Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Crypt3.dll/troj Agent.aeua


  • This topic is locked This topic is locked
9 replies to this topic

#1 jpd9930

jpd9930

  • Members
  • 221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 23 December 2007 - 12:13 AM

reference this file for history. I followed your procedure for filing in this forum

http://www.bleepingcomputer.com/forums/t/121819/crypt3dll-troj-agentaeua/

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:48 AM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
f:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
J:\TRENDM~3\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
J:\TRENDM~3\Tmntsrv.exe
J:\TRENDM~3\TmPfw.exe
J:\TRENDM~3\tmproxy.exe
F:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
J:\trend micro\pccguide.exe
D:\Utopia\Angel\Angel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\TRENDM~3\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Diags\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F29F4B6-5434-44A5-A379-8DBEA4B179C2} - C:\WINDOWS\system32\crypt3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "f:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [pccguide.exe] "J:\trend micro\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Utopia Angel] "D:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200242343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200229171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - f:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - J:\TRENDM~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - J:\TRENDM~3\PcScnSrv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - (no file)
O23 - Service: RoxUpnpRenderer - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - J:\TRENDM~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - J:\TRENDM~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - J:\TRENDM~3\tmproxy.exe

--
End of file - 7165 bytes

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:51 PM

Posted 03 January 2008 - 01:06 PM

  • Download Combofix to your desktop.

  • Doubleclick combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new hijackthislog.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.

#3 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 05 January 2008 - 06:40 PM

Good News!!!!!! Combofix ended my woes!!!! Thanks for the help. Do you guys know of any software that identifies or monitors your system for being a spam client and keyloggers? Can you tell me something about mzmrmmvn.exe as well? I've googled it but I dont get much in response.

One more thing. After running combofix each time I delete a desktop icon (logs) PC-Cillin installer starts then I get an error stating a missing file in the pc-cillin directory. TMPCC.MSI is not in the correct directory. Once I clear the error I can then delete the file.


here are the logs:

ComboFix 08-01-06.1 - Jon 2008-01-05 12:43:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.230 [GMT -5:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\components
C:\WINDOWS\system32\crypt3.dll
C:\WINDOWS\system32\drivers\iukrisgk.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SJGXBGXQ
-------\nm
-------\sjgxbgxq


((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-05 12:40 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-26 00:28 . 2007-12-26 00:28 868 --a------ C:\remover2.baT
2007-12-25 15:36 . 2008-01-02 07:06 13,832 --a------ C:\logfile
2007-12-25 15:28 . 2007-12-25 15:45 <DIR> d-------- C:\Program Files\Kodak
2007-12-25 15:25 . 2007-12-25 15:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-12-25 14:50 . 2007-01-24 17:45 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-25 14:40 . 2007-12-25 14:40 25,713 --a------ C:\fix.zip
2007-12-25 08:13 . 2007-12-25 08:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-25 08:13 . 2007-12-25 08:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-12-25 08:08 . 2007-12-25 08:15 <DIR> d-------- C:\Program Files\Zune
2007-12-25 08:02 . 2007-12-25 20:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-22 22:39 . 2007-12-22 23:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-12-22 18:15 . 2007-12-30 09:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-12-19 10:23 . 2007-12-19 10:19 176,128 ---h----- C:\WINDOWS\system32\mzmrmmvn.exe
2007-12-19 10:23 . 2007-12-22 19:59 73 --a------ C:\WINDOWS\system32\44682352\cfg
2007-12-19 10:23 . 2007-12-22 19:59 10 --a------ C:\WINDOWS\system32\44682352\run
2007-12-19 10:19 . 2007-12-19 10:23 <DIR> d--h----- C:\WINDOWS\system32\44682352
2007-12-19 10:19 . 2007-12-22 19:53 10 --a------ C:\WINDOWS\system32\44682352\tst
2007-12-19 08:06 . 2007-12-19 08:22 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-12-08 04:20 . 2007-12-08 04:20 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 18:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-30 18:24 --------- d-----w C:\Documents and Settings\Jon\Application Data\Azureus
2007-11-30 18:24 --------- d-----w C:\DOCUME~1\Jon\APPLIC~1\Azureus
2007-11-18 16:12 --------- d-----w C:\Documents and Settings\Jon\Application Data\LimeWire
2007-11-18 16:12 --------- d-----w C:\DOCUME~1\Jon\APPLIC~1\LimeWire
2007-11-16 02:38 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 20:56 5,120 ----a-w C:\WINDOWS\system32\drivers\iknzefoa.dat
2007-11-07 22:31 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-02 20:37 81,920 ----a-w C:\Documents and Settings\Jon\Application Data\ezpinst.exe
2007-03-02 20:37 81,920 ----a-w C:\DOCUME~1\Jon\APPLIC~1\ezpinst.exe
2007-03-02 20:37 47,360 ----a-w C:\Documents and Settings\Jon\Application Data\pcouffin.sys
2007-03-02 20:37 47,360 ----a-w C:\DOCUME~1\Jon\APPLIC~1\pcouffin.sys
2006-03-10 07:34 2,216 ----a-w C:\Documents and Settings\Jon\Application Data\ViewerApp.dat
2006-03-10 07:34 2,216 ----a-w C:\DOCUME~1\Jon\APPLIC~1\ViewerApp.dat
2006-09-03 04:47 699,232 --sh--w C:\WINDOWS\system32\llkkj.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Utopia Angel"="D:\Utopia\Angel\Angel.exe" [2007-12-10 03:28 3545600]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"nForce Tray Options"="sstray.exe" [2003-08-12 23:25 73728 C:\WINDOWS\system32\sstray.exe]
"SchedulingAgent"="mstinit.exe" [2004-08-04 02:56 12288 C:\WINDOWS\system32\mstinit.exe]
"HP OfficeJet Series 500"="f:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" [2001-10-12 11:34 28672]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-09-22 16:43 793408]
"pccguide.exe"="J:\trend micro\pccguide.exe" [2007-01-23 01:26 3429904]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-11-15 21:51 166304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Kodak EasyShare software.lnk - F:\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-05-09 19:40 294912 F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32]
winjrs32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-31 17:44 271672 F:\Program Files\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-07-07 22:17 1318912 F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2007-08-29 02:04]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 07:12]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 Yyfdzjeo;Yyfdzjeo;C:\WINDOWS\system32\mzmrmmvn.exe [2007-12-19 10:19]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 13:00:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 13:03:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 18:02:28


==============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:25 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
f:\Program Files\a-squared Anti-Malware\a2service.exe
J:\trend micro\pccguide.exe
D:\Utopia\Angel\Angel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
J:\TRENDM~3\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
J:\TRENDM~3\Tmntsrv.exe
J:\TRENDM~3\TmPfw.exe
J:\TRENDM~3\tmproxy.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
J:\TRENDM~3\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
D:\Diags\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "f:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [pccguide.exe] "J:\trend micro\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Utopia Angel] "D:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = F:\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200242343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200229171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - f:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - J:\TRENDM~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - J:\TRENDM~3\PcScnSrv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - (no file)
O23 - Service: RoxUpnpRenderer - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - J:\TRENDM~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - J:\TRENDM~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - J:\TRENDM~3\tmproxy.exe

--
End of file - 7362 bytes

Edited by jpd9930, 05 January 2008 - 07:03 PM.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:51 PM

Posted 06 January 2008 - 02:29 PM

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\mzmrmmvn.exe
C:\WINDOWS\system32\llkkj.bak1
c:\windows\system32\winjrs32.dll

Folder::
C:\WINDOWS\system32\44682352

Suspect::[3]
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\drivers\iknzefoa.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32]

Driver::
Yyfdzjeo


Save this as the txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

#5 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 06 January 2008 - 05:31 PM

Combofix accessed bleepingcomputer and uploaded a file..asked me to let you know..




not sure if this is what you wanted its the text file combofix created on my desktop:

file copied: C:\WINDOWS\DCEBoot.exe -> C:\WINDOWS\DCEBoot.exe.vir ( 10752 bytes )
file zipped: C:\WINDOWS\DCEBoot.exe.vir -> catchme.zip -> DCEBoot.exe.vir ( 10752 bytes )
PE file "C:\WINDOWS\DCEBoot.exe.vir" killed successfully
file copied: C:\WINDOWS\system32\drivers\iknzefoa.dat -> C:\WINDOWS\system32\drivers\iknzefoa.dat.vir ( 5120 bytes )
file zipped: C:\WINDOWS\system32\drivers\iknzefoa.dat.vir -> catchme.zip -> iknzefoa.dat.vir ( 5120 bytes )
PE file "C:\WINDOWS\system32\drivers\iknzefoa.dat.vir" killed successfully


----------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:18 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
f:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
J:\PC-CIL~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
J:\PC-CIL~1\Tmntsrv.exe
J:\PC-CIL~1\TmPfw.exe
J:\PC-CIL~1\tmproxy.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
J:\PC-CIL~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
J:\PC-cillin\pccguide.exe
D:\Utopia\Angel\Angel.exe
C:\WINDOWS\system32\ctfmon.exe
J:\PC-cillin\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Diags\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "f:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "J:\PC-cillin\pccguide.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Utopia Angel] "D:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "J:\PC-cillin\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200242343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200229171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - f:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - J:\PC-CIL~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - J:\PC-CIL~1\PcScnSrv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - J:\PC-CIL~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - J:\PC-CIL~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - J:\PC-CIL~1\tmproxy.exe

--
End of file - 6705 bytes

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:51 PM

Posted 07 January 2008 - 11:00 AM

Please delete this file, reboot and post a new hijackthis log.

C:\WINDOWS\system32\drivers\iknzefoa.dat

#7 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 07 January 2008 - 05:01 PM

Thanks for all your help so far.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:22 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
J:\PC-cillin\pccguide.exe
f:\Program Files\a-squared Anti-Malware\a2service.exe
D:\Utopia\Angel\Angel.exe
C:\WINDOWS\system32\ctfmon.exe
J:\PC-cillin\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
J:\PC-CIL~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
J:\PC-CIL~1\Tmntsrv.exe
J:\PC-CIL~1\TmPfw.exe
J:\PC-CIL~1\tmproxy.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
J:\PC-CIL~1\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
D:\Diags\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "f:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "J:\PC-cillin\pccguide.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Utopia Angel] "D:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "J:\PC-cillin\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200242343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200229171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - f:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - J:\PC-CIL~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - J:\PC-CIL~1\PcScnSrv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - J:\PC-CIL~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - J:\PC-CIL~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - J:\PC-CIL~1\tmproxy.exe

--
End of file - 6623 bytes

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:51 PM

Posted 08 January 2008 - 11:15 AM

Looks clean to me...how is it feeling to you?

#9 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 08 January 2008 - 04:15 PM

all warm and fuzzy!!!!

again, many thanks.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:51 PM

Posted 09 January 2008 - 12:15 PM

Now that your clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here for your particular Windows Version:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Renable system restore with instructions from tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users