlogon Notify: wvuuurq - wvuuurq.dll (file missing)


If you did not add these to your desktop, then fix them.
O24 - Desktop Component 0: (no name) - http://us.js2.yimg.com/us.js.yimg.com/lib/...542adb0cb1_1.js
O24 - Desktop Component 1: (no name) - http://i11.ebayimg.com/04/i/000/ac/d5/aa96_1.JPG
O24 - Desktop Component 2: (no name) - http://www.wwessc.hunting-ess.com/gallery2..._serialNumber=1


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************




Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\trqruent.dll
C:\WINDOWS\system32\qqbqesku.dll
C:\WINDOWS\system32\bfswuaet.exe
C:\WINDOWS\system32\tyjctmxc.dll
C:\WINDOWS\system32\bfgoglpg.exe
C:\WINDOWS\system32\vkjvdmep.dll
C:\WINDOWS\system32\dmxvslrd.dll
C:\WINDOWS\system32\qexvtsoq.exe
C:\WINDOWS\system32\oytljdqp.dll
C:\WINDOWS\system32\utknafuq.dll
C:\WINDOWS\system32\drfcaovb.exe
C:\WINDOWS\system32\qhvbhyid.dll
C:\WINDOWS\system32\yafuilws.dll
C:\WINDOWS\system32\vxghfngn.exe
C:\WINDOWS\system32\yktmayre.dll
C:\WINDOWS\system32\mroxjbvx.dll
C:\WINDOWS\system32\eqohoisl.exe
C:\WINDOWS\system32\ywbgpedy.dll
C:\WINDOWS\system32\nfwpasmq.dll
C:\WINDOWS\system32\wefpwlyr.exe
C:\WINDOWS\system32\rgbchosq.dll
C:\WINDOWS\system32\cmjljgfn.dll
C:\WINDOWS\system32\cwvwcaoy.exe
C:\WINDOWS\system32\fsxgklet.dll
C:\WINDOWS\system32\mwqrexmb.exe
C:\WINDOWS\system32\toiqudwd.dll
C:\WINDOWS\system32\iibsxjhx.exe
C:\WINDOWS\system32\mluyvmgi.dll
C:\WINDOWS\system32\evslvbkk.exe
C:\WINDOWS\system32\briqkvaf.dll
C:\WINDOWS\system32\sgyvikmm.exe
C:\WINDOWS\system32\aopounru.dll
C:\WINDOWS\system32\shqghvra.dll
C:\WINDOWS\system32\umepraau.exe
C:\WINDOWS\system32\csglabfr.dll
C:\WINDOWS\system32\icicnumc.dll
C:\WINDOWS\system32\sjxsyurp.exe
C:\WINDOWS\system32\tkqpouyr.dll
C:\WINDOWS\system32\jacbbfqa.exe
C:\WINDOWS\system32\llnhkafa.dll
C:\WINDOWS\system32\watisbsx.dll
C:\WINDOWS\system32\iskespqa.exe
C:\WINDOWS\system32\whmsckei.dll
C:\WINDOWS\system32\nnijytbh.dll
C:\WINDOWS\system32\sirjgxac.exe
C:\WINDOWS\system32\ffnuhygq.dll
C:\WINDOWS\system32\jcsnbaqg.dll
C:\WINDOWS\system32\lkxwmcnm.exe
C:\WINDOWS\system32\ggrkjgmb.dll
C:\WINDOWS\system32\biaoibem.dll
C:\WINDOWS\system32\bqffhlxv.exe
C:\WINDOWS\system32\fkfwucfj.dll
C:\WINDOWS\system32\lawymhja.exe
C:\WINDOWS\system32\nktermsk.dll
C:\WINDOWS\system32\oajfaftl.dll
C:\WINDOWS\system32\evejjpfk.exe
C:\WINDOWS\system32\cjhtavxq.dll
C:\WINDOWS\system32\cbhrtpne.dll
C:\WINDOWS\system32\goysqnkp.dll


Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9b906613-0d87-4385-9ae1-2d946258c03e}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuurq]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
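The fix list above was selected by eye from the HijackThis log: a URLSearchHook with no file, a BHO whose "name" is just another GUID, a Run key that launches rundll32 against an eight-letter DLL in system32, a Winlogon Notify entry for a DLL that is no longer on disk, and Active Desktop components. One detail worth noticing is that the hidden file catchme reported, tneurqrt.tmp, is trqruent.dll (the rundll32 payload) spelled backwards; the earlier ComboFix runs show the same pattern (jkklj.dll / jlkkj.ini, awvtu.dll / utvwa.ini). The script below is an added example, not part of either poster's message and not code from the HijackThis or ComboFix projects: it encodes those same heuristics and the reversed-name check as a first-pass triage over a log. SAMPLE_LOG is a constructed excerpt assembled from lines in this thread, and KNOWN_GOOD is an assumed, deliberately short allowlist of legitimate eight-letter Windows binaries that would otherwise trip the "random name" rule.

```python
"""Triage a HijackThis/ComboFix log for the autostart patterns in this thread.

Added example, not part of the original posts and not code from the
HijackThis or ComboFix projects. SAMPLE_LOG is a constructed excerpt built
from lines that appear in this thread; KNOWN_GOOD is an assumed allowlist.
"""
import re

# Vundo-style droppers name their modules with exactly eight lowercase letters
# and place them in system32. Match the path case-insensitively, then insist
# on a lowercase stem so vendor names like PRISMSVC.EXE are not flagged.
SYS32_MODULE = re.compile(
    r"C:\\WINDOWS\\system32\\([A-Za-z]{8})\.(?:dll|exe|tmp)\b", re.I)
# Legitimate eight-letter lowercase system32 names that would otherwise trip
# the heuristic (assumption: not exhaustive; extend it for your own images).
KNOWN_GOOD = {"winlogon", "services"}
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\system32\\[a-z]{8}\.dll', re.I)

# Constructed sample: lines copied from the logs in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: {e30c8526-49d2-1ea9-5834-78d0316609b9} - {9b906613-0d87-4385-9ae1-2d946258c03e} - C:\WINDOWS\system32\qqbqesku.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4ca10fde] rundll32.exe "C:\WINDOWS\system32\trqruent.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: wvuuurq - wvuuurq.dll (file missing)
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
O24 - Desktop Component 1: (no name) - http://i11.ebayimg.com/04/i/000/ac/d5/aa96_1.JPG
C:\WINDOWS\system32\tneurqrt.tmp 1134592 bytes
"""


def random_stem(line):
    """First eight-lowercase-letter system32 module stem on the line, or None."""
    for m in SYS32_MODULE.finditer(line):
        stem = m.group(1)
        if stem.islower() and stem not in KNOWN_GOOD:
            return stem
    return None


def reversed_pairs(stems):
    """Stems whose reversal is also present: the hidden tneurqrt.tmp that
    catchme reported is trqruent.dll (the rundll32 payload) spelled backwards."""
    pairs = set()
    for s in stems:
        r = s[::-1]
        if r != s and r in stems:
            pairs.add(tuple(sorted((s, r))))
    return sorted(pairs)


def triage(log_text):
    """Return (reason, line) tuples for every log line a responder would fix."""
    findings, stems = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stem = random_stem(line)
        if stem:
            stems.add(stem)
        reasons = []
        if line.startswith("R3 - URLSearchHook") and "(no file)" in line:
            reasons.append("orphaned URLSearchHook")
        if line.startswith("O2 - BHO:"):
            # HJT format: "O2 - BHO: <name> - {CLSID} - <path>"
            name = line[len("O2 - BHO:"):].split(" - {", 1)[0].strip()
            if GUID.match(name):
                reasons.append("BHO whose display name is a bare GUID")
        if line.startswith("O4 -") and RUNDLL.search(line):
            reasons.append("Run key loads a random-named DLL through rundll32")
        if line.startswith("O20 - Winlogon Notify") and "(file missing)" in line:
            reasons.append("Winlogon Notify entry for a missing DLL")
        if line.startswith("O24 - Desktop Component"):
            reasons.append("Active Desktop web component")
        if stem and not reasons:
            reasons.append("random eight-letter system32 module: " + stem)
        findings.extend((reason, line) for reason in reasons)
    for a, b in reversed_pairs(stems):
        findings.append(("reversed-name pair: %s / %s" % (a, b), ""))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-50s %s" % (reason, line))
```

Run against the sample it reports seven findings: the orphaned R3 hook, the GUID-named BHO, the rundll32 Run key, the missing Winlogon Notify DLL, the O24 component, the hidden tneurqrt.tmp, and the tneurqrt/trqruent reversed pair; winlogon.exe, services.exe and PRISMSVC.EXE are left alone. The eight-letter rule is a heuristic, not a verdict: treat its output as a list of entries to look at, and confirm each against the process list and the ComboFix deletions before writing it into a CFScript.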

#5 keebee (Topic Starter, Members, 17 posts)

Posted 15 November 2007 - 04:02 PM

I did as you asked. Below are the new logs. I should add that, when turned on, Trend Micro OfficeScan is popping up with the following virus:

C:\DOCUME~1\paul\LOCALS~1\Temp\feoslgqt.dll
Virus Name: TROJ_INJECT.JT
Successfully detected but not cleaned. File will be quarantined.

I'm sure you probably see this but I just wanted you to know.

Thanks again!



ComboFix 07-11-08.1 - paul 2007-11-15 12:37:36.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.491 [GMT -8:00]
Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\paul\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\aopounru.dll
C:\WINDOWS\system32\bfgoglpg.exe
C:\WINDOWS\system32\bfswuaet.exe
C:\WINDOWS\system32\biaoibem.dll
C:\WINDOWS\system32\bqffhlxv.exe
C:\WINDOWS\system32\briqkvaf.dll
C:\WINDOWS\system32\cbhrtpne.dll
C:\WINDOWS\system32\cjhtavxq.dll
C:\WINDOWS\system32\cmjljgfn.dll
C:\WINDOWS\system32\csglabfr.dll
C:\WINDOWS\system32\cwvwcaoy.exe
C:\WINDOWS\system32\dmxvslrd.dll
C:\WINDOWS\system32\drfcaovb.exe
C:\WINDOWS\system32\eqohoisl.exe
C:\WINDOWS\system32\evejjpfk.exe
C:\WINDOWS\system32\evslvbkk.exe
C:\WINDOWS\system32\ffnuhygq.dll
C:\WINDOWS\system32\fkfwucfj.dll
C:\WINDOWS\system32\fsxgklet.dll
C:\WINDOWS\system32\ggrkjgmb.dll
C:\WINDOWS\system32\goysqnkp.dll
C:\WINDOWS\system32\icicnumc.dll
C:\WINDOWS\system32\iibsxjhx.exe
C:\WINDOWS\system32\iskespqa.exe
C:\WINDOWS\system32\jacbbfqa.exe
C:\WINDOWS\system32\jcsnbaqg.dll
C:\WINDOWS\system32\lawymhja.exe
C:\WINDOWS\system32\lkxwmcnm.exe
C:\WINDOWS\system32\llnhkafa.dll
C:\WINDOWS\system32\mluyvmgi.dll
C:\WINDOWS\system32\mroxjbvx.dll
C:\WINDOWS\system32\mwqrexmb.exe
C:\WINDOWS\system32\nfwpasmq.dll
C:\WINDOWS\system32\nktermsk.dll
C:\WINDOWS\system32\nnijytbh.dll
C:\WINDOWS\system32\oajfaftl.dll
C:\WINDOWS\system32\oytljdqp.dll
C:\WINDOWS\system32\qexvtsoq.exe
C:\WINDOWS\system32\qhvbhyid.dll
C:\WINDOWS\system32\qqbqesku.dll
C:\WINDOWS\system32\rgbchosq.dll
C:\WINDOWS\system32\sgyvikmm.exe
C:\WINDOWS\system32\shqghvra.dll
C:\WINDOWS\system32\sirjgxac.exe
C:\WINDOWS\system32\sjxsyurp.exe
C:\WINDOWS\system32\tkqpouyr.dll
C:\WINDOWS\system32\toiqudwd.dll
C:\WINDOWS\system32\trqruent.dll
C:\WINDOWS\system32\tyjctmxc.dll
C:\WINDOWS\system32\umepraau.exe
C:\WINDOWS\system32\utknafuq.dll
C:\WINDOWS\system32\vkjvdmep.dll
C:\WINDOWS\system32\vxghfngn.exe
C:\WINDOWS\system32\watisbsx.dll
C:\WINDOWS\system32\wefpwlyr.exe
C:\WINDOWS\system32\whmsckei.dll
C:\WINDOWS\system32\yafuilws.dll
C:\WINDOWS\system32\yktmayre.dll
C:\WINDOWS\system32\ywbgpedy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aopounru.dll
C:\WINDOWS\system32\bfgoglpg.exe
C:\WINDOWS\system32\bfswuaet.exe
C:\WINDOWS\system32\biaoibem.dll
C:\WINDOWS\system32\bqffhlxv.exe
C:\WINDOWS\system32\briqkvaf.dll
C:\WINDOWS\system32\cbhrtpne.dll
C:\WINDOWS\system32\cjhtavxq.dll
C:\WINDOWS\system32\cmjljgfn.dll
C:\WINDOWS\system32\csglabfr.dll
C:\WINDOWS\system32\cwvwcaoy.exe
C:\WINDOWS\system32\dmxvslrd.dll
C:\WINDOWS\system32\drfcaovb.exe
C:\WINDOWS\system32\eqohoisl.exe
C:\WINDOWS\system32\evejjpfk.exe
C:\WINDOWS\system32\evslvbkk.exe
C:\WINDOWS\system32\ffnuhygq.dll
C:\WINDOWS\system32\fkfwucfj.dll
C:\WINDOWS\system32\fsxgklet.dll
C:\WINDOWS\system32\ggrkjgmb.dll
C:\WINDOWS\system32\goysqnkp.dll
C:\WINDOWS\system32\icicnumc.dll
C:\WINDOWS\system32\iibsxjhx.exe
C:\WINDOWS\system32\iskespqa.exe
C:\WINDOWS\system32\jacbbfqa.exe
C:\WINDOWS\system32\jcsnbaqg.dll
C:\WINDOWS\system32\lawymhja.exe
C:\WINDOWS\system32\lkxwmcnm.exe
C:\WINDOWS\system32\llnhkafa.dll
C:\WINDOWS\system32\mluyvmgi.dll
C:\WINDOWS\system32\mroxjbvx.dll
C:\WINDOWS\system32\mwqrexmb.exe
C:\WINDOWS\system32\nfwpasmq.dll
C:\WINDOWS\system32\nktermsk.dll
C:\WINDOWS\system32\nnijytbh.dll
C:\WINDOWS\system32\oajfaftl.dll
C:\WINDOWS\system32\oytljdqp.dll
C:\WINDOWS\system32\qexvtsoq.exe
C:\WINDOWS\system32\qhvbhyid.dll
C:\WINDOWS\system32\qqbqesku.dll
C:\WINDOWS\system32\rgbchosq.dll
C:\WINDOWS\system32\sgyvikmm.exe
C:\WINDOWS\system32\shqghvra.dll
C:\WINDOWS\system32\sirjgxac.exe
C:\WINDOWS\system32\sjxsyurp.exe
C:\WINDOWS\system32\tkqpouyr.dll
C:\WINDOWS\system32\toiqudwd.dll
C:\WINDOWS\system32\trqruent.dll
C:\WINDOWS\system32\tyjctmxc.dll
C:\WINDOWS\system32\umepraau.exe
C:\WINDOWS\system32\utknafuq.dll
C:\WINDOWS\system32\vkjvdmep.dll
C:\WINDOWS\system32\vxghfngn.exe
C:\WINDOWS\system32\watisbsx.dll
C:\WINDOWS\system32\wefpwlyr.exe
C:\WINDOWS\system32\whmsckei.dll
C:\WINDOWS\system32\yafuilws.dll
C:\WINDOWS\system32\yktmayre.dll
C:\WINDOWS\system32\ywbgpedy.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 12:12 <DIR> d-------- C:\Program Files\CCleaner
2007-11-14 15:05 <DIR> d-------- C:\Program Files\Citrix
2007-11-14 15:05 3,902,784 --a------ C:\Documents and Settings\paul\gosetup.exe
2007-11-14 15:05 42,792 --a------ C:\WINDOWS\system32\gotomon.dll
2007-10-25 15:12 218,112 --a------ C:\HijackThis.exe
2007-10-22 13:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-22 12:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 11:02 <DIR> d-------- C:\WINDOWS\pss
2007-10-18 23:23 8,191 --a------ C:\WINDOWS\b111.exe.bin
2007-10-18 06:16 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\pod2
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\cap1
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\bib1
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\bco2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 23:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 16:29 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-11-14 16:29 --------- d-----w C:\Program Files\Autodesk Land Desktop 2006
2007-11-14 16:29 --------- d-----w C:\Program Files\Autodesk Civil 3D 2006
2007-11-14 16:16 --------- d-----w C:\Program Files\Land Desktop 2004
2007-11-12 16:47 --------- d-----w C:\Documents and Settings\paul\Application Data\AdobeUM
2007-10-22 20:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 18:18 --------- d-----w C:\Program Files\Windows Media Connect 2
1997-07-22 02:30:54 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 10:00:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 19:06:50 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 19:06:50 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 19:06:50 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-14_14.56.49.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-20 19:08:12 22,528 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\G2PrintUPDDriver.dll
+ 2007-06-20 19:08:42 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\G2PrintUPDUI.dll
+ 2007-06-20 19:06:42 8,192 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll
+ 2007-11-15 20:40:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-09-13 18:21]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-09-13 18:21]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-06 19:27]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-27 05:37]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-06 07:35]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 11:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 05:18:22]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2005-07-08 13:05:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-06-20 11:09 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
PRISMGNA.DLL 2004-12-08 11:41 229465 C:\WINDOWS\system32\PRISMGNA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
C:\Program Files\Words\Words.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 PRISMSVC;PRISMSVC;C:\WINDOWS\System32\PRISMSVC.EXE
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 12:42:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""
.
Completion time: 2007-11-15 12:43:28 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 14:57
C:\ComboFix3.txt ... 2007-11-03 14:04
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46, on 2007-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\PRISMSVC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
\Nas-01-48-1d\NAS01-1\Setup\Trend Micro\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov
O16 - DPF: Autodesk MapGuide Viewer, Java Edition - http://www.autodesk.com/us/mapguide/viewer..._win/mgjava.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {5BB05153-D3D2-4370-97A3-8715519FF81F} (Interactive Client Result Set Control) - http://plso.wadnr.gov/wx/Client/IrcResultSet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EncompassES.local
O17 - HKLM\Software\..\Telephony: DomainName = EncompassES.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EncompassES.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8499 bytes

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 AM

Posted 15 November 2007 - 06:32 PM

Hello keebee,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
*******************************************

You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\WINDOWS\b111.exe.bin

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

*******************************************


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked":

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.


Reboot and post a fresh Hijackthis log and the results of the Virus Total scan.
Is this a company computer?

Edited by SifuMike, 15 November 2007 - 06:33 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 keebee

keebee
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 15 November 2007 - 11:24 PM

Attached are the results of the VirusTotal scan and the newest HijackThis.
Yes, this is a work computer. We have gone 2.5 years without a virus and now this. I use OfficeScan but I'd really appreciate your recommendations for the best (and easiest to manage) corporate protection. If it means going to workstation-based software that would be okay. Again, any recommendations are welcome.

Thanks so much.

Complete scanning result of "image001.gif", processed in VirusTotal at 11/16/2007 05:04:16 (CET).

[ file data ]
* name: image001.gif
* size: 3775
* md5.: 0ef09df655f1eff4fbb7c15c9af507f8
* sha1: 5bd26dc5b8a6222fcf302a2b8accfeb14114a920

[ scan result ]
AhnLab-V3 2007.11.16.0/20071116 found nothing
AntiVir 7.6.0.34/20071115 found nothing
Authentium 4.93.8/20071115 found nothing
Avast 4.7.1074.0/20071115 found nothing
AVG 7.5.0.503/20071115 found nothing
BitDefender 7.2/20071116 found nothing
CAT-QuickHeal 9.00/20071115 found nothing
ClamAV 0.91.2/20071116 found nothing
DrWeb 4.44.0.09170/20071116 found nothing
eSafe 7.0.15.0/20071114 found nothing
eTrust-Vet 31.2.5299/20071116 found nothing
Ewido 4.0/20071115 found nothing
F-Prot 4.4.2.54/20071116 found nothing
F-Secure 6.70.13030.0/20071116 found nothing
FileAdvisor 1/20071116 found nothing
Fortinet 3.11.0.0/20071019 found nothing
Ikarus T3.1.1.12/20071116 found nothing
Kaspersky 7.0.0.125/20071116 found nothing
McAfee 5164/20071115 found nothing
Microsoft 1.3007/20071112 found nothing
NOD32v2 2661/20071115 found nothing
Norman 5.80.02/20071115 found nothing
Panda 9.0.0.4/20071115 found nothing
Prevx1 V2/20071116 found nothing
Rising 20.18.33.00/20071116 found nothing
Sophos 4.23.0/20071116 found nothing
Sunbelt 2.2.907.0/20071116 found nothing
Symantec 10/20071116 found nothing
TheHacker 6.2.9.130/20071115 found nothing
VBA32 3.12.2.5/20071116 found nothing
VirusBuster 4.3.26:9/20071115 found nothing
Webwasher-Gateway 6.0.1/20071116 found nothing




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26, on 2007-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\PRISMSVC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
\Nas-01-48-1d\NAS01-1\Setup\Trend Micro\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov
O16 - DPF: Autodesk MapGuide Viewer, Java Edition - http://www.autodesk.com/us/mapguide/viewer..._win/mgjava.cab
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O16 - DPF: {5BB05153-D3D2-4370-97A3-8715519FF81F} (Interactive Client Result Set Control) - http://plso.wadnr.gov/wx/Client/IrcResultSet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EncompassES.local
O17 - HKLM\Software\..\Telephony: DomainName = EncompassES.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EncompassES.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7887 bytes
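
Added example (not code from the thread, and not Trend Micro's HijackThis): a small Python script that parses the R/F/O entry lines of two HijackThis logs, reports which entries disappeared and which appeared between them, and checks that every line the helper asked to "fix checked" is really gone from the fresh log. The two embedded samples are excerpts of the logs in this thread, the one posted before the fix and the one above; the function names, the `Entry` type and the CLSID extraction are my own choices.

```python
"""Diff two HijackThis logs and confirm that the entries a helper asked to
'fix checked' are gone. Added example; not code from the thread or from
Trend Micro's HijackThis."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# A HijackThis entry line: section code (R0..R3, F0..F3, O1..O24), " - ", text.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<entry>.+)$")
# Registry CLSID embedded in O2/O3/O9/O16 entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class Entry(NamedTuple):
    section: str
    text: str
    clsid: str  # upper-cased CLSID when the entry carries one, else ""


def parse_hjt(log: str) -> Set[Entry]:
    """Keep only R/F/O lines; the header, process list and 'End of file' are dropped."""
    entries: Set[Entry] = set()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        c = CLSID_RE.search(m["entry"])
        entries.add(Entry(m["section"], m["entry"], c.group(0).upper() if c else ""))
    return entries


def diff_hjt(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (removed, added): entries only in the old log, entries only in the new one."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def verify_fixed(after: str, requested: List[str]) -> Dict[str, bool]:
    """True for each requested 'fix checked' line that no longer appears in the new log."""
    present = {e.text for e in parse_hjt(after)}
    report: Dict[str, bool] = {}
    for line in requested:
        m = LINE_RE.match(line.strip())
        report[line] = m is not None and m["entry"] not in present
    return report


# Excerpt of the log posted before the 'fix checked' step (copied from this thread).
BEFORE_EXCERPT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
--
End of file - 8499 bytes
"""

# Excerpt of the log posted after the fix and the Java update (copied from this thread).
AFTER_EXCERPT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26, on 2007-11-15
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
--
End of file - 7887 bytes
"""

# The five lines the helper asked to 'fix checked' (copied from this thread).
FIX_CHECKED = [
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll",
    r"O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll",
    r"O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab",
    r"O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab",
    r"O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab",
]

if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE_EXCERPT, AFTER_EXCERPT)
    print("removed:")
    for e in removed:
        print(f"  {e.section} {e.clsid or '-'} {e.text[:70]}")
    print("added:")
    for e in added:
        print(f"  {e.section} {e.clsid or '-'} {e.text[:70]}")
    for line, gone in verify_fixed(AFTER_EXCERPT, FIX_CHECKED).items():
        print("gone         " if gone else "STILL PRESENT", line[:70])
```

Comparing whole entry lines rather than just CLSIDs matters here: the Java console entries and the new `SSVHelper` BHO are the same component at two different paths, so a diff on CLSIDs alone would not show that the 1.5.0_11 copy was removed and the 1.6.0_03 copy is what now loads.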

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 AM

Posted 15 November 2007 - 11:56 PM

Hi keebee,

Complete scanning result of "image001.gif", processed in VirusTotal at 11/16/2007



I think you scanned the wrong file. :thumbsup:
I asked you to run C:\WINDOWS\b111.exe.bin through Virus Total, and it looks like you scanned image001.gif.

Please use Virus Total again and scan C:\WINDOWS\b111.exe.bin, then post the log.

Yes, this is a work computer. We have gone 2.5 years without a virus and now this. I use OfficeScan but I'd really appreciate your recommendations for the best (and easiest to manage) corporate protection. If it means going to workstation-based software that would be okay. Again, any recommendations are welcome.


There is nothing wrong with the OfficeScan antivirus you have. No antivirus would protect you from the Vundo infection you had.
Sorry, I don't give recommendations for work computers, only home computers. Contact your IT dept and ask them.

Edited by SifuMike, 15 November 2007 - 11:58 PM.


#9 keebee

keebee
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 16 November 2007 - 11:25 AM

It's weird but I did e-mail them the correct file (I even checked the 'sent files' and the attachment was the correct file) but it came back with those results. I just ran it again without using the e-mail method. Here are the results:

Thanks!


File b111.exe.bin received on 11.16.2007 17:15:34 (CET)

Result: 2/32 (6.25%)


Antivirus Version Last Update Result
AhnLab-V3 2007.11.16.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 -
Authentium 4.93.8 2007.11.15 -
Avast 4.7.1074.0 2007.11.15 -
AVG 7.5.0.503 2007.11.16 -
BitDefender 7.2 2007.11.16 Generic.Malware.Sdld!.AF8D181E
CAT-QuickHeal 9.00 2007.11.16 -
ClamAV 0.91.2 2007.11.16 -
DrWeb 4.44.0.09170 2007.11.16 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5300 2007.11.16 -
Ewido 4.0 2007.11.16 -
FileAdvisor 1 2007.11.16 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.16 -
Ikarus T3.1.1.12 2007.11.16 -
Kaspersky 7.0.0.125 2007.11.16 -
McAfee 5164 2007.11.15 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2664 2007.11.16 archive damaged
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.16 -
Prevx1 V2 2007.11.16 -
Rising 20.18.40.00 2007.11.16 -
Sophos 4.23.0 2007.11.16 -
Sunbelt 2.2.907.0 2007.11.16 -
Symantec 10 2007.11.16 -
TheHacker 6.2.9.131 2007.11.16 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 -
Webwasher-Gateway 6.0.1 2007.11.16 -
Additional information
File size: 8191 bytes
MD5: 498fc0e1921d91feca9867775fac10ce
SHA1: e35b1594a030ddc5ce9a401f73e6900f79684278
packers: PE_Patch
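
Added example, not part of the thread: a parser for the plain-text VirusTotal result table pasted above. It reproduces the 2/32 ratio the service reported and separates the one named signature hit (BitDefender) from a scanner status string ("archive damaged"), which VirusTotal counted toward the ratio but which says nothing about what the file is. The table and hashes embedded below are copied from the post; the function names and the `NON_VERDICTS` set are my own assumptions about which result strings are status messages rather than detections.

```python
"""Parse a 2007-era VirusTotal plain-text result table into a detection
summary. Added example; not the thread's own code and not a VirusTotal API."""
import re
from typing import Dict, List, NamedTuple

# Copied from the VirusTotal result pasted in this thread.
VT_TEXT = """\
File b111.exe.bin received on 11.16.2007 17:15:34 (CET)
Result: 2/32 (6.25%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.16.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 -
Authentium 4.93.8 2007.11.15 -
Avast 4.7.1074.0 2007.11.15 -
AVG 7.5.0.503 2007.11.16 -
BitDefender 7.2 2007.11.16 Generic.Malware.Sdld!.AF8D181E
CAT-QuickHeal 9.00 2007.11.16 -
ClamAV 0.91.2 2007.11.16 -
DrWeb 4.44.0.09170 2007.11.16 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5300 2007.11.16 -
Ewido 4.0 2007.11.16 -
FileAdvisor 1 2007.11.16 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.16 -
Ikarus T3.1.1.12 2007.11.16 -
Kaspersky 7.0.0.125 2007.11.16 -
McAfee 5164 2007.11.15 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2664 2007.11.16 archive damaged
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.16 -
Prevx1 V2 2007.11.16 -
Rising 20.18.40.00 2007.11.16 -
Sophos 4.23.0 2007.11.16 -
Sunbelt 2.2.907.0 2007.11.16 -
Symantec 10 2007.11.16 -
TheHacker 6.2.9.131 2007.11.16 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 -
Webwasher-Gateway 6.0.1 2007.11.16 -
Additional information
File size: 8191 bytes
MD5: 498fc0e1921d91feca9867775fac10ce
SHA1: e35b1594a030ddc5ce9a401f73e6900f79684278
packers: PE_Patch
"""


class EngineResult(NamedTuple):
    engine: str
    version: str
    updated: str
    verdict: str  # "-" means the engine reported nothing


DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")          # the "Last Update" column
HASH_RE = re.compile(r"^(MD5|SHA1):\s*([0-9a-fA-F]+)$")
# Result strings that describe a scanner problem, not a malware family (assumption).
NON_VERDICTS = {"archive damaged"}


def parse_vt_table(text: str) -> List[EngineResult]:
    """Split each row on whitespace and anchor on the date column, because both
    the engine name and the verdict may themselves contain spaces."""
    rows: List[EngineResult] = []
    for line in text.splitlines():
        parts = line.split()
        dates = [i for i, p in enumerate(parts) if DATE_RE.match(p)]
        # need engine name, version, date and a verdict after the date
        if not dates or dates[-1] < 2 or dates[-1] == len(parts) - 1:
            continue
        di = dates[-1]
        rows.append(EngineResult(" ".join(parts[:di - 1]), parts[di - 1],
                                 parts[di], " ".join(parts[di + 1:])))
    return rows


def parse_hashes(text: str) -> Dict[str, str]:
    """Collect the MD5/SHA1 lines so the result can be tied to the exact sample."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = HASH_RE.match(line.strip())
        if m:
            out[m.group(1).upper()] = m.group(2).lower()
    return out


def summarize(text: str) -> Dict[str, object]:
    rows = parse_vt_table(text)
    flagged = [r for r in rows if r.verdict != "-"]            # what VT counts as "2/32"
    named = [r for r in flagged if r.verdict.lower() not in NON_VERDICTS]
    errors = [r for r in flagged if r not in named]
    return {
        "engines": len(rows),
        "flagged": len(flagged),
        "ratio": f"{len(flagged)}/{len(rows)}",
        "named": [(r.engine, r.verdict) for r in named],
        "errors": [(r.engine, r.verdict) for r in errors],
        "hashes": parse_hashes(text),
    }


if __name__ == "__main__":
    for k, v in summarize(VT_TEXT).items():
        print(f"{k}: {v}")
```

Read this way, the 2/32 is really one generic heuristic name from a single engine plus one engine that could not unpack the file (note the `PE_Patch` packer line), which is why the helper's next step was to have ComboFix remove the file rather than rely on the scan alone.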

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 AM

Posted 16 November 2007 - 12:40 PM

Hello keebee,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\b111.exe.bin


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.


#11 keebee

keebee
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 16 November 2007 - 03:12 PM

While running ComboFix, OfficeScan again came across the virus mentioned earlier:
C:\DOCUME~1\paul\LOCALS~1\Temp\feoslgqt.dll
Virus Name: TROJ_INJECT.JT
Successfully detected but not cleaned. File will be quarantined.

Thanks!


Here are the latest logs:

ComboFix 07-11-08.1 - paul 2007-11-16 12:05:12.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.483 [GMT -8:00]
Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\paul\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\b111.exe.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b111.exe.bin

.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 19:41 <DIR> d-------- C:\Program Files\Sun
2007-11-15 19:36 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-15 12:12 <DIR> d-------- C:\Program Files\CCleaner
2007-11-14 15:05 <DIR> d-------- C:\Program Files\Citrix
2007-11-14 15:05 3,902,784 --a------ C:\Documents and Settings\paul\gosetup.exe
2007-11-14 15:05 42,792 --a------ C:\WINDOWS\system32\gotomon.dll
2007-10-25 15:12 218,112 --a------ C:\HijackThis.exe
2007-10-22 13:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-22 12:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-22 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 11:02 <DIR> d-------- C:\WINDOWS\pss
2007-10-18 06:16 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\pod2
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\cap1
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\bib1
2007-10-17 17:28 <DIR> d-------- C:\WINDOWS\system32\bco2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 03:41 --------- d-----w C:\Program Files\Java
2007-11-14 23:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 16:29 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-11-14 16:29 --------- d-----w C:\Program Files\Autodesk Land Desktop 2006
2007-11-14 16:29 --------- d-----w C:\Program Files\Autodesk Civil 3D 2006
2007-11-14 16:16 --------- d-----w C:\Program Files\Land Desktop 2004
2007-11-12 16:47 --------- d-----w C:\Documents and Settings\paul\Application Data\AdobeUM
2007-10-22 20:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 18:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
1997-07-22 02:30:54 1,045,776 --sha-w C:\WINDOWS\system32\Msjet35.dll
1997-06-23 10:00:00 123,664 --sha-w C:\WINDOWS\system32\Msjint35.dll
1997-06-23 19:06:50 24,848 --sha-w C:\WINDOWS\system32\Msjter35.dll
1997-06-23 19:06:50 252,176 --sha-w C:\WINDOWS\system32\Msrd2x35.dll
1997-06-23 19:06:50 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-14_14.56.49.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-15 09:30:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-12-15 09:31:06 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-12-15 11:09:14 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-20 19:08:12 22,528 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\G2PrintUPDDriver.dll
+ 2007-06-20 19:08:42 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\G2PrintUPDUI.dll
+ 2007-06-20 19:06:42 8,192 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll
+ 2007-11-16 03:10:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_798.dat
+ 2007-11-16 04:03:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-09-13 18:21]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-09-13 18:21]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-06 19:27]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-27 05:37]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-06 07:35]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 11:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 05:18:22]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2005-07-08 13:05:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-06-20 11:09 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
PRISMGNA.DLL 2004-12-08 11:41 229465 C:\WINDOWS\system32\PRISMGNA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
C:\Program Files\Words\Words.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 PRISMSVC;PRISMSVC;C:\WINDOWS\System32\PRISMSVC.EXE
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 12:07:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""
.
Completion time: 2007-11-16 12:07:30
C:\ComboFix2.txt ... 2007-11-15 12:43
C:\ComboFix3.txt ... 2007-11-14 14:57
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10, on 2007-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\PRISMSVC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\WINDOWS\explorer.exe
\Nas-01-48-1d\NAS01-1\Setup\Trend Micro\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov
O16 - DPF: Autodesk MapGuide Viewer, Java Edition - http://www.autodesk.com/us/mapguide/viewer..._win/mgjava.cab
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O16 - DPF: {5BB05153-D3D2-4370-97A3-8715519FF81F} (Interactive Client Result Set Control) - http://plso.wadnr.gov/wx/Client/IrcResultSet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EncompassES.local
O17 - HKLM\Software\..\Telephony: DomainName = EncompassES.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EncompassES.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7706 bytes

#12 SifuMike

  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 November 2007 - 04:20 PM

Hi keebee,

I am not seeing any malware in your logs, but let's dig deeper.


You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.
    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh HijackThis log.
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.

#13 keebee

  • Topic Starter
  • Members
  • 17 posts

Posted 20 November 2007 - 06:56 PM

Sorry for the delay, I was out of the office the past few days. Here are the BitDefender (attached as an HTML file), AVG and HiJackThis logs. I hope you have a great Thanksgiving!



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:49:35 PM 11/20/2007

+ Scan result:



C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\paul\Cookies\paul@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\paul\Cookies\paul@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@www.adobe[2].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\paul\Cookies\paul@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wfkoukc5oep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wjkosmajwlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wjkycjazwlq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wjkyohdpsdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wjl4chcjibo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wjlisjcpsbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wjnyqoczsgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@e-2dj6wjnyuicpogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@ehg-ati.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@ehg-foxsports.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@ehg-tigerdirect2.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@ehg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\paul\Cookies\paul@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\paul\Cookies\paul@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\paul\Cookies\paul@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\paul\Cookies\paul@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Encompass.ENCOMPASSES\Cookies\encompass@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\PRISMSVC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
\Nas-01-48-1d\NAS01-1\Setup\Trend Micro\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov
O16 - DPF: Autodesk MapGuide Viewer, Java Edition - http://www.autodesk.com/us/mapguide/viewer..._win/mgjava.cab
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O16 - DPF: {5BB05153-D3D2-4370-97A3-8715519FF81F} (Interactive Client Result Set Control) - http://plso.wadnr.gov/wx/Client/IrcResultSet.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EncompassES.local
O17 - HKLM\Software\..\Telephony: DomainName = EncompassES.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EncompassES.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\System32\PRISMSVC.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8299 bytes

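Comparing the HijackThis log at the top of this page with the one keebee just posted is what the helper does by eye: the only new lines are the ones the BitDefender Online Scanner and AVG Anti-Spyware installs added, and the entries that always get a second look (O20 AppInit_DLLs, O15 Trusted Zone, O16 downloaded ActiveX controls, an O23 service with "Unknown owner", and an O4 Run value given as a bare file name such as stsystra.exe) are unchanged between the two. The Python script below is an added example for this thread, not code from the thread, from BleepingComputer or from Trend Micro's HijackThis: it parses the R*/O* entry lines of an HJT log, reports which entries appeared or disappeared between two logs, and flags those entry classes. The embedded sample logs are a trimmed subset of the lines posted above (a constructed sample, not the full logs), and the review reasons are this example's own heuristics, not rules built into the tool.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread; not code from the thread or from HijackThis.
Parses R*/O* entry lines, diffs two logs, and flags entries a helper
reviews first. The review reasons are this example's own heuristics.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section such as "O23", rest of the line)

# Entry lines look like "O4 - HKLM\..\Run: [...] ..."; the header and the
# "Running processes" list of the log do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_hjt(log: str) -> List[Entry]:
    """Return (section, body) for every entry line in an HJT log."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).rstrip()))
    return entries


def diff_hjt(before: str, after: str) -> Dict[str, List[Entry]]:
    """Entries present in only one of two logs, as 'added' and 'removed'."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def bare_run_value(body: str) -> bool:
    """True for an O4 Run value given as a bare file name with no drive or
    path, e.g. '[SigmatelSysTrayApp] stsystra.exe', which Windows resolves
    through the search path rather than from an explicit location."""
    if "\\Run: [" not in body:
        return False  # Global Startup .lnk entries are not Run values
    parts = body.split("] ", 1)
    if len(parts) < 2:
        return False
    value = parts[1].strip().lstrip('"')
    return not re.match(r"^[A-Za-z]:\\", value)


def flag_entries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, body, reason) for entries that deserve a closer look."""
    flagged = []
    for sec, body in entries:
        reason = None
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "AppInit_DLLs is loaded into every process that links user32.dll"
        elif sec == "O15":
            reason = "Trusted Zone entry lowers IE security settings for this site"
        elif sec == "O16":
            reason = "downloaded ActiveX control (DPF); confirm the source site is expected"
        elif sec == "O23" and "Unknown owner" in body:
            reason = "service whose file carries no vendor name"
        elif sec == "O4" and bare_run_value(body):
            reason = "Run value has no full path and is resolved via the search path"
        if reason:
            flagged.append((sec, body, reason))
    return flagged


# Constructed sample: a trimmed subset of the two HijackThis logs posted in
# this thread (before and after the BitDefender / AVG Anti-Spyware runs).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\stsystra.exe

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.isqft.com
O15 - Trusted Zone: http://plso.wadnr.gov
O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://plso.wadnr.gov/wx/Client/IrcViewer.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
"""

AFTER_LOG = BEFORE_LOG + r"""O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    changes = diff_hjt(BEFORE_LOG, AFTER_LOG)
    print(f"{len(changes['added'])} new entries since the previous log:")
    for sec, body in changes["added"]:
        print(f"  + {sec} - {body}")
    print("\nEntries to review in the current log:")
    for sec, body, why in flag_entries(parse_hjt(AFTER_LOG)):
        print(f"  {sec} - {body}\n      -> {why}")
```

On the sample above the diff reports exactly the four lines the two scanners installed (O4, O9, O16 and O23 entries for AVG and BitDefender), none of which are malware, and the review list is the same before and after. That matches the helper's reading that the logs are clean; the flagged entries are the ones to confirm with the machine's owner (the Trusted Zone sites, the Google Desktop AppInit DLL, the ATI service without vendor info and the path-less stsystra.exe Run value), not things to remove on sight.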



#14 SifuMike

  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 November 2007 - 07:09 PM

Hi keebee,

Many persons' ComboFix has expired, but let's try yours to see if it still works. If not,
then we'll use something else.

Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\WINDOWS\system32\pod2
C:\WINDOWS\system32\cap1
C:\WINDOWS\system32\bib1
C:\WINDOWS\system32\bco2


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#15 keebee

  • Topic Starter
  • Members
  • 17 posts

Posted 21 November 2007 - 02:59 AM

Indeed you are correct. Combofix has expired and I see that it is not yet updated on your website. Any ideas? I have a saved copy from the download ... is it as simple as re-installing?

Thanks.



