Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Getting Ie Pop Ups, Blue Screens.


  • Please log in to reply
10 replies to this topic

#1 Messiah

Messiah

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 19 December 2007 - 06:35 PM

I must be missing something here. The pop ups wont stop.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:16 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec\SPA\smc.exe
c:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Oracle\ODrive\odrive.exe
C:\Program Files\Oracle Instant Chat\OIChat.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
D:\VMware554\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Oracle\ODrive\ODFWAgent.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\vmnetdhcp.exe
c:\Program Files\Symantec\SPA\SmcGui.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\microsoft office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Debugging Tools for Windows\windbg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\anapoli\Local Settings\Temporary Internet Files\Content.IE5\IYN9D5CA\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.oracle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.oracle.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com;<local>
O1 - Hosts: 172.16.34.129 huccbhp4
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\gdswsuspatch_soon.exe /s
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AutoProfileRepair] "C:\Program Files\Oracle\Outlook Connector\profilerepair.exe" -msi
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Oracle Instant Chat] "C:\Program Files\Oracle Instant Chat\Oracle Instant Chat.lnk"
O4 - HKUS\S-1-5-18\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\firefoxconfig.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ThunderbirdConfig] C:\WINDOWS\orclobi\config\tbirdconfig.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\firefoxconfig.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.oracle.com
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://adc-ssl-vsite2.oracle.com/prx/000/h...lhost/arr_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F43AA2-57C2-41B5-8F8B-9DCB61C24F6D}: NameServer = 144.20.190.70,130.35.249.41,130.35.249.52
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
O23 - Service: Array SSL VPN Service 8,1,0,307 (ArraySSL_VPN_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
O23 - Service: Array Utility Service 8,1,0,307 (Array_Utility_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Micro Focus Directory Server (mf_CCITCP2) - Unknown owner - C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Oracle Connector Automatic Updates Service (ocautoupds) - Oracle Corporation - C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
O23 - Service: ODrive Service (OdService) - Oracle - C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - c:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - c:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\VMware554\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--
End of file - 13232 bytes

Edited by Messiah, 19 December 2007 - 06:35 PM.


BC AdBot (Login to Remove)

 


#2 Messiah

Messiah
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 20 December 2007 - 09:34 AM

I have looked up every process that looked suspicious to me, and I have come up with nothing.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:47 PM

Posted 03 January 2008 - 01:04 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.

#4 Messiah

Messiah
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 07 January 2008 - 08:42 AM

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:16 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec\SPA\smc.exe
c:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Oracle\ODrive\odrive.exe
C:\Program Files\Oracle Instant Chat\OIChat.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
D:\VMware554\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Oracle\ODrive\ODFWAgent.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\vmnetdhcp.exe
c:\Program Files\Symantec\SPA\SmcGui.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\microsoft office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Debugging Tools for Windows\windbg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\anapoli\Local Settings\Temporary Internet Files\Content.IE5\IYN9D5CA\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.oracle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.oracle.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.us.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.o
raclecorp.com;*.oracleportal.com;<local>
O1 - Hosts: 172.16.34.129 huccbhp4
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\gdswsuspatch_soon.exe /s
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AutoProfileRepair] "C:\Program Files\Oracle\Outlook Connector\profilerepair.exe" -msi
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Oracle Instant Chat] "C:\Program Files\Oracle Instant Chat\Oracle Instant Chat.lnk"
O4 - HKUS\S-1-5-18\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\firefoxconfig.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ThunderbirdConfig] C:\WINDOWS\orclobi\config\tbirdconfig.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FirefoxConfig] C:\WINDOWS\orclobi\config\firefoxconfig.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.oracle.com
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://adc-ssl-vsite2.oracle.com/prx/000/h...lhost/arr_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{14F43AA2-57C2-41B5-8F8B-9DCB61C24F6D}: NameServer = 144.20.190.70,130.35.249.41,130.35.249.52
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
O23 - Service: Array SSL VPN Service 8,1,0,307 (ArraySSL_VPN_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe
O23 - Service: Array Utility Service 8,1,0,307 (Array_Utility_Service8.1.0.307) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Micro Focus Directory Server (mf_CCITCP2) - Unknown owner - C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Oracle Connector Automatic Updates Service (ocautoupds) - Oracle Corporation - C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
O23 - Service: ODrive Service (OdService) - Oracle - C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - c:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - c:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\VMware554\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 13232 bytes

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:47 PM

Posted 07 January 2008 - 11:21 AM

I am not seeing anything here. Let's dig deeper.
  • Download Combofix to your desktop.

  • Doubleclick combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new hijackthislog.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

#6 Messiah

Messiah
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 07 January 2008 - 12:16 PM

Here is ComboFix. Hijackthis looks the same as before. I may just wind up re-imaging this thing. :thumbsup:




ComboFix 07-12-21.4 - anapoli 2007-12-21 12:52:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT -5:00]
Running from: C:\WINDOWS\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\webmediaplayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs.\WebMediaPlayer\Website.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer\Website.lnk
c:\Documents and Settings\anapoli\Local Settings\Application Data\hkhxxkprv.dat
c:\documents and settings\anapoli\local settings\application data\hkhxxkprv.exe
C:\Documents and Settings\anapoli\Local Settings\Application Data\hkhxxkprv_nav.dat
C:\Documents and Settings\anapoli\Local Settings\Application Data\hkhxxkprv_navps.dat
C:\Program Files\webmediaplayer
C:\Program Files\webmediaplayer\Privacy Policy.url
C:\Program Files\webmediaplayer\resources\languages_v2.xml
C:\Program Files\webmediaplayer\resources\webmedias
C:\Program Files\webmediaplayer\skins\classic.skn
C:\Program Files\webmediaplayer\sqlite3.dll
C:\Program Files\webmediaplayer\Terms and conditions.url
C:\Program Files\webmediaplayer\uninst.exe
C:\Program Files\webmediaplayer\WebMediaPlayer.exe
C:\Program Files\webmediaplayer\Website.url
C:\WINDOWS\Downloaded Program Files\cnsload-3.0.1.357.dll
C:\WINDOWS\Downloaded Program Files\cnsload.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-21 12:49 . 2007-12-21 12:49 1,478,778 --a------ C:\WINDOWS\ComboFix.exe
2007-12-21 09:37 . 2007-12-21 09:37 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-20 16:21 . 2007-09-18 01:10 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-12-20 16:21 . 2007-09-18 01:10 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-12-20 16:20 . 2007-12-20 16:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 16:20 . 2007-12-20 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-12-20 14:18 . 2007-09-18 01:10 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-20 13:29 . 2007-12-20 14:27 <DIR> d-------- C:\Documents and Settings\anapoli\.housecall6.6
2007-12-18 11:56 . 2007-12-18 11:56 <DIR> d-------- C:\Program Files\Common Files\Oracle
2007-12-18 11:56 . 2006-01-29 22:41 32,318 --a------ C:\WINDOWS\system32\dsgrab_01c84196fd7c70f0.dll
2007-12-18 11:56 . 2006-01-29 22:41 10,910 --a------ C:\WINDOWS\system32\drivers\dsload.sys
2007-12-17 09:52 . 2007-12-17 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 09:34 . 2007-12-20 10:46 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2007-12-14 09:39 . 2007-07-06 07:46 660,992 --------- C:\WINDOWS\system32\dllcache\mqqm.dll
2007-12-14 09:39 . 2007-07-06 07:46 471,552 --------- C:\WINDOWS\system32\dllcache\mqutil.dll
2007-12-14 09:39 . 2007-07-06 07:46 177,152 --------- C:\WINDOWS\system32\dllcache\mqrt.dll
2007-12-14 09:39 . 2007-07-06 07:46 138,240 --------- C:\WINDOWS\system32\dllcache\mqad.dll
2007-12-14 09:39 . 2007-07-06 07:46 95,744 --------- C:\WINDOWS\system32\dllcache\mqsec.dll
2007-12-14 09:39 . 2007-07-06 05:05 72,960 --------- C:\WINDOWS\system32\dllcache\mqac.sys
2007-12-14 09:39 . 2007-07-06 07:46 48,640 --------- C:\WINDOWS\system32\dllcache\mqupgrd.dll
2007-12-14 09:39 . 2007-07-06 07:46 47,104 --------- C:\WINDOWS\system32\dllcache\mqdscli.dll
2007-12-14 09:39 . 2007-07-06 07:46 16,896 --------- C:\WINDOWS\system32\dllcache\mqise.dll
2007-12-14 09:30 . 2007-10-29 17:43 1,287,680 --------- C:\WINDOWS\system32\dllcache\quartz.dll
2007-12-06 13:40 . 2007-08-01 18:08 46,744 --a------ C:\WINDOWS\system32\drivers\odptdi.sys
2007-11-21 12:51 . 2007-11-21 12:51 <DIR> d-------- C:\temp\neelima.raghu@oracle.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 12:32 --------- d-----w C:\Documents and Settings\anapoli\Application Data\Oracle Instant Chat
2007-12-21 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-12-21 12:31 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2007-12-20 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-10 20:25 --------- d-----w C:\Documents and Settings\anapoli\Application Data\VMware
2007-11-20 14:37 --------- d-----w C:\Program Files\Common Files\VMware
2007-11-18 00:58 --------- d-----w C:\Documents and Settings\anapoli\Application Data\vlc
2007-11-18 00:39 --------- d-----w C:\Program Files\VideoLAN
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 20:25 3,065,856 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-25 13:23 --------- d-----w C:\Documents and Settings\anapoli\Application Data\Windows Desktop Search
2007-10-24 13:36 --------- d-----w C:\Program Files\Windows Desktop Search
2007-10-11 05:57 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-04-24 14:38 9,832 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-16 14:59]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"Oracle Instant Chat"="C:\Program Files\Oracle Instant Chat\Oracle Instant Chat.lnk" [2007-04-24 12:36]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-19 14:14]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-06-19 14:05]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [2001-10-08 11:59]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 18:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 19:33]
"TweakAutomaticUpdates"="C:\WINDOWS\orclobi\gdswsuspatch_soon.exe" [2005-12-22 10:34]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-06-26 16:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-06-26 16:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2001-06-26 16:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2001-06-26 16:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2001-06-26 16:00]
"BMMGAG"="RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" []
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-19 23:38]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-19 23:38]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-19 23:38]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 00:10]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 17:39]
"TPKBDLED"="C:\WINDOWS\system32\TpScrLk.exe" [2002-10-09 05:28]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 18:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 18:17]
"ntpgds"="C:\WINDOWS\orclobi\synctime.exe" [2003-04-07 14:59]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 02:03]
"AutoProfileRepair"="C:\Program Files\Oracle\Outlook Connector\profilerepair.exe" [2007-07-06 09:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 01:10]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FirefoxConfig"="C:\WINDOWS\orclobi\config\firefoxconfig.exe" [2007-04-23 14:06]
"ThunderbirdConfig"="C:\WINDOWS\orclobi\config\tbirdconfig.exe" [2007-04-20 17:49]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-03 23:56 C:\WINDOWS\system32\cmd.exe]
"MPlayer2_FixUp"="C:\WINDOWS\inf\unregmp2.exe" [2006-11-01 17:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-16 14:59:18]
Oracle Drive.lnk - C:\Program Files\Oracle\ODrive\odrive.exe [2006-09-22 12:47:00]
VPN Client.lnk - c:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-08-15 02:45:36]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 10:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-13 03:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)

R1 Odptdi;Odptdi;C:\WINDOWS\system32\drivers\odptdi.sys [2007-08-01 18:08]
R1 TDFSD;TDFSD;C:\WINDOWS\system32\Drivers\TDFSD.sys [2006-09-22 12:41]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-19 23:38]
R2 Array_Utility_Service8.1.0.307;Array Utility Service 8,1,0,307;C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe [2007-04-20 14:10]
R2 ArraySSL_VPN_Service8.1.0.307;Array SSL VPN Service 8,1,0,307;C:\Program Files\Array Networks\Array SSL VPN\8,1,0,307\arr_srvs.exe [2007-04-20 14:10]
R2 mf_CCITCP2;Micro Focus Directory Server;"C:\Program Files\Micro Focus\Net Express\Base\bin\mfds.exe" [2003-04-11 00:38]
R2 MyDesktopWindows;MyDesktopService;C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe [2007-10-19 13:32]
R2 ocautoupds;Oracle Connector Automatic Updates Service;"C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe" [2007-07-06 09:47]
R2 PMEMNT;PMEMNT;C:\WINDOWS\pmemnt.sys [2000-09-01 07:11]
R2 QOSMyDesktop;QOS MyDesktop;C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe [2006-04-21 11:14]
R2 SNAC;Symantec NAC Service;c:\Program Files\Symantec\SPA\snac.exe [2007-01-10 16:44]
R2 WGX;Extend WG Protocol Driver;C:\WINDOWS\system32\Drivers\WGX.sys [2007-01-10 16:44]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 07:37]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-11-25 15:38]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;C:\WINDOWS\system32\DRIVERS\nsctpm11.sys [2005-04-21 13:44]
S3 ATP;Array Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\atpdrvr.sys [2007-04-20 14:09]
S3 OdService;ODrive Service;C:\Program Files\Oracle\ODrive\XfsSvcCon.exe svcmanager []
S4 SysGuard;SysGuard;C:\WINDOWS\system32\Drivers\Sysguard.sys [2007-01-10 16:41]
S4 SysPlant;SysPlant for NT;C:\WINDOWS\system32\Drivers\SysPlant.sys [2007-01-10 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b884fbca-f72c-11db-bc9f-00087430decd}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-08-15 02:54:20 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 12:56:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2007-12-21 12:57:32
.
2007-12-14 15:04:25 --- E O F ---

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:47 PM

Posted 07 January 2008 - 03:51 PM

Combofix was able to kill some adware. Are the popups gone now?

#8 Messiah

Messiah
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 07 January 2008 - 04:05 PM

Still get pop ups. Even in Firefox. IE wont really run now. It goes to 99% and hangs.

Thanks for the Combofix though. Thats a new tool for me.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:47 PM

Posted 07 January 2008 - 04:20 PM

Be carefuly with combofix. Using it, without knowing how, can hurt a machine in certain circumstances.

What are these popups you are receiving. Are you getting them browsing with IE or Firefox or when doing nothing? Very rare for a malware to affect both IE and firefox.

#10 Messiah

Messiah
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 08 January 2008 - 10:55 AM

I was getting pop ups with both, but now just Firefox, as IE is hosed.

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:47 PM

Posted 08 January 2008 - 11:11 AM

What are the popups exactly...how are you getting them? Just when browsing? Or IE and Firefox can be closed and you will all of a sudden get one? The more detail you can provide, the better I can assist you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users